MSSQL: The Differences Between SAFE, EXTERNAL_ACCESS and UNSAFE Assembly Permissions

I found this useful security tip on

SAFE is the recommended permission setting for assemblies that perform computation and data management tasks without accessing resources outside an instance of SQL Server.

We recommend using EXTERNAL_ACCESS for assemblies that access resources outside of an instance of SQL Server. EXTERNAL_ACCESS assemblies include the reliability and scalability protections of SAFE assemblies, but from a security perspective are similar to UNSAFE assemblies. This is because code in EXTERNAL_ACCESS assemblies runs by default under the SQL Server service account and accesses external resources under that account, unless the code explicitly impersonates the caller. Therefore, permission to create EXTERNAL_ACCESS assemblies should be granted only to logins that are trusted to run code under the SQL Server service account. For more information about impersonation, see CLR Integration Security.

Specifying UNSAFE enables the code in the assembly complete freedom to perform operations in the SQL Server process space that can potentially compromise the robustness of SQL Server. UNSAFE assemblies can also potentially subvert the security system of either SQL Server or the common language runtime. UNSAFE permissions should be granted only to highly trusted assemblies. Only members of the sysadmin fixed server role can create and alter UNSAFE assemblies.

I wondered which was “worse”, EXTERNAL_ACCESS or UNSAFE and now I know.. don’t use UNSAFE unless absolutely necessary.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Security, SQL Server
4 comments on “MSSQL: The Differences Between SAFE, EXTERNAL_ACCESS and UNSAFE Assembly Permissions
  1. I never knew this. Thanks for sharing and helping us to be secure SQL

  2. Nayar says:

    Lovely article..

  3. freedygist says:

    thanks for helping

  4. freedgist says:

    thanks for sharing this…

1 Pings/Trackbacks for "MSSQL: The Differences Between SAFE, EXTERNAL_ACCESS and UNSAFE Assembly Permissions"
  1. […] Read more about safe, unsafe and external access assemblies: here. […]

Leave a Reply

Your email address will not be published. Required fields are marked *