V-276311
SV-276311r1149842_rule
CAT II
Azure SQL Managed Instance must maintain a separate execution domain for each executing process.
From: Microsoft Azure SQL Managed Instance Security Technical Implementation Guide (V1R1)
Description
<VulnDiscussion>Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space.
Each process has a distinct address space so that communication between processes is controlled through the security functions, and one process cannot modify the executing code of another process.
Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
Review the server documentation to determine whether use of CLR assemblies is required.
To determine if CLR is enabled, execute the following command:
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'clr enabled'
If "value_in_use" is a "1", review the system documentation to determine whether the use of CLR code is approved. If it is not approved, this is a finding.
Fix Text
Disable use of or remove any CLR code that is not authorized.
To disable the use of CLR, from the query prompt:
EXEC SP_CONFIGURE 'clr enabled', 0;
RECONFIGURE WITH OVERRIDE;
CCI Reference
CCI-002530- Created
- 2026-04-07 20:08:22
- Last Updated
- 2026-04-07 20:08:22