| title | TRUSTWORTHY Database Property | Microsoft Docs | |
|---|---|---|
| description | Learn about the TRUSTWORTHY database property, which indicates whether the instance of SQL Server trusts the database and its contents. The default is OFF. | |
| ms.custom | ||
| ms.date | 03/14/2017 | |
| ms.prod | sql | |
| ms.prod_service | security | |
| ms.reviewer | ||
| ms.technology | security | |
| ms.topic | conceptual | |
| helpviewer_keywords |
|
|
| ms.assetid | 64b2a53d-4416-4a19-acc0-664a61b45348 | |
| author | VanMSFT | |
| ms.author | vanto |
[!INCLUDE SQL Server]
The TRUSTWORTHY database property is used to indicate whether the instance of [!INCLUDEssNoVersion] trusts the database and the contents within it. By default, this setting is OFF, but can be set to ON by using the ALTER DATABASE statement. For example, ALTER DATABASE AdventureWorks2012 SET TRUSTWORTHY ON;.
Note
To set this option, you must be a member of the sysadmin fixed server role.
This property can be used to reduce certain threats that can exist as a result of attaching a database that contains one of the following objects:
-
Malicious assemblies with an EXTERNAL_ACCESS or UNSAFE permission setting. For more information, see CLR Integration Security.
-
Malicious modules that are defined to execute as high privileged users. For more information, see EXECUTE AS Clause (Transact-SQL).
Both of these situations require a specific degree of privileges and are protected against by appropriate mechanisms when they are used in the context of a database that is already attached to an instance of [!INCLUDEssNoVersion]. However, if the database is taken offline, a user that has access to the database file can potentially attach it to an instance of [!INCLUDEssNoVersion] of his or her choice and add malicious content to the database. When databases are detached and attached in [!INCLUDEssNoVersion], certain permissions are set on the data and log files that restrict access to the database files.
Because a database that is attached to an instance of [!INCLUDEssNoVersion] cannot be immediately trusted, the database is not allowed to access resources beyond the scope of the database until the database is explicitly marked trustworthy. Therefore, if you backup or detach a database that has the TRUSTWORTHY option ON and you attach or restore the database to the same or another SQL Server instance, the TRUSTWORTHY property will be set to OFF upon attach/restore completion. Also, modules that are designed to access resources outside the database, and assemblies with either the EXTERNAL_ACCESS and UNSAFE permission setting, have additional requirements in order to run successfully.
Security Center for SQL Server Database Engine and Azure SQL Database