Sharing: Feature Restrictions in SQL Server 2019 – a warning

Solomon Rutzky posted some thoughts on the new “Feature Restrictions” in SQL Server 2019, which some have said might help with SQL Injection. He writes up a lot of details about what Feature Restrictions were intended to do and how they just miss the mark. He includes several examples as well on how this can be circumvented or in some cases just not applied the way we’d like.

Feature Restrictions in SQL Server 2019 are Worse Than Useless: a False Sense of Security And Wasted Opportunity

He concludes with a link to a bug report asking that this be removed lest people use it, think their system is secured, and are hacked because they didn’t do anything else.  This is well worth reading if you have to secure your SQL servers and are moving towards SQL Server 2019.

  1. Solomon Rutzky

    Hi there. Just to follow up on this, “Feature Restrictions” have been disabled as of the RTM release of SQL Server 2019. The system procs and view are still there, but executing the procs returns an error. I have this documented at the end of my post:

    Take care,

Leave a Reply

Your email address will not be published. Required fields are marked *