Question about Notifications (SQL Server 2000)

  • Hi, I am looking for some advice really. I have just started working with SQL servers but I have a question about email notifications with backups.

    At the moment we have a SQL server job that once it completes a backup it emails through Outlook 2003 (set up using "Notifications"). The job used to have an extra step in the job which would send the email, however people kept on changing the maintenance plans on the database which would wipe out the step. This is why the server now sends it through an Outlook mailbox (all this was set up before I was there). Now the Information Security Officer is all worried that Outlook is installed on the server as it needs ports opening, it's extra work patching the server and he said it's another Microsoft product that could hang the server.

    Now I am not too sure where to go with this, do we carry on using Outlook (is the security risk really that bad?) or go back to the extra step in the job? I know the internal procedures within this company are not the best at the moment and people tend to do things without thinking about the consequences.... (hence why they had the issues before - and to be honest I can see it happening again).

    Could anyone out there give me some advice?

  • >> Could anyone out there give me some advice?

    Yeah.  Keep your resume updated.

    Seriously (although that is not bad advice), I understand the security officer's position on the server configuration.  Ideally you would not have anything on a server that isn't needed for the server.  This would include help files, BOL, any "readers" like Adobe, etc., and yes, it would include Outlook... although I think Outlook Express is part of a default installation - depending on what OS you are using.  At least it is not "configured" and there is no "profile" by default.

    Different businesses, different industries, have different security requirements.  My current client customer is concerned with "DITSCAP" requirements - and the current interpretation of that is that SQLMail and xp_cmdshell are both violations.  From my reading, they are not; but they are areas to be especially concerned with.

    If I was in your shoes I would attempt to make a business case for a solution, and try to present that with "reason" to management.  If they won't go for it, suggest alternatives, and if they won't accept the alternatives, disable notification.  We don't have notification here - which is partially why I was hired as a consultant... because things were not working, and nobody knew

     

    Thank-you,
    David Russell
    Any Cloud, Any Database, Oracle since 1982

  • Tom,

    I have a doubt!! I understood that you are using SQL Mail [i.e. MAPI profile] to send mail now. How were you sending mail from a job step? It must be either using xp_sendmail [that is again using MAPI] or using SMTP? In both cases you are using some mail provider and you need to use them, and SQL Server is not a mail server.

    If your organization is not happy with MAPI, you can use SMTP and use the box as a loopback SMTP to minimize the threat. You need to use a stored procedure then.

    But personally I think using MAPI is secured enough. You may need to take it up with security for an exception. If it is an issue with your entire environment and all the boxes, try to get approval for at least one SMTP only and start using that SMTP for all the mails.

    Please let me know if you need any more help on this.

    Regards

    Utsab Chattopadhyay
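
An added example, not part of any post in this thread: one way to build the "SMTP through a stored procedure" option mentioned above on SQL Server 2000, using the CDOSYS COM object through the OLE Automation procedures so that no Outlook or MAPI profile is needed on the server. The procedure name, the sender address and the assumption that an SMTP service is listening on 127.0.0.1 port 25 are illustrative.

```sql
-- Added example for SQL Server 2000; names, addresses and relay are assumptions.
CREATE PROCEDURE dbo.usp_SendBackupMail          -- hypothetical name
    @To      varchar(255),
    @Subject varchar(255),
    @Body    varchar(4000)
AS
SET NOCOUNT ON
DECLARE @msg int, @hr int, @src varchar(255), @desc varchar(500)

-- Create the CDOSYS message object (no Outlook, no MAPI profile).
EXEC @hr = sp_OACreate 'CDO.Message', @msg OUT

-- sendusing = 2: deliver to an SMTP port instead of a local pickup directory.
IF @hr = 0 EXEC @hr = sp_OASetProperty @msg,
    'Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing").Value', '2'
-- Loopback relay: assumes an SMTP service on this box bound to 127.0.0.1:25.
IF @hr = 0 EXEC @hr = sp_OASetProperty @msg,
    'Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver").Value', '127.0.0.1'
IF @hr = 0 EXEC @hr = sp_OAMethod @msg, 'Configuration.Fields.Update', NULL

-- Sender is fixed here so callers cannot choose an arbitrary From address.
IF @hr = 0 EXEC @hr = sp_OASetProperty @msg, 'From', 'sqlbackup@example.com'  -- placeholder
IF @hr = 0 EXEC @hr = sp_OASetProperty @msg, 'To', @To
IF @hr = 0 EXEC @hr = sp_OASetProperty @msg, 'Subject', @Subject
IF @hr = 0 EXEC @hr = sp_OASetProperty @msg, 'TextBody', @Body
IF @hr = 0 EXEC @hr = sp_OAMethod @msg, 'Send', NULL

IF @hr <> 0
BEGIN
    -- Surface the COM error to the caller instead of failing silently.
    EXEC sp_OAGetErrorInfo @msg, @src OUT, @desc OUT
    IF @msg IS NOT NULL EXEC sp_OADestroy @msg
    RAISERROR('Backup mail failed: %s (%s)', 16, 1, @desc, @src)
    RETURN 1
END

EXEC sp_OADestroy @msg
RETURN 0
GO

-- Example call from a job step (recipient is a placeholder):
-- EXEC dbo.usp_SendBackupMail 'dba@example.com', 'Backup complete', 'Nightly backup finished.'
```

In SQL Server 2000 the `sp_OA*` procedures can be executed only by members of the sysadmin role, so this design swaps the Outlook install for a dependency on OLE Automation and a local SMTP relay; restricting that relay to connections from 127.0.0.1 keeps it from accepting mail from other hosts.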
