Category: Security

Exfiltration Opportunities in Power Query

Oscar Martinez lays out the risks:

Data exfiltration is the act of moving sensitive data outside a trusted environment without authorisation. In the context of Power Query (the data transformation engine behind Excel, Power BI, dataflows, etc.), this means an insider could use a Power Query script to siphon data from secure sources (like databases) out to an external destination. Microsoft defines data exfiltration as the movement of sensitive business data outside a trusted boundary, whether intentionally or unintentionally.^1

Click through to learn more about what is possible, as well as practical tips on how to reduce this risk.

Restoring a Database via dbatools

David Seis digs into the Restore-DbaDatabase cmdlet:

In this blog post, we will audit the dbatools command Restore-DbaDatabase. I will test, review, and evaluate the script based on a series of identical steps. Our goal is to provide insights, warnings, and recommendations to help you use this script effectively and safely. Restore-DbaDatabase is a powerful tool to automate the restore of any database, and it works well in automated solutions such as daily refreshes or weekly refreshes of production to a lower environment.

David’s blog post takes a look at the cmdlet’s functionality, but also considers it from a security perspective.

EchoLeak: Zero-Click Copilot Vulnerability

Alex Woodie reports on a vulnerability:

The Microsoft Copilot vulnerability, dubbed EchoLeak, was listed as CVE-2025-32711 in the NIST’s National Vulnerability Database, which gave the flaw a severity score of 9.3. According to Aim Labs, which discovered EchoLeak and shared its research with the world last week, the “zero-click” flaw could “allow attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot context, without the user’s awareness, or relying on any specific victim behavior.” Microsoft patched the flaw the following day.

The blog post linked above is pretty interesting. Microsoft has patched the vulnerability, so this particular attack vector shouldn’t be an issue. But it will certainly open up the doors for more fun ways of exploiting generative AI-based services.

Purview Data Loss Prevention in Microsoft Fabric

Yael Biss doesn’t want people walking off with the data:

As data volume and complexity soar, protecting sensitive information has become non-negotiable. With the latest enhancements to Purview Data Loss Prevention (DLP) Policies in Microsoft Fabric, organizations now have the power to proactively secure their data in OneLake.

Whether you’re just getting started or looking to take your data governance to the next level, following proven best practices will maximize your security, compliance, and productivity.

Click through for several tips on how to use Microsoft Purview DLP in Fabric. One of those tips ought to be “Get a side hustle so you can afford both Purview and Fabric.”

Securing Mirrored Databricks Data in Fabric

Aaron Merrill has a catalog:

With this update, Azure Mirrored Databricks Catalog items can now be enabled with OneLake security. Security at the table, column, or row level can be defined directly in each item, allowing access to be controlled at a granular level. This allows security to be defined directly over the data mirrored into OneLake so it can be securely used by downstream sources such as lakehouses, notebooks, or semantic models.

Read on to see what to do in order to make use of this. It is, of course, currently in preview.

OneLake Security and Shortcuts

Aaron Merrill explains how OneLake security works when you introduce shortcuts:

OneLake allows for security to be defined once and enforced consistently across Microsoft Fabric. One of its standout features is its ability to work seamlessly with shortcuts, offering users the flexibility to access and organize data from different locations while maintaining robust security controls. In this blog post, we will look at how OneLake security is integrated with shortcuts, explain the distinction between passthrough and delegated auth modes for shortcuts, and look at an example use case.

Read on for an overview of OneLake shortcuts, as well as different security models around them.

Explaining Logins vs Users in SQL Server

Kevin Hill explains that there are two wolves inside your SQL Server:

“We added them to the database, but they still can’t connect.”

Sound familiar? That’s the kind of confusion SQL Server’s two-layer security model creates when people don’t understand the difference between a login and a user.

Let’s clear that up, because getting it wrong causes broken access, orphaned users, and frustrated help desk calls.

Click through for Kevin’s explanation.

sqlcmd in SQL Server 2025 and Certificate Chain Not Trusted

Vlad Drumea points out a new thing to keep an eye on:

SQL Server 2025 provides ODBC sqlcmd version 17 which enforces an encrypted connection.

If you’re trying to use it to connect to instances that don’t have a CA-signed certificate or where TLS encryption was never properly configured, sqlcmd will throw the famous “certificate chain not trusted” error message:

Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : SSL Provider: The certificate chain was issued by an authority that is not trusted.
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : Client unable to establish connection.

The proper answer to this is to get trusted certificates. The workaround is what Vlad describes, so click through for that.

Preventing Injection Attacks in Shiny

Arthur Breant shares some advice:

Code injection is a common security vulnerability that involves injecting malicious code into a page or application. This code is then executed, creating the security breach. There are several ways to inject code into an application, and Shiny is unfortunately not immune to these risks.

Click through for a quick overview of the three most common types of injection attack. There’s nothing special about Shiny here—any system that executes code based on user input is potentially vulnerable to injection attacks—so it is good to keep these tips in mind. H/T R-Bloggers.
