Securing Reporting Services

Security in Reporting Services is provided by ASP.NET security, Microsoft Internet Information Services (IIS) security, Microsoft Windows security, and a built-in role-based authorization model. The following security systems help to ensure that only authorized users have access to a Reporting Services deployment:

  • ASP.NET security provides application-level security for the report server and Report Manager. You can lock down both the server and Report Manager using best practices for ASP.NET security.
  • IIS security controls access to the report server virtual directory (the SOAP endpoints of the report server) and Report Manager. IIS also authenticates user connections to a report server instance. Reporting Services configures the report server virtual directories to use Windows security by default. For more information, see Configuring Authentication for Reporting Services.
  • Authorization is provided through a role-based security model that is specific to Reporting Services. All user connections to a report server must be made within the context of a role assignment that maps a user account to a role that describes the operations that a user can perform. For more information about role-based access, see Managing Permissions and Security for Reporting Services and Creating, Modifying, and Deleting Role Assignments.
  • Secure Sockets Layer (SSL) is strongly recommended for production servers and Internet-facing report servers. You can specify SSL connection levels for report server virtual directories through the Reporting Services Configuration tool or by modifying the configuration settings. For more information about the connection levels, see Using Secure Web Service Methods and Configuring a Report Server for Secure Sockets Layer (SSL) Connections.

Under certain circumstances, using integrated security introduces an elevation-of-privileges security threat. For more information about the threat and mitigation strategies, see Integrated Security and Elevated Permissions.

See Also

Concepts

Connections and Accounts in a Reporting Services Deployment
Configuring Service Accounts and Passwords in Reporting Services
Administering Reporting Services
Setting Data Source Properties in Reporting Services
Specifying Credential and Connection Information
Managing Permissions and Security for Reporting Services

Other Resources

Deploying Reporting Services

Help and Information

Getting SQL Server 2005 Assistance