Set CLR Assemblies Permission To Safe Access

Description

Microsoft SQL Server can host CLR runtime assemblies (typically C# modules). Use CLR assemblies with care.

There are three permission buckets available:

  • SAFE - only minimal access is allowed. Code executed by an assembly with SAFE permissions cannot access external system resources such as files, the network, environment variables, or the registry. This is the recommended setting.

  • EXTERNAL_ACCESS - assemblies have the additional ability to access external system resources such as files, networks, environment variables, and the registry. If the assembly is not very robustly written, these additional capabilities can result in a security breach.

  • UNSAFE - unsafe assemblies can do all of the above and can also call into unmanaged code, which is very risky.

For additional details on this setting, see CLR Integration Code Access Security.
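To check which permission set each assembly actually has on the server, the following T-SQL lists the user-defined assemblies that are not SAFE and the objects that depend on them. It is an added example, not part of the original rule or the vendor's code, and `ExampleAssembly` is a placeholder name.

```sql
-- Added example. Run in each user database that may host CLR assemblies.

-- 1. User-defined assemblies whose permission set is not SAFE.
--    sys.assemblies reports SAFE_ACCESS, EXTERNAL_ACCESS or UNSAFE_ACCESS.
SELECT
    DB_NAME()                 AS database_name,
    a.name                    AS assembly_name,
    a.permission_set_desc     AS permission_set,
    USER_NAME(a.principal_id) AS owner_name,
    a.create_date,
    a.modify_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
  AND a.permission_set_desc <> 'SAFE_ACCESS'
ORDER BY a.permission_set_desc DESC, a.name;

-- 2. Procedures, functions and triggers bound to the flagged assemblies.
--    Review these before changing a permission set: code that relies on
--    files, the network or the registry may stop working under SAFE.
SELECT
    a.name                          AS assembly_name,
    OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
    OBJECT_NAME(m.object_id)        AS object_name,
    m.assembly_class,
    m.assembly_method
FROM sys.assembly_modules AS m
JOIN sys.assemblies AS a
    ON a.assembly_id = m.assembly_id
WHERE a.is_user_defined = 1
  AND a.permission_set_desc <> 'SAFE_ACCESS'
ORDER BY a.name, object_name;

-- 3. Remediation for one assembly (placeholder name).
ALTER ASSEMBLY [ExampleAssembly] WITH PERMISSION_SET = SAFE;
```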

Rationale

External access or unsafe assemblies can allow a compromised database to become a launching point for attacks against the rest of the network, and/or the local system.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      sqlserver

Default Rule

const { isEmptyArray } = module
const { checkServerExtension } = module
/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if safe_access is set for every user-defined extension
 */
function validate(databaseSettings) {
    // The rule passes by default when no extension data is present
    let success = true
    if (databaseSettings.serverExtensions && databaseSettings.serverExtensions.extensions) {
        const extensionList = Object.values(databaseSettings.serverExtensions.extensions)
        // Only user-defined extensions are evaluated; each must report safe_access
        success = extensionList
            .filter(extension => extension.type === 'user-defined')
            .every(extension => extension.status === 'safe_access')
    }
    return {
        success,
    }
}

validate(databaseSettings)