2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0'

Information

The clr enabled option specifies whether user assemblies can be run by SQL Server.

Rationale:

Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies.

Solution

Run the following T-SQL command:

EXECUTE sp_configure 'clr enabled', 0;
RECONFIGURE;

Impact:

If CLR assemblies are in use, applications may need to be rearchitected to eliminate their usage before disabling this setting. Alternatively, some organizations may allow this setting to be enabled 1 for assemblies created with the SAFE permission set, but disallow assemblies created with the riskier UNSAFE and EXTERNAL_ACCESS permission sets. To find user-created assemblies, run the following query in all databases, replacing <database_name> with each database name:

USE [<database_name>]

GO

SELECT name AS Assembly_Name, permission_set_desc

FROM sys.assemblies

WHERE is_user_defined = 1;

GO

Default Value:

By default, this option is disabled.

References:

https://docs.microsoft.com/en-us/sql/t-sql/statements/create-assembly-transact-sql

See Also

https://workbench.cisecurity.org/files/2837

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv6|18.9, CSCv7|18.11

Plugin: MS_SQLDB

Control ID: cf06ed8979583a047e0da3397fcd37f49e2452afbe49ca2a85f2d14805713e19