SQL Server 2025 Security Modernization: What DBAs Need to Know

Leave a Comment / Articles, Operations, Scripts / By
SQL Server 2025 Security Modernization: What DBAs Need to Know – SQLYARD
Leave a Comment / Articles, DBA Checklist, Scripts / By SQLYARD

SQL Server 2025 Security Modernization: What DBAs Need to Know

By David Yard · SQLYARD.com · April 2026 · Estimated read: 20–25 min
Table of Contents
  1. Security Changes at a Glance
  2. TDS 8.0 and TLS 1.3: Encryption by Default
  3. PBKDF2 Password Hashing
  4. Login-Specific Security Cache Invalidation
  5. Modern Authentication with Microsoft Entra
  6. Managed Identity for Outbound Connections
  7. Zero Trust Principles in Practice
  8. Finer-Grained Access Control
  9. Auditing, Monitoring, and Compliance
  10. Breaking Changes to Plan For
  11. Hands-On Workshop: Modern Security from Beginner to Advanced
  12. Security Baseline Checklist
  13. References

Security has always been a core strength of SQL Server, but SQL Server 2025 makes a meaningful shift — not just adding features, but changing defaults. For the first time, encryption is enforced from the first byte of every connection. Password hashing meets NIST standards. Managed identities replace stored credentials for Azure-connected workloads. These are not optional hardening steps you apply after deployment — they are the new baseline.

This article walks through exactly what changed, why it matters, the breaking changes DBAs need to plan for, and a hands-on workshop covering beginner through advanced implementation.

Security Changes at a Glance

TDS 8.0 + TLS 1.3

Encryption enforced from the first packet — no negotiation phase. Applies to all connections including replication, Always On, linked servers, and log shipping.

PBKDF2 Password Hashing

SQL login passwords hashed with PBKDF2/SHA-512 at 100,000 iterations — up from a single-pass SHA-512 hash. Meets NIST SP 800-63b. Brute-force attacks are orders of magnitude slower.

Login-Specific Cache Invalidation

Permission changes now invalidate only the affected login’s cache — not the entire server-wide cache. On servers with 20,000+ connections, this eliminates CPU spikes during routine user provisioning.

Microsoft Entra Managed Identity

Arc-connected SQL Server 2025 instances authenticate to Azure Storage, Key Vault, and Fabric using managed identities — no passwords or secrets stored anywhere.

RSA OAEP Padding

Certificates and asymmetric keys can now use OAEP (Optimal Asymmetric Encryption Padding), strengthening encryption for key-based operations.

Expanded Audit Actions

New audit action groups for REST calls, AI function invocations, and vector operations. Support for cold and archived audit logs.

TDS 8.0 and TLS 1.3: Encryption by Default New in 2025

Previous versions of SQL Server negotiated encryption after the initial connection setup — the TDS prelogin phase was optionally encrypted depending on client and server settings. TDS 8.0 changes the model entirely.

TCP Handshake TLS 1.3 Handshake Encrypted from this point — no negotiation phase TDS Prelogin (encrypted) Authentication (encrypted) Data Exchange (encrypted)

TDS 8.0 applies not just to client connections but also to internal SQL Server communication paths: Always On, replication, linked servers, log shipping, and SQL Agent. All of these paths now require encryption by default.

Breaking change on upgrade: If your linked servers, replication distributors, or Always On replicas are not configured with trusted certificates, they will fail to connect after upgrading to SQL Server 2025. Ensure OLE DB Driver 19 is deployed and certificates are properly installed across your topology before upgrading. The old “Trust Server Certificate” workaround is no longer the default behavior.

PBKDF2 Password Hashing New in 2025

From SQL Server 2012 through 2022, SQL login passwords were hashed using SHA-512 with a 32-bit random salt — a single-pass hash. This was strong for its time but does not hold up well against modern GPU-accelerated offline attacks.

SQL Server 2025 replaces this with PBKDF2 (RFC2898) using SHA-512 with 100,000 iterations. The same password that took milliseconds to check now takes seconds per attempt when being brute-forced — making offline attacks against stolen hash databases orders of magnitude more expensive.

VersionAlgorithmIterationsNIST SP 800-63b
SQL Server 2012–2022SHA-512 + 32-bit salt1Non-compliant
SQL Server 2025PBKDF2/SHA-512100,000Compliant

This improvement is automatic for new passwords. Existing SQL login password hashes are not retroactively upgraded — they are upgraded to PBKDF2 the next time the password is changed. For compliance environments, this is a reason to enforce a password rotation after upgrading to SQL Server 2025.

Login-Specific Security Cache Invalidation New in 2025

SQL Server maintains a security cache that stores permission lookups for users and logins. Before SQL Server 2025, any permission change on the server triggered a global cache invalidation — every current session’s permissions were flushed and had to be re-evaluated from scratch.

On servers with high connection counts (20,000–25,000 active sessions), this caused significant CPU spikes every time a DBA added a user, changed a role, or updated permissions. SQL Server 2025 makes cache invalidation login-specific — only the affected login’s cache entries are invalidated, leaving all other sessions unaffected.

-- Verify security cache behavior -- SQL Server 2025
-- This DMV shows cached permission entries per login
SELECT
    login_name,
    COUNT(*) AS cached_permission_entries
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON s.session_id = c.session_id
WHERE s.is_user_process = 1
GROUP BY login_name
ORDER BY cached_permission_entries DESC;

Modern Authentication with Microsoft Entra

SQL Server 2025 continues the shift away from traditional SQL authentication by strengthening Microsoft Entra (formerly Azure Active Directory) integration. With Entra authentication, access to SQL Server is tied directly to corporate identity controls — MFA, device compliance, sign-in risk evaluation, and conditional access policies all apply automatically.

-- Create a Microsoft Entra login
-- Requires the instance to be Arc-connected or Azure-hosted
CREATE LOGIN [user@yourcompany.com] FROM EXTERNAL PROVIDER;

-- Verify login type
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type_desc = 'EXTERNAL_LOGIN'
ORDER BY name;

-- Create a corresponding database user
USE YourDatabase;
CREATE USER [user@yourcompany.com] FOR LOGIN [user@yourcompany.com];

When a user leaves the organization, their Entra account is disabled or deleted by HR — and access to SQL Server is automatically revoked without any DBA action. This eliminates one of the most common audit findings: active SQL logins belonging to former employees.

User / Application ↓ authenticates via Microsoft Entra ID MFA · Conditional Access · Device Compliance ↓ token issued to SQL Server 2025 Validates Entra token — no password stored in SQL Server ↓ permissions evaluated against Database Role

Managed Identity for Outbound Connections New in 2025

For SQL Server 2025 instances connected to Azure via Arc, managed identities replace stored credentials for all outbound connections to Azure services. This means SQL Server can authenticate to Azure Storage (for backups), Azure Key Vault (for encryption keys), and Microsoft Fabric (for mirroring) without any password or secret stored anywhere on the server.

-- Backup directly to Azure Blob Storage using managed identity
-- No storage account key or SAS token required
BACKUP DATABASE [YourDatabase]
TO URL = 'https://yourstorageaccount.blob.core.windows.net/backups/YourDatabase_Full.bak'
WITH COMPRESSION, CHECKSUM, STATS = 5,
     CREDENTIAL = 'ManagedIdentityCredential';

-- Verify managed identity is configured
SELECT name, type_desc
FROM sys.server_principals
WHERE type_desc = 'EXTERNAL_LOGIN'
AND name LIKE '%managed%';

Zero Trust Principles in Practice

SQL Server 2025 aligns with zero trust security — access is never implicitly trusted, even inside the network perimeter. Every connection, query, and permission evaluation is treated as potentially hostile unless explicitly verified. In practice this means:

  • No implicit trust from network location — encryption is required regardless of whether traffic is internal or external
  • Explicit authentication — Entra MFA and conditional access apply to all human logins
  • Least-privilege by design — no broad roles like sysadmin for application accounts; permissions granted explicitly through roles
  • Continuous verification — auditing and Defender for SQL provide ongoing visibility into access patterns
  • Assume breach — PBKDF2 hashing ensures that even a stolen credential database is not immediately exploitable

Finer-Grained Access Control

SQL Server 2025 makes it easier to combine role-based security, row-level security, and dynamic data masking into a cohesive access model at scale.

Role-Based Security

-- Grant permissions to roles, not directly to users
CREATE ROLE reporting_role;
GRANT SELECT ON SCHEMA::Sales TO reporting_role;
GRANT SELECT ON SCHEMA::Reporting TO reporting_role;

-- Add users to roles -- permissions follow automatically
ALTER ROLE reporting_role ADD MEMBER [analyst@yourcompany.com];
ALTER ROLE reporting_role ADD MEMBER [manager@yourcompany.com];

Row-Level Security

-- Predicate function: users only see rows matching their login
CREATE FUNCTION dbo.fn_SalesRegionAccess (@RegionId INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_access
    WHERE @RegionId IN
    (
        SELECT RegionId
        FROM dbo.UserRegionMap
        WHERE UserName = USER_NAME()
    );
GO

-- Bind the security policy to the table
CREATE SECURITY POLICY SalesRegionPolicy
ADD FILTER PREDICATE dbo.fn_SalesRegionAccess(RegionId)
ON dbo.Sales
WITH (STATE = ON);
GO

-- Verify the policy is active
SELECT name, is_enabled
FROM sys.security_policies
WHERE name = 'SalesRegionPolicy';

Dynamic Data Masking

-- Mask sensitive columns for non-privileged users
ALTER TABLE dbo.Customers
ALTER COLUMN Email
ADD MASKED WITH (FUNCTION = 'email()');

ALTER TABLE dbo.Customers
ALTER COLUMN PhoneNumber
ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');

-- Grant UNMASK to privileged roles only
GRANT UNMASK TO reporting_role;

Auditing, Monitoring, and Compliance

SQL Server 2025 expands audit action groups to cover REST calls, AI function invocations, and vector operations — keeping pace with the new capabilities the engine offers. Audit logs can now be stored in cold or archived storage, reducing the cost of long-term compliance retention.

-- Create a server audit writing to the file system
CREATE SERVER AUDIT SecurityAudit
TO FILE
(
    FILEPATH          = 'C:\SQLAudit\',
    MAX_FILE_SIZE     = 100 MB,
    MAX_ROLLOVER_FILES = 20
)
WITH (ON_FAILURE = CONTINUE);
GO

ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO

-- Capture login activity (both successful and failed)
CREATE SERVER AUDIT SPECIFICATION SecurityAuditSpec
FOR SERVER AUDIT SecurityAudit
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP),
ADD (LOGOUT_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP);  -- Catch privilege escalation

ALTER SERVER AUDIT SPECIFICATION SecurityAuditSpec WITH (STATE = ON);
GO

-- Query the audit log for failed logins in the last 24 hours
SELECT
    event_time,
    action_id,
    server_principal_name,
    client_ip,
    statement
FROM sys.fn_get_audit_file('C:\SQLAudit\*', NULL, NULL)
WHERE action_id = 'LGF'  -- Failed login
AND event_time >= DATEADD(HOUR, -24, GETDATE())
ORDER BY event_time DESC;

Breaking Changes to Plan For

These are the security changes in SQL Server 2025 most likely to break existing configurations during upgrade. Address them before deploying in production.

Breaking ChangeImpactResolution
TDS 8.0 default encryptionLinked servers, replication, Always On replicas using self-signed certs or no cert will fail to connectDeploy OLE DB Driver 19, install trusted certificates on all nodes before upgrading
System.Data.SqlClient deprecatedSSIS packages, PowerShell scripts, and custom monitoring tools using the old provider will failMigrate to Microsoft.Data.SqlClient; update connection strings to include Encrypt=True
Default Encrypt=TrueApplications not specifying encryption settings will now require a trusted certificateAdd TrustServerCertificate=True temporarily, then replace with proper certificates
RSA OAEP paddingExisting certificates using PKCS#1 padding may behave differentlyTest certificate operations in non-production before upgrading

Hands-On Workshop: Modern Security from Beginner to Advanced

Beginner: Identify and Migrate Legacy SQL Logins

1
Beginner

Identify Existing Authentication Types

Before changing anything, understand what you have. SQL_LOGIN entries are the modernization targets.

-- Identify all SQL logins and external (Entra) logins
SELECT
    name,
    type_desc,
    is_disabled,
    create_date,
    modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'E')  -- SQL login, Windows login, External login
ORDER BY type_desc, name;

-- Find SQL logins that are NOT disabled -- active legacy auth
SELECT name, create_date
FROM sys.server_principals
WHERE type = 'S'       -- SQL authentication
AND is_disabled = 0
AND name NOT IN ('sa', '##MS_PolicyEventProcessingLogin##',
                 '##MS_PolicyTsqlExecutionLogin##')
ORDER BY name;
2
Beginner

Create a Microsoft Entra Login

-- Create Entra login (requires Arc-connected instance or Azure hosting)
CREATE LOGIN [analyst@yourcompany.com] FROM EXTERNAL PROVIDER;

-- Create corresponding database user
USE SecurityLab;
CREATE USER [analyst@yourcompany.com] FOR LOGIN [analyst@yourcompany.com];

-- Assign to role -- never grant permissions directly to users
ALTER ROLE db_datareader ADD MEMBER [analyst@yourcompany.com];

-- Verify the user's role membership
SELECT dp.name AS user_name, rp.name AS role_name
FROM sys.database_role_members drm
JOIN sys.database_principals dp ON dp.principal_id = drm.member_principal_id
JOIN sys.database_principals rp ON rp.principal_id = drm.role_principal_id
WHERE dp.name = 'analyst@yourcompany.com';

Intermediate: Least Privilege with Roles and Row-Level Security

3
Intermediate

Replace Direct Permissions with Roles

-- Create purpose-specific roles
CREATE ROLE role_sales_read;
CREATE ROLE role_sales_write;
CREATE ROLE role_reporting;

-- Grant at schema level -- all objects in the schema inherit
GRANT SELECT                  ON SCHEMA::Sales     TO role_sales_read;
GRANT SELECT, INSERT, UPDATE  ON SCHEMA::Sales     TO role_sales_write;
GRANT SELECT                  ON SCHEMA::Reporting TO role_reporting;

-- Add users to roles
ALTER ROLE role_sales_read  ADD MEMBER [analyst@yourcompany.com];
ALTER ROLE role_sales_write ADD MEMBER [salesapp@yourcompany.com];

-- Verify no direct permissions exist on sensitive tables
SELECT
    dp.name      AS principal_name,
    dp.type_desc AS principal_type,
    o.name       AS object_name,
    p.permission_name,
    p.state_desc
FROM sys.database_permissions p
JOIN sys.database_principals  dp ON dp.principal_id = p.grantee_principal_id
JOIN sys.objects               o  ON o.object_id    = p.major_id
WHERE dp.type NOT IN ('R')  -- Exclude roles themselves
AND p.class = 1             -- Object-level permissions
ORDER BY principal_name, object_name;
4
Intermediate

Apply Row-Level Security

-- Create a user-to-region mapping table
CREATE TABLE dbo.UserRegionMap
(
    UserName NVARCHAR(128) NOT NULL,
    RegionId INT           NOT NULL,
    CONSTRAINT PK_UserRegionMap PRIMARY KEY (UserName, RegionId)
);

-- Populate with initial mappings
INSERT dbo.UserRegionMap VALUES
    ('analyst@yourcompany.com', 1),
    ('analyst@yourcompany.com', 2);

-- Create the filter predicate
CREATE FUNCTION dbo.fn_SalesAccess (@RegionId INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_access
    WHERE @RegionId IN
    (
        SELECT RegionId FROM dbo.UserRegionMap
        WHERE UserName = USER_NAME()
    )
    OR IS_MEMBER('role_sales_write') = 1;  -- Write role sees all rows
GO

-- Apply the policy
CREATE SECURITY POLICY SalesPolicy
ADD FILTER PREDICATE dbo.fn_SalesAccess(RegionId)
ON dbo.Sales
WITH (STATE = ON);
GO

-- Test: impersonate the analyst and confirm row filtering
EXECUTE AS USER = 'analyst@yourcompany.com';
SELECT COUNT(*) AS visible_rows FROM dbo.Sales;  -- Should be subset only
REVERT;

Advanced: Zero Trust Auditing and Baseline

5
Advanced

Enable Full Auditing

-- Server audit to file system
CREATE SERVER AUDIT SecurityAudit
TO FILE
(
    FILEPATH           = 'C:\SQLAudit\',
    MAX_FILE_SIZE      = 100 MB,
    MAX_ROLLOVER_FILES = 20
)
WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO

-- Comprehensive audit specification
CREATE SERVER AUDIT SPECIFICATION SecurityAuditSpec
FOR SERVER AUDIT SecurityAudit
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP),
ADD (LOGOUT_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP);

ALTER SERVER AUDIT SPECIFICATION SecurityAuditSpec WITH (STATE = ON);
GO

-- Query for suspicious patterns: multiple failed logins
SELECT
    server_principal_name,
    client_ip,
    COUNT(*) AS failed_attempts,
    MIN(event_time) AS first_attempt,
    MAX(event_time) AS last_attempt
FROM sys.fn_get_audit_file('C:\SQLAudit\*', NULL, NULL)
WHERE action_id  = 'LGF'
AND event_time >= DATEADD(HOUR, -1, GETDATE())
GROUP BY server_principal_name, client_ip
HAVING COUNT(*) >= 5
ORDER BY failed_attempts DESC;
6
Advanced

Verify TDS 8.0 Encryption and Connection Security

-- Confirm all connections are encrypted
SELECT
    session_id,
    encrypt_option,
    auth_scheme,
    net_transport,
    client_net_address
FROM sys.dm_exec_connections
WHERE session_id > 50  -- Skip system sessions
ORDER BY encrypt_option;

-- Any row showing encrypt_option = 'FALSE' is a compliance risk
-- On SQL Server 2025 with TDS 8.0, all rows should show TRUE

-- Check which authentication methods are in use
SELECT
    auth_scheme,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections
WHERE session_id > 50
GROUP BY auth_scheme
ORDER BY connection_count DESC;

Security Baseline Checklist

Use this checklist as a repeatable standard for every SQL Server 2025 production deployment:

  • Microsoft Entra authentication required for all human access — no SQL logins without documented exception and business justification
  • All SQL logins in use reviewed — disable any that are unused or belong to former employees
  • No sysadmin or db_owner for application service accounts
  • All permissions granted through roles at schema level — no direct object-level grants to individual users
  • Row-level security applied to all tables containing customer or sensitive data
  • TDS 8.0 verified — all active connections show encrypt_option = TRUE
  • Linked server and replication configurations tested with new encryption defaults before production upgrade
  • System.Data.SqlClient inventory completed — all affected scripts and SSIS packages migrated to Microsoft.Data.SqlClient
  • Server audit enabled and capturing at minimum: failed logins, successful logins, role membership changes
  • Defender for SQL enabled for threat detection if licensed
  • Managed identity configured for all Azure-connected workloads via Arc — no static credentials in configuration files
  • Quarterly access review process documented and scheduled

SQL Server 2025 security modernization is less about one-time configuration and more about alignment — alignment with modern identity systems, zero trust models, and the way organizations actually manage access today. The defaults have shifted significantly. A fresh SQL Server 2025 installation is more secure out of the box than any previous version. The work is making sure your existing estate catches up to the new standard.

References

SQLYARD.com  ·  Articles, DBA Checklist, Scripts  ·  SQL Server 2025

Discover more from SQLYARD

Subscribe to get the latest posts sent to your email.

Related Posts

Leave a Reply

Contact us
Contact us

Discover more from SQLYARD

Subscribe now to keep reading and get access to the full archive.

Continue reading