Open chris-dnv opened 1 year ago
I would also really like to figure out what is correct here; I also see some SQL servers where `"minimalTlsVersion": "None"`, like this:
```json
{
  "identity": {
    "principalId": "123e4567-e89b-12d3-a456-426614174000",
    "type": "SystemAssigned",
    "tenantId": "123e4567-e89b-12d3-a456-426614174001"
  },
  "kind": "v12.0",
  "properties": {
    "administratorLogin": "admin",
    "version": "12.0",
    "state": "Ready",
    "fullyQualifiedDomainName": "demo-sql.database.windows.net",
    "privateEndpointConnections": [],
    "minimalTlsVersion": "None",
    "publicNetworkAccess": "Enabled",
    "restrictOutboundNetworkAccess": "Disabled"
  },
  "location": "westeurope",
  "tags": {
    "environment": "demo"
  },
  "id": "/subscriptions/123e4567-e89b-12d3-a456-426614174002/resourceGroups/test-rg/providers/Microsoft.Sql/servers/demo-sql",
  "name": "demo-sql",
  "type": "Microsoft.Sql/servers"
}
```
According to the SQL documentation: the default for the minimal TLS version is to allow all versions.

If all sources are correct, the built-in policy should also check whether `Microsoft.Sql/servers/minimalTlsVersion` equals `"None"`:
```json
{
  "properties": {
    "displayName": "Azure SQL Database should be running TLS version 1.2 or newer",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Sql/servers/minimalTlsVersion",
                "exists": false
              },
              {
                "field": "Microsoft.Sql/servers/minimalTlsVersion",
                "less": "1.2"
              },
              {
                "field": "Microsoft.Sql/servers/minimalTlsVersion",
                "equals": "None"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "32e6bbec-16b6-44c2-be37-c5b672d103cf"
}
```
Details of the scenario you tried and the problem that is occurring
Regarding the policy "Azure SQL Database should be running TLS version 1.2 or newer": currently SQL servers are non-compliant if the TLS version is less than 1.2 or if the property doesn't exist at all. However, if TLS hasn't been set then the property on the SQL Server is `"minimalTlsVersion": "None"`, which the BuiltIn policy doesn't check for; therefore any SQL Servers that don't have TLS set are "Compliant" against this policy, which is incorrect.
Verbose logs showing the problem
N/A
Suggested solution to the issue
Add a check to the builtin policy for `"minimalTlsVersion": "None"` so that SQL servers that don't have TLS set are flagged as non-compliant.
If policy is Guest Configuration - details about target node
N/A
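To make the gap concrete, the following is an added example (not code from the Azure Policy repository or from Microsoft) that evaluates the built-in rule and the proposed rule against constructed sample `Microsoft.Sql/servers` resources. It implements only the operators the two rules use (`allOf`, `anyOf`, `exists`, `less`, `equals`) and assumes, following the Azure Policy condition documentation, that `equals` is case-insensitive and that `less` between two string values is a case-insensitive string comparison. The field-alias resolution and the sample servers are simplifications constructed for the example.

```python
"""Toy evaluator showing why "minimalTlsVersion": "None" passes the
built-in rule but is caught once an "equals": "None" condition is added.

Added example, not the Azure Policy engine. Operator semantics are an
assumption modelled on the policy condition docs: "equals" is
case-insensitive, "less" on strings is a case-insensitive string compare.
"""
import copy


def get_field(resource, field):
    """Resolve a policy field name to a value on the resource.

    Simplification (assumption): "type" is the top-level type, and an
    alias such as "Microsoft.Sql/servers/minimalTlsVersion" maps to the
    last path segment under "properties".
    """
    if field == "type":
        return resource.get("type")
    prop = field.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(prop)


def matches(resource, cond):
    """Return True if the resource satisfies a single policy condition."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c) for c in cond["anyOf"])
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    if value is None:
        # Comparisons against an absent field never match; only
        # "exists": false catches a missing property.
        return False
    if "equals" in cond:
        return value.lower() == cond["equals"].lower()
    if "less" in cond:
        # String comparison: "none" starts with 'n', which sorts after
        # '1', so "None" < "1.2" is False and the server is not flagged.
        return value.lower() < cond["less"].lower()
    raise ValueError(f"unsupported condition: {cond}")


def is_non_compliant(resource, policy_rule):
    """A resource is non-compliant when the rule's "if" block matches."""
    return matches(resource, policy_rule["if"])


# The built-in rule's conditions as shown in the issue.
BUILTIN_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Sql/servers"},
            {"anyOf": [
                {"field": "Microsoft.Sql/servers/minimalTlsVersion", "exists": False},
                {"field": "Microsoft.Sql/servers/minimalTlsVersion", "less": "1.2"},
            ]},
        ]
    },
    "then": {"effect": "Audit"},
}

# Proposed rule: identical, plus the "equals": "None" condition.
PROPOSED_RULE = copy.deepcopy(BUILTIN_RULE)
PROPOSED_RULE["if"]["allOf"][1]["anyOf"].append(
    {"field": "Microsoft.Sql/servers/minimalTlsVersion", "equals": "None"}
)


def sql_server(name, tls=None):
    """Constructed sample Microsoft.Sql/servers resource (not real data)."""
    props = {"version": "12.0", "state": "Ready"}
    if tls is not None:
        props["minimalTlsVersion"] = tls
    return {"name": name, "type": "Microsoft.Sql/servers", "properties": props}


SAMPLE_SERVERS = [
    sql_server("sql-unset"),          # property absent entirely
    sql_server("sql-none", "None"),   # the default: all TLS versions allowed
    sql_server("sql-tls10", "1.0"),
    sql_server("sql-tls12", "1.2"),
]


def compliance_report(rule):
    """Map each sample server name to its compliance state under a rule."""
    return {
        s["name"]: ("NonCompliant" if is_non_compliant(s, rule) else "Compliant")
        for s in SAMPLE_SERVERS
    }


if __name__ == "__main__":
    for label, rule in (("built-in", BUILTIN_RULE), ("proposed", PROPOSED_RULE)):
        print(label, compliance_report(rule))
```

Running it shows `sql-none` reported `Compliant` under the built-in rule and `NonCompliant` under the proposed rule, while the unset, 1.0 and 1.2 servers are classified the same way by both. The root cause is visible in `matches`: with string semantics, `"None"` is neither absent nor ordered before `"1.2"`, so only an explicit equality check can catch the all-versions-allowed default.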