July 14, 2011 at 1:37 pm
Hello,
I am doing some security testing and getting some unexpected results. Perhaps I am not understanding the security model properly...
I create a user called TestUser. I add this user to the group TestGroup.
Under my admin account I browse to Report Manager. I see 3 folders: Data Sources, Folder1, and Folder2.
Still under my account I review the folder security. Folder1 shows the group TestGroup added as browser. Folder2 does not have the group TestGroup added. Folder2 has NT AUTHORITY\Authenticated Users and some other groups that TestUser is not a part of.
I log in as TestUser. I still see Folder2 and can run the report in it as well.
Isn't this unexpected behavior?
July 15, 2011 at 2:04 pm
Chances are that you are still getting access because TestUser is getting permissions through the system group NT AUTHORITY\Authenticated Users (this group basically includes everyone that logs on). Log back in with the administrator account and try removing the Authenticated Users group from the permission list for Folder2 and the underlying report, and see if you still have access with TestUser. I am pretty sure Authenticated Users gets added to all folders and reports by default, so to tighten up security you will have to manually adjust this or create a script to go through each item and remove that group.
Good luck,
Steve
July 18, 2011 at 12:58 pm
Thank you for your response. I removed the Authenticated Users group from the permission list for Folder2, and now when logging in as TestUser I don't even see Folder2.
I had previously added Authenticated Users to rectify this error:
User 'MYDOMAIN\TestUser' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
Now Authenticated Users is only in my root folder. I believe this is the correct configuration, since TestUser can now access Folder1 but not Folder2.
July 18, 2011 at 1:28 pm
Sounds correct. If the user does not have permissions to the root either through the Authenticated Users group or another group (like TestGroup), you would get the error you mentioned above. So if you wanted to further lock down the Report Server you could remove Authenticated Users from root in favor of a more restrictive group or groups, but then management becomes more complicated. It depends what you are trying to do. Good luck.
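Added example (not code from the thread or either poster): the audit-and-cleanup script Steve suggests above, which walks the catalog and strips NT AUTHORITY\Authenticated Users from every item that carries its own explicit policy, leaving the root grant in place as in the final configuration described in this thread. It uses the ReportService2010.asmx SOAP endpoint (SSRS 2008 R2 or later) via New-WebServiceProxy; the server host name, the parameter names and the choice to skip inheriting items are assumptions of this example, and it must run under an account holding the Content Manager or System Administrator role.

```powershell
<#
Added example, not part of the original thread. Reports, and with -Apply
removes, an explicit policy entry for $Principal on every item below
$RootPath. Items whose policies are inherited are left untouched, because
calling SetPolicies on them would break inheritance and pin a copy of the
parent's list onto the item. The root itself is excluded so users keep the
Browser grant they need to open Report Manager at all.
Assumed: endpoint URL/host name, and that the caller can manage security.
#>
param(
    [string]$Endpoint  = "http://reportserver/ReportServer/ReportService2010.asmx?wsdl",  # assumed host
    [string]$RootPath  = "/",
    [string]$Principal = "NT AUTHORITY\Authenticated Users",
    [switch]$Apply     # without -Apply nothing is changed, only reported
)

# Proxy types are generated into the SSRS namespace, so policies are SSRS.Policy objects.
$rs = New-WebServiceProxy -Uri $Endpoint -UseDefaultCredential -Namespace "SSRS"

# Recursive listing of folders, reports, data sources, etc. under the root.
$items = $rs.ListChildren($RootPath, $true) | Where-Object { $_.Path -ne $RootPath }

foreach ($item in $items) {
    $inherits = $false
    # GetPolicies returns the effective list; $inherits says whether it comes from the parent.
    $policies = $rs.GetPolicies($item.Path, [ref]$inherits)
    if ($inherits) { continue }                      # parent governs this item; nothing explicit here

    $match = $policies | Where-Object { $_.GroupUserName -ieq $Principal }
    if (-not $match) { continue }

    $roles = ($match.Roles | ForEach-Object { $_.Name }) -join ","
    Write-Output ("{0,-10} {1}  explicit grant to {2} as [{3}]" -f $item.TypeName, $item.Path, $Principal, $roles)

    if ($Apply) {
        $kept = [SSRS.Policy[]]@($policies | Where-Object { $_.GroupUserName -ine $Principal })
        if ($kept.Count -eq 0) {
            # An empty list would leave the item reachable only by system administrators.
            Write-Warning "Skipping $($item.Path): removing $Principal would leave no policy on the item"
            continue
        }
        $rs.SetPolicies($item.Path, $kept)
        Write-Output "  removed $Principal from $($item.Path)"
    }
}
```

Run it once without -Apply to see which folders and reports carry an explicit Authenticated Users grant (Folder2 in the thread above would show up here), then with -Apply to remove them. After the change, a test account should still reach the root (so it no longer gets the "does not have required permissions" error) but only see the folders where its own group has a role.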