Reporting Services doesn't create its own user account

The report data source is configured to use integrated security and the user running the report is logged on as an administrator.

The report data source is configured to prompt for credentials and the user types his or her administrator credentials to run the report.

To mitigate the threat of an elevation of privileges attack, follow one or more of these recommended security practices:

Use least-privilege accounts to access the external data sources that provide data to a report. You can configure report data sources to always use the stored credentials of a least-privilege account.

Use shared data sources in your reports to specify dataset connection information. You can use role assignments on the shared data source to control access to the connection string and settings that define how credentials are obtained at run time.

Use role assignments to ensure that only trustworthy reports are published to a report server. Through role assignments, you can restrict report publication to specific folders, and then require administrators to inspect the RDL file (and the query) of a newly published report before moving it to a final location. There is no functionality in Reporting Services to enforce an inspection requirement prior to publication. This must become a standard operating procedure.

Disable integrated security as a report data source credential option. The use of integrated security to access external data sources poses a special concern for report users who may not know that their security token is being passed to an external data source (users are not warned in advance of running a report that the report is configured to use integrated security). In addition, users may not have the same concerns about opening a report as they would if they were opening an e-mail attachment from an unknown source. However, the security risks are the same in both scenarios. A malicious query can damage or compromise a server in the same way a malicious script that is exposed through a hyperlink or hidden in an e-mail attachment can damage or compromise a workstation.

Note that if you disable integrated security, any report data source that is currently configured to use integrated security (or configured to use integrated security after the feature is disabled) will no longer run. The error returned when running such a report is:

This data source is configured to use Microsoft Windows NT integrated security but Windows NT integrated security is disabled for this server.

To disable integrated security, you must use script or code to modify the EnableIntegratedSecurity system property.
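The following is an added example, not part of the original text: a small Python helper an administrator could run over a newly published RDL file as part of the inspection step described above. It reports how each data source is defined (flagging embedded ones set to integrated security) and collects every dataset query for review; the sample RDL, server name and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample RDL, trimmed to the elements a reviewer needs (an assumption, not from the page).
SAMPLE_RDL = """<Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2005/01/reportdefinition">
  <DataSources>
    <DataSource Name="Sales"><ConnectionProperties>
      <ConnectString>Data Source=db01;Initial Catalog=Sales</ConnectString>
      <IntegratedSecurity>true</IntegratedSecurity>
    </ConnectionProperties></DataSource>
    <DataSource Name="Shared">
      <DataSourceReference>/Data Sources/ReadOnlySales</DataSourceReference>
    </DataSource>
  </DataSources>
  <DataSets><DataSet Name="Orders"><Query>
    <DataSourceName>Sales</DataSourceName>
    <CommandText>SELECT OrderID, Total FROM dbo.Orders</CommandText>
  </Query></DataSet></DataSets>
</Report>"""

def local(tag):
    """Drop the XML namespace so the check works across RDL schema versions."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first descendant with the given local name, or None."""
    for e in elem.iter():
        if local(e.tag) == name:
            return (e.text or "").strip()
    return None

def review_rdl(rdl_xml):
    """Return ({data source: kind}, [(dataset, data source, query)]) for manual review."""
    root = ET.fromstring(rdl_xml)
    sources, queries = {}, []
    for e in root.iter():
        if local(e.tag) == "DataSource":
            if child_text(e, "DataSourceReference") is not None:
                sources[e.get("Name")] = "shared"        # governed by role assignments
            elif (child_text(e, "IntegratedSecurity") or "").lower() == "true":
                sources[e.get("Name")] = "integrated"    # runs with the viewer's own token
            else:
                sources[e.get("Name")] = "other"         # prompted or stored credentials
        elif local(e.tag) == "DataSet":
            queries.append((e.get("Name"), child_text(e, "DataSourceName"),
                            child_text(e, "CommandText")))
    return sources, queries

if __name__ == "__main__":
    print(review_rdl(SAMPLE_RDL))
```

A data source reported as "integrated" will stop running once EnableIntegratedSecurity is turned off, so the same output also identifies reports to reconfigure first.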
