September 30, 2004 at 4:30 pm
My company is in the process of implementing a data-warehouse in order to improve reporting capabilities.
Basically, I'm wondering if anyone is aware of any holes in SQL security, specifically in areas surrounding DTS and Reporting Services. Are there any issues with the ASPNET account used by SQL-RS that I should be aware of? Are there specific sproc permissions that should be revoked in order to better secure the data?
Any suggestions, however significant, would be appreciated. Thanks.
Here are some details about my server config:
- The Reporting Services Components (Report Manager, ReportingServices db) both reside locally on the same machine as the data warehouse.
- ETL will be handled either via DTS packages or SPROCS pulling data from (remote) Oracle transactional DBs.
- SQL-2000 instance sits behind a firewall, with no exposure to the internet. Additionally, the instance has been configured to listen on a non-standard port, not known to users outside the IT organization.
- Authentication has been set to Windows-only.
- "Built-in" NTAUTHORITY\Admin account(s) have been removed. SA privs have been assigned to a domain user-group.
- Additionally, SQLMail has been granted SA authority, in order to have full functionality in DTS Packages (create, truncate tables, etc.)
- LOCAL\ASPNET account exists (was created as part of SQL-RS installation) for connections from SQL-RS web service and the Report Manager DB.
Regards,
jeremy
October 4, 2004 at 8:00 am
This was removed by the editor as SPAM
October 4, 2004 at 11:24 pm
Check on these sites which will give you some ideas on securing DTS packages:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dtssql/dts_pkgmng_sec_09dl.asp
https://www.appsecinc.com/Policy/PolicyCheck2644.html
I hope these articles will help you.
October 4, 2004 at 11:51 pm
More information on how to set up and secure Reporting Services can be found on Microsoft's site:
Reporting Services Technical Resources
You'll probably be most interested in the whitepapers at the bottom of the page.
As far as securing DTS packages, here is another link to look at:
INF: Managing Permissions for DTS Packages in an Enterprise Environment (282463)
K. Brian Kelley
@kbriankelley
October 5, 2004 at 2:13 pm
Thanks for the replies. I'll take a look at the links provided and let you know if I have further questions.
jeremy