2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0'

Information

The clr enabled option specifies whether user assemblies can be run by SQL Server.

Rationale:

Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies.

Impact:

If CLR assemblies are in use, applications may need to be rearchitected to eliminate their usage before disabling this setting. Alternatively, some organizations may allow this setting to be enabled 1 for assemblies created with the SAFE permission set, but disallow assemblies created with the riskier UNSAFE and EXTERNAL_ACCESS permission sets. To find user-created assemblies, run the following query in all databases, replacing <database_name> with each database name:

USE [<database_name>]

GO

SELECT name AS Assembly_Name, permission_set_desc

FROM sys.assemblies

WHERE is_user_defined = 1;

GO

Solution

Run the following T-SQL command:

EXECUTE sp_configure 'clr enabled', 0;
RECONFIGURE;

Default Value:

By default, this option is disabled (0).

See Also

https://workbench.cisecurity.org/files/3308