
Category: Security

Managed Identities in SQL Server 2025

Greg Low offers another security option for service management:

Those who have worked with SQL Server will understand the need to avoid storing passwords for accessing resources. Windows-based identities are fine for on-premises SQL Server systems, including those on cloud-based virtual machines (VMs), but are of no use when you need to access cloud-based resources like those in Azure.

Some Azure-based resources (including storage accounts) offer other access methods, such as shared access signatures (SAS), but these aren’t much of a step-up from passwords.

What’s really needed is for SQL Server to have its own Microsoft Entra based identity. These can be used directly with Azure-based resources – and that’s exactly where managed identities come in.

Click through to see how it works. Importantly, this is a feature that requires additional payment.


A Primer on Group Managed Service Accounts

Randy Knight shows off a useful feature in Windows:

Service account management is one of the quietest ways a SQL Server estate goes wrong. Passwords get set once during install, written down somewhere (or worse, not written down), and then never rotated. The DBA who built the environment leaves. A security audit shows up. Suddenly you’re staring at a hundred service account passwords nobody remembers, and the prospect of changing them all on a maintenance window nobody wants to schedule. Group Managed Service Accounts (gMSAs) solve this.

They’ve been a fully supported option for SQL Server since 2014, they work with Failover Cluster Instances and Availability Groups, and Active Directory rotates the passwords for you on a schedule you control. We use them by default on every new SQL Server build at SSG.

And yet, in a decade of Health Checks, we still rarely see them deployed. The most common reasons we hear: “I tried it once and SPNs broke,” or, “I wasn’t sure it would work with our AG.” Both are addressable. Here’s what you need to know to deploy gMSAs successfully.

gMSAs are very useful for providing a managed identity for on-premises solutions. You don't need to save passwords anywhere, but you still have full control over who's allowed to access a given resource.


Dropping Users and Stale EXTERNAL MODEL Permissions

Andreas Wolter sees a cache invalidation issue:

When identity or permission boundaries behave inconsistently – even under specific lifecycle conditions – that is more than a product bug. It becomes a security-relevant design issue, because security depends not just on how access is granted, but also on how reliably it is revoked.

While investigating the new permission model introduced alongside SQL Server 2025’s AI integration and vector search capabilities (Article: New Permissions in SQL Server 2025), I encountered a case where EXTERNAL MODEL permissions can persist after a user is dropped, creating stale authorization state.

Click through to learn more about this issue and what it means.


Microsoft Fabric Eventstream Network Security Features

Alex Lin looks at network security features:

Eventstream in Fabric Real-Time Intelligence streams data from both inside and outside the Fabric platform. When your external sources sit behind firewalls or in private networks, choosing the right network security feature is essential. This post breaks down the available options in Eventstream and helps you determine which one fits your scenario.

Click through for more information.


New SQL Server CVEs

Rebecca Lewis takes a look at a few more vulnerabilities Microsoft has patched in SQL Server:

This week’s Patch Tuesday landed three new SQL Server CVEs. Two are elevation-of-privilege bugs — familiar territory, we had three of those last month. The third one is different. CVE-2026-33120 is a remote code execution flaw in SQL Server 2022. CVSS 8.8. An authenticated, low-privileged login on the network can execute arbitrary code on your SQL Server.

Go. Patch. Now.

Click through for more information and be sure to get these patched.


Cracking SQL Server 2025 SQL Auth Passwords with hashcat

Vlad Drumea has a great post:

Last year I wrote about SQL Server 2025’s new PBKDF2 hashing algorithm: what that means from a security perspective, as well as how it impacts online cracking. And even how to enable it in SQL Server 2022.

Vlad created a hashcat module that cracks SQL Server 2025 password hashes offline (rather than connecting to the SQL Server instance itself) and then extrapolates the results to online cracking (connecting to the instance and trying different passwords). Vlad has some really good news on the whole, and this post serves to explain why Microsoft introduced PBKDF2 as part of the hashing algorithm for SQL Server 2025.


Preventing SQL Injection in Stored Procedures

Vlad Drumea fixes a procedure:

In the past few years, I’ve seen quite a few stored procedures that rely on dynamic T-SQL without properly guarding for SQL injection.

Some cases were reporting stored procedures, while others were maintenance type stored procedures (e.g. stats updates) that could be kicked off from the app, or even stored procedures that handled app upgrades/patching.

In all these cases, certain portions of the dynamic T-SQL relied on input provided by users via input parameters.

Read on for an example. The solution is still the classic combination of QUOTENAME() for identifiers and sp_executesql with proper parameters for values, whenever you have user input.
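As an added illustration (constructed for this page, not Vlad's code), here is a hypothetical reporting procedure that takes a schema, table, column and filter value from the caller, first in the vulnerable concatenated form and then hardened with a catalog check, QUOTENAME() around the identifiers, and the value bound as a real parameter through sp_executesql:

```sql
-- Hypothetical reporting procedure (constructed for this example).
-- VULNERABLE: identifiers and the filter value are concatenated straight into the batch,
-- so any input that breaks out of its quoting context is executed as T-SQL.
CREATE OR ALTER PROCEDURE dbo.GetReportRows_Unsafe
    @SchemaName   sysname,
    @TableName    sysname,
    @FilterColumn sysname,
    @FilterValue  nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM ' + @SchemaName + N'.' + @TableName
      + N' WHERE ' + @FilterColumn + N' = N''' + @FilterValue + N''';';
    EXEC (@sql);
END;
GO

-- HARDENED:
--  * schema/table/column are validated against the catalog before any dynamic SQL is built
--  * identifiers are wrapped with QUOTENAME(), which brackets them and doubles any ']' inside
--  * the filter value is never part of the string; sp_executesql binds it as a typed parameter
CREATE OR ALTER PROCEDURE dbo.GetReportRows
    @SchemaName   sysname,
    @TableName    sysname,
    @FilterColumn sysname,
    @FilterValue  nvarchar(200)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @objectId int =
        OBJECT_ID(QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName), N'U');
    IF @objectId IS NULL
    BEGIN
        THROW 50001, N'Unknown table.', 1;
    END;
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = @objectId AND name = @FilterColumn)
    BEGIN
        THROW 50002, N'Unknown column.', 1;
    END;
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM ' + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName)
      + N' WHERE ' + QUOTENAME(@FilterColumn) + N' = @value;';

    -- @value travels separately from the statement text, so its contents cannot alter the query
    EXEC sys.sp_executesql @sql, N'@value nvarchar(200)', @value = @FilterValue;
END;
GO
```

Note that QUOTENAME() only protects identifiers; a value such as the filter above must always go through the parameter list, never through quoting tricks in the string.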


Syncing Logins across Failover Groups for Managed Instances

Andy Brownsword gets replicating:

Failover Groups for Managed Instances are a great option to replicate data, but they don’t replicate key instance elements – one of which is logins that live in the master database. If left unchecked, failovers leave systems unable to connect and panic ensues.

To alleviate this we’ll look at a script to synchronise logins and permissions across replicas.

Click through for a link to the script and an explanation of what’s going on with it.


Cross-Database Ownership Chaining and Why to Avoid It

Fabiano Amorim provides a public service announcement:

A dangerous privilege-escalation path exists in SQL Server when cross-database ownership chaining, system database defaults, and overly permissive permissions are combined. Under these conditions, a low-privilege authenticated user can escalate to sysadmin, gaining full control of the instance. This article walks through how an attacker can abuse these mechanics.

Click through for a detailed explanation of the problem. Then, check out module signing as an alternative that is considerably more secure.
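As an added example (not from Fabiano's article), the first two queries inventory where ownership chaining is enabled, and the rest shows the module-signing alternative for two hypothetical databases, AppDB holding dbo.GetSalesSummary and DataDB holding dbo.Sales, with chaining left off. The certificate password and file path are placeholders:

```sql
-- 1. Inventory: databases with DB_CHAINING ON, and the server-wide setting
SELECT name AS database_name, is_db_chaining_on
FROM sys.databases
WHERE is_db_chaining_on = 1;

SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'cross db ownership chaining';   -- 1 means chaining for every database

-- 2. Alternative: sign the procedure and grant the permission to a certificate user
--    in the other database. No ownership chain and no TRUSTWORTHY setting is needed.
USE AppDB;
GO
CREATE CERTIFICATE ReportSigning
    ENCRYPTION BY PASSWORD = 'Placeholder-ChangeMe-1!'      -- placeholder
    WITH SUBJECT = 'Signs dbo.GetSalesSummary';
GO
-- dbo.GetSalesSummary reads DataDB.dbo.Sales with a three-part name
ADD SIGNATURE TO dbo.GetSalesSummary
    BY CERTIFICATE ReportSigning
    WITH PASSWORD = 'Placeholder-ChangeMe-1!';
GO
-- Export the public key only; DataDB needs it to recognise the signature
BACKUP CERTIFICATE ReportSigning TO FILE = 'C:\certs\ReportSigning.cer';   -- placeholder path
GO

USE DataDB;
GO
CREATE CERTIFICATE ReportSigning FROM FILE = 'C:\certs\ReportSigning.cer';
GO
CREATE USER ReportSigning_user FROM CERTIFICATE ReportSigning;
GO
-- The certificate user, not the caller, carries the cross-database permission,
-- so a caller with EXECUTE on the procedure gets exactly this SELECT and nothing more.
GRANT SELECT ON dbo.Sales TO ReportSigning_user;
GO
```

Two caveats: ALTER PROCEDURE drops the signature, so re-run ADD SIGNATURE after every change, and the signature does not extend to dynamic SQL executed inside the procedure.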


Comparing Schemas between PostgreSQL and Oracle

Laurenz Albe makes a comparison:

Recently, somebody asked me for a reference to a blog or other resource that describes how schemas work differently in Oracle. I didn’t have such a reference, so I’m writing this article. But rather than just describing Oracle schemas to a reader who knows PostgreSQL, I’ll try to present the topic in a way that helps Oracle users understand schemas in PostgreSQL as well. Since I already wrote about the difference between database transactions in Oracle and PostgreSQL, perhaps this can turn into a series!

Click through for the comparison. As far as SQL Server, here’s my off-the-cuff take:

  • Users and schemas — SQL Server follows the same model PostgreSQL does.
  • Schemas as namespaces — SQL Server follows roughly the same model Oracle does.
  • Schemas and object ownership — Different from the two, based on my reading. Objects are owned by the security principal that owns the schema. This is closer to the Oracle model but isn’t quite the same.
  • Schemas and privileges — Because of how object ownership works, there’s more flexibility to the SQL Server model, but also more complexity. In practice, it’s closer to the way PostgreSQL works.
  • Default schema — Different from the two. With one-part naming, SQL Server will first try the user’s default schema. If the object is not there, it checks dbo. That check, by the way, takes a small amount of time but can add up if you’re talking hundreds of thousands of transactions per second. Just ensuring you have consistent two-part naming can be a marked performance improvement on extremely busy servers.
  • System schemas — The sys schema includes system tables and Dynamic Management Views, and INFORMATION_SCHEMA provides the types of information the ANSI SQL standard requires.
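As an added demonstration of the default-schema resolution order described above (constructed for this page, not from Laurenz's article), run in a scratch database: a user whose default schema is reporting reads reporting.Sales through the one-part name, and falls through to dbo.Sales only once that table is gone.

```sql
-- Constructed demonstration of one-part name resolution in SQL Server.
CREATE SCHEMA reporting;
GO
CREATE USER analyst WITHOUT LOGIN WITH DEFAULT_SCHEMA = reporting;
GO
CREATE TABLE dbo.Sales       (Region nvarchar(20), Amount money);
CREATE TABLE reporting.Sales (Region nvarchar(20), Amount money);
INSERT dbo.Sales       VALUES (N'dbo copy', 100);
INSERT reporting.Sales VALUES (N'reporting copy', 200);
GRANT SELECT ON SCHEMA::dbo       TO analyst;
GRANT SELECT ON SCHEMA::reporting TO analyst;
GO

EXECUTE AS USER = 'analyst';
-- First lookup is the caller's default schema, so this returns 'reporting copy'
SELECT Region FROM Sales;
-- Two-part naming is explicit: no default-schema probe, returns 'dbo copy'
SELECT Region FROM dbo.Sales;
REVERT;
GO

DROP TABLE reporting.Sales;
GO
EXECUTE AS USER = 'analyst';
-- The default-schema lookup now misses, so resolution falls through to dbo: 'dbo copy'
SELECT Region FROM Sales;
REVERT;
GO

-- Clean up the scratch objects
DROP TABLE dbo.Sales;
DROP USER analyst;
DROP SCHEMA reporting;
GO
```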