Press "Enter" to skip to content

Category: Security

Information Disclosure Vulnerability in SQL Server

Published 2025-07-11 by Kevin Feasel

Mike Walsh takes us through a recent CVE entry:

On patch Tuesday this week, Microsoft released an Important severity security update (a CVSS base score of 7.5)

The details of this 0-day exploit are available to read at the NIST site, and the Microsoft security update site.

In short, the exploit that Microsoft has discovered and subsequently fixed can allow information disclosure.

The NIST entry is kind of a joke right now, and the Microsoft security update info is basically what they submitted to NIST plus links to download the patches. Still, this is worth patching and it’s an issue that goes back at least to 2016—probably earlier, but 2016 is the last version of SQL Server that still gets security updates.

Comments closed

Troubleshooting Permissions in SQL Server

Published 2025-07-10 by Kevin Feasel

Jon Russell takes a look at several ways to gauge user permissions:

Understanding and troubleshooting SQL Server permissions can be challenging, especially when direct grants, role inheritance, ownership chains, and explicit denies all interact. The six scenarios that follow show how the engine decides who can do what, then demonstrate the diagnostic steps that reveal why it made that decision. Each section provides a setup script you can run in a dedicated test database, followed by a diagnostic query and a short explanation of the result.

Click through for six methods. I do wish that, instead of sys.fn_my_permissions() there was some sys.fn_user_permissions(@UserName) option. I realize that you can execute as a specific user and then run the function, but I had dreamed for years about having a way to track effective user permission changes, and sys.fn_my_permissions() requires not only that you have the authority to execute as a specific user, but also that you know all of the relevant users.

Comments closed

Goodbye Default Contributor Role in Fabric Workspace Identities

Published 2025-07-10 by Kevin Feasel

Varun Jain makes a security announcement:

Fabric workspace identity is an automatically managed service principal that can be associated with a Fabric workspace. Fabric workspaces with a workspace identity can securely read or write to firewall-enabled Azure Data Lake Storage Gen2 accounts through trusted workspace access for OneLake shortcuts. Fabric items can use the identity when connecting to resources that support Microsoft Entra authentication. Fabric uses workspace identities to obtain Microsoft Entra tokens without the customer having to manage any credentials. 

Previously, a workspace identity was automatically assigned the workspace contributor role and had access to workspace items.  

Read on to see what’s changing, why, and what you can do instead.

Comments closed

Changes to Power BI’s Publish to Web

Published 2025-06-30 by Kevin Feasel

Boniface Muchendu looks at some changes:

Power BI includes a powerful feature called Publish to Web, which allows users to share interactive reports publicly without requiring viewers to sign in. While this tool simplifies access, it can also create security risks if misused. In this guide, you’ll learn what “Publish to Web” does, how Microsoft updated it for better governance, and how to manage access responsibly.

Click through to see what’s new.

Comments closed

Customer Managed Keys in OneLake

Published 2025-06-27 by Kevin Feasel

Harmeet Gill shows us how we can bring our own keys to data in OneLake:

One of the highly requested features in Microsoft Fabric is now available: the ability to encrypt data in OneLake using your own keys. As organizations face growing data volumes and tighter regulatory expectations, Customer-Managed Keys (CMK) offer a powerful way to enforce enterprise-grade security and ensure strict ownership of encryption keys and access.

With Microsoft’s OneLake, we’ve built a unified data lake that’s open, secure, and ready for enterprise scale. Now, with support for CMK, we’re giving customers the power to take encryption into their own hands.

Read on to learn more about Microsoft’s default for data encryption, and how you can use your own keys to encrypt the data.

Comments closed

PBKDF2 in SQL Server 2025

Published 2025-06-25 by Kevin Feasel

Vlad Drumea has my interest:

I’ve written previously about auditing or cracking SQL Server login passwords either online (inside the instance itself) or offline (exporting the hashes and using a specialized cracking tool).

Last week, Microsoft’s Pieter Vanhove published a blog post that covers What’s new in SQL Server 2025 security.

This is one of the few instances in which I’d prefer things be slower in the database.

Comments closed

OneLake Security Updates

Published 2025-06-25 by Kevin Feasel

Aaron Merrill shares some news:

It’s been almost 3 months since we announced OneLake security at FabCon 2025 in Las Vegas, and while the interest has not slowed down, we’ve also been working behind the scenes to improve the feature and address your feedback. In this blog post, we’ll go through some of the latest updates on OneLake security including further support for OneLake shortcuts, improved RLS authoring, and updated permissions to manage OneLake security.

Read on to see what has changed.

Comments closed

It’s Always Permissions (or DNS)

Published 2025-06-24 by Kevin Feasel

Kristina Mishra takes us through troubleshooting a problem:

Ah, you’ve setup a deployment pipeline and let your people know it’s ready for them to do the thing. Everything looks fine on your end, so you shoot off a message to the group and go about your busy day. (Nevermind your Test environment was set up 4 months ago, Production 3 days ago, and Development was replaced 2 months ago with a new Development environment because your region changed.) You’ve added all the permission groups to each environment and added your “contributors” as Admin to the deployment pipeline (no comment), so everything should be grand.

Famous last words, indeed.

Comments closed

Exfiltration Opportunities in Power Query

Published 2025-06-23 by Kevin Feasel

Oscar Martinez lays out the risks:

Data exfiltration is the act of moving sensitive data outside a trusted environment without authorisation. In the context of Power Query (the data transformation engine behind Excel, Power BI, dataflows, etc.), this means an insider could use a Power Query script to siphon data from secure sources (like databases) out to an external destination. Microsoft defines data exfiltration as the movement of sensitive business data outside a trusted boundary, whether intentionally or unintentionally.^1

Click through to learn more about what is possible, as well as practical tips on how to reduce this risk.

Comments closed

Restoring a Database via dbatools

Published 2025-06-18 by Kevin Feasel

David Seis digs into the Restore-DbaDatabase cmdlet:

In this blog post, we will audit the dbatools command Restore-DbaDatabase. I will test, review, and evaluate the script based on a series of identical steps. Our goal is to provide insights, warnings, and recommendations to help you use this script effectively and safely. Restore-DbaDatabase is powerful tool to automate the restore of any database, and it works well in automated solutions such as daily refreshes or weekly refreshes of production to a lower environment.

David’s blog post takes a look at the cmdlet’s functionality, but also thinking about it from a security perspective.

Comments closed