March 30, 2009 at 10:57 pm
Comments posted to this topic are about the item Reporting Services Security
March 31, 2009 at 9:04 am
Also see: http://msdn.microsoft.com/en-us/library/ms143736.aspx
Setup provides a Server Configuration page in the Installation Wizard so that you can configure the services that are part of the current installation. The installation does not select a default service account, so you must explicitly specify the service account that you want to use. It is recommended that you use a least-privilege domain user account with network connection permissions. If possible, specify an account that is used exclusively by the report server so that you can audit login activity for this account.
March 31, 2009 at 11:27 am
See also: http://msdn.microsoft.com/en-us/library/ms189964.aspx
SQL Server 2008 Books Online (March 2009)
Service Account (Reporting Services Configuration)
A least privileged account obviously.
The account you specify for the Report Server service requires permission to access the registry, report server program files, and the report server database. All permissions are configured for the account automatically when you use the Reporting Services Configuration tool to set the account. If you use the service account to connect to the report server database, the tool creates a database login for the account and configures database permissions by assigning the account to the RSExecRole on the SQL Server instance that hosts the report server database. The report server database is the only data store that a report server writes to. The service account does not require permissions to any other data stores.
Use a built-in account
Select Network Service, Local System, or Local Service from the list. Only Network Service is recommended; however, you can configure the account to use any account that is available.
Network Service is a built-in least-privilege account that has network logon permissions. This account is recommended if you do not have a domain user account available or if you want to avoid any service disruptions that might occur as a result of password expiration policies.
December 7, 2010 at 7:31 am
Nice question, and explanation.
But: although the correct answer genuinely IS teh correct answer, the BoL reference given doesn't support it: that reference says "There is no single best approach for choosing an account type." and talks about the trade-off of having to register the service with the user account if you have network security, effectively suggesting that there are reasons why using the network account might be a better option (perhaps it would be if there were no other services on this server running under the network account, so that's not as silly as it sounds) - so in my view it would have been better to refer to http://msdn.microsoft.com/en-us/library/ms189964.aspx which is about the specific topic of SSRS service accounts and is much clearer in its reccomendations (in the "Choosing an account" section) and provides important information about circumstances in which there is no other useful option than a domain user account (Sharepoint integrated mode, constrained delegation).
Tom
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply