Press "Enter" to skip to content

Category: Security

Data Correlation Optimization and Cross-Database Data Leaks

Published 2026-01-08 by Kevin Feasel

Fabiano Amorim shows off a vulnerability:

This vulnerability involves restoring a database into a DBaaS and uses a “corrupted” internal view, effectively turning the engine’s own intelligence against itself.

The exploit is elegant in a disturbing way, since there’s no need for xp_cmdshell, CLR, or any of the usual suspects – just a carefully crafted .bak file and SQL Server’s unwavering belief in its own metadata integrity.

The payload hides where no DBA would look – system tables that are supposed to be immutable – and executes under a context that was never meant to be controllable by the user.

This is not a misconfiguration or a permission trick – it’s a design flaw rooted in how the SQL Server engine trusts its persisted metadata, and how that trust persists across the boundary between a user-managed instance and a cloud-managed environment.

This kind of fits in the “Neat, but not incredibly practical” bucket for me, so I can understand Microsoft marking this as a low-risk security issue.

Leave a Comment

An Overview of Fabric Security Insights

Published 2026-01-07 by Kevin Feasel

Yael Biss lays out some changes:

We want to update on a strategic evolution in how you can access and utilize security insights within Microsoft Fabric! The powerful reports you’ve relied on in the Microsoft Purview Hub are officially transitioning and being significantly enhanced within the new Admin Report in the Govern tab of the OneLake Catalog, as was announced at Ignite in November and explained in the Govern in OneLake Catalog for Fabric admins (Preview) blog post.

This isn’t just a relocation; it’s a consolidation and elevation of your most critical governance data. This move is a direct response to your feedback and a key step in providing a more unified, intuitive, and action-oriented governance experience right where your data lives.

There’s a bit too much marketing hype in the blog post for me not to roll my eyes a bit, but the security insights themselves are useful.

Leave a Comment

Object-Level Security in Power BI

Published 2025-12-31 by Kevin Feasel

Vin Mai Quang lays out an explanation:

For a POC project, my team lead asked me to practice and build a demo Power BI report that applied OLS (Object Level Security). Although it sounded simple at first, I was surprised by how OLS actually behaves in Power BI. In this blog, I would like to share my findings with you.

Click through for a demonstration of how it all works, including how to deal with scenarios in which customers shouldn’t get access to specific columns but should still be able to see others.

Leave a Comment

Privilege Escalation via Replication Job

Published 2025-12-23 by Kevin Feasel

Fabiano Amorim makes note of a security concern:

Privilege escalation in SQL Server isn’t just theory – it can happen through everyday maintenance jobs. This article demonstrates how a user with roles like db_owner or db_ddladmin can exploit replication cleanup processes to gain sysadmin rights, and why monitoring trigger creation and job behavior is critical for security.

Replication is one of those things people tend not to understand very well, including the necessary permissions. It’s a lot easier simply to say, “Here’s sysadmin” because that actually works instead of giving you a cryptic error you can barely troubleshoot and that’s only thanks to a Repltalk article from 2009. And heaven help you if you’re looking at merge replication.

But as far as the article goes, I won’t say that it’s much ado about nothing. What I will, however, say is that your account needs to be db_owner or db_ddladmin first, and that does mitigate a fair amount of the risk.

Leave a Comment

Diagnosing SQL Audit Failure

Published 2025-12-22 by Kevin Feasel

Alyssa Montgomery troubleshoots an issue:

Message: 

SQL Server Audit failed to create an audit file related to the audit ‘AuditName_ServerAudit’ in the directory ‘C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Log’. Make sure that the disk is not full and that the SQL Server service account has the required permissions to create and write to the file. 

Based on the error, the solution would be to free up drive space or add user/service account permissions in the file path. Unless you are initially setting up an audit, typically permissions are not the issue. 

Read on for an example and how to resolve this issue.

Leave a Comment

A Security and HA Checklist for Database Application Vendors

Published 2025-12-18 by Kevin Feasel

Andreas Wolter shares a list:

As a database application vendor, the security and reliability of your software are core competitive advantages. To help reaching this goal, we have created a checklist which is meant to serve as a blueprint for designing data applications that are secure by default and resilient to failure, ensuring your customers can trust your product in demanding enterprise environments.

I think it’s a good set of criteria. And from the customer’s side, it’s easy to convert these into questions that you can ask vendors before deploying their software.

Comments closed

Workspace Identity Authentication in Power BI

Published 2025-12-11 by Kevin Feasel

Teo Lachev looks at a new way of authenticating:

What credentials do you use to refresh your Power BI semantic models from Azure SQL SKUs, such as Azure SQL Database. Probably your credentials or a designated Entra account? Both are not ideal for a variety of reasons, including requiring a password. More advanced users might be using service principals, which are more secure but require secret renewal after a maximum of 24 months, which is a hustle.

Read on to learn about a new alternative in workspace identities.

Comments closed

OneLake Security ReadWrite Access

Published 2025-12-10 by Kevin Feasel

Kiefer Sheldon practices least privilege:

Many data teams face the same challenge: balancing the need for open collaboration with the responsibility of protecting sensitive information. As organizations grow, data often lives across multiple domains—some containing critical or confidential datasets—while partner teams may only need access to a subset of that information.

Until recently, maintaining this balance often meant trade-offs. Teams had to choose between a fragmented storage setup or overexposing data just to keep their workflows running smoothly.

Read on to see how this works.

Comments closed

Thoughts on Renaming sa

Published 2025-12-05 by Kevin Feasel

Andreas Wolter asks, what is in a name?

This is another one of those subjects that keep circulating: should you rename your sa account?

Plenty of “security check” scripts swear you should. Meanwhile, when you talk to actual humans in the real world, you’ll notice that almost nobody does it. (Funny how that works.)

So what does Sarpedon Quality Lab® recommend – and why? Our answer (read to the end) may surprise you.

Before reading Andreas’s post, I wanted to note that, when I was a DBA and had control of such things, I would actually rename the sa account and then create a separate account called “sa” with zero permissions, not even the ability to connect. I never considered it a critical part of a security posture, but knowing how many scripts try to brute-force an account called sa, I figured setting up a false front like that would add some protection on the margin.

After reading Andreas’s post, I wasn’t aware that doing so would break replication, though it makes sense because I wasn’t using replication at that time. Making sa’s password extremely long is also a good idea.

Comments closed

Access S3 Buckets in VPCs in Fabric via Entra Integration

Published 2025-12-03 by Kevin Feasel

Premal Shah announces new functionality in preview:

When we first introduced Amazon S3 shortcut integration with Microsoft Entra ID, customers gained a powerful new way to connect S3 data to Microsoft Fabric — without storing or rotating AWS access keys. Using OpenID Connect (OIDC), Fabric authenticates directly with AWS Identity and Access Management (IAM), enabling secure, identity-based access to cloud storage.

However, many enterprises keep their S3 buckets locked down inside Virtual Private Clouds (VPCs) or behind corporate firewalls. In these environments, Entra OIDC can authenticate identities, but it cannot provide network access — so Fabric still cannot reach the S3 endpoint. That changes today.

Read on to see what has changed, how you can enable this functionality, and current limitations.

Comments closed