Azure Virtual Machines and SQL Server—Mind Your Endpoints

I am a big advocate of using Microsoft Azure VMs for lots of uses: many clients don't have the wherewithal to manage a full-scale data center operation, and others don't have the budget for a second data center for disaster recovery. Azure is a great option for those cases, as well as for quickly spinning up dev environments to test new releases or do proofs of concept. In fact, I'm currently working on a PoC for a client and we are using Azure IaaS and Power BI for Office 365.

The biggest fear most people have about cloud computing is security: they don't trust their data anywhere but their own data center. In general, I think Microsoft (and Amazon) have far better physical and operational security than most data centers I've ever set foot in, but whenever you use a cloud provider you need a good understanding of the nuances of its security model. One thing to note about Microsoft Azure is that every virtual machine you create is reachable through a public IP address (personally, I feel like this is a waste of a limited resource, as VMs within virtual networks generally have no need for a public-facing IP address, but that's a different blog post). Inbound access to that address is defined by endpoints, each of which maps a public port to a port on the VM, and by default the SQL Server template creates endpoints for remote PowerShell, RDP and SQL Server on 1433. Access to an endpoint can be restricted with an ACL: a list of IP addresses or ranges (presumably the other machines in your network) that are allowed to talk to the VM over that endpoint. Without an ACL, though, your new VM accepts connections on port 1433 from the entire internet, so check the VM's endpoint list in the portal before you do anything else.

I was troubleshooting connectivity from my SharePoint VM to my SQL Server VM this morning, and I went to the SQL Server log, and I found:

Figure 1 Log of Failed Logins

Those IP addresses aren’t on my virtual network, and they aren’t the public IPs of any of the servers in my network. Let’s use an IP lookup service to see where they are from:

Figure 2 IP Address #1: Nanjing, China

Figure 3 IP Address #2: Walnut, CA

As Denny Cherry (b|t) mentions in Securing SQL Server, having the sa account still named sa and enabled is a definite security risk. SQL Server logins are generally not locked out after failed password attempts (unlike Windows accounts, lockout only kicks in if the login was created with CHECK_POLICY and the host enforces a Windows account-lockout policy), so these attackers already know half of the battle, the username, and are hammering my VM trying to guess the sa password for as long as they like. Chred1433 seems like an interesting name for a user (or a canned attack against SQL Server), and kisadmin shows up in this list of attacks on SQL Server.
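Scrolling the error log by hand works once; the next time you want to know which addresses are hitting you, how often, and with which login names. The script below is an added example written for this post (it is not the original author's code) that summarizes "Login failed" entries from the ERRORLOG by client address and login. The sample lines are constructed to match the real error-log format (the Error 18456 line followed by the Login failed line with its [CLIENT: …] suffix); the addresses in them are documentation ranges, and $ErrorLogPath assumes the default log location for a SQL Server 2014 default instance, so adjust both for your server.

```powershell
# Added example, not from the original post: summarize failed SQL Server logins
# by client IP and login name.  $ErrorLogPath is an assumption (default path for
# a SQL Server 2014 default instance); the $SampleLog entries are constructed to
# mirror the real ERRORLOG format and use documentation IP ranges.

$ErrorLogPath = 'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG'

$SampleLog = @'
2014-07-02 09:14:11.53 Logon       Error: 18456, Severity: 14, State: 8.
2014-07-02 09:14:11.53 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2014-07-02 09:14:12.01 Logon       Error: 18456, Severity: 14, State: 5.
2014-07-02 09:14:12.01 Logon       Login failed for user 'kisadmin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2014-07-02 09:14:13.20 Logon       Error: 18456, Severity: 14, State: 8.
2014-07-02 09:14:13.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2014-07-02 09:15:00.77 Logon       Login failed for user 'CONTOSO\spfarm'. Reason: Failed to open the explicitly specified database 'SharePoint_Config'. [CLIENT: 10.0.1.5]
'@ -split "`r?`n"

function Get-FailedLoginSummary {
    param(
        [string[]]$LogLines,
        # Address prefixes you consider yours (virtual network, VPN clients).
        # Anything outside them is flagged as External.
        [string[]]$TrustedPrefixes = @('10.')
    )

    # Only the "Login failed" line carries the user, reason and client address.
    $pattern = "Login failed for user '(?<user>[^']+)'\. Reason: (?<reason>.*?) \[CLIENT: (?<ip>[^\]]+)\]"

    $LogLines |
        ForEach-Object {
            if ($_ -match $pattern) {
                [pscustomobject]@{ User = $matches.user; Ip = $matches.ip; Reason = $matches.reason }
            }
        } |
        Group-Object Ip, User |
        ForEach-Object {
            $first   = $_.Group[0]
            $trusted = $false
            foreach ($prefix in $TrustedPrefixes) {
                if ($first.Ip.StartsWith($prefix)) { $trusted = $true }
            }
            [pscustomobject]@{
                ClientIp = $first.Ip
                Login    = $first.User
                Attempts = $_.Count
                Reason   = $first.Reason
                External = -not $trusted
            }
        } |
        Sort-Object Attempts -Descending
}

# Run over the constructed sample.  On a real instance, replace $SampleLog with
# (Get-Content $ErrorLogPath); the ERRORLOG is UTF-16 and Get-Content honours its BOM.
Get-FailedLoginSummary -LogLines $SampleLog | Format-Table -AutoSize
```

Two things fall out of the grouping that the raw log hides: the same external address cycling through several login names (password guessing against a list, not a misconfigured app), and an internal address failing for a reason other than a bad password (the last sample line is the kind of SharePoint-to-SQL problem I was actually troubleshooting). Sort by Attempts and the brute-force sources float to the top.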

Securing Your VM

So what does this mean for you? If you have VMs in Azure (or in your own data center—this is just general security best practices):

  • Never expose port 1433 to the internet. There are some scenarios where you have to, but treat them as exceptions to design around, not the default
  • Disable (and rename) the sa login, and grant access to SQL Server through Windows domain groups rather than SQL logins
  • When launching a SQL Server VM in Microsoft Azure, either remove the 1433 endpoint or attach an ACL that permits only the specific addresses that need it
  • Use Azure Virtual Networks and a gateway to connect securely to your Azure infrastructure. Once your servers are on a virtual network, they talk to each other over private addresses, you never need the public IP address for SQL Server, and all traffic from on-premises can travel over the VPN connection
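Putting the checklist into practice on a classic Azure VM, as an added example written for this post rather than the original author's own script: it lists the endpoints the template exposed, then either removes the 1433 endpoint or (if you genuinely must keep it) attaches a permit-only ACL, and finally disables and renames sa and adds a domain group login. It assumes the classic (service management) Azure PowerShell cmdlets of the time and an already authenticated session (Add-AzureAccount), and the SQLPS module for Invoke-Sqlcmd. The service name, VM name, office subnet, private address and domain group name are placeholders.

```powershell
# Added example, not from the original post.  Assumes the classic Azure service
# management cmdlets (Get-AzureVM, Get-/Set-/Remove-AzureEndpoint, New-/Set-AzureAclConfig,
# Update-AzureVM), an authenticated session, and the SQLPS module.  All names and
# addresses below are placeholders.

$ServiceName       = 'contoso-sql-svc'    # classic cloud service hosting the VM
$VMName            = 'sql01'
$OfficeSubnet      = '203.0.113.0/24'     # the only external range allowed to reach 1433
$PrivateSqlAddress = '10.0.1.10'          # the VM's virtual-network address
$KeepEndpointWithAcl = $false             # $false = remove the endpoint (preferred)

# 1. Inventory: what did the template open, and is anything protected by an ACL?
Get-AzureVM -ServiceName $ServiceName -Name $VMName |
    Get-AzureEndpoint |
    Select-Object Name, Protocol, Port, LocalPort, @{ n = 'AclRules'; e = { $_.Acl.Count } }

$vm          = Get-AzureVM -ServiceName $ServiceName -Name $VMName
$sqlEndpoint = $vm | Get-AzureEndpoint | Where-Object { $_.LocalPort -eq 1433 }

if ($sqlEndpoint -and -not $KeepEndpointWithAcl) {
    # 2a. Preferred: no public port for SQL Server at all.  SharePoint reaches it over
    #     the virtual network's private address, so the endpoint serves only attackers.
    $vm | Remove-AzureEndpoint -Name $sqlEndpoint.Name | Update-AzureVM
}
elseif ($sqlEndpoint) {
    # 2b. Fallback: permit-only ACL.  Rules are evaluated in Order, and once any Permit
    #     rule exists every address not matched by a rule is denied.
    $acl = New-AzureAclConfig
    Set-AzureAclConfig -AddRule -ACL $acl -Order 100 -Action Permit `
        -RemoteSubnet $OfficeSubnet -Description 'Office egress'
    $vm |
        Set-AzureEndpoint -Name $sqlEndpoint.Name -Protocol tcp `
            -LocalPort 1433 -PublicPort $sqlEndpoint.Port -ACL $acl |
        Update-AzureVM
}

# 3. Inside SQL Server: disable and rename sa (its SID is always 0x01, so the check
#    survives a rename) and grant access through a domain group instead.  Run this from
#    a machine on the virtual network so it never touches the public address.
Import-Module SQLPS -DisableNameChecking
$hardenSa = @"
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0)
    ALTER LOGIN sa DISABLE;
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE sid = 0x01 AND name = N'sa')
    ALTER LOGIN sa WITH NAME = [svc_legacy_admin];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQL-SharePoint-Admins')
    CREATE LOGIN [CONTOSO\SQL-SharePoint-Admins] FROM WINDOWS;
"@
Invoke-Sqlcmd -ServerInstance $PrivateSqlAddress -Query $hardenSa
```

Run step 1 by itself first; if the SQL endpoint shows zero ACL rules and you did not put it there on purpose, the rest of the script is what you want. Renaming sa does not change its SID, which is why the script checks sid = 0x01 rather than the name, and why disabling it is the part that actually stops the guessing seen in the log.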

No one wants to have their data breached—so make sure to follow these steps!

June was a Good Month

The month of June and into July have been very good to me. Along with my great volunteers at PSSUS, Microsoft, and all of our wonderful sponsors we had a great SQL Saturday event on June 6-7. Allan Hirt, Stacia Misner and I had great precons, and almost 60 hours of training was provided to our attendees.

A few days after that happened, I got an email that I'd been awaiting for a long time: Microsoft was naming me a SQL Server MVP. I can't begin to describe how humbled and honored I was to receive this award. I don't do all the things I do in the community for recognition (I do it because I love my friends in the community and it's fun), but it is really nice to get recognition for the work I've done. There are entirely too many people to thank for their assistance and guidance with my career progression as a presenter and writer, but I thank you all for helping to get me where I am.

So that happened, and then I got to Germany for a bit of a vacation. For those of you who don't know, I'm a pretty big fan of auto racing. Germany is home to one of the largest, fastest racetracks in the world, the Nürburgring Nordschleife. We were lucky enough to be there the week of the 24 Hours of the Nürburgring. We didn't stay for the race, but went to a qualifying day. It is incredibly impressive to see people driving fast cars around the plunging, twisting circuit that Formula 1 abandoned in 1976 for safety reasons. The skill and bravery of the drivers were quite impressive. Also, the engineering skills of some of the race fans were quite good: there were many elaborate camping setups, a beer pulley, and the below trash can converted into a grill/keg holder/stereo/prep table.

The week after I returned from Germany, sessions were announced for the PASS Summit. I was awarded two sessions, including a three hour talk on Hybrid Disaster Recovery. I’m looking forward to seeing folks in Seattle in November—my birthday is during summit week, so let’s have a beverage!

Right after that, I got news that I would be speaking at both SQL Server Days in Belgium and Live 360! in Orlando this fall. So it will be a busy quarter.
