Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3336 | DM0901-SQLServer9 | SV-23958r1_rule | DCBP-1 | Medium |
Description |
---|
SQL Mail accepts incoming database commands via email. This can introduce malicious code or viruses into the SQL Server environment. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-04-03 |
Check Text ( C-22809r1_chk ) |
---|
Determine the SQL Server edition. From the query prompt: `SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition'))`. If the value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), this check is Not Applicable. From the SQL Server Management Studio GUI: 1. Right-click SQL Server Agent. 2. Select Properties. 3. Select Alert System. If the box next to "Enable mail profile" is checked, documentation for this function should exist with the IAO in the System Security Plan and AIS Functional Architecture documentation. If this function is not documented, this is a Finding. |
Fix Text (F-14799r1_fix) |
---|
Document SQL Server Agent email alert configurations in the System Security Plan, regardless of authorization or use. Where email notification is not required and authorized for use, disable it for SQL Server Agent. |