Press "Enter" to skip to content

Category: Security

Fun with SQL Firewall in Oracle

Published 2025-10-09 by Kevin Feasel

Brendan Tierney follows up on a SQL Firewall post:

In a previous post, we’ve explored some of the core functionality of SQL Firewall in Oracle 23ai, In this post I’ll explore some of the other functionality that I’ve had to use as we’ve deployed SQL Firewall over the past few weeks.

Sometimes, when querying the DBA_SQL_FIREWALL_VIOLATIONS view, you might not get the current up to-date violations, or if you are running it for the first time you might get now rows or violations being returned from the view. This is a slight timing issue, as the violations log/cacbe might not have been persisted to the data dictionary. If you end up in this kind of situation you might need to flush the logs to to data dictionary. To do this, run the following.

Click through for that command, as well as a few other scenarios and commands that may be of interest.

Comments closed

Evading Data Access Auditing in SQL Server and How to Stop It

Published 2025-10-09 by Kevin Feasel

Andreas Wolter brainstorms:

The methods that I will share here allow an attacker to either conceal his identity or even evade auditing completely.

Most of these commands require sysadmin privileges. However, if your goal is to audit every access to sensitive data, this typically means “all users”  –  not with an exception for administrators. Because of this, it’s important to understand these methods so you can make an informed decision about whether to include them in your auditing scope.

Some of these are wildly impractical, but they do work and Andreas has mitigations for each.

Comments closed

Updates to Fabric Data Factory

Published 2025-10-06 by Kevin Feasel

Abhishek Narain has a list of updates:

Workspace Private Link Support for Data Factory (Preview): Microsoft Fabric enables secure data integration through Private Link support in Dataflows Gen2, Pipelines, and Copy jobs. This ensures that inbound data access remains isolated and compliant within protected workspaces. By leveraging VNet data gateways, organizations can securely connect to data sources across Private Link-enabled environments—eliminating exposure to public networks and reinforcing enterprise-grade security for sensitive data operations.

Most of these are security-related updates, with a mixture of things now GA, things currently in preview, and a pair of items coming soon.

Comments closed

Tokenization in SQL Server

Published 2025-09-29 by Kevin Feasel

Sebastiao Pereira demonstrates a combination of encryption and redirection to store sensitive data:

As privacy regulations tighten like General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standards (PCI DSS) organizations and more, there is an increased focus to protect sensitive information within databases. Tokenization is an option to adhere to those regulations. Let’s see how to implement SQL tokenization in SQL Server.

This is a reasonably clever solution, though if you need to search on any of the tokenized (i.e., encrypted and moved to a separate table) values, performance would be miserable. Even displaying the results for a moderately sized result set would run into serious performance issues. I suppose that if you, for some regulatory reason, need to keep these tokens stored elsewhere from the data, then you manage expectations the best you can.

Comments closed

Viewing Security Settings in OneLake Catalog

Published 2025-09-26 by Kevin Feasel

Aaron Merrill announces a new preview feature:

Introducing the Secure tab in the OneLake catalog—your central place to understand and manage access across Fabric items. From a single view, you can workspace roles with the View users experience and inspect or modify role OneLake security roles with View security roles. The Secure tab brings a streamlined view for governance teams and workspace owners to quickly validate permissions and tighten least‑privilege access.

Click through to see how it looks.

Comments closed

SQL Firewall in Oracle

Published 2025-09-19 by Kevin Feasel

Brendan Tierney tries out the SQL Firewall feature in Oracle:

SQL Firewall allows you to implement a firewall within the database to control what commands are allowed to be run on the data. With SQL Firewall you can:

  • Monitor the SQL (and PL/SQL) activity to learn what the normal or typical SQL commands are being run on the data
  • Captures all commands and logs them
  • Manage a list of allowed commands, etc, using Policies
  • Block and log all commands that are not allowed. Some commands might be allowed to run

Read on to see how it works. It’s an interesting approach that can supplement traditional firewall and web application firewall systems.

Comments closed

Maintaining PostgreSQL without Superuser

Published 2025-09-15 by Kevin Feasel

Radim Marek doesn’t need special access:

How many people/services have superuser access to your PostgreSQL cluster(s)? Did you ever ask why your software engineers might need it? Or your BI team? Why those use cases require same privileges as someone who can drop your databases?

The answer isn’t because these operations are inherently dangerous – it’s because PostgreSQL historically offered limited options for operational access or simply because not enough people are aware of the options. So the common practice is to either got basic permissions or handover the keys to the kingdom.

Read on to see how pre-defined roles can help. These have recently come into the product, so read on to see how different versions of PostgreSQL have extended this functionality.

Comments closed

SQL Server Auditing Bug Allows Data Exfiltration without Logging

Published 2025-09-10 by Kevin Feasel

Andreas Wolter describes a bug in SQL Server’s auditing capabilities:

Last week, I was contacted by an IT Leader from Saudi-Arabia who previously found several CVE’s in Oracle and Microsoft SQL Server. He wanted my opinion on a newly discovered security issue in SQL Server Auditing.

Interestingly, his findings directly overlap with a topic I wrote about just last month: Using Data Classification to Audit Data Access.

Emad Al-Mousa identified two vulnerabilities in the SENSITIVE_BATCH_COMPLETED Audit Action Group. Microsoft Security Response Center (MSRC) acknowledged the issue but classified it as low priority – meaning it may not be addressed until a major release, if at all.

Read on to see what the issue is and how you can trigger it today. Andreas also includes a workaround that will work in the meantime.

Comments closed

Regaining Access to sa on SQL Server

Published 2025-09-03 by Kevin Feasel

Garry Bargsley has a method:

Have you ever inherited a SQL Server instance or been called in to troubleshoot, only to discover that no one has SysAdmin access? It happens more often than you’d think. Clients reach out, needing urgent work done, but the SA password is long forgotten, and no other account has elevated permissions.

Unfortunately, SQL Server doesn’t offer a “reset on next login” option for SQL-authenticated accounts. So what can you do?

Read on for one technique. I also covered a similar method from Tim Radney, so you can see the ‘raw’ way (Tim) or the dbatools way (Garry).

Comments closed

SQL Injection Vulnerabilities Fixed in SQL Server

Published 2025-08-29 by Kevin Feasel

Vlad Drumea tests out a pair of fixes:

In this post I demo two PoCs for SQL injection vulnerabilities fixed in SQL Server 2025 CU20 GDR KB5063814.

This August’s Patch Tuesday came with a security patch for SQL Server 2022, 2019, 2017, and 2016.

The number of SQL injection vulnerabilities caught my attention and I decided to see what system stored procedures have changed to see if I can find anything useful.

Vlad looks at a pair of spatial stored procedures and puts together a method to exploit the old versions.

Comments closed