
Category: Security

TDE with Customer-Managed Keys in Azure SQL Database

Mirek Sztajno announces a public preview:

In this scenario, a key that is stored in a customer-owned and customer-managed Azure Key Vault (AKV) can be used for each database within a server to encrypt the database encryption key (DEK), called the TDE protector. The feature provides the ability to add keys, remove keys, and change the user-assigned managed identity (UMI) for each database. For more information on identity management, see Managed identity types in Azure.

Click through for more details on how it works and what’s currently not supported in the public preview.


Hiding Power BI Pages Is Not for Security

Marc Lelijveld points out that, just because the kitten covered its eyes and can’t see you, that doesn’t mean you can’t see it:

Most of us probably know, but every now and then, I still run into cases where hiding pages in a Power BI report is used for security purposes. Although hiding pages might seem like a security feature, it is not intended to be used as one since it can be easily bypassed. Users can find hidden pages by simple URL tweaking or right-clicking on the tabs. The article provides an example of how users can use the Reports-Get Pages API to get all report pages and report sections without having to write a single line of code. The default page when publishing a report is the one that is open, even if it is hidden.

Yeah, hiding pages is really more of a convenience thing, especially if you’re making heavy use of drillthrough and other cross-page functionality.


SQL Alerts on Potential Attacks

David Fowler keeps his head on a swivel:

But let’s be honest, the above attacks are just going to be opportunistic hackers probably using an automated tool to hunt out open servers and try to exploit them, a bit like the guy walking down the road and trying all the car doors in the hope that someone will have left theirs unlocked. If someone’s specifically targeting your servers, the chances are that they’ll be a bit more sophisticated.

This is where things get a little more troublesome and where SQL doesn’t really give us any tools to help.

But there are warning signs that we can look out for and these can be certain error messages in the logs. There are three in particular that I see as red flags that something amiss may be going on.

Click through for those three warning signs and how you can create SQL Server alerts upon logging these messages. The errors aren’t guaranteed to be an attacker, though in reading them, I’d expect a high signal-to-noise ratio on them.


Enabling PowerShell Constrained Mode

Patrick Gruenauer slips on the straightjacket:

In this blog post I am going to show you how to enable the PowerShell Constrained Mode. What is the Constrained Mode? Microsoft explains this as follows:

Click through for that definition, as well as a demonstration and a bit more explanation. It seems that there’s a specific use case for constrained mode, and it’s not one most of us are likely to work with.


An Overview of SQL Server Security Options

Ben DeBow gives us a once-over of things you can do to harden a SQL Server instance:

Microsoft SQL Server is one of the most secure platforms available, but companies need to deploy, configure, and implement it correctly – along with implementing its built-in security features – in order to ensure their systems are fully protected. Here, we’ll explore six of the most important security features and how to implement them to enhance your SQL Server security.

This isn’t a how-to guide so much as it is a what-you-can-do guide.


Pro Encryption in SQL Server Errata

Matthew McGiffen made the first mistake—admitting fault for anything, ever:

My biggest fear when my book went into production was that any factual errors had slipped through my checks and the various reviews. I had a lot of reviewer support from Apress, but at the end of the day any issues are my responsibility.

So far I’m not aware of any factual errors but one kind reader (Ekrem Önsoy) has shared with me a few typos they have found. I’m going to document them here and will keep this post up to date as I’m made aware of any others:

Mistakes in 300 pages of text will happen, no matter how many times you go through your magnum opus. For example, I hate the fact that I went through every chapter of PolyBase Revealed 8 or 9 times to weed out any little typo. Then, as soon as I got my copies of the print edition in, I flipped open to a random page and immediately spotted a typo.


Using Security Groups with Power BI Row-Level Security

Soheil Bakhshi has a recommendation for us:

However, managing RLS roles can be challenging if you have a large number of users or if your user base changes frequently. You need to manually assign each user account to one or more roles, which can be time-consuming and error-prone. Moreover, if a user changes their position or leaves the organisation, you must update their role membership accordingly.

This is where Security Groups become handy.

Soheil explains why and then gives us a step-by-step guide on what we can do to use security groups instead.


Unmasking Dynamic Data Masking via PowerShell

Jana Sattainathan needs to see all the details:

Today, I had to unmask all the columns I had helped mask using Dynamic Data Masking. This simple post assumes that you are a privileged user with the ability to drop “Column Masking”!

In other words, this isn’t exploiting the mechanics of Dynamic Data Masking to view data you shouldn’t be able to; it’s about removing Dynamic Data Masking from columns with it enabled.


Role-Based Access Controls in Amazon OpenSearch

Scott Chang and Muthu Pitchaimani show how to assign rights in Amazon OpenSearch to IAM groups:

Amazon OpenSearch Service is a managed service that makes it simple to secure, deploy, and operate OpenSearch clusters at scale in the AWS Cloud. AWS IAM Identity Center (successor to AWS Single Sign-On) helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. To build a strong least-privilege security posture, customers also wanted fine-grained access control to manage dashboard permission by user role. In this post, we demonstrate a step-by-step procedure to implement IAM Identity Center to OpenSearch Service via native SAML integration, and configure role-based access control in OpenSearch Dashboards by using group attributes in IAM Identity Center. You can follow the steps in this post to achieve both authentication and authorization for OpenSearch Service based on the groups configured in IAM Identity Center.

Click through for the process.


RBAC with Kubernetes

Mercy Bassey locks down some containers:

Have you been searching for a way to manage your resources effectively in Kubernetes? Why not consider Kubernetes Role-Based Access Control (RBAC)? With Kubernetes RBAC, you can securely manage containers.

Kubernetes RBAC allows administrators like yourself to define roles with specific permissions to access resources in a Kubernetes cluster. And in this tutorial, you will learn how to create a user and define roles with specific permissions.

There are enough steps involved that I’d definitely want to manage this at the group level.
