A Fine Slice Of SQL Server
Soheil Bakhshi continues a series:
Now, in the third and final part of this blog series, we focus on two important areas that are often overlooked:
- What happens when Microsoft Purview sensitivity labels are applied to a report
- How to refine admin portal settings to better control guest users’ access to Fabric
Click through for the conclusion of this series.
Comments closedYael Biss doesn’t want people walking off with the data:
As data volume and complexity soar, protecting sensitive information has become non-negotiable. With the latest enhancements to Purview Data Loss Prevention (DLP) Policies in Microsoft Fabric, organizations now have the power to proactively secure their data in Onelake.
Whether you’re just getting started or looking to take your data governance to the next level, following proven best practices will maximize your security, compliance, and productivity.
Click through for several tips on how to use Microsoft Purview DLP in Fabric. One of those tips ought to be “Get a side hustle so you can afford both Purview and Fabric.”
Comments closedWith this update, Azure Mirrored Databricks Catalog items can now be enabled with OneLake security. Security at the table, column, or row level can be defined directly in each item, allowing access to be controlled at a granular level. This allows security to be defined directly over the data mirrored into OneLake so it can be securely used by downstream sources such as lakehouses, notebooks, or semantic models.
Read on to see what to do in order to make use of this. It is, of course, currently in preview.
Comments closedAaron Merrill explains how OneLake security works when you introduce shortcuts:
OneLake allows for security to be defined once and enforced consistently across Microsoft Fabric. One of its standout features is its ability to work seamlessly with shortcuts, offering users the flexibility to access and organize data from different locations while maintaining robust security controls. In this blog post, we will look at how OneLake security is integrated with shortcuts, explain the distinction between passthrough and delegated auth modes for shortcuts, and look at an example use case.
Read on for an overview of OneLake shortcuts, as well as different security models around them.
Comments closedKevin Hill explains that there are two wolves inside your SQL Server:
“We added them to the database, but they still can’t connect.”
Sound familiar? That’s the kind of confusion SQL Server’s two-layer security model creates when people don’t understand the difference between a login and a user.
Let’s clear that up, because getting it wrong causes broken access, orphaned users, and frustrated help desk calls.
Click through for Kevin’s explanation.
Comments closedVlad Drumea points out a new thing to keep an eye on:
SQL Server 2025 provides ODBC sqlcmd version 17 which enforces an encrypted connection.
If you’re trying to use it to connect to instances that don’t have a CA-signed certificate or where TLS encryption was never properly configured, sqlcmd will throw the famous “certificate chain not trusted” error message:
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : SSL Provider: The certificate chain was issued by an authority that is not trusted.
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : Client unable to establish connection.
The proper answer to this is to get trusted certificates. The workaround is what Vlad describes, so click through for that.
Comments closedArthur Breant shares some advice:
Code injection is a common security vulnerability that involves injecting malicious code into a page or application. This code is then executed, creating the security breach. There are several ways to inject code into an application, and Shiny is unfortunately not immune to these risks.
Click through for a quick overview of the three most common types of injection attack. There’s nothing special about Shiny here—any system that executes code based on user input is potentially vulnerable to injection attacks—so it is good to keep these tips in mind. H/T R-Bloggers.
Comments closedDo you know who is logging into your SQL Server?
I was once asked about the need to track SQL Server logins. Many servers were already tracking failed logins. Where the issue came up in this case was tracking successful logins to determine login usage. Let’s take a quick look at how we can track both failed and successful logins.
Security-oriented me always wants both failed and successful logins, as you want to know if the person who failed to log in eight times did in fact successfully log in on the ninth attempt.
Comments closedPatrick Gruenauer elevates our access:
Sudo for Windows is a new way for users to execute commands with elevated privileges (as an administrator) directly from a non-relevant console session on Windows.
The following requirements apply to the use of sudo in Windows:
- Windows 11 24H2
- Sudo needs to be enabled
Click through to see how to activate sudo. The English-language header reads “System > For Developers” and the exact setting is at the bottom of the first section and has the name “Enable sudo” with a toggle switch. The number of times I’ve run a command just to see it error out because I needed to be in an administrative command prompt or PowerShell terminal is high enough that I immediately turned it on.
But importantly, this is different from Linux, in that it opens up a new command prompt or PowerShell terminal rather than executing the command with elevated permissions in the same prompt. This is important because that new prompt goes away after the command finishes, so you lose the output. In other words, if you run sudo ipconfig in a command prompt, it will hit you with a UAC request (depending on how you’ve configured your PC) and then run ipconfig in a new command prompt, which disappears as soon as the command finishes. You don’t get to keep what was in stdout. I think this limits some of the capability of the option, unfortunately.
Working with sensitive data in Microsoft Fabric requires careful handling of secrets, especially when collaborating externally. In a recent customer engagement, I needed to validate access to Azure Key Vault from within a Fabric Notebook, without ever exposing the actual secret values. With only read access granted and no need to manage or update secrets, I focused on confirming that the connection was working as expected.
In this blog, I’ll walk you through the approach, including the setup, code snippets, and logic behind this quick but crucial verification step.
Click through for the full story.
Comments closed