August 26, 2016 at 2:43 pm
The current server that holds the ReportServer database is Windows Server 2012 R2 running SQL server 2012 (11.0.6020) and ReportServer TempDB call it Server A.
The new VM server call it Server B. We are virtualizing a server to run report services. After creating the VM and loading only report services I went into Reporting Services Configuration Manager but was forced to use a domain account that had sysadmin rights in Server A in the database Credential.
To me this seems like overkill permissions for a report server accessing the databases on another server. All the articles that I could find from Microsoft (and google) said to use an account with sysadmin permissions.
Is this true that the service account and credentialing account have to have sysadmin rights? This seems like a potential back door hack on my reporting server to get to an account that now has unlimited access to my entire instance?:w00t:
Any help in trying to plug this security hole would be appreciated.
I either need an explanation to cover security questions or what is the least amount of permissions I can give an account?
Thanks,
August 26, 2016 at 9:53 pm
Afraid I do not understand your concerns. Can you provide some references? Perhaps start with references from https://msdn.microsoft.com/en-us/library/bb522824(v=sql.110).aspx and its cross-references, and perhaps best to quote sentences which are leading you to your conclusions. I believe an SSRS System Administrator does not need to be (and probably should not be) a member of SQL Server's sysadmin role, and, and an SSRS System Administrator does not need to be (and probably should not be) a local administrator in Windows. Setting up SSRS has different requirements.
August 29, 2016 at 8:17 am
It doesnt need sysadmin, but you do need to give the account you setup in SSRS configuration manager access to the virtual directory for the web service calls that SSRS 2012 makes. If you plan on using the ReportServer default site then you will also need to give this account file system access that holds the web.configuration file for that site.
August 29, 2016 at 8:32 am
Thank you for the suggestion. I will try looking into giving permission to the web directory and see if that resolves the issue. Unfortunately, that is not how we would like to set up reporting services. The ideal was to have a sql account that had no domain account access that would only be able to go from report services to the single database for reports.
Now I have to add another security issue by using a domain account, get permissions to a directory, and deal with another auditing issue.
Thank you Microsoft for again (not) helping with security!:-P
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply