Sharing: Feature Restrictions in SQL Server 2019 – a warning

Solomon Rutzky posted some thoughts on the new “Feature Restrictions” in SQL Server 2019, which some have said might help with SQL Injection. He details what Feature Restrictions were intended to do and how they miss the mark, and includes several examples of how the restrictions can be circumvented or, in some cases, are simply not applied the way we’d like.

Feature Restrictions in SQL Server 2019 are Worse Than Useless: a False Sense of Security And Wasted Opportunity

He concludes with a link to a bug report asking that the feature be removed, lest people use it, think their system is secured, and get hacked because they didn’t do anything else. This is well worth reading if you have to secure your SQL servers and are moving towards SQL Server 2019.

Comments
  1. Solomon Rutzky

    Hi there. Just to follow up on this, “Feature Restrictions” have been disabled as of the RTM release of SQL Server 2019. The system procs and view are still there, but executing the procs returns an error. I have this documented at the end of my post:

    https://sqlquantumleap.com/2019/08/05/feature-restrictions-in-sql-server-2019-are-worse-than-useless-a-false-sense-of-security-and-wasted-opportunity/#update_20191028

    Take care,
    Solomon….
