
Security Considerations for SQL Server in Azure Virtual Machines

Updated: April 22, 2015

This topic includes overall security guidelines that help establish secure access to SQL Server instances in an Azure VM. However, to better protect your SQL Server database instances in Azure, we recommend that you implement the traditional on-premises security practices in addition to the security best practices for Azure.

For more information about the SQL Server security practices, see:

Azure complies with several industry regulations and standards that can enable you to build a compliant solution with SQL Server running in a Virtual Machine. For information about regulatory compliance with Azure, see Azure Trust Center.

The following security recommendations should be considered when configuring and connecting to an instance of SQL Server in an Azure VM.

  • Create a unique local administrator account that is not named Administrator.

  • Use complex, strong passwords for all your accounts. For more information about how to create a strong password, see the Create Strong Passwords article in the Safety and Security Center.

  • By default, Azure selects Windows Authentication during SQL Server Virtual Machine setup. Therefore, the SA login is disabled and a password is assigned by setup. We recommend that the SA login not be used or enabled. The following are alternative strategies if a SQL login is desired:

    • Create a SQL account that has CONTROL SERVER permissions.

    • If you must use an SA login, enable the login, rename it, and assign a new password.

    • Both of the options mentioned above require changing the authentication mode to SQL Server and Windows Authentication Mode. For more information, see Change Server Authentication Mode.

  • Consider using Azure Virtual Network to administer the virtual machines instead of public RDP ports.

  • Remove any endpoints on the virtual machine if you do not use them.

  • Enable an encrypted connection option for an instance of the SQL Server Database Engine in Azure Virtual Machines. Configure the SQL Server instance with a signed certificate. For more information, see Enable Encrypted Connections to the Database Engine and Connection String Syntax.

  • If your virtual machines should be accessed only from a specific network, use Windows Firewall to restrict access to certain IP addresses or network subnets.
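
The SA-login alternatives and the encrypted-connection recommendation in the list above can be applied and verified from T-SQL. The following is an added example, not part of the original Microsoft topic; the login names and password are placeholders chosen for illustration.

```sql
-- Added example (T-SQL). Names in [..._placeholder] and the password are
-- placeholders, not values from the original topic.

-- 1. Authentication mode: 1 = Windows Authentication only,
--    0 = SQL Server and Windows Authentication (mixed) mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. State of the built-in SA login. Its SID is always 0x01, so this
--    query still finds it after a rename.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 3. First alternative: a dedicated SQL login with CONTROL SERVER.
--    Requires mixed mode; the Windows password policy is enforced on it.
CREATE LOGIN [sqlvm_admin_placeholder]
    WITH PASSWORD = N'<replace-with-strong-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GRANT CONTROL SERVER TO [sqlvm_admin_placeholder];

-- 4. Second alternative: only if SA itself must be used, uncomment to
--    enable it, rename it, and assign a new password.
-- ALTER LOGIN [sa] ENABLE;
-- ALTER LOGIN [sa] WITH NAME = [renamed_sa_placeholder];
-- ALTER LOGIN [renamed_sa_placeholder]
--     WITH PASSWORD = N'<replace-with-strong-password>';

-- 5. Review every principal that was explicitly granted CONTROL SERVER.
SELECT pr.name, pr.type_desc, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'CONTROL SERVER';

-- 6. Current connections that are NOT encrypted. After encrypted
--    connections are enabled, remote (TCP) sessions should not appear here.
SELECT session_id, net_transport, auth_scheme, client_net_address
FROM sys.dm_exec_connections
WHERE encrypt_option = 'FALSE';
```

Query 6 requires the VIEW SERVER STATE permission. Members of the sysadmin fixed server role are not listed by query 5 and should be reviewed separately.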

© 2015 Microsoft