Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Reporting Services Security Expand / Collapse
Author
Message
Posted Monday, March 30, 2009 10:57 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Today @ 3:06 PM
Points: 33,169, Visits: 15,304
Comments posted to this topic are about the item Reporting Services Security






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #686726
Posted Tuesday, March 31, 2009 9:04 AM
SSC-Addicted

SSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-Addicted

Group: General Forum Members
Last Login: Yesterday @ 1:35 PM
Points: 413, Visits: 399
Also see: http://msdn.microsoft.com/en-us/library/ms143736.aspx

Setup provides a Server Configuration page in the Installation Wizard so that you can configure the services that are part of the current installation. The installation does not select a default service account, so you must explicitly specify the service account that you want to use. It is recommended that you use a least-privilege domain user account with network connection permissions. If possible, specify an account that is used exclusively by the report server so that you can audit login activity for this account.

Post #687134
Posted Tuesday, March 31, 2009 11:27 AM
SSChasing Mays

SSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing Mays

Group: General Forum Members
Last Login: Monday, December 27, 2010 6:55 AM
Points: 636, Visits: 67
See also: http://msdn.microsoft.com/en-us/library/ms189964.aspx

SQL Server 2008 Books Online (March 2009)
Service Account (Reporting Services Configuration)

A least privileged account obviously.

The account you specify for the Report Server service requires permission to access the registry, report server program files, and the report server database. All permissions are configured for the account automatically when you use the Reporting Services Configuration tool to set the account. If you use the service account to connect to the report server database, the tool creates a database login for the account and configures database permissions by assigning the account to the RSExecRole on the SQL Server instance that hosts the report server database. The report server database is the only data store that a report server writes to. The service account does not require permissions to any other data stores.

Use a built-in account

Select Network Service, Local System, or Local Service from the list. Only Network Service is recommended; however, you can configure the account to use any account that is available.

Network Service is a built-in least-privilege account that has network logon permissions. This account is recommended if you do not have a domain user account available or if you want to avoid any service disruptions that might occur as a result of password expiration policies.
Post #687271
Posted Tuesday, December 7, 2010 7:31 AM


SSCrazy Eights

SSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy Eights

Group: General Forum Members
Last Login: Today @ 4:54 PM
Points: 8,689, Visits: 9,223
Nice question, and explanation.

But: although the correct answer genuinely IS teh correct answer, the BoL reference given doesn't support it: that reference says "There is no single best approach for choosing an account type." and talks about the trade-off of having to register the service with the user account if you have network security, effectively suggesting that there are reasons why using the network account might be a better option (perhaps it would be if there were no other services on this server running under the network account, so that's not as silly as it sounds) - so in my view it would have been better to refer to http://msdn.microsoft.com/en-us/library/ms189964.aspx which is about the specific topic of SSRS service accounts and is much clearer in its reccomendations (in the "Choosing an account" section) and provides important information about circumstances in which there is no other useful option than a domain user account (Sharepoint integrated mode, constrained delegation).


Tom
Post #1031209
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse