Category: Security

Transparent Column Encryption in PostgreSQL

Vibhor Kumar releases an extension:

This extension provides transparent column-level encryption using custom PostgreSQL datatypes so developers can read and write encrypted columns without changing their SQL queries.

And perhaps the most human part of this project is this:

The idea for this project started back in 2016.

It stayed with me for years as one of those engineering ideas that never quite leaves your mind — the thought that PostgreSQL itself could enforce encryption at the column level.

The diagram does look a bit like what you’d see for SQL Server’s Transparent Data Encryption, though the internal mechanics are a good bit different.

Certificate Validation in Power BI Report Server

Deepthi Goguri notes a change:

When trying to connect to a SQL database within Power BI Desktop January 2026, I met with a certificate chain trust error when trying to connect to the SQL database using the database DNS name. Below is the error:

Microsoft SQL: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 – The certificate chain was issued by an authority that is not trusted.)

The workaround for this is a bit weird, but Deepthi provides a solid explanation.

Making Row-Level Security Faster

Brent Ozar speeds up some operations:

The official Azure SQL Dev’s Corner blog recently wrote about how to enable soft deletes in Azure SQL using row-level security, and it’s a nice, clean, short tutorial. I like posts like that because the feature is pretty cool and accomplishes a real business goal. It’s always tough deciding where to draw the line on how much to include in a blog post, so I forgive them for not including one vital caveat with this feature.

Click through for that caveat, as well as how you can mitigate its performance impact.

Major Security Update for SQL Server

Rebecca Lewis digs into an important patch:

Yesterday was Patch Tuesday, and this month we’ve got a good one. CVE-2026-21262 was already publicly disclosed before Microsoft shipped the fix – and it lets an authenticated SQL Server user escalate straight to sysadmin. SQL Server 2016 through 2025, Windows and Linux. No physical access required. No user interaction required. Just a valid login and a network path to your instance. Go patch!

If you’re a SQL Server DBA or consultant and you’re reading this before patching, stop reading and go patch.

Read on for more information about the vulnerability and how to make sure you’re on the latest CU or GDR for SQL Server.

Also, the fact that there are fixes going back to 2016 doesn’t mean that 2014 and earlier are fine. It just means that Microsoft is serious about not patching versions 10+ years out of date.

Dynamic Data Masking Isn’t Security

John Sterrett provides a reminder:

SQL Server Dynamic Data Masking (DDM) is one of those SQL Server features that is commonly misused as a primary security feature used in production. Since it landed in SQL Server 2016, I’ve seen teams throw it at compliance requirements and call it a day, only to find out later that their “masked” data was completely readable by anyone willing to spend 20 minutes in SSMS.

Let me show you some data masking limitations in SQL Server when used for security, and what you should be doing instead (or alongside it) if you’re serious about Zero Trust data security.

I think John is a bit kinder to the value of Dynamic Data Masking than I am. Even so, this article shows several major problems it brings to the fore.

Kerberos Error: It’s Always SPNs

Mike Lynn shares a story:

We were setting up a brand-new SQL Server 2022 instance and couldn’t connect remotely using valid Windows credentials. Every attempt gave us the same error: “Login is from an untrusted domain and cannot be used with Windows authentication.” The client only has one domain. Permissions and firewalls checked out. Local connections with domain accounts worked fine. So why was the server rejecting us from every remote machine, no matter how we connected? The answer turned out to be a change in Windows Server 2025 that more and more DBAs are going to run into.

My advice for every DBA is as follows: make sure you have at least a rudimentary understanding of SPNs, including what they are, what can go wrong when they aren’t set correctly, what “set correctly” even means, and how to set them. You don’t need to be an expert on Kerberos, but I think you do need to be a technician who can note a specific error code and troubleshoot the issue from there.

If you ever had to deal with SSRS or SSIS double-hop issues, you’ve likely already dealt with SPNs in some fashion. Just bite the bullet and spend a few hours boning up on the topic.

Linked Servers in SQL Server 2025 and Strict TLS

Rebecca Lewis notes a common failure point:

If you upgrade to SQL Server 2025 and your linked servers stop working, you are not alone. This is the single most common post-upgrade failure I am seeing right now, and it hits almost every environment that has linked servers configured from an older version. SQLNCLI is gone. The replacement driver has different defaults. Your connections will fail unless you explicitly tell them how to encrypt.

Read on for the correct solution, the mostly-correct solution, and the solution that a lot of people will take but will probably burn them in a few years.

Tips on a Post-NTLM Future

Rebecca Lewis wants to save you later heartache:

‘Informational message’ and ‘Further action is only required if Kerberos authentication is required’… For years, we could ignore this, but not anymore. Microsoft published a three-phase roadmap on January 28, 2026 to disable NTLM by default in upcoming Windows releases — and phase one is already live. That ‘informational message’ is about to become an action-item.

In most environments I audit, somewhere between 40 and 60 percent of Windows Authentication connections to SQL Server are running on NTLM — and nobody knew until we looked. If you have not checked yours, now is the time.

Read on to learn how you can check this, the kinds of problems that can prevent Kerberos authentication, and how you can fix them.

Farewell, Purview Access Policies

Andreas Wolter gives us the behind-the-scenes view of things:

SQL Server 2025 was released at the end of last year. While most attention has gone to new features, this release also discontinued several existing ones—a notable first in recent SQL Server versions.

The full list is available here: Discontinued services and deprecated features

One item deserves particular attention: Purview access policies.

Read on to learn the intent behind this, the struggle that led to using Purview instead of Azure RBAC, and why there isn’t a solid alternative currently available.

Interoperability and OneLake Security

Aaron Merrill introduces a new whitepaper:

In our whitepaper, The future of data security is interoperability, we make the case for a different data foundation: interoperable security that’s defined once and enforced everywhere your data is used. Using OneLake security as the lens, it walks through the core concepts and architectural choices behind centralized policy definition with distributed, engine-level enforcement, and explores how fine-grained access controls and enterprise governance fit into a multi-engine world.

Click through for Aaron’s summary and check out the link for the whitepaper itself, in PDF format.
