Security Overview for Reporting Services in Native Mode

To effectively secure a Reporting Services installation, you must evaluate your security needs from end to end, taking into account the environment in which the server is deployed, the types of reports you are hosting, user access requirements, and distribution.

Reporting Services provides an authentication subsystem and a role-based authorization model that determines access to the report server and to items that are managed by the report server. Authentication is based on Windows Authentication or a custom authentication module that you provide. Authorization is based on roles that you assign to users or groups in your organization.

All report server deployments must include authentication and authorization, but most organizations can benefit by adopting security features and technologies that are external to Reporting Services, such as firewalls, encrypted channels, and database security features.

The following list summarizes built-in and external security features that you should consider when developing a defense-in-depth strategy for securing a report server deployment:

  • Reduce surface area by turning off features you do not need.

  • Secure connections between the client and the report server by binding an SSL certificate to the report server and Report Manager virtual directories.

  • Secure transmissions from the report server to database servers by using IPsec to encrypt the channel.

  • Secure content and operations by defining and following robust authentication and authorization policies.

  • Restrict access to confidential data through database permissions, model item security, or both.

  • Understand and configure subscription features based on your needs to control report distribution.

  • Audit report server access by monitoring report server execution logs and application event logs.
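
As an added illustration of the auditing item above (not part of the original documentation), the following query summarizes who ran which reports over the last seven days and surfaces failed executions and subscription-driven deliveries. It assumes the report server catalog database uses the default name ReportServer and that the ExecutionLog3 view is available (SQL Server 2008 R2 or later); the seven-day window is an arbitrary choice.

```sql
-- Added example: per-user, per-report access summary from the execution log.
-- Assumptions: catalog database is named ReportServer (the default) and the
-- dbo.ExecutionLog3 view exists (SQL Server 2008 R2 or later).
USE ReportServer;

DECLARE @since datetime = DATEADD(day, -7, GETDATE());  -- review window (assumed)

SELECT
    UserName,
    ItemPath,
    COUNT(*)                                              AS Executions,
    -- Anything other than rsSuccess is an error code recorded by the server.
    SUM(CASE WHEN Status <> 'rsSuccess' THEN 1 ELSE 0 END) AS FailedExecutions,
    -- Subscription runs are unattended deliveries rather than interactive views.
    SUM(CASE WHEN RequestType = 'Subscription' THEN 1 ELSE 0 END) AS SubscriptionRuns,
    -- Total bytes rendered gives a rough measure of how much data left the server.
    SUM(CAST(ByteCount AS bigint))                        AS BytesReturned,
    MIN(TimeStart)                                        AS FirstSeen,
    MAX(TimeStart)                                        AS LastSeen
FROM dbo.ExecutionLog3
WHERE TimeStart >= @since
GROUP BY UserName, ItemPath
ORDER BY FailedExecutions DESC, Executions DESC;
```

Rows with a high FailedExecutions count, or with unexpected accounts in UserName for reports that contain confidential data, are the ones to compare against the role assignments on the report server.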