Händelser
31 mars 23 - 2 apr. 23
Det största utbildningsevenemanget för SQL, Fabric och Power BI. 31 mars – 2 april. Använd koden FABINSIDER för att spara 400 USD.
Anmäl dig i dagServer configuration: clr strict security
Applies to: 
SQL Server
Controls the interpretation of the SAFE, EXTERNAL_ACCESS, or UNSAFE permission in SQL Server. For more information about these permissions, see Designing assemblies.
| Value | Description |
|---|---|
0 |
Disabled. Provided for backward compatibility. Setting this value to 0 isn't recommended. |
1 |
Enabled. Causes the Database Engine to ignore the PERMISSION_SET information on the assemblies, and always interpret them as UNSAFE. In SQL Server 2017 (14.x) and later versions, 1 is the default value. |
CLR uses Code Access Security (CAS) in the .NET Framework, which is no longer supported as a security boundary. A CLR assembly created with PERMISSION_SET = SAFE might be able to access external system resources, call unmanaged code, and acquire sysadmin privileges. In SQL Server 2017 (14.x) and later versions, clr strict security treats SAFE and EXTERNAL_ACCESS assemblies as if they're marked UNSAFE.
We recommend that you sign all assemblies by a certificate or asymmetric key, with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. SQL Server administrators can also add assemblies to a list of assemblies, which the Database Engine should trust. For more information, see sys.sp_add_trusted_assembly.
When enabled, the PERMISSION_SET option in the CREATE ASSEMBLY and ALTER ASSEMBLY statements is ignored at run-time, but the PERMISSION_SET options are preserved in metadata. Ignoring this option minimizes breaking existing code statements.
CLR strict security is an advanced option.
After you enable strict security, any assemblies that aren't signed fail to load. You must either alter or drop and recreate each assembly so that it's signed with a certificate or asymmetric key that has a corresponding login with the UNSAFE ASSEMBLY permission on the server.
Requires CONTROL SERVER permission, or membership in the sysadmin fixed server role.
The following permissions required to create a CLR assembly when CLR strict security is enabled:
The user must have the
CREATE ASSEMBLYpermissionOne of the following conditions must also be true:
The assembly is signed with a certificate or asymmetric key that has a corresponding login with the
UNSAFE ASSEMBLYpermission on the server. Signing the assembly is recommended.The database has the
TRUSTWORTHYproperty set toON, and the database is owned by a login that has theUNSAFE ASSEMBLYpermission on the server. This option isn't recommended.
The following example first displays the current setting of the clr strict security option, and then sets the option value to 1 (enabled).
SQL
EXEC sp_configure 'clr strict security';
GO
EXEC sp_configure 'clr strict security' , '1';
RECONFIGURE;
GO
Ytterligare resurser
Utbildning
Utbildningsväg
Implementera en säker miljö för en databastjänst - Training
Implementera en säker miljö för en databastjänst
Dokumentation
-
Fel när du kör CLR-objekt eller skapar sammansättning - SQL Server
Den här artikeln hjälper dig att lösa två olika problem som uppstår när du arbetar med CLR-objekt på en databas som har flyttats från en annan instans av SQL Server.
-
Åtkomstsäkerhet för CLR-integreringskod - SQL Server
För SQL Server CLR-integrering stöder CLR kodåtkomstsäkerhet för hanterad kod, där behörigheter beviljas till sammansättningar baserat på kodidentitet.
-
Aktivera CLR-integrering - SQL Server
Microsoft SQL Server som är värd för CLR kallas CLR-integrering, vilket är inaktiverat som standard. Använd den sp_configure lagrade proceduren för att aktivera CLR-integrering.