
Category: Security

No More RC4 for Kerberos

Mike Lynn provides a heads-up:

In July 2026 Microsoft is making a change that may impact your environment. The change being implemented will make your environment more secure by no longer accepting the RC4 algorithm for the Kerberos protocol by default. The problem though is it could cause authentication failures, services to not start, and Kerberos to stop working. Microsoft has been working to implement this change since January 2026, and July 2026 is the final phase.

Click through to see what this means and what you can do to make sure it doesn’t affect you.


Patched SQL Injection Vulnerability in sys.sp_dbmmonitorupdate

Fabiano Amorim digs into a fixed issue:

What makes this case particularly interesting is not just that the vulnerability exists in a trusted system object, but how it works: the injection bypasses a REPLACE-based sanitization attempt through a subtle Unicode character conversion that happens silently during a variable assignment.

The vulnerability was reported to Microsoft and they have since fixed it, but it’s still worth exposing and explaining given how intricate it is. So, that’s what I’ll do in this article.

Click through to see how it works. And of course this database mirroring stored procedure is still hanging around long after database mirroring itself was deprecated. But that’s the downside to deprecation without subsequent removal.
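To show the mechanism Fabiano describes in isolation, here is a constructed pair of procedures, added for this page; it is not code from his article and not the text of sys.sp_dbmmonitorupdate, and it does not reproduce that procedure's actual bug. The first procedure doubles quotes in an NVARCHAR parameter and then copies the result into a VARCHAR variable; the second keeps the value wide and parameterizes it. It assumes a database whose collation uses code page 1252 (the Latin1_General family), where SQL Server's best-fit conversion turns U+02BC MODIFIER LETTER APOSTROPHE into an ASCII single quote; other code pages best-fit different characters, so the specific character is an assumption tied to that collation.

```sql
-- Constructed demonstration for this page, not the code of sys.sp_dbmmonitorupdate.
-- Assumes a code-page-1252 database collation (e.g. Latin1_General_CI_AS).

-- Deliberately vulnerable: sanitises the NVARCHAR input, then narrows it.
CREATE OR ALTER PROCEDURE dbo.demo_lookup_unsafe
    @dbname NVARCHAR(128)
AS
BEGIN
    -- The "sanitisation": double every ASCII single quote in the wide string.
    SET @dbname = REPLACE(@dbname, N'''', N'''''');

    -- The silent step: assigning NVARCHAR to VARCHAR best-fits characters the
    -- code page lacks. U+02BC has no CP1252 code point and becomes 0x27 ('),
    -- a quote the REPLACE above never saw.
    DECLARE @narrow VARCHAR(128) = @dbname;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT name FROM sys.databases WHERE name = ''' + @narrow + N'''';
    PRINT @sql;   -- shows the statement that is actually executed
    EXEC (@sql);
END;
GO

-- Hardened: the value never changes type and is never concatenated into SQL.
CREATE OR ALTER PROCEDURE dbo.demo_lookup_safe
    @dbname NVARCHAR(128)
AS
BEGIN
    EXEC sys.sp_executesql
        N'SELECT name FROM sys.databases WHERE name = @n',
        N'@n NVARCHAR(128)',
        @n = @dbname;
END;
GO

-- Payload with no ASCII quote in it, so the REPLACE leaves it untouched;
-- the apostrophe only appears after the narrowing assignment.
DECLARE @payload NVARCHAR(128) =
    N'master' + NCHAR(0x02BC) + N'; SELECT SUSER_SNAME() AS injected; --';

-- Unsafe path: the narrowed text closes the literal after "master", runs the
-- injected SELECT, and the trailing "--" swallows the closing quote.
EXEC dbo.demo_lookup_unsafe @dbname = @payload;

-- Safe path: the entire payload is compared as one database name.
EXEC dbo.demo_lookup_safe @dbname = @payload;
```

Where the value is used as an identifier rather than a literal (a USE or an object name), the same rule holds: keep it NVARCHAR and wrap it with QUOTENAME rather than trusting a REPLACE that runs before the conversion.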


Using Entra ID Authentication in Azure Database for PostgreSQL

Taiob Ali wants to use Entra for authentication:

During the livestream of my session at the POSETTE: An Event for Postgres 2026 conference, I received the following question on the hallway track via Discord:

I have one question: I added an Entra group as PostgreSQL Entra administrator, created/mapped the PostgreSQL role for that group, and granted permissions to that group. I am a member of the Entra group, but I still cannot log in with my own Entra user. Does Azure PostgreSQL allow group members to authenticate through the group role, or must each user also be individually created/mapped as a PostgreSQL role?

Read on for Taiob’s full answer.


Fabric Data Agents and Power BI Row-Level Security

Jens Vestergaard digs into a security challenge:

In the last post I walked through auditing a semantic model before connecting it to an AI tool like Fabric Data Agent. Descriptions, naming, explicit measures, star schema: the things that decide whether a Fabric data agent generates an accurate query or a confident wrong one. I left one thing out on purpose, because it deserved its own post and because I got it wrong the first time I thought about it.

Security.

Click through for a few subtle security issues that automated agents can expose. It turns out to be a lot more challenging than you may first expect, just as Jens discovered.


Treating Query Store Abort Hints like a SQL Firewall

Emad Al-Mousa plays around a bit:

It’s a security mechanism designed to filter and block unauthorized or malicious SQL queries being executed against the database system before they reach the database kernel itself. It acts as a specialized gatekeeper that ensures only “known good” queries are allowed to run. In a sense, you can compare it with a WAF (web application firewall) in terms of protection mechanism.

SQL Firewall will provide protection against the following threats and attacks:

SQL Injection

Privilege Escalation

Data Exfiltration

Emad makes it very clear that this is not a viable technique, but it is also a fun enough idea that it’s worth checking out.
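To make the idea concrete, here is an added script (mine, not Emad's) that pins the abort hint to one query and then shows the gap that makes it unusable as a firewall. It assumes SQL Server 2025 or Azure SQL Database, where the ABORT_QUERY_EXECUTION hint is available, Query Store enabled on the current database, and a placeholder table dbo.Customers with an Email column.

```sql
-- Added example, not Emad's code. Assumes SQL Server 2025 or Azure SQL Database
-- (where the ABORT_QUERY_EXECUTION hint exists), Query Store enabled on the
-- current database, and a placeholder table dbo.Customers(Email).

-- 1. The query to be "blocked" must have run at least once so Query Store
--    has a query_id for it.
SELECT Email FROM dbo.Customers ORDER BY Email;
GO

-- 2. Find that query_id by its text and attach the abort hint to it.
DECLARE @query_id BIGINT =
(
    SELECT TOP (1) q.query_id
    FROM sys.query_store_query AS q
    JOIN sys.query_store_query_text AS t
      ON t.query_text_id = q.query_text_id
    WHERE t.query_sql_text LIKE N'SELECT Email FROM dbo.Customers ORDER BY Email%'
    ORDER BY q.last_execution_time DESC
);
EXEC sys.sp_query_store_set_hints
    @query_id    = @query_id,
    @query_hints = N'OPTION (USE HINT(''ABORT_QUERY_EXECUTION''))';
GO

-- 3. The identical statement now fails at execution instead of returning rows.
--    (Separate batch so the error does not stop the rest of the script.)
SELECT Email FROM dbo.Customers ORDER BY Email;
GO

-- 4. Why this is not a firewall: the hint is keyed on query_id, and query_id
--    comes from the statement text. An alias, a comment or different whitespace
--    yields a new query_id that carries no hint, so this query, returning the
--    same rows, runs unhindered. Whoever controls the text controls the match.
SELECT Email AS E FROM dbo.Customers ORDER BY Email;
GO

-- 5. Inspect what is pinned, then remove it.
SELECT h.query_id, h.query_hint_text, t.query_sql_text
FROM sys.query_store_query_hints AS h
JOIN sys.query_store_query AS q ON q.query_id = h.query_id
JOIN sys.query_store_query_text AS t ON t.query_text_id = q.query_text_id;

DECLARE @query_id BIGINT =
(
    SELECT TOP (1) h.query_id
    FROM sys.query_store_query_hints AS h
    WHERE h.query_hint_text LIKE N'%ABORT_QUERY_EXECUTION%'
);
EXEC sys.sp_query_store_clear_hints @query_id = @query_id;
GO
```

The hint is a fine tool for stopping a known-bad query shape that an application keeps sending; it is a deny list over exact query identities, which is the opposite of the "known good only" model a firewall needs.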


Multiple Domain Controllers and Kerberos Double-Hops

Randy Knight sorts out a problem:

We recently had a customer where Windows logins to a SQL Server Availability Group started throwing “Cannot generate SSPI context” — but only sometimes, and only for some people. The same user, on the same workstation, would fail one minute and connect the next. Applications were fine. Nothing had changed on SQL Server.

It took the better part of two days and a lot of second-guessing to run down, and the culprit turned out to be something most of us never think about: which domain controller handed out the Kerberos ticket.

Click through for the answer. Surprisingly, it has nothing to do with SPNs for once.


Power BI’s Row-Level Security Bitmap Changes

Phil Seamark lays out the consequences of a change:

If you have ever watched a model with row-level security run beautifully for months and then quietly fall off a cliff, this one is for you. Nothing in the model changed. You did not touch the security rules. One table just grew past a line you could not see, and every query under that role started doing a great deal more work than it used to.

That line just moved, and it moved in your favour. Here is what it is and why it sits where it does.

Click through to learn more about how Power BI handles row-level security predicate matching.


The Vendor-Security Researcher Relationship

Andreas Wolter shares some thoughts:

The recent public discussion around YellowKey and Microsoft’s vulnerability disclosure process has put vulnerability research, coordinated disclosure, and Microsoft’s Security Response Center (MSRC) into the spotlight. While that specific discussion is about Windows and BitLocker, it exposes a broader problem that many researchers recognize: vulnerability disclosure is often framed as a simple responsibility of the researcher.

The idealized workflow is straightforward: find the issue, report it, wait for the vendor, and accept the outcome.

But coordinated disclosure cannot be a one-way obligation.

Andreas shares some perspective from having been a top security person on the SQL Server team. Along the way, he hits one of my bugbears: the fact that there is no easy way to tell exactly what login X (or user X) can do on a SQL Server instance. The closest I ever got was to impersonate user X and run sys.fn_my_permissions() in the context of that user. But even that isn’t perfect.


Accessing Data between Private Link and Public Fabric Workspaces

Gilbert Quevauvilliers uses the private endpoint:

In this blog post I show how it is possible to access data between a Private Link Workspace, where I want to read the data from my Public Workspace.

An example of this is where I wanted to use a DirectLake Semantic Model sitting in my Public Workspace where the data is from data in my Private Link Workspace.

Click through to see how it works.


Finding the Windows Groups for a SQL Server Login

Greg Low looks for an answer:

I saw a question on a SQL Server mailing list about how to determine the Windows groups for a given SQL Server login.

That’s actually easy for a sysadmin login, as they have IMPERSONATE permission for other logins/users.

It does require the ability to impersonate, as Greg mentions. If you don’t have that ability and you’re dealing with an Active Directory user, I could recommend: net user /domain {ActiveDirectoryUserName} in a command prompt to start.
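Both this post and the note on Andreas Wolter's post above come down to the same move: impersonate the login, then ask SQL Server about it. Here is an added script (mine, not code from Greg's or Andreas's posts) that does both in one pass. It lists the Windows groups in the impersonated login's token, then the permissions that login effectively holds at server, database and object scope, including the reason fn_my_permissions alone is not a complete answer. It assumes you run it as sysadmin (or hold IMPERSONATE on the login); CONTOSO\alice and AppDb are placeholders.

```sql
-- Added example for this page; not code from Greg's or Andreas's posts.
-- Run as sysadmin (or with IMPERSONATE on the login). CONTOSO\alice and
-- AppDb are placeholders.
DECLARE @login sysname = N'CONTOSO\alice';

USE master;   -- every login can reach master, so the impersonation succeeds here
EXECUTE AS LOGIN = @login;

-- 1. Windows groups and server roles in the token SQL Server built for the
--    login. Only groups SQL Server could resolve at impersonation time appear;
--    usage = 'DENY ONLY' marks memberships that contribute only DENYs.
SELECT name, type, usage
FROM sys.login_token
WHERE type IN ('WINDOWS GROUP', 'SERVER ROLE')
ORDER BY type, name;

-- 2. Server-scoped permissions the login effectively holds, with role and
--    group grants already folded in.
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;

REVERT;

USE AppDb;
EXECUTE AS LOGIN = @login;   -- errors here if the login cannot reach AppDb,
                             -- which already answers part of the question

-- 3. Database-scoped permissions.
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;

-- 4. Object-scoped permissions. fn_my_permissions only reports on the one
--    securable it is handed, so a full picture means asking per object; this
--    walks the tables and views. Metadata visibility applies under
--    impersonation, so objects the login cannot see at all simply do not
--    show up, which is itself the answer for them.
SELECT QUOTENAME(s.name) + N'.' + QUOTENAME(o.name) AS object_name,
       p.permission_name
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
CROSS APPLY sys.fn_my_permissions(QUOTENAME(s.name) + N'.' + QUOTENAME(o.name), 'OBJECT') AS p
WHERE o.type IN ('U', 'V')
  AND p.subentity_name = N''   -- object-level rows; column grants carry a column name here
ORDER BY object_name, p.permission_name;

REVERT;
```

What this still cannot tell you is anything SQL Server itself cannot see: group memberships it failed to resolve, and permissions reachable only through ownership chaining or module signing, which show up as what a statement succeeds at rather than as a row in any permissions view.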
