Category: Security

Andreas Wolter digs into some new permissions:

This article provides a brief overview of the new permissions introduced with SQL Server 2025 and the few adjustments to existing ones.

Overall, the changes are subtle – which is not surprising. The past couple of years have focused heavily on SQL Database in Fabric, Entra ID integration, and incremental improvements rather than major changes to the core permission model.

All newly introduced permissions are tied to new functionality. The underlying permission model itself remains unchanged since its last significant evolution in SQL Server 2022.

Even so, click through to see what’s new and what granting EXECUTE across the board can net you in SQL Server 2025.

Leave a Comment

Deepthi Goguri covers the real value of gMSA accounts:

A Failover Cluster Instance (FCI) is a SQL Server high-availability solution where multiple servers share the same storage. If the active node fails, SQL Server automatically fails over to another node with minimal downtime.

You need to follow all the steps mentioned in the first blog post, which you can find here.

From there, Deepthi covers how to change the SQL Server service account to use a gMSA if you have FCI or other high availability setups for SQL Server.

Leave a Comment

Rebecca Lewis notes the slowdown:

You upgraded to SQL Server 2025. Your SQL auth logins are slower. This is not a bug. Microsoft did this on purpose — which is actually good news, but if you’re not using connection pooling, it’s not going to feel very good.

Read on for more details, as well as a recommendation for connection pooling. On the whole, this is a very good thing—PBKDF2 is a mature process that we’ve had available to use in applications for 15+ years, and what’s particularly neat about it is that the level of effort scales linearly. As computer hardware becomes more powerful, add more iterations of the hashing algorithm to keep a fairly consistent per-login delay.

Leave a Comment

Deepthi Goguri takes advantage of Group Managed Service Accounts in Windows:

A Service Account is something that applications like the SQL Server, IIS, or scheduled tasks need to run under using Microsoft Active Directory. These are the regular domain user accounts, where the passwords needs to be manually managed and rotated. As these needs to be manually updated, downtime to the services are required if the password needs to be changed. Not only that but syncing these passwords across multiple servers can be an issue. This problem is resolved by using the Standalone Managed Service Account as Windows can manage the password automatically.

Read on to learn more about single MSAs and group MSAs, and some tips and limitations.

Leave a Comment

Vibhor Kumar releases an extension:

This extension provides transparent column-level encryption using custom PostgreSQL datatypes so developers can read and write encrypted columns without changing their SQL queries.

And perhaps the most human part of this project is this:

the idea for this project started back in 2016.

It stayed with me for years as one of those engineering ideas that never quite leaves your mind — the thought that PostgreSQL itself could enforce encryption at the column level.

The diagram does look a bit like what you’d see for SQL Server’s Transparent Data Encryption, though the internal mechanics are a good bit different.

Leave a Comment