How to restrict access for BUILTIN\Administrators.

  • evgkushnir

    Old Hand

    Points: 384

    Hi everyone,

    Can you tell me how I can restrict access for the BUILTIN\Administrators group to Reporting Services 2005?

  • Glen Sidelnikov

    SSCertifiable

    Points: 6727

  • evgkushnir

    Old Hand

    Points: 384

    Thanks for the article but it's about adding rights.

    I need to restrict access for local admins to my RS.

    I dropped this group from the systems administrator role and the content managers role, but they still have access.

  • schwizla

    SSCrazy

    Points: 2668

    At the home level you can click properties and delete the BUILTIN Admins from the list. Also click on the Site Setting (top left) and the "Site Wide Settings" and remove them from the Sysadmin list there.

    HTH

  • checkai

    Hall of Fame

    Points: 3041

    We implemented this same thing. Just make sure that you're in a group that still has access to the reporting environment. We added an administrator group that was IT Reporting and then removed Built In Admins from the system.

  • Ashwani Nanda-588774

    SSC Veteran

    Points: 219

    Hi Guys,

    I have exactly the same problem and have removed Builtin admins from all the possible areas, including site-wide security settings, but I am still having issues. Any more ideas? Is it that I should be removing rights from the ReportServer database also?

    Any help is appreciated.

  • Virender Jain

    SSC Veteran

    Points: 232

    Well, I initially created another Windows login on the Report Server with all permissions, and after that I deleted Builtin/Administrator from everywhere and was able to restrict unwanted users from accessing the Report Server.

    However, they can open the reportserver link. I want to restrict that as well for unwanted users... How can I?

    Note that deleting Builtin/Administrator from SQL Server does not do anything regarding restricting access on Report Server.

  • Sodtke

    SSC Eights!

    Points: 901

    I am also having the same issue, running SQL 2005 Ent SP2.

    Here is what I've done:

    - builtin\administrators has been removed from root node of SSRS, but instead using a local server group which has "system administrator" permissions within root node of SSRS.

    - builtin\administrators has been removed from "home" node permissions of SSRS and does not have "content manager" permissions.

    - note that builtin\administrators does not appear in the site-wide settings anywhere either.

    I'm thinking this might come down to NTFS or IIS permissions, but not 100% sure. If this does come down to permissions outside of SQL, a network admin with enough knowledge would be able to go into the NTFS or IIS permissions and change, so I'm hoping this isn't the solution.

    I've read the previous link "http://www.odetocode.com/Articles/215.aspx" which does not apply in this situation, and, as mentioned, removing or disabling builtin\administrators from the actual sql server instance doesn't work either.

    Any thoughts or resolutions? We do not require the Network Admins to have permissions into our SQL systems, but everything I've tried allows the local builtin\administrators group SSRS permissions.

  • EdVassie

    SSC Guru

    Points: 60260

    I have looked at this on SSRS for SQL Server 2008, hopefully it will not be too much different for SSRS 2005.

    As other people have said, you can add another group or user to SSRS with admin rights, then delete the BUILTIN/ADMINISTRATORS login. However, SSRS is written so that anyone in the local Administrators role can grant themselves rights if they want.

    This means that if the BUILTIN/Administrators login is not present, someone with local Administrator rights cannot access anything in SSRS by virtue of their local Administrator rights, but they can re-instate the BUILTIN/Administrator login or add their own login with whatever rights they wish. After they have set up their rights, they can do what they want.

    This means you cannot block local administrators from doing things in SSRS, but you can have a site standard to say they should not access SSRS. If you get management backing for this and someone with local Administrator rights forces their way into SSRS then it becomes a company disciplinary task to deal with it.

    The SSRS 2008 Configuration Manager GUI works slightly differently. The GUI can only be run by someone with local Administrator rights, regardless of the rights local Administrators have in SSRS.

    IMHO SSRS security is a bit broken but still workable.

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • schwizla

    SSCrazy

    Points: 2668

    Hmmm, that's very interesting, EdVassie.

    Kind of defeats the purpose of removing BUILTIN\Admin from SSRS! I will have to test that in SQL 2005.

  • EdVassie

    SSC Guru

    Points: 60260

    Yes, you cannot totally block local Administrators, but you can tell by the smell if they have been around. A DBA can check if unexpected logins are present, and maybe set up some monitoring to warn of security changes.

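The check suggested in the post above (look for unexpected logins in SSRS and warn when security changes) can be run as a read-only query; this is an added example, not code from the thread. It assumes the default catalog database name `ReportServer` and its internal tables `Catalog`, `Policies`, `PolicyUserRole`, `Users` and `Roles`, which Microsoft does not document or support, and the allowlist entries are constructed placeholders.

```sql
-- Added example: list SSRS role assignments held by principals that are
-- not on an approved list. Read-only; schema names are assumptions to be
-- verified on your build before scheduling this.
USE ReportServer;

-- Constructed sample allowlist; replace with your approved groups/users.
DECLARE @Allowed TABLE (
    UserName nvarchar(260) COLLATE DATABASE_DEFAULT PRIMARY KEY
);
INSERT INTO @Allowed (UserName)
SELECT N'CONTOSO\IT Reporting' UNION ALL
SELECT N'CONTOSO\ReportReaders';

SELECT
    -- A policy with no catalog item attached is treated here as site-wide.
    CASE WHEN c.Path IS NULL THEN N'(site-wide)'
         WHEN c.Path = N''   THEN N'/'
         ELSE c.Path END                        AS Scope,
    u.UserName,
    r.RoleName,
    CASE WHEN u.UserName = N'BUILTIN\Administrators'
         THEN N'local Administrators group present'
         ELSE N'principal not in allowlist' END AS Finding
FROM dbo.PolicyUserRole AS pur
JOIN dbo.Policies AS p ON p.PolicyID = pur.PolicyID
JOIN dbo.Users    AS u ON u.UserID   = pur.UserID
JOIN dbo.Roles    AS r ON r.RoleID   = pur.RoleID
-- PolicyRoot = 1 keeps only items where security is set explicitly,
-- so inherited children do not repeat the same finding.
LEFT JOIN dbo.Catalog AS c
       ON c.PolicyID = p.PolicyID AND c.PolicyRoot = 1
WHERE u.UserName NOT IN (SELECT UserName FROM @Allowed)
ORDER BY Scope, u.UserName;
```

Any row returned is a role assignment nobody approved; running the query on a schedule and alerting when the result is not empty gives the warning of security changes described above.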

  • Sodtke

    SSC Eights!

    Points: 901

    Thanks EdVassie.

    Kind of what I feared, and yes, it seems counter-productive to have this "backdoor" when time was taken to ensure builtin\admins don't have 'sa' permissions to the core of the SQL engine.

    I may have to do other things at the NTFS level to deter access, though not 100% secure.

    Best Regards.

  • EdVassie

    SSC Guru

    Points: 60260

    The situation with NTFS restrictions is similar to what is happening in SSRS. You can deny the local Administrators from accessing your files, but you cannot prevent them adding their own access afterwards. All you can do is monitor to see if this happens. And have site standards to say that for a local Administrator to force access is a disciplinary offense.

    BTW, there is also a back door for local Administrators to get into SQL Server. If SQL Server is started in single user mode, anyone in the local Administrators group has access to SQL Server as a Sysadmin. This back door is there because a) starting SQL in single user mode is a traceable event and b) it gives you a way in if you accidentally drop your last Sysadmin login.


  • msbi.afaik

    SSC Enthusiast

    Points: 109

    Hello all, I have SSRS hosted on a different server. I used to call the report server link from my application via an aspx page. Now tell me, how can I provide access to reports from the application?

    My application is a user-role based one, but I am still able to view the link to access the reports.

    Regards,
    KarthikShanth.
