When you hear “default settings” in the context of the cloud, a few things can come to mind: default admin passwords when setting up a new application, a public AWS S3 bucket, or default user access. Often, vendors and providers consider customer usability and ease of use more important than security, and their default settings reflect that. One thing needs to be clear: just because a setting or control is the default doesn’t mean it’s recommended or secure.
Below, we’ll review some examples of defaults that can leave your organization at risk.
Azure
Azure SQL Databases, unlike Azure SQL Managed Instances, have a built-in firewall that can be configured to allow connectivity at the server or database level. This gives users many options for ensuring that only the intended clients can connect.
For applications inside Azure to connect to an Azure SQL Database, there is an “Allow Azure Services” setting on the server that sets the starting and ending IP addresses to 0.0.0.0. Called “AllowAllWindowsAzureIps,” it sounds…
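An added example (not from the original article): a Python check that flags the rule described above in a server's firewall-rule list, matching on the 0.0.0.0 start and end addresses rather than on the rule name. The sample rules are constructed in the shape of `az sql server firewall-rule list -o json` output; the rule names other than AllowAllWindowsAzureIps, the broad-range check and its 256-address threshold are assumptions that go beyond the article.

```python
import ipaddress
import json

# Constructed sample data, shaped like the JSON printed by
# `az sql server firewall-rule list -o json` (only the fields used here).
SAMPLE_RULES = json.loads("""
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
  {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "renamed-azure", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}
]
""")

# Assumed policy threshold: any rule covering more addresses than this is
# reported for review. Adjust to your own standard.
MAX_RANGE = 256


def audit_rules(rules, max_range=MAX_RANGE):
    """Return (rule name, finding) pairs for rules that need review."""
    findings = []
    for rule in rules:
        start = ipaddress.IPv4Address(rule["startIpAddress"])
        end = ipaddress.IPv4Address(rule["endIpAddress"])
        size = int(end) - int(start) + 1
        if int(start) == 0 and int(end) == 0:
            # The "Allow Azure Services" setting: start and end both 0.0.0.0.
            # Matched by range, so a rule with another name is still caught.
            findings.append((rule["name"], "allow-azure-services"))
        elif size > max_range:
            # Beyond the article: a range wider than the assumed threshold.
            findings.append((rule["name"], "broad-range"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{finding:22} {name}")
```
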