Category: Security

Azure Defender for SQL Overview

Deepthi Goguri looks at an Azure security offering:

Azure Defender for SQL, once you enable it, will alert you to any SQL injection attacks, brute force attacks, or breached identities trying to access the data in your database. It also provides vulnerability assessments. Vulnerability assessments give you alerts about the configuration of your database. If your database configuration does not follow Azure's standards, you will receive alerts in the vulnerability assessment report.

You can enable Azure Defender at the subscription level, at the server level, or at the resource level. Under the recommendations in Security Center in the Azure portal, check for Remediate security configuration. This will show whether Azure Defender is configured properly.

I like Azure Defender for SQL, especially the advanced threat protection element. It’s based on IP address location and has caught me in different locations as I’ve traveled.

Security Updates for SQL Server 2014 and Up

Harvey Mora notes that Microsoft has been busy:

The Security Update for SQL Server 2022 RTM GDR is now available for download at the Microsoft Download Center and Microsoft Update Catalog sites. This package includes the new security fixes detailed in the KB Article.

This link is specifically for SQL Server 2022 but there are other posts for 2019, 2017, 2016, and 2014. This includes fixes to several security problems and is something you should install post-haste. Because this is a GDR, you’re also liable to find it in Windows Update if your update admins haven’t shut that channel off already.

Disabling Public Network Access in Synapse

Ryan Adams builds a private endpoint:

If you disable public access to your Azure Synapse Workspace, you will get the following error message when attempting to open Synapse Studio.

"Failed to load one or more resources due to forbidden issue, error code 403."

Click through for more information about routing for Synapse resources and what you’d need to do in order to disable public network access entirely.

Adaptive Protection and More in Microsoft Purview

Victoria Holt summarizes some Microsoft Purview updates:

Yesterday a lot of changes were announced for Microsoft Purview at the Microsoft security event, Securing your data with a multilayered defense. Microsoft Purview is about managing data security risks across hybrid, multi-cloud data estates that have a defense-in-depth strategy to mitigate risk. The recording can be watched at this link.

Read on for a summary of what went down.

Data Protection in Azure

Deepthi Goguri enumerates the ways:

Data needs to be protected no matter where it lives, on-prem or in Azure. Data can be protected by using the encryption that Azure provides. What are the types of encryption we have in Azure?

In addition to specific encryption options, Deepthi also provides an overview of Dynamic Data Masking and ledger tables.

Rotating TDE Certificates

Matthew McGiffen switches out a certificate:

In terms of encryption, Key Rotation is the process of replacing your encryption keys on a periodic basis. This is considered good practice and is required by many security certifications.

In practice, if you had to rotate/replace the key that is used to encrypt your data, that would be an intensive activity requiring all your data to be decrypted with the old key before being replaced with the new key. This could also create a vulnerability where data sits in an unencrypted state during the process.

Instead, see what SQL Server does by reading Matthew’s blog post.
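
As an added illustration (this is not code from Matthew's post), here is the rotation SQL Server lets you do cheaply: swap the certificate that protects the database encryption key (DEK), rather than regenerating the DEK itself. The database name SalesDB, the certificate names, the file paths, and the password are placeholders.

```sql
-- Added example, not from the linked post. Rotates the certificate protecting
-- a TDE database encryption key without touching the encrypted data pages.
-- Assumptions: SalesDB already has TDE enabled under an older certificate;
-- file paths and the password below are placeholders.

USE master;
GO
-- 1. Create the replacement certificate (protected by master's database master key).
CREATE CERTIFICATE TDECert2023
    WITH SUBJECT = 'TDE certificate for SalesDB, 2023 rotation';
GO
-- 2. Back it up, with its private key, BEFORE it protects anything:
--    a TDE database backup cannot be restored anywhere without this pair.
BACKUP CERTIFICATE TDECert2023
    TO FILE = 'C:\Backups\TDECert2023.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backups\TDECert2023.pvk',
        ENCRYPTION BY PASSWORD = '<strong password kept in your secrets vault>');
GO
-- 3. Re-protect the DEK with the new certificate. Only the DEK is re-encrypted;
--    the data files are never decrypted, so there is no plaintext window.
USE SalesDB;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDECert2023;
GO
-- 4. Verify the DEK now points at the new certificate (encryption_state 3 = encrypted).
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       c.name AS protecting_certificate
FROM sys.dm_database_encryption_keys AS dek
JOIN master.sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint
WHERE dek.database_id = DB_ID('SalesDB');
GO
-- Contrast: regenerating the DEK itself triggers a full background re-encryption
-- scan of every data page, which is the expensive operation described above.
-- ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;
```

Keep the old certificate and its backup around: any full backup taken before step 3 still needs the old certificate to restore.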

Power BI Workspace Roles

Reza Rad shares some recommendations with us:

Power BI workspaces are not like the old days when we had Edit access and View access only. You have more options for roles in a workspace, and in my courses, I have found that many people have chosen the incorrect role without knowing what the role does. In this article, I'll explain all the roles in the workspace, and what the best way is to set them up to have a secure workspace.

Click through for the article, as well as an accompanying video. Or a video and an accompanying article, if that’s how you roll.

The Power of Managed Identities in Azure

Koen Verbeeck waxes about managed identities:

This however presented me with the opportunity to review what users were actually necessary in the ETL. Turns out, not that many. In many cases, one Azure resource (for example, a Logic App) can use a managed identity to access another Azure resource (such as an Azure SQL DB). For those of you not familiar with the concept, a managed identity is basically a service principal in Azure AD with the same name as your resource. If your Azure Data Factory instance is called myADF, you'll have an entry in AAD with the name myADF (it's very much like the SQL Server service account used on-premises). You can then assign role permissions to this managed identity.

Read on to see how you can use these managed identities to grant permissions without having to set (or reset or store) passwords.
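
For the Azure SQL DB side of this, here is an added example (not from Koen's post) of mapping the managed identity to a database user and granting it only what the ETL needs. It assumes the Data Factory instance is named myADF, as in the quote, and that the hypothetical dbo.Orders table and dbo.usp_LoadStaging procedure are the only objects the pipeline touches.

```sql
-- Added example, not from the linked post. Run against the target Azure SQL
-- database while connected as the server's Azure AD (Entra ID) admin, not as a
-- SQL login: only an AAD principal can create FROM EXTERNAL PROVIDER users.
-- Assumptions: the Data Factory is named myADF; dbo.Orders and
-- dbo.usp_LoadStaging are hypothetical objects the ETL needs.

-- 1. Map the managed identity to a contained database user. The name must match
--    the resource name (for a user-assigned identity, the identity's own name).
--    No password is created or stored anywhere.
CREATE USER [myADF] FROM EXTERNAL PROVIDER;

-- 2. Least privilege: read one table and execute one procedure, nothing more.
--    Avoid db_owner or a server-level login for an ETL principal.
GRANT SELECT ON OBJECT::dbo.Orders TO [myADF];
GRANT EXECUTE ON OBJECT::dbo.usp_LoadStaging TO [myADF];

-- 3. Verify the mapping: type E and authentication EXTERNAL mean the user is
--    backed by the AAD service principal, not by a password.
SELECT dp.name, dp.type_desc, dp.authentication_type_desc
FROM sys.database_principals AS dp
WHERE dp.name = N'myADF';

-- 4. Verify the effective permissions actually granted to the identity.
SELECT pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = N'myADF';
```

If the Data Factory is later deleted, the service principal goes with it and the orphaned user can simply be dropped; there is no secret to revoke.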

Restoring a TDE Database Sans Certificate

Matthew McGiffen helps us recover from a big oopsie:

If you don’t have backups of the certificate and private key from the old server, as well as the password used to encrypt the private key backup, then you could be in a lot of trouble. There is one scenario where you have a way out. I’m going to assume you don’t have the possibility to recover your old server from a complete file system backup – if you do then you can do that and access all the keys you require. If the two following things are true though, then you can still recover your database:

Read on to see what those requirements are and how you can, in specific circumstances, recover that database.
