SQL Server ‘periodic recurring scans’ for vulnerability assessments should be enabled

Description

The vulnerability assessment setting “periodic recurring scans” schedules weekly vulnerability scanning for SQL servers and their databases. Regular scanning improves risk visibility by re-evaluating each server against updated known-vulnerability signatures and best-practice checks.

Remediation Steps

Azure Portal

  • Navigate to SQL servers.

  • Select the SQL server and in the left navigation, select Security Center.

  • Select Enable Azure Defender for SQL if not already enabled.

  • In Azure Defender for SQL: Enabled at the subscription-level, select Configure.

  • Under VULNERABILITY ASSESSMENT SETTINGS, ensure Storage account is configured.

  • Set Periodic recurring scans to ON.

  • Click Save.

Azure PowerShell

  • Enable Azure Defender for SQL, if not already enabled:

    • Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True

  • Enable periodic recurring scans for the vulnerability assessment service:

    Update-AzSqlServerVulnerabilityAssessmentSetting `
      -ResourceGroupName "<resource group name>" `
      -ServerName "<server name>" `
      -StorageAccountName "<storage name from same subscription and same location>" `
      -ScanResultsContainerName "vulnerability-assessment" `
      -RecurringScansInterval Weekly `
      -EmailSubscriptionAdmins $true `
      -NotificationEmail @("mail1@mail.com" , "mail2@mail.com")
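The following audit script is an added example, not part of the original recommendation: it walks every SQL server in the current subscription, reports those without a configured scan-results storage account or without weekly recurring scans, and with -Fix applies the same Update-AzSqlServerVulnerabilityAssessmentSetting remediation shown above. It assumes the Az.Sql module, an existing Connect-AzAccount context, and a placeholder storage account name you must replace.

```powershell
# Added audit/remediation helper (not from the original page). Assumes Az.Sql is
# installed and Connect-AzAccount / Set-AzContext already selected the subscription.
# $StorageAccountName is a placeholder: use a storage account in the same
# subscription and region as the SQL servers, as the recommendation requires.
param(
    [string]$StorageAccountName = "<storage name from same subscription and same location>",
    [string[]]$NotificationEmail = @(),
    [switch]$Fix
)

$nonCompliant = @()

foreach ($server in Get-AzSqlServer) {
    $va = Get-AzSqlServerVulnerabilityAssessmentSetting `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName

    # Compliant only when a scan-results storage account is configured AND
    # recurring scans are scheduled (the setting reports "None" when they are off).
    $hasStorage  = -not [string]::IsNullOrEmpty($va.StorageAccountName)
    $isRecurring = "$($va.RecurringScansInterval)" -eq "Weekly"

    if ($hasStorage -and $isRecurring) {
        Write-Host "OK       $($server.ServerName): weekly scans -> $($va.StorageAccountName)"
        continue
    }

    $nonCompliant += $server
    Write-Warning "MISSING  $($server.ServerName): storage=$hasStorage recurring=$($va.RecurringScansInterval)"

    if ($Fix) {
        # Same remediation the page shows, applied to each non-compliant server.
        $params = @{
            ResourceGroupName        = $server.ResourceGroupName
            ServerName               = $server.ServerName
            StorageAccountName       = $StorageAccountName
            ScanResultsContainerName = "vulnerability-assessment"
            RecurringScansInterval   = "Weekly"
            EmailSubscriptionAdmins  = $true
        }
        # Only pass recipients when some were supplied.
        if ($NotificationEmail.Count -gt 0) { $params.NotificationEmail = $NotificationEmail }
        Update-AzSqlServerVulnerabilityAssessmentSetting @params
    }
}

Write-Host "$($nonCompliant.Count) SQL server(s) without periodic recurring scans."
```

Run it without -Fix first to review the list of non-compliant servers; the summary count is a convenient figure to track between scans.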