Sharing: Feature Restrictions in SQL Server 2019 – a warning
Solomon Rutzky posted some thoughts on the new “Feature Restrictions” in SQL Server 2019, which some have suggested might help against SQL Injection. He writes up a lot of detail about what Feature Restrictions were intended to do and how they just miss the mark. He also includes several examples of how the restrictions can be circumvented, or in some cases simply do not apply where we would want them to.
He concludes with a link to a bug report asking that the feature be removed, lest people enable it, believe their system is secured, and get breached because they did nothing else. This is well worth reading if you have to secure your SQL Servers and are moving towards SQL Server 2019.
Comments
Hi there. Just to follow up on this, “Feature Restrictions” have been disabled as of the RTM release of SQL Server 2019. The system procs and view are still there, but executing the procs returns an error. I have this documented at the end of my post:
https://sqlquantumleap.com/2019/08/05/feature-restrictions-in-sql-server-2019-are-worse-than-useless-a-false-sense-of-security-and-wasted-opportunity/#update_20191028
Take care,
Solomon….