Category: Security

Contained Database Users and Creating Logins

Rob Sewell does a bit of testing:

A contained user can create a Windows login as its own account, although as it cannot grant connect permissions it is then unable to connect at all.

So if your vendor application is running as a contained user and during an upgrade it tries to create a login for itself, it will succeed in the creation but then be unable to connect to the SQL Server instance and the upgrade will fail.

Click through for the context and the proof.

Securing SQL Server Backups to Azure via Managed Identity

Arun Sirpal doesn’t want to generate a SAS token:

I do believe most people know about the ability to back up your SQL Server databases to URL (from Azure VMs). If you recall you would use the storage key (ideally not) or a SAS token, from there you would create a SQL credential that is bound to the SAS token (as a secret). Lots of moving parts especially when it comes to rotation time. So now, if you are on the newer versions of SQL Server (SQL Server 2022 Cumulative Update 17) start thinking about backups via managed identities.

Click through to learn how and why.

Securing Parquet Files

Vamshidhar Morusu writes on vulnerabilities:

Although open-source Java libraries are essential for contemporary software development, they frequently introduce serious security flaws that put systems at risk. The risks are highlighted by recent examples:

  • Deep Java Library (CVE-2025-0851): Attackers can write files outside of designated directories due to a path traversal vulnerability in DJL’s archive extraction tools. Versions 0.1.0 through 0.31.0 are affected by this vulnerability, which may result in data corruption or illegal system access. Version 0.31.1 has a patch for it.
  • CVE-2022-42003, Jackson Library: Unsafe serialization/deserialization configurations in the well-known JSON parser cause a high-severity problem (CVSS 7.5) that could result in denial-of-service attacks.

These illustrations highlight how crucial it is for open-source libraries to have careful dependency management, frequent updates, and security audits. Companies should enforce stringent validation and use automated vulnerability scanning tools.

Click through for a more detailed view of a third CVE, as well as tips to protect your data.

Behind the Scenes in Developing a Cassandra Password Validator

Stefan Miklosovic walks us through a new feature in Apache Cassandra:

Here’s the problem: while users have always had the ability to create whatever password they wanted in Cassandra–from straightforward to incredibly complex and everything in between–this ultimately created a noticeable security vulnerability.

While organizations might have internal processes for generating secure passwords that adhere to their own security policies, Cassandra itself did not have the means to enforce these standards. To make the security vulnerability worse, if a password initially met internal security guidelines, users could later downgrade their password to a less secure option simply by using “ALTER ROLE” statements.

Read on to see how CEP-24 helps with this. It looks like CEP-24 will be released in Apache Cassandra 5.1.

SID Mismatches on SQL Server Logins

Chad Callihan fixes a mismatch:

Just as you can’t judge a book by its cover, you can’t judge a SQL Server login by its name.

With availability groups, you may notice a login on a primary replica and a “matching” login on the secondary replica. But just because the login is named the same on each replica doesn’t mean they’re the same to SQL Server.

Click through for the explanation and how you can fix it. The other way to fix it is to use Active Directory (or Entra ID) logins, though that’s not always in the cards.

A Required Privilege Is Not Held by the Client

Rebecca Lewis runs into a permissions error:

I received an email from a customer yesterday regarding their Replication, which began failing with this error after Windows updates were applied:

Message Replication-Replication Transaction-Log Reader Subsystem: agent servername-xxx2 failed. Executed as user: domainname\svcaccount. A required privilege is not held by the client. The step failed.

Slightly dummied, but the important content is in red.  What does that mean?  ‘A required privilege is not held by the client’… he didn’t change anything, I didn’t change anything – why is Replication suddenly failing with permissions problems?

Click through for the answer.

Locking Down a PostgreSQL Database

Thom Brown shares some advice:

As you may have heard, there are reportedly over 1,500 PostgreSQL servers that have been exploited to mine Bitcoin. And your server could be next if you haven’t taken precautions. Firstly, you need to update to the latest minor release, just so no known exploitable bugs exist on your system. But regardless of whether you update, your PostgreSQL instance could still be misconfigured in a way that would allow unwelcome visitors access, so you need to make sure you shore up your defenses. Here are some steps you should take.

Click through for some solid guidance.

Avoid Exposing PostgreSQL Port 5432 to the Internet

Christophe Pettus shares some good advice:

Sometimes, we run into a client who has port 5432 exposed to the public Internet, usually as a convenience measure to allow remote applications to access the database without having to go through an intermediate server application.

Do not do this.

This is the equivalent of exposing port 1433 on a SQL Server instance to the broader internet, and is a bad idea for many of the same reasons.

Avoid using sysadmin Accounts for Linked Servers

Denny Cherry shares sound advice:

When setting up linked servers, the selection of the accounts that are used for the linked server logins should have the lowest permissions needed to get what the users on the source side of the linked server need to do. Over time, this will mean changing the permissions of the linked server or even setting up multiple linked servers that all point to the same target server so that different applications don’t have permission to access each other’s databases over the linked server. The one thing that you never want to do is to use a login for the linked server that has sysadmin rights on the target instance, especially if that linked server is available for everyone on the server to use.

Click through to understand why.

Updates to OneLake Security

Aaron Merrill announces some upcoming changes:

This evolution of OneLake security is still in development. Over the next few months, we will be expanding OneLake security’s integration across the platform, adding even more robust capabilities, and boosting performance. Customers wishing to get an early look at these capabilities and provide feedback before the broad public preview can sign up for the early access preview. Once we’ve enabled your workspaces, these new features will show up as new capabilities within OneLake data access roles.

Click through to see what’s on the list. The original promise of a single security model covering all data in Microsoft Fabric is still quite a ways away, though this is a step in the right direction.
