October 23, 2008 at 6:20 am
Hi everyone,
Can u tell me how can I restrict access for BUILTIN\Administrators group to Reporting Services 2005.
October 23, 2008 at 6:41 am
October 24, 2008 at 1:41 am
Thanks for the article but it's about adding rights.
I need to restrict access for local admins to my RS.
I drop this group from systems administrator role and content managers role but they still have access.
October 30, 2008 at 11:58 am
At the home level you can click properties and delete the BUILTIN Admins from the list. Also click on the Site Setting (top left) and the "Site Wide Settings" and remove them from the Sysadmin list there.
HTH
November 5, 2008 at 6:07 pm
We implemented this same thing. Just make sure that you're in a group that still has access to the reporting environment. We added an administrator group that was IT Reporting and then removed Built In Admins from the system.
November 14, 2008 at 7:29 am
Hi Guys,
I've exactly same problem and have removed Builtin admins from all the possible areas including site wide security settings but still having issues. Any more ideas. Is it that I should be removing rights from the ReportServer database also?
Any help is appreciated.
November 21, 2008 at 3:18 am
Well, I initially created other Windows Login on Report Server with all permission and after that i deleted the Builtin/Administrator from everywhere and able to restrict unwanted users to access reports Server.
However they can open the reportserver link. I want restrict that as well for unwanted users...How can I?
Note that deleting Builtin/Administratorfrom SQL Server does not do anythnig regarding restricting access on Report Server.
March 23, 2009 at 1:19 pm
I am also having the same issue, running SQL 2005 Ent SP2.
here is what I've done:
- builtin\administrators has been removed from root node of SSRS, but instead using a local server group which has "system administrator" permissions within root node of SSRS.
- builtin\administrators has been removed from "home" node permissions of SSRS and does not have "content manager" permisssions.
- note that builtin\administrators does not appear in the site-wide settings anywhere either.
I'm thinking this might come down to NTFS or IIS permissions, but not 100% sure. If this does come down to permissions outside of SQL, a network admin with enough knowledge would be able to go into the NTFS or IIS permissions and change, so I'm hoping this isn't the solution.
I've read the previous link "http://www.odetocode.com/Articles/215.aspx" which does not apply in this situation, and, as mentioned, removing or disabling builtin\administrators from the actual sql server instance doesn't work either.
Any thoughts or resolutions? We do not require the Network Admins to have permissions into our SQL systems, but everything I've tried allows the local builtin\administrators group SSRS permissions.
March 24, 2009 at 4:24 am
I have looked at this on SSRS for SQL Server 2008, hopefully it will not be too much different for SSRS 2005.
As other people have said, you can add another group or user to SSRS with admin rights, then delete the BUILTIN/ADMINISTRATORS login. However, SSRS is written so that anyone in the local Administrators role can grant themselves rights if they want.
This means that if the BUILTIN/Administrators login is not present, someone with local Administror rights cannot access anything in SSRS by virture of their local Administrator rights, but they can re-instate the BUILTIN/Administrator login or add their own login with whatever rights they wish. After they have set up their rights, they can do what they want.
This means you cannot block local administrators from doing things in SSRS, but you can have a site standard to say they should not access SSRS. If you get management backing for this and someone with local Administrator rights forces their way into SSRS then it becomes a company disiplinary task to deal with it.
The SSRS 2008 Configuration Manager GUI woks slightly differently. The GUI can only be run by someone with local Administrator rights, regardless of the rights local Administrators have in SSRS.
IMHO SSRS security is a bit broken but still workable.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
March 24, 2009 at 4:30 am
hmmm thats very intersting EdVassie
kind of defeats the purpose of removing BUILTIN\Admin from SSRS! I will have to test that in SQL 2005
March 24, 2009 at 4:37 am
Yes, you cannot totally block local Administrators, but you can tell by the smell if they have been around. A DBA can check if unexpected logins are present, and maybe set up some monitoring to warn of security changes.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
March 24, 2009 at 5:26 am
Thanks EdVassie.
Kind of what I feared, and yes, it seems counter-productive to have this "backdoor" when time was taken to ensure builtin\admins don't have 'sa' permissions to the core of the SQL engine.
I may have to do other things at the NTFS level to deter access, though not 100% secure.
Best Regards.
March 24, 2009 at 5:55 am
The situation with NTFS restrictions is similar to what is happening in SSRS. You can deny the local Administrators from accessing your files, but you cannot prevent them adding their own access afterwards. All you can do is monitor to see if this happens. And have site standards to say that for a local Administrators to force access is a disiplinary offense.
BTW, there is also a back door for local Administrators to get into SQL Server. If SQL Server is started in single user mode, anyone in the local Administrators group has access to SQL Server as a Sysadmin. This back door is there because a) starting SQL in single user mode is a traceable event and b) it gives you a way in if you accidentally drop your last Sysadmin login.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
April 7, 2009 at 11:14 pm
Hello All, I have ssrs hosted in different server. i used to call the report server link from my application via aspx page. now tell me, how can i provide the access to reports from the application.
My application is though user-role based one. but still i can able to view the link to access the reports.
Regards,
KarthikShanth.
Viewing 14 posts - 1 through 13 (of 13 total)
You must be logged in to reply to this topic. Login to reply