The Innocent Killer on Azure
Ever thought that a small feature can hand access to your SQL Server databases to anyone with an Azure account? Yes, you read it right: “anyone with an Azure account”.
With this feature enabled, anyone on the Azure network can access your SQL databases in Azure SQL Server from any of the Azure services. You might have applied so many access policies, firewalls and IP restrictions, but if this feature is left enabled, anyone with an Azure account can access your databases.
I guess that now I have your attention!
Well, getting your attention was important here, because the feature I’m talking about is among the most overlooked and misinterpreted, and most people leave it enabled.
The feature I’m talking about is “Allow Azure services and resources to access this server” under the Security settings in the Firewalls and Virtual Networks tab of the Azure SQL Server resource.
This innocent-looking setting is commonly interpreted as giving access to all the Azure resources under your subscription, or to the resources mapped to your current Azure Active Directory. But here’s where we all go wrong. This feature not only grants access to you, your subscriptions and all the resources in your AD, but also to everyone on the Azure network. Literally anyone with credentials to your SQL Server on Azure can access your SQL Server and its databases from any service on Azure. Don’t believe me? Keep the “Allow Azure services and resources to access this server” setting enabled for your SQL Server and try to access this SQL Server through SSMS from a Virtual Machine created in your friend’s account. Ideally, this should not work, but interestingly it will!
Here’s what the Microsoft Azure team has to say on this.
I guess now you understand why I called this feature an innocent killer. I hope you will now keep an eye on this feature and enable it only when it is really required.
Please feel free to reach out to me in case of any queries or help. I’ll be happy to assist!
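To keep an eye on it across your servers, here is an added audit script (my own example, not from the original post). Azure records this setting as a server-level firewall rule whose start and end IP are both 0.0.0.0 (shown in the portal as AllowAllWindowsAzureIps), so the check keys on that range in the JSON output of `az sql server firewall-rule list`; the sample rules and the 256-address threshold below are constructed for the example.

```python
import json
from ipaddress import IPv4Address

# Constructed sample mimicking the JSON returned by
# `az sql server firewall-rule list -g <rg> -s <server>`.
SAMPLE_RULES_JSON = """[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]"""

# A rule spanning exactly 0.0.0.0-0.0.0.0 is how Azure stores the
# "Allow Azure services and resources to access this server" toggle.
# Key on the range, not the rule name, since names can be changed.
AZURE_SERVICES_RULE = ("0.0.0.0", "0.0.0.0")
FINDING_AZURE_SERVICES = "allow-azure-services enabled: reachable from any Azure tenant"


def audit_firewall_rules(rules_json, max_range=256):
    """Return (rule name, finding) tuples for risky server-level rules.

    Reports the 0.0.0.0-0.0.0.0 rule that backs the setting discussed in
    the post, plus any plain rule wider than max_range addresses.
    """
    findings = []
    for rule in json.loads(rules_json):
        start, end = rule["startIpAddress"], rule["endIpAddress"]
        if (start, end) == AZURE_SERVICES_RULE:
            findings.append((rule["name"], FINDING_AZURE_SERVICES))
            continue
        # Count the addresses the rule admits (inclusive range).
        width = int(IPv4Address(end)) - int(IPv4Address(start)) + 1
        if width > max_range:
            findings.append((rule["name"], f"range covers {width} addresses"))
    return findings


if __name__ == "__main__":
    # Remediation for the first finding (real CLI command, placeholders for names):
    #   az sql server firewall-rule delete -n AllowAllWindowsAzureIps -g <rg> -s <server>
    for name, finding in audit_firewall_rules(SAMPLE_RULES_JSON):
        print(f"{name}: {finding}")
```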