This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 81%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDF%3C/text%3E%3C/svg%3E)
Hi all,
First time I'm facing such a question...
One of my customers wants to know what is the code access security used for CLR Integration on the SQL Server(s) in a SCOM 2016 deployment. From my reading I can see it can be SAFE, EXTERNAL_ACCESS or UNSAFE. I believe it is SAFE but how can i get a confirmation ?
Thanks in advance for any help.
Best regards,
Hi anonymous user,
What SQL Server version are you running?
CLR uses Code Access Security (CAS) in the .NET Framework, which is no longer supported as a security boundary. A CLR assembly created with PERMISSION_SET = SAFE may be able to access external system resources, call unmanaged code, and acquire sysadmin privileges.
Beginning with SQL Server 2017 (14.x), an sp_configure option called clr strict security is introduced to enhance the security of CLR assemblies. clr strict security is enabled by default, and treats SAFE and EXTERNAL_ACCESS assemblies as if they were marked UNSAFE. The clr strict security option can be disabled for backward compatibility, but this is not recommended. Microsoft recommends that all assemblies be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database.
----------
(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
Best regards,
Leon
Hi,
They are using SQL 2016
Do they have the patch mentioned below installed that adds the CLR strict security" feature to SQL Server?
https://support.microsoft.com/en-us/help/4018930/kb4018930-update-adds-the-clr-strict-security-feature-to-sql-server
I will ask them, but is it possible to know if the actual permission set for SCOM is SAFE ?
The assembly permission is not specifically set for SCOM, rather to everything. As far as I know you cannot check it specifically for SCOM.
so this is totally on the SQL server side right ? What I would like to know is for SCOM to work is there a specific permissions to set or it can be any of the 3 options ?
Yes it's on the SQL side, SCOM should work with all by default. There might be cases like Stoyan mentioned in which you have to go ant trust some internal assemblies separately.
Hi anonymous user,
it grants the SAFE permissions to the clr assemblies, but this also depends on the SQL settings (clr strict security). I had the case some days ago, that I had to trust some of the internal SCOM assemblies to get it going. Exactly as described here:
so I had to trust them, using the code fragment, shared by the user in the forums:
USE master;
GO
DECLARE @clrName1 nvarchar(4000) = 'Microsoft.EnterpriseManagement.Sql.DataAccessLayer'
DECLARE @hash1 varbinary(64) = 0xEC312664052DE020D0F9631110AFB4DCDF14F477293E1C5DE8C42D3265F543C92FCF8BC1648FC28E9A0731B3E491BCF1D4A8EB838ED9F0B24AE19057BDDBF6EC;
EXEC sys.sp_add_trusted_assembly @hash = @hash1,
@description = @clrName1;
DECLARE @clrName2 nvarchar(4000) = 'Microsoft.EnterpriseManagement.Sql.UserDefinedDataType'
DECLARE @hash2 varbinary(64) = 0xFAC2A8ECA2BE6AD46FBB6EDFB53321240F4D98D199A5A28B4EB3BAD412BEC849B99018D9207CEA045D186CF67B8D06507EA33BFBF9A7A132DC0BB1D756F4F491;
EXEC sys.sp_add_trusted_assembly @hash = @hash2,
@description = @clrName2;
USE OperationsManager;
GO
SELECT * FROM sys.assemblies
SELECT * FROM sys.trusted_assemblies
I hope I was able to help you!
----------
(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
Regards,
Stoyan
Thank you for your answers gentlemen