Category: Security

Column-Level Encryption in SQL Server

Greg Low provides a primer:

Way back in SQL Server 2005, Microsoft introduced an amazing array of technologies. I suspect that many SQL Server professionals aren’t aware of just how many technologies were introduced in that release. It’s not surprising that professionals are still learning about a number of these technologies, even 20 years later. In particular, questions regarding certificates, keys, and column-based encryption still draw blank responses from most SQL Server professionals.

What’s interesting is that, as far as technologies like Always Encrypted have taken us, one of the first things to get support in new twists on SQL Server (e.g., Synapse, Fabric) is column-level security.

Power BI Build Permissions

Chris Webb explains what the Build permission actually does:

If there is sensitive data in your Power BI semantic model that you don’t want some users to see then you need to use row-level security or object-level security to control access to that data. You’re an experienced Power BI developer – you know that, right? But what about Build permissions? If an end-user only has access to a report you’ve built and doesn’t have Build permissions on the underlying semantic model, and if there’s no other security on the semantic model, can they access data in the semantic model that isn’t visible in the report? The answer is potentially yes: you can’t rely on Build permissions for security.

I’ve found that the best method of security is never deploying products to begin with. Also, never using a computer.

What’s New in OneLake

Kim Manis shares an update:

In this blog post, I’ll highlight the new zero-ETL, zero-copy sources in OneLake, deeper interoperability between OneLake and Microsoft Foundry, and new tools to help admins manage capacity, security, and governance at scale. Together, these updates further cement Fabric as the ideal data platform for your mission-critical workloads—open, integrated, secure, and built to connect every part of your data estate to the intelligence your business needs. 

Read on to see some of the latest from Ignite.

Exploiting Database as a Service SQL Server

Fabiano Amorim has a post-mortem of a nasty privilege escalation bug in SQL Server:

This article explores a serious flaw in this security model – a SQL Injection vulnerability in sys.sp_help_spatial_geography_histogram that allowed a standard user on managed SQL Server instances (AWS, GCP, Alibaba, Azure) to completely bypass these restrictions, gain access to privileged user data, and decrypt the source code of internal management stored procedures.

It was fixed in SQL Server 2022 CU20 (KB5063814), but this article explains how the exploit worked and the process of eliminating it.

Click through for the details and make sure your on-premises SQL Server instances are patched.

OneLake Security and the Fabric SQL Analytics Endpoint

Freddy Santos takes us through the latest with respect to security in OneLake:

OneLake Security centralizes fine-grained data access for Microsoft Fabric data items and enforces it consistently across engines. Currently in Preview and opt-in per item, it lets you define roles over tables or folders and optionally add Row-Level Security (RLS) and Column-Level Security (CLS) policies. These definitions govern what users can see across Fabric experiences.

Read on to see what you can do.

Updates to sp_CheckSecurity

Jeff Iannucci has been busy:

It’s been a while since we made some improvements to the public version of sp_CheckSecurity, but internally we’ve been busy fine tuning checks and adding even more to discover potential vulnerabilities in your SQL Server instances.

Today we’re announcing a new version that includes additions, corrections, and a few other adjustments that should be helpful. Here’s what’s new!

Read on to see what has changed.

Customer-Managed Keys in Microsoft Fabric

Sumiran Tandon makes an announcement:

Customer managed keys were launched in preview, offering workspace administrators the ability to use keys in Azure Key Vault and Managed HSM, to protect data in certain Fabric items. Now, we are extending the encryption support to more Fabric workloads. You can now create Fabric Warehouses, Notebooks and utilize the SQL Analytics Endpoint in workspaces enabled with encryption using your keys. The changes are rolling out and should be available in all regions over the next few days.

Freddie Santos digs into what this means for Fabric Warehouse and the SQL analytics endpoint:

Fabric already ensures that your data is encrypted at rest using Microsoft-managed keys. But for many organizations—especially in regulated industries—encryption alone isn’t enough. They need the ability to control and manage the keys that protect their data, aligning with internal compliance requirements, regulatory standards, and governance best practices.

I know that there are enough companies where this is absolutely necessary for adoption of a product, but I should point out that even without bringing your own key, Microsoft does use their own generated keys to encrypt your data at rest.

Automating Semantic Model Security via Semantic Link

Marc Lelijveld writes a script:

You may be using standardized solutions like Fabric Unified Admin Monitoring (FUAM) or any other templated solution that comes with a semantic model. As part of transparency within your organization, you decided to share the insights gathered with others in the organization by adjusting the solution to apply your own security setup on top.

However, after running an update of the template, you’ve overwritten your custom security configuration and reapplying costs a lot of time, again and again after each update. Why don’t we just script this security? In this blog I will share how you can deploy security configurations to semantic models and assign users to these roles.

Click through for an example script and details on how it works.
