
Category: Security

sqlcmd in SQL Server 2025 and Certificate Chain Not Trusted

Vlad Drumea points out a new thing to keep an eye on:

SQL Server 2025 provides ODBC sqlcmd version 17 which enforces an encrypted connection.

If you’re trying to use it to connect to instances that don’t have a CA-signed certificate or where TLS encryption was never properly configured, sqlcmd will throw the famous “certificate chain not trusted” error message:

Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : SSL Provider: The certificate chain was issued by an authority that is not trusted.
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : Client unable to establish connection.

The proper answer to this is to get trusted certificates. The workaround is what Vlad describes, so click through for that.


Preventing Injection Attacks in Shiny

Arthur Breant shares some advice:

Code injection is a common security vulnerability that involves injecting malicious code into a page or application. This code is then executed, creating the security breach. There are several ways to inject code into an application, and Shiny is unfortunately not immune to these risks.

Click through for a quick overview of the three most common types of injection attack. There’s nothing special about Shiny here—any system that executes code based on user input is potentially vulnerable to injection attacks—so it is good to keep these tips in mind. H/T R-Bloggers.


Auditing SQL Server Login Options

Chad Callihan audits logins:

Do you know who is logging into your SQL Server?

I was once asked about the need to track SQL Server logins. Many servers were already tracking failed logins. Where the issue came up in this case was tracking successful logins to determine login usage. Let’s take a quick look at how we can track both failed and successful logins.

Security-oriented me always wants both failed and successful logins, as you want to know if the person who failed to log in eight times did in fact successfully log in on the ninth attempt.


sudo in Windows

Patrick Gruenauer elevates our access:

Sudo for Windows is a new way for users to execute commands with elevated privileges (as an administrator) directly from a non-relevant console session on Windows.

The following requirements apply to the use of sudo in Windows:

  1. Windows 11 24H2
  2. Sudo needs to be enabled

Click through to see how to activate sudo. The English-language header reads “System > For Developers” and the exact setting is at the bottom of the first section and has the name “Enable sudo” with a toggle switch. The number of times I’ve run a command just to see it error out because I needed to be in an administrative command prompt or PowerShell terminal is high enough that I immediately turned it on.

But importantly, this is different from Linux, in that it opens up a new command prompt or PowerShell terminal rather than executing the command with elevated permissions in the same prompt. This is important because that new prompt goes away after the command finishes, so you lose the output. In other words, if you run sudo ipconfig in a command prompt, it will hit you with a UAC request (depending on how you’ve configured your PC) and then run ipconfig in a new command prompt, which disappears as soon as the command finishes. You don’t get to keep what was in stdout. I think this limits some of the capability of the option, unfortunately.


Checking Key Vault Access in Microsoft Fabric Spark Notebooks

Marc Lelijveld has clearance:

Working with sensitive data in Microsoft Fabric requires careful handling of secrets, especially when collaborating externally. In a recent customer engagement, I needed to validate access to Azure Key Vault from within a Fabric Notebook, without ever exposing the actual secret values. With only read access granted and no need to manage or update secrets, I focused on confirming that the connection was working as expected.

In this blog, I’ll walk you through the approach, including the setup, code snippets, and logic behind this quick but crucial verification step.

Click through for the full story.


Working through an Azure SQL DB Vulnerability Assessment

Josephine Bush digs in:

But do you always need them? Not necessarily. A vulnerability assessment might confirm what you already know. On the other hand, if you’re managing multiple environments or collaborating across teams, these tools can catch things you might miss, like forgotten test accounts or relaxed security rules.

They’re not a silver bullet, but can be a smart way to stay proactive. Ensure you understand what you are trying to achieve, not just blindly accept what they tell you.

Click through for an example and some solid advice.


Authenticate to Fabric Data Connections via Key Vault Secrets

Aditya Jain announces a preview:

Azure Key Vault support in Fabric Data connections is now in preview! With this capability, we are introducing a new concept called ‘Azure Key Vault references’ in Microsoft Fabric, using which, users can reuse their existing Azure key vault secrets for authentication to data source connections instead of copy-pasting passwords, slashing credential-management effort and audit risk.

Click through to see what works so far and the current limitations.


Permissions to Execute Fabric Data Factory REST API Calls

Andy Leonard doesn’t need to ask for permission:

The problem we are trying to solve is: Grant an Azure Data Factory permission to execute the ReST API method calls against artifacts in a Fabric workspace.

I begin visiting the Azure Portal. If you don’t have an Azure account, you can create one. You can do a lot of things in Azure for little money, but you need an account and that account needs to be secured by a working source of funds in case you leave a virtual machine running for days. Hypothetically. BE CAREFUL. DO NOT LEAVE A VM RUNNING FOR DAYS.

Good en passant advice. I once blew through a $250 Azure credit by leaving an HDInsight cluster on for, uh, a few hours.


How Random are SQL Server Random Functions?

Rick Dobson publishes a book of guaranteed random numbers, like 41 and 8:

Microsoft provides T-SQL developers with three functions (rand, newid, and crypt_gen_random) for generating random numbers. Each of these functions is effective at returning random values, but feature sets associated with each function make them best suited to different use cases. This tip’s Solution section presents an overview of common use cases for random numbers in SQL Server along with references to learn more about random numbers in SQL Server. The first substantive section provides a short comparative overview of the three functions. The remaining tip sections present and describe T-SQL examples for evaluating the randomness of values returned by SQL Server pseudorandom number generators.

Knowing that SQL Server doesn’t have some nice entropy engine to pull from (such devices do exist, typically as an embedded device that plugs into a USB port), it does a pretty good job of things.
