docs/sql-server/azure-arc/security-overview.md
Lines changed: 7 additions & 2 deletions
@@ -235,9 +235,8 @@ SQL Server enabled by Azure Arc stores the certificate for Microsoft Entra ID in
*[Rotate certificates](rotate-certificates.md)
*[Microsoft Entra authentication for SQL Server](../../relational-databases/security/authentication-access/azure-ad-authentication-sql-server-overview.md).
-
*[Tutorial: Set up Microsoft Entra authentication for SQL Server](entra-authentication-setup-tutorial.md)
-
To set up Microsoft Entra ID, follow the instructions at [Tutorial: Set up Microsoft Entra authentication for SQL Server](entra-authentication-setup-tutorial.md).
+
To set up Microsoft Entra ID, follow the instructions at [Tutorial: Set up Microsoft Entra authentication for SQL Server](https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity).
### Microsoft Purview
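Review bot: The replacement sentence keeps the link text "Tutorial: Set up Microsoft Entra authentication for SQL Server" but now points at `.../azure-arc/microsoft-entra-authentication-with-managed-identity`, so the visible text no longer describes the target; either change the text to name the managed-identity page or keep the tutorial as the target. With the `Tutorial:` bullet deleted as well, this hunk no longer links to `entra-authentication-setup-tutorial.md` anywhere, so if that page is being retired the text should say what replaces it, and if not, one link to it should stay. The new link is also a hard-coded `https://learn.microsoft.com/en-us/...` URL with a locale baked in, while the rest of this file uses site-relative links such as `/purview/manage-integration-runtimes`; use `/sql/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity` so the link localizes and is validated by the docs build.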
@@ -249,6 +248,11 @@ Key requirements to use [Purview](/purview/register-scan-azure-arc-enabled-sql-s
* The latest [self-hosted integration runtime](https://go.microsoft.com/fwlink/?linkid=2246619). For more information, see [Create and manage a self-hosted integration runtime](/purview/manage-integration-runtimes).
* For Azure RBAC, you need to have both Microsoft Entra ID and Azure Key Vault enabled.
+
### Remote management and Script execution
+
+
Azure Arc supports remote management scenarios that include script execution on Arc-enabled servers via [Run Command](https://learn.microsoft.com/en-us/azure/azure-arc/servers/run-command?tabs=azure-powershell), which lets you securely execute scripts/commands on connected machines without needing direct RDP/SSH access, using the Connected Machine agent as the control-plane pathway. Because scripts executed through Run command run in a highly privileged context, **Local System** on Windows or **root** on Linux; this capability should be treated as “remote admin,” and access should be tightly governed to avoid unintended elevation-of-privilege.
+
+
## Best practices
Implement the following configurations to comply with current best practices to secure instances of SQL Server enabled by Azure Arc:
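Review bot: The second sentence of the new paragraph is broken: "Because scripts executed through Run command run in a highly privileged context, **Local System** on Windows or **root** on Linux; this capability should be treated as “remote admin,”" separates the "Because" clause from its main clause with a semicolon. Suggested wording: "Because scripts executed through Run Command run in a highly privileged context (Local System on Windows or root on Linux), treat this capability as remote administration and govern access to it tightly to avoid unintended elevation of privilege." The feature is spelled "Run Command" in the first sentence and "Run command" in the second; pick one. Since this is the SQL Server security overview, it is worth stating the consequence for the reader: host-level Local System or root access also gives control over the SQL Server service and its data files, so anyone who can invoke Run Command on the machine can take over the instance. Smaller points: the heading "### Remote management and Script execution" should be sentence case like "### Microsoft Purview" and "## Best practices" ("### Remote management and script execution"); the link should be site-relative (`/azure/azure-arc/servers/run-command`) rather than `https://learn.microsoft.com/en-us/...`, matching the `/purview/...` links above; and the two added blank lines before "## Best practices" should be one.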
@@ -258,6 +262,7 @@ Implement the following configurations to comply with current best practices to
* Enable [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-sql-usage) and resolve the issues pointed out by Defender for SQL.
* Don't enable SQL authentication. It's disabled by default. Review [SQL Server security best practices](../../relational-databases/security/sql-server-security-best-practices.md).
+
* Restrict remote script execution using [Azure Run command with least-privileged Azure RBAC](https://learn.microsoft.com/en-us/azure/azure-arc/servers/run-command?tabs=azure-powershell#limit-access-to-run-command-preview). Additionally, [block the Run command](https://learn.microsoft.com/en-us/azure/azure-arc/servers/run-command?tabs=azure-powershell#block-run-commands-locally) in your Arc enabled server, if you don’t need it.
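Review bot: The new bullet tells the reader to apply "least-privileged Azure RBAC" but not what that means for Run Command; name the role or action that grants the ability to run scripts on a machine and state that it should be withheld from everyone who is not a host administrator, otherwise the guidance is not actionable. The first anchor, `#limit-access-to-run-command-preview`, indicates the RBAC restriction is documented as a preview feature; say so in the text so readers do not expect a generally available control. Wording and style: "Azure Run command" should match the feature name used in the section above, "Arc enabled server" should be hyphenated as "Arc-enabled server" (as in "Arc-enabled servers" earlier in the file), the link text "Azure Run command with least-privileged Azure RBAC" reads awkwardly, and the links should be site-relative (`/azure/azure-arc/servers/run-command#...`) like the rest of the file. Suggested replacement: "Restrict who can run scripts through [Run Command](/azure/azure-arc/servers/run-command#limit-access-to-run-command-preview) by assigning least-privileged Azure RBAC, and [block Run Command locally](/azure/azure-arc/servers/run-command#block-run-commands-locally) on Arc-enabled servers that don't need it."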