6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies

Information

Setting CLR Assembly Permission Sets to SAFE_ACCESS will prevent assemblies from accessing external system resources such as files, the network, environment variables, or the registry.

Rationale:

Assemblies with EXTERNAL_ACCESS or UNSAFE permission sets can be used to access sensitive areas of the operating system, steal and/or transmit data and alter the state and other protection measures of the underlying Windows Operating System.

Assemblies which are Microsoft-created (is_user_defined = 0) are excluded from this check as they are required for overall system functionality.

Solution

ALTER ASSEMBLY <assembly_name> WITH PERMISSION_SET = SAFE;

Impact:

The remediation measure should first be tested within a test environment prior to production to ensure the assembly still functions as designed with SAFE permission setting.

Default Value:

SAFE permission set

References:

http://msdn.microsoft.com/en-us/library/ms345101(v=sql.110).aspx

http://msdn.microsoft.com/en-us/library/ms189790(v=sql.110).aspx

http://msdn.microsoft.com/en-us/library/ms186711(v=sql.110).aspx

See Also

https://workbench.cisecurity.org/files/2837

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|18, CSCv7|5.1

Plugin: MS_SQLDB

Control ID: 02e97bd206f1b858cfaaf0054a4a81c059795664d6d8ffc3212da021901212e2