SQL Server must maintain a separate execution domain for each executing process.

From MS SQL Server 2016 Instance Security Technical Implementation Guide

Associated with: CCI-002530

SV-93949r1_rule SQL Server must maintain a separate execution domain for each executing process.

Vulnerability discussion

Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.

Check content

Review the server documentation to determine whether use of CLR assemblies is required. Run the following query to determine whether CLR is enabled for the instance: SELECT name, value, value_in_use FROM sys.configurations WHERE name = 'clr enabled' If "value_in_use" is a "1" and CLR is not required, this is a finding.

Fix text

Disable CLR support in SQL Server by executing the following query: EXEC sp_configure 'clr enabled', 0 GO RECONFIGURE GO

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.