
Category: Security

Updates to sp_CheckSecurity

Jeff Iannucci has been busy:

It’s been a while since we made some improvements to the public version of sp_CheckSecurity, but internally we’ve been busy fine tuning checks and adding even more to discover potential vulnerabilities in your SQL Server instances.

Today we’re announcing a new version that includes additions, corrections, and a few other adjustments that should be helpful. Here’s what’s new!

Read on to see what has changed.


Customer-Managed Keys in Microsoft Fabric

Sumiran Tandon makes an announcement:

Customer managed keys were launched in preview, offering workspace administrators the ability to use keys in Azure Key Vault and Managed HSM, to protect data in certain Fabric items. Now, we are extending the encryption support to more Fabric workloads. You can now create Fabric Warehouses, Notebooks and utilize the SQL Analytics Endpoint in workspaces enabled with encryption using your keys. The changes are rolling out and should be available in all regions over the next few days.

Freddie Santos digs into what this means for Fabric Warehouse and the SQL analytics endpoint:

Fabric already ensures that your data is encrypted at rest using Microsoft-managed keys. But for many organizations—especially in regulated industries—encryption alone isn’t enough. They need the ability to control and manage the keys that protect their data, aligning with internal compliance requirements, regulatory standards, and governance best practices.

I know that there are enough companies where this is absolutely necessary for adoption of a product, but I should point out that even without bringing your own key, Microsoft does use their own generated keys to encrypt your data at rest.


Automating Semantic Model Security via Semantic Link

Marc Lelijveld writes a script:

You may be using standardized solutions like Fabric Unified Admin Monitoring (FUAM) or any other templated solution that comes with a semantic model. As part of transparency within your organization, you decided to share the insights gathered with others in the organization by adjusting the solution to apply your own security setup on top.

However, after running an update of the template, you’ve overwritten your custom security configuration and reapplying costs a lot of time, again and again after each update. Why don’t we just script this security? In this blog I will share how you can deploy security configurations to semantic models and assign users to these roles.

Click through for an example script and details on how it works.


Fun with SQL Firewall in Oracle

Brendan Tierney follows up on a SQL Firewall post:

In a previous post, we’ve explored some of the core functionality of SQL Firewall in Oracle 23ai. In this post I’ll explore some of the other functionality that I’ve had to use as we’ve deployed SQL Firewall over the past few weeks.

Sometimes, when querying the DBA_SQL_FIREWALL_VIOLATIONS view, you might not get the current up-to-date violations, or if you are running it for the first time you might get no rows or violations being returned from the view. This is a slight timing issue, as the violations log/cache might not have been persisted to the data dictionary. If you end up in this kind of situation you might need to flush the logs to the data dictionary. To do this, run the following.

Click through for that command, as well as a few other scenarios and commands that may be of interest.


Evading Data Access Auditing in SQL Server and How to Stop It

Andreas Wolter brainstorms:

The methods that I will share here allow an attacker to either conceal his identity or even evade auditing completely.

Most of these commands require sysadmin privileges. However, if your goal is to audit every access to sensitive data, this typically means “all users” – not with an exception for administrators. Because of this, it’s important to understand these methods so you can make an informed decision about whether to include them in your auditing scope.

Some of these are wildly impractical, but they do work and Andreas has mitigations for each.


Updates to Fabric Data Factory

Abhishek Narain has a list of updates:

Workspace Private Link Support for Data Factory (Preview): Microsoft Fabric enables secure data integration through Private Link support in Dataflows Gen2, Pipelines, and Copy jobs. This ensures that inbound data access remains isolated and compliant within protected workspaces. By leveraging VNet data gateways, organizations can securely connect to data sources across Private Link-enabled environments—eliminating exposure to public networks and reinforcing enterprise-grade security for sensitive data operations.

Most of these are security-related updates, with a mixture of things now GA, things currently in preview, and a pair of items coming soon.


Tokenization in SQL Server

Sebastiao Pereira demonstrates a combination of encryption and redirection to store sensitive data:

As privacy regulations such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and more tighten, organizations are placing an increased focus on protecting sensitive information within databases. Tokenization is an option to adhere to those regulations. Let’s see how to implement SQL tokenization in SQL Server.

This is a reasonably clever solution, though if you need to search on any of the tokenized (i.e., encrypted and moved to a separate table) values, performance would be miserable. Even displaying the results for a moderately sized result set would run into serious performance issues. I suppose that if you, for some regulatory reason, need to keep these tokens stored elsewhere from the data, then you manage expectations the best you can.
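To make the "encrypted and moved to a separate table" pattern concrete, here is an added T-SQL example of a minimal token vault. It is not code from Sebastiao Pereira's post; the table names, the certificate and key names, and the sample card number are constructed for illustration, and the password is a placeholder. The last query shows why searching on a tokenized value is expensive: the predicate can only be evaluated after decrypting every vault row.

```sql
-- Added example (not from the original post): a minimal token vault in SQL Server.
-- Key hierarchy: database master key -> certificate -> AES-256 symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
CREATE CERTIFICATE TokenVaultCert WITH SUBJECT = 'Protects the token vault symmetric key';
CREATE SYMMETRIC KEY TokenVaultKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE TokenVaultCert;
GO

-- The vault holds only ciphertext; the business table holds only the opaque token.
CREATE TABLE dbo.TokenVault (
    Token          UNIQUEIDENTIFIER NOT NULL PRIMARY KEY,
    EncryptedValue VARBINARY(256)   NOT NULL,
    CreatedAt      DATETIME2(0)     NOT NULL DEFAULT SYSUTCDATETIME()
);
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Name       NVARCHAR(100)    NOT NULL,
    CardToken  UNIQUEIDENTIFIER NOT NULL REFERENCES dbo.TokenVault (Token)
);
GO

-- Tokenize: encrypt the sensitive value into the vault, store the token with the record.
-- (constructed sample value; any string would do)
OPEN SYMMETRIC KEY TokenVaultKey DECRYPTION BY CERTIFICATE TokenVaultCert;
DECLARE @token UNIQUEIDENTIFIER = NEWID();
INSERT dbo.TokenVault (Token, EncryptedValue)
VALUES (@token, ENCRYPTBYKEY(KEY_GUID('TokenVaultKey'), N'4111111111111111'));
INSERT dbo.Customer (Name, CardToken) VALUES (N'Sample customer', @token);

-- Detokenize for an authorized caller: the join is cheap (token is the clustered key),
-- and only the rows actually returned are decrypted.
SELECT c.CustomerId, c.Name,
       CAST(DECRYPTBYKEY(v.EncryptedValue) AS NVARCHAR(32)) AS CardNumber
FROM dbo.Customer AS c
JOIN dbo.TokenVault AS v ON v.Token = c.CardToken
WHERE c.CustomerId = 1;

-- Searching by plaintext is the expensive case: no index can serve this predicate,
-- so SQL Server scans the whole vault and decrypts every row before comparing.
SELECT c.CustomerId, c.Name
FROM dbo.Customer AS c
JOIN dbo.TokenVault AS v ON v.Token = c.CardToken
WHERE CAST(DECRYPTBYKEY(v.EncryptedValue) AS NVARCHAR(32)) = N'4111111111111111';

CLOSE SYMMETRIC KEY TokenVaultKey;
```

Grant EXECUTE on a detokenizing procedure rather than direct access to the vault and key, so the set of principals that can ever see plaintext stays small and auditable.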


Viewing Security Settings in OneLake Catalog

Aaron Merrill announces a new preview feature:

Introducing the Secure tab in the OneLake catalog—your central place to understand and manage access across Fabric items. From a single view, you can view workspace roles with the View users experience and inspect or modify OneLake security roles with View security roles. The Secure tab brings a streamlined view for governance teams and workspace owners to quickly validate permissions and tighten least‑privilege access.

Click through to see how it looks.


SQL Firewall in Oracle

Brendan Tierney tries out the SQL Firewall feature in Oracle:

SQL Firewall allows you to implement a firewall within the database to control what commands are allowed to be run on the data. With SQL Firewall you can:

  • Monitor the SQL (and PL/SQL) activity to learn what the normal or typical SQL commands are that are being run on the data
  • Capture all commands and log them
  • Manage a list of allowed commands, etc., using policies
  • Block and log all commands that are not allowed. Some commands might be allowed to run

Read on to see how it works. It’s an interesting approach that can supplement traditional firewall and web application firewall systems.
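The four bullets above map onto one workflow in the DBMS_SQL_FIREWALL package: enable, capture, generate an allow-list, enforce. The following is an added example and not code from Brendan Tierney's post; it assumes a schema named APP_USER (constructed for illustration) and a session holding the SQL_FIREWALL_ADMIN role, and the procedure parameters are as I understand the 23ai package, so check them against the DBMS_SQL_FIREWALL reference for your release.

```sql
-- Added example (not from the original post): SQL Firewall capture -> allow-list -> enforce.
-- APP_USER is a constructed schema name; run as a SQL_FIREWALL_ADMIN user in the PDB.

-- 1. Turn the firewall on for this database.
BEGIN
  DBMS_SQL_FIREWALL.ENABLE;
END;
/

-- 2. Monitor: start capturing the statements APP_USER actually issues.
--    top_level_only => TRUE ignores SQL issued from inside PL/SQL units.
BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'APP_USER',
    top_level_only => TRUE,
    start_capture  => TRUE);
END;
/

-- ... let the application run its normal workload for a representative period, then:
BEGIN
  DBMS_SQL_FIREWALL.STOP_CAPTURE(username => 'APP_USER');
END;
/

-- Review what was learned before it becomes policy.
SELECT username, sql_text
FROM   dba_sql_firewall_capture_logs
WHERE  username = 'APP_USER';

-- 3. Policy: build the allow-list from the capture and turn it on.
--    block => FALSE would only log violations (a sensible first step in production);
--    block => TRUE rejects any statement that is not on the list.
BEGIN
  DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST(username => 'APP_USER');
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'APP_USER',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_SQL,
    block    => TRUE);
END;
/

-- 4. Block and log: statements outside the allow-list are recorded here.
SELECT username, sql_text, firewall_action
FROM   dba_sql_firewall_violations
WHERE  username = 'APP_USER';
```

Start with block => FALSE and watch the violations view for a release cycle; a capture taken during a quiet period will miss month-end or batch statements, and the first enforcement run is where those gaps show up.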


Maintaining PostgreSQL without Superuser

Radim Marek doesn’t need special access:

How many people/services have superuser access to your PostgreSQL cluster(s)? Did you ever ask why your software engineers might need it? Or your BI team? Why do those use cases require the same privileges as someone who can drop your databases?

The answer isn’t because these operations are inherently dangerous – it’s because PostgreSQL historically offered limited options for operational access, or simply because not enough people are aware of the options. So the common practice is to either get basic permissions or hand over the keys to the kingdom.

Read on to see how pre-defined roles can help. These have recently come into the product, so read on to see how different versions of PostgreSQL have extended this functionality.
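As an added illustration of the pre-defined roles the post points at (this is not code from Radim Marek's post), the SQL below replaces three common "just make it superuser" requests with narrowly scoped grants, and ends with a query that verifies the result. The login names bi_reader, metrics_agent and ops_maint are constructed for the example and the passwords are placeholders; the pg_* roles are PostgreSQL's own, with the version each one appeared in noted beside it.

```sql
-- Added example (not from the original post): pre-defined roles instead of SUPERUSER.
-- Login names are constructed; passwords are placeholders.

-- A BI/reporting login that can read every table, view and sequence but change nothing.
CREATE ROLE bi_reader LOGIN PASSWORD '<password placeholder>';
GRANT pg_read_all_data TO bi_reader;          -- PostgreSQL 14+

-- An observability agent that needs settings and statistics views only.
CREATE ROLE metrics_agent LOGIN PASSWORD '<password placeholder>';
GRANT pg_monitor TO metrics_agent;            -- PostgreSQL 10+; bundles pg_read_all_settings,
                                              -- pg_read_all_stats and pg_stat_scan_tables

-- An operations account that can cancel runaway queries, force a checkpoint, and run
-- VACUUM/ANALYZE/REINDEX on every relation, without being able to read application data.
CREATE ROLE ops_maint LOGIN PASSWORD '<password placeholder>';
GRANT pg_signal_backend TO ops_maint;         -- PostgreSQL 11+ (cannot signal superuser backends)
GRANT pg_checkpoint     TO ops_maint;         -- PostgreSQL 15+
GRANT pg_maintain       TO ops_maint;         -- PostgreSQL 17+ (MAINTAIN privilege on all relations)

-- Verification: which pre-defined roles does each login hold, and is any of them superuser?
-- In LIKE, '\_' matches a literal underscore, so this lists only pg_* roles.
SELECT r.rolname,
       r.rolsuper,
       array_agg(p.rolname ORDER BY p.rolname) AS predefined_roles
FROM   pg_roles r
JOIN   pg_auth_members m ON m.member = r.oid
JOIN   pg_roles p        ON p.oid = m.roleid AND p.rolname LIKE 'pg\_%'
WHERE  r.rolname IN ('bi_reader', 'metrics_agent', 'ops_maint')
GROUP  BY r.rolname, r.rolsuper;

-- Inventory of remaining superusers, i.e. the candidates for demotion.
SELECT rolname
FROM   pg_roles
WHERE  rolsuper AND rolname <> 'postgres';
```

On older servers the later roles simply do not exist and the GRANT fails with "role does not exist", which is a useful, loud signal that the cluster version decides how far the superuser cleanup can go.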
