
SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are required and enabled.


Overview

Finding ID: V-3335
Version: DM0900-SQLServer9
Rule ID: SV-23880r1_rule
IA Controls: DCFA-1
Severity: Medium
Description
The SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are used by database applications to provide email messages to and from the database. This capability may easily be abused to send malicious messages to remote users or systems. Disabling its use helps to protect the database from generating or receiving malicious email notifications.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-22712r1_chk )
Determine the SQL Server Edition:

From the query prompt:

SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition'))

If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), this check is Not Applicable.

From the query prompt:

SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'sql mail xps'

If the value of Config_Value is 0, this is Not a Finding.

If the value of Config_Value is 1, confirm in the System Security Plan that email message traffic is required by the database applications. If it is not documented as required, this is a Finding.

From the query prompt:

SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'database mail xps'

If the value of Config_Value is 0, this is Not a Finding.

If the value of Config_Value is 1, confirm in the System Security Plan that email message traffic is required by the database applications. If it is not documented as required, this is a Finding.
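The three queries above can be combined into a single pass that applies the edition rule and reports a status for both mail options. The script below is an added example, not part of the STIG text; it assumes the caller can read sys.configurations (sysadmin or VIEW SERVER STATE) and additionally compares the configured value with value_in_use, so a change that was made without RECONFIGURE shows up as a discrepancy rather than a clean result.

```sql
-- Added example (not part of the STIG): evaluate V-3335 for both mail options in one query.
-- Assumption: the login can read master.sys.configurations (sysadmin or VIEW SERVER STATE).
-- SQL Server 2005 syntax: DECLARE and SET are kept separate on purpose.
DECLARE @edition INT;
SET @edition = CONVERT(INT, SERVERPROPERTY('EngineEdition'));

SELECT
    c.name,
    CAST(c.value AS INT)        AS Config_Value,   -- configured value, what the STIG check reads
    CAST(c.value_in_use AS INT) AS Running_Value,  -- value the running instance actually uses
    CASE
        -- 1 = Personal/Desktop, 4 = Express: the check does not apply
        WHEN @edition IN (1, 4)
            THEN 'Not Applicable (EngineEdition ' + CAST(@edition AS VARCHAR(2)) + ')'
        -- disabled both in the catalog and at runtime
        WHEN CAST(c.value AS INT) = 0 AND CAST(c.value_in_use AS INT) = 0
            THEN 'Not a Finding'
        -- set to 0 but RECONFIGURE has not been run, so the XPs are still active
        WHEN CAST(c.value AS INT) = 0
            THEN 'Review: disabled in config but still in use; RECONFIGURE pending'
        -- enabled: a Finding unless the System Security Plan documents the requirement
        ELSE 'Finding unless documented as required in the System Security Plan'
    END AS Status
FROM master.sys.configurations AS c
WHERE c.name IN ('SQL Mail XPs', 'Database Mail XPs')
ORDER BY c.name;
```

One row is returned per option; the Status column maps directly onto the Not Applicable / Not a Finding / Finding outcomes described in the check text.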
Fix Text (F-19732r1_fix)
Ensure you properly document SQL Mail, SQL Mail XPs and Database Mail XPs configurations regardless of authorization or use in the System Security Plan.

If not approved by the IAO and authorized for use, disable SQL Mail, SQL Mail XPs and Database Mail XPs.

From the query prompt:

EXEC SP_CONFIGURE 'show advanced options', 1
RECONFIGURE   -- required first: 'SQL Mail XPs' is an advanced option and is not visible to sp_configure until this takes effect
EXEC SP_CONFIGURE 'SQL Mail XPs', 0
RECONFIGURE

From the query prompt:

EXEC SP_CONFIGURE 'show advanced options', 1
RECONFIGURE   -- required first: 'Database Mail XPs' is an advanced option and is not visible to sp_configure until this takes effect
EXEC SP_CONFIGURE 'Database Mail XPs', 0
RECONFIGURE