Category: Security

SID Mismatches on SQL Server Logins

Chad Callihan fixes a mismatch:

Just as you can’t judge a book by its cover, you can’t judge a SQL Server login by its name.

With availability groups, you may notice a login on a primary replica and a “matching” login on the secondary replica. But just because the login is named the same on each replica doesn’t mean they’re the same to SQL Server.

Click through for the explanation and how you can fix it. The other way to fix it is to use Active Directory (or Entra ID) logins, though that’s not always in the cards.
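As an added illustration (not code from Chad Callihan's post), the T-SQL below shows how a practitioner can spot the mismatch the post describes and repair it: list the SQL-authenticated logins with their SIDs on each replica, find database users in the availability-group database whose SID matches no login on the current replica, and recreate the login on the secondary with the primary's SID. The login name, password and SID value are placeholders.

```sql
-- Added example; the login name, password and SID are placeholders.
-- Step 1: run on each replica and compare the sid column across replicas.
-- Same name with a different SID means a different principal to SQL Server.
SELECT name, sid, type_desc, is_disabled
FROM sys.server_principals
WHERE type = 'S'                 -- SQL-authenticated logins only
  AND name NOT LIKE '##%'        -- skip the internal certificate-backed logins
ORDER BY name;

-- Step 2: inside an AG database on the secondary, list users whose SID has
-- no matching login on this replica (these are orphaned after a failover).
SELECT dp.name AS orphaned_user, dp.sid
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type = 'S'
  AND dp.authentication_type = 1 -- login-mapped (instance) users, not contained users
  AND dp.principal_id > 4        -- skip dbo, guest and the other built-ins
  AND sp.sid IS NULL;

-- Step 3: recreate the secondary's login with the SID copied from the primary,
-- so name and SID agree on both replicas and the database user is no longer orphaned.
DROP LOGIN [app_login];
CREATE LOGIN [app_login]
    WITH PASSWORD = N'<placeholder-password>',
         SID = 0x0123456789ABCDEF0123456789ABCDEF; -- placeholder; use the primary's value
```

Run step 1 on both replicas before changing anything; the SID you pass to CREATE LOGIN must be the value reported by the primary, and the login's server-level permissions on the secondary still have to be granted separately, because they are not part of the SID.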

A Required Privilege Is Not Held by the Client

Rebecca Lewis runs into a permissions error:

I received an email from a customer yesterday regarding their Replication, which began failing with this error after Windows updates were applied:

Message Replication-Replication Transaction-Log Reader Subsystem: agent servername-xxx2 failed. Executed as user: domainname\svcaccount. A required privilege is not held by the client. The step failed.

Slightly dummied, but the important content is in red. What does that mean? ‘A required privilege is not held by the client’… he didn’t change anything, I didn’t change anything – why is Replication suddenly failing with permissions problems?

Click through for the answer.

Locking Down a PostgreSQL Database

Thom Brown shares some advice:

As you may have heard, there are reportedly over 1,500 PostgreSQL servers that have been exploited to mine Bitcoin. And your server could be next if you haven’t taken precautions. Firstly, you need to update to the latest minor release, just so no known exploitable bugs exist on your system. But regardless of whether you update, your PostgreSQL instance could still be misconfigured in a way that would allow unwelcome visitors access, so you need to make sure you shore up your defenses. Here are some steps you should take.

Click through for some solid guidance.

Avoid Exposing PostgreSQL Port 5432 to the Internet

Christophe Pettus shares some good advice:

Sometimes, we run into a client who has port 5432 exposed to the public Internet, usually as a convenience measure to allow remote applications to access the database without having to go through an intermediate server application.

Do not do this.

This is the equivalent of exposing port 1433 on a SQL Server instance to the broader internet, and is a bad idea for many of the same reasons.

Updates to OneLake Security

Aaron Merrill announces some upcoming changes:

This evolution of OneLake security is still in development. Over the next few months, we will be expanding OneLake security’s integration across the platform, adding even more robust capabilities, and boosting performance. Customers wishing to get an early look at these capabilities and provide feedback before the broad public preview can sign up for the early access preview. Once we’ve enabled your workspaces, these new features will show up as new capabilities within OneLake data access roles.

Click through to see what’s on the list. The original promise of a single security model covering all data in Microsoft Fabric is still quite a ways away, though this is a step in the right direction.

Avoid using sysadmin Accounts for Linked Servers

Denny Cherry shares sound advice:

When setting up linked servers, the selection of the accounts that are used for the linked server logins should have the lowest permissions needed to get what the users on the source side of the linked server need to do. Over time, this will mean changing the permissions of the linked server or even setting up multiple linked servers that all point to the same target server so that different applications don’t have permission to access each other’s databases over the linked server. The one thing that you never want to do is to use a login for the linked server that has sysadmin rights on the target instance, especially if that linked server is available for everyone on the server to use.

Click through to understand why.

CIS Benchmarks for PostgreSQL

Elizabeth Christensen reviews some security guidance:

The Center for Internet Security (CIS) releases security benchmarks to cover a wide variety of infrastructure used in modern applications, including databases, operating systems, cloud services, containerized services, and even networking. Since 2016 Crunchy Data has collaborated with CIS to provide this security resource for those deploying Postgres. The output of this collaboration is a checklist for folks to follow and improve the security posture of Postgres deployments.

The PostgreSQL CIS Benchmark™ for PostgreSQL 17 was just recently released.

Click through for more information on the CIS, as well as a link to the benchmark PDF and some tips around it.

Digital Signatures on SQL Server Stored Procedures

Rick Dobson signs a procedure:

This tip introduces the basics of digital signatures based on self-signed certificates for selected T-SQL objects (stored procedures, functions, and triggers) with T-SQL samples. Learn how to detect what happens to a digital signature when a stored procedure is accidentally altered by a database administrator or intentionally modified by a bad actor.

Click through for the process.
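To make the detection point concrete, here is an added T-SQL walkthrough (not Rick Dobson's own sample code): create a self-signed certificate, sign a demo procedure with it, confirm the signature is recorded in sys.crypt_properties, then alter the procedure and observe that the signature is gone. The certificate name, password and the dbo.GetOrders procedure are assumptions for the demo.

```sql
-- Added example; certificate name, password and procedure are placeholders.
-- 1. A self-signed certificate to sign with (keep the private key password out of scripts in practice).
CREATE CERTIFICATE SigningCert
    ENCRYPTION BY PASSWORD = N'<placeholder-password>'
    WITH SUBJECT = 'Code signing for dbo.GetOrders';
GO

-- 2. A trivial procedure to sign.
CREATE PROCEDURE dbo.GetOrders
AS
    SELECT 1 AS OrderId;
GO

-- 3. Sign the procedure with the certificate.
ADD SIGNATURE TO dbo.GetOrders
    BY CERTIFICATE SigningCert WITH PASSWORD = N'<placeholder-password>';
GO

-- 4. Verification query: one row means the module carries a signature from SigningCert.
SELECT OBJECT_NAME(cp.major_id) AS object_name,
       c.name                    AS certificate_name,
       cp.crypt_type_desc
FROM sys.crypt_properties AS cp
JOIN sys.certificates     AS c ON c.thumbprint = cp.thumbprint
WHERE cp.major_id = OBJECT_ID('dbo.GetOrders');
GO

-- 5. Any ALTER of the module drops its signature, whether by accident or on purpose.
ALTER PROCEDURE dbo.GetOrders
AS
    SELECT 2 AS OrderId;
GO

-- 6. Re-run the verification query: it now returns no rows for dbo.GetOrders.
SELECT OBJECT_NAME(cp.major_id) AS object_name,
       c.name                    AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates     AS c ON c.thumbprint = cp.thumbprint
WHERE cp.major_id = OBJECT_ID('dbo.GetOrders');
GO
```

Scheduling the verification query (or a version that lists every signed module and compares it against a known list) is a simple way to turn the signature into an integrity check: a module that should be signed but no longer appears in sys.crypt_properties has been altered since it was signed.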

Using the Entra ID PowerShell Module

Patrick Gruenauer checks out a new module:

The new PowerShell Entra ID Module is a powerful tool designed to streamline the management and automation of Microsoft Entra resources. This module is part of the Microsoft Graph PowerShell SDK and offers a range of functionalities to enhance administrative tasks.

One of the key benefits of the Microsoft Entra PowerShell module is its focus on usability. Unlike MS Graph, the module is more user-friendly to operate. Let’s dive in.

Click through for a demonstration of what you can do with it.

Object-Level Security in Power BI Desktop

Nikola Ilic locks things down:

You’ve heard about the Object-level security feature in Power BI, but you’ve also heard that you CAN’T configure it directly from the Power BI Desktop? And, that you must use an external tool, such as Tabular Editor, to configure and manage OLS.

Well, this is not the case anymore! With the new TMDL view in Power BI Desktop, you can define Object-level security directly in the Power BI Desktop.

Read on for a tutorial on what it takes to implement object-level security.
