2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0'

Information

The clr enabled option specifies whether user assemblies can be run by SQL Server.

Rationale:

Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies.

Solution

Run the following T-SQL command:

EXECUTE sp_configure 'clr enabled', 0;
RECONFIGURE;

Impact:

If CLR assemblies are in use, applications may need to be rearchitected to eliminate their usage before disabling this setting. Alternatively, some organizations may allow this setting to be enabled 1 for assemblies created with the SAFE permission set, but disallow assemblies created with the riskier UNSAFE and EXTERNAL_ACCESS permission sets. To find user-created assemblies, run the following query in all databases, replacing <database_name> with each database name:

USE [<database_name>]

GO

SELECT name AS Assembly_Name, permission_set_desc

FROM sys.assemblies

WHERE is_user_defined = 1;

GO

Default Value:

By default, this option is disabled.

References:

https://docs.microsoft.com/en-us/sql/t-sql/statements/create-assembly-transact-sql

See Also

https://workbench.cisecurity.org/files/2834

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv6|9.1, CSCv7|18.11

Plugin: MS_SQLDB

Control ID: a50dd58ed3c2fcaf67fc87b8f8fcde887a16ab7d5c894c0d890b54167300c6fa