2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0'

Information

The clr enabled option specifies whether user assemblies can be run by SQL Server.

Rationale:

Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies.

Impact:

If CLR assemblies are in use, applications may need to be rearchitected to eliminate their usage before disabling this setting. Alternatively, some organizations may allow this setting to be enabled 1 for assemblies created with the SAFE permission set, but disallow assemblies created with the riskier UNSAFE and EXTERNAL_ACCESS permission sets. To find user-created assemblies, run the following query in all databases, replacing <database_name> with each database name:

USE [<database_name>]

GO

SELECT name AS Assembly_Name, permission_set_desc

FROM sys.assemblies

WHERE is_user_defined = 1;

GO

Solution

For AWS RDS Instances, please refer to the documentation for using Parameter Groups here:
Working with parameter groups
Run the following T-SQL command:

EXECUTE sp_configure 'clr enabled', 0;
RECONFIGURE;

Default Value:

By default, this option is disabled (0).

See Also

https://workbench.cisecurity.org/benchmarks/7201

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|18.11

Plugin: MS_SQLDB

Control ID: 4fa147b879cf76c4427c878d9135340fd42ee41f66663b3f4f8e6cb5b83be68c