Press "Enter" to skip to content

Category: Security

SQL Login Overhead in SQL Server 2025

Sean Gallardy has a wonderful rant:

There were a few emails about login times so I figured it warranted a blog post. Strap in, this one goes sideways fast.

Some people noted that the amount of time to log in with a SQL Login in SQL Server 2025 all of a sudden took longer. This is clearly stated in the Docs, though the way it is written is documented is problematic.

As Sean mentions, this is on purpose and it is good. Yeah, the amount of time it takes to log in using SQL authenticated accounts in SQL Server 2025 is higher. That’s because the mechanism to log in is now considerably more secure than it was before. And let’s be honest: how frequently are you logging into SQL Server? What percentage of your processing time does that take? Because if the answer is “a large percentage,” that sounds like a job for connection pooling or revising the calling application.

2 Comments

No More RC4 for Kerberos

Mike Lynn provides a heads-up:

In July 2026 Microsoft is making a change that may impact your environment. The change being implemented will make your environment more secure by no longer accepting the RC4 algorithm for the Kerberos protocol by default. The problem though is it could cause authentication failures, services to not start, and Kerberos to stop working. Microsoft has been working to implement this change since January 2026, and July 2026 is the final phase.

Click through to see what this means and what you can do to make sure it doesn’t affect you.

Comments closed

Patched SQL Injection Vulnerability in sys.sp_dbmmonitorupdate

Fabiano Amorim digs into a fixed issue:

What makes this case particularly interesting is not just that the vulnerability exists in a trusted system object, but how it works: the injection bypasses a REPLACE-based sanitization attempt through a subtle Unicode character conversion that happens silently during a variable assignment.

The vulnerability was reported to Microsoft and they have since fixed it, but it’s still worth exposing and explaining given how intricate it is. So, that’s what I’ll do in this article.

Click through to see how it works. And of course this database mirroring stored procedure is still hanging around long after database mirroring itself was deprecated. But that’s the downside to deprecation without subsequent removal.

Comments closed

Using Entra ID Authentication in Azure Database for PostgreSQL

Taiob Ali wants to use Entra for authentication:

During the livestream of my session at the POSETTE: An Event for Postgres 2026 conference, I received the following question on the hallway track via Discord:

I have one question : I added an Entra group as PostgreSQL Entra administrator, created/mapped the PostgreSQL role for that group, and granted permissions to that group. I am a member of the Entra group, but I still cannot log in with my own Entra user. Does Azure PostgreSQL allow group members to authenticate through the group role, or must each user also be individually created/mapped as a PostgreSQL role?

Read on for Taiob’s full answer.

Comments closed

Fabric Data Agents and Power BI Row-Level Security

Jens Vestergaard digs into a security challenge:

In the last post I walked through auditing a semantic model before connecting it to an AI tool like Fabric Data Agent. Descriptions, naming, explicit measures, star schema: the things that decide whether a Fabric data agent generates an accurate query or a confident wrong one. I left one thing out on purpose, because it deserved its own post and because I got it wrong the first time I thought about it.

Security.

Click through for a few subtle security issues that automated agents can expose. It turns out to be a lot more challenging than you may first expect, just as Jens discovered.

Comments closed

Treating Query Store Abort Hints like a SQL Firewall

Emad Al-Mousa plays around a bit:

It’s a security mechanism designed to filter, and block unauthorized or malicious SQL query being executed against the database system before it reaches the database kernel itself. It acts as a specialized gatekeeper that ensures only “known good” queries are allowed to run. In a sense, you can compare it with WAF (web application firewall) in terms of protection mechanism.

SQL Firewall will provide protection against the following threats and attacks:

SQL Injection

Privilege Escalation

Data Exfiltration

Emad makes it very clear that this is not a viable technique, but it is also a fun enough idea that it’s worth checking out.

Comments closed

Multiple Domain Controllers and Kerberos Double-Hops

Randy Knight sorts out a problem:

We recently had a customer where Windows logins to a SQL Server Availability Group started throwing “Cannot generate SSPI context” — but only sometimes, and only for some people. The same user, on the same workstation, would fail one minute and connect the next. Applications were fine. Nothing had changed on SQL Server.

It took the better part of two days and a lot of second-guessing to run down, and the culprit turned out to be something most of us never think about: which domain controller handed out the Kerberos ticket.

Click through for the answer. Surprisingly, it has nothing to do with SPNs for once.

Comments closed

Power BI’s Row-Level Security Bitmap Changes

Phil Seamark lays out the consequences of a change:

If you have ever watched a model with row-level security run beautifully for months and then quietly fall off a cliff, this one is for you. Nothing in the model changed. You did not touch the security rules. One table just grew past a line you could not see, and every query under that role started doing a great deal more work than it used to.

That line just moved, and it moved in your favour. Here is what it is and why it sits where it does.

Click through to learn more about how Power BI handles row-level security predicate matching.

Comments closed

The Vendor-Security Researcher Relationship

Andreas Wolter shares some thoughts:

The recent public discussion around YellowKey and Microsoft’s vulnerability disclosure process has put vulnerability research, coordinated disclosure, and Microsoft’s Security Response Center (MSRC) into the spotlight.   While that specific discussion is about Windows and BitLocker, it exposes a broader problem that many researchers recognize: vulnerability disclosure is often framed as a simple responsibility of the researcher.

The idealized workflow is straightforward: find the issue, report it, wait for the vendor, and accept the outcome.

But coordinated disclosure cannot be a one-way obligation.

Andreas shares some perspective from having been a top security person on the SQL Server team. Along the way, he hits one on of my bugbears: the fact that there is no easy way to tell exactly what login X (or user X) can do on a SQL Server instance. The closest I ever got was to impersonate user X and run sys.fn_my_permissions() in the context of that user. But even that isn’t perfect.

Comments closed

Accessing Data between Private Link and Public Fabric Workspaces

Gilbert Quevauvilliers uses the private endpoint:

In this blog post I show how it is possible to access data between a Private Link Workspace, where I want to read the data from my Public Workspace.

An example of this is where I wanted to use a DirectLake Semantic Model sitting in my Public Workspace where the data is from data in my Private Link Workspace.

Click through to see how it works.

Comments closed