Secure Reports and Resources

You can set security for individual reports and resources to control the degree of access that users have to these items. By default, only users who are members of the Administrators built-in group can run reports, view resources, modify properties, and delete the items. All other users must have role assignments created for them that allow access to a report or resource.

Role-based Access to Reports and Resources

To grant access to reports and resources, you can allow users to inherit existing role assignments from a parent folder or create a new role assignment on the item itself.

In most cases, you will probably want to use the permissions that are inherited from a parent folder. Setting security on individual reports and resources should only be necessary if you want to hide the report or resource from users who do not need to know that the report or resource exists, or to increase the level of access for a report or item. These objectives are not mutually exclusive. You can restrict access to a report to a smaller set of users, and provide all or some of them with additional privileges to manage the report.

You may need to create multiple role assignments to achieve your objectives. For example, suppose you have a report that you want to make accessible to two users, Ann and Fernando, and to the Human Resource Managers group. Ann and Fernando must be able to manage the report, but the Human Resource Managers members only need to run it. To accommodate all of these users, you would create three separate role assignments: one to make Ann a content manager of the report, one to make Fernando a content manager of the report, and one to support view-only tasks for the Human Resource Managers group.

Once you set security on a report or resource, those settings stay with the item even if you move the item to a new location. For example, if you move a report that only a few people are authorized to access, the report continues to be available to just those users even if you move it to a folder that has a relatively open security policy.

Mitigating HTML Injection Attacks in a Published Report or Document

In Reporting Services, reports and resources are processed under the security identity of the user who is running the report. If the report contains expressions, script, custom report items, or custom assemblies, the code runs under the user's credentials. If a resource is an HTML document that contains script, the script will run when the user opens the document on the report server. The ability to run script or code within a report is a powerful feature that comes with a certain level of risk. If the code is malicious, the report server and the user who is running the report are vulnerable to attack.

When granting access to reports and to resources that are processed as HTML, it is important to remember that reports are processed in full trust and that potentially malicious script might be sent to the client. Depending on browser settings, the client will execute the HTML at the level of trust that is specified in the browser.

You can mitigate the risk of running malicious script by taking the following precautions:

  • Be selective when deciding who can publish content to a report server. Because the potential for publishing malicious content exists, you should limit users who can publish content to a small number of trusted users.

  • All publishers should avoid publishing reports and resources that come from unknown or untrusted sources. If necessary, open the file in a text editor and look for suspicious script and URLs.

Report Parameters and Script Injection

Report parameters provide flexibility for the overall report design and execution. However, this same flexibility can, in some cases, be used by an attacker in luring attacks. To mitigate the risk of inadvertently running malicious scripts, only open rendered reports from trusted sources. Consider the following scenario, which is a potential HTML Renderer script injection attack:

  1. A report contains a text box with the hyperlink action set to the value of a parameter, which could contain malicious text.

  2. The report is published to a report server or otherwise made available in such a way that the report parameter value can be controlled from the URL of a web page.

  3. An attacker creates a link to the web page or report server specifying the value of the parameter in the form "javascript:<malicious script here>" and sends that link to someone else in a luring attack.

Reports can contain embedded hyperlinks in the value of the Action property on a report item or part of a report item. Hyperlinks can be bound to data that is retrieved from an external data source when the report is processed. If a malicious user modifies the underlying data, the hyperlink might be at risk for scripting exploits. If a user clicks the link in the published or exported report, malicious script could run.

To mitigate the risk of including links in a report that inadvertently run malicious scripts, only bind hyperlinks to data from trusted sources. Verify that data from the query results and the expressions that bind data to hyperlinks do not create links that can be exploited. For example, do not base a hyperlink on an expression that concatenates data from multiple dataset fields. If necessary, browse to the report and use "View Source" to check for suspicious scripts and URLs.

Mitigating SQL Injection Attacks in a Parameterized Report

In any report that includes a parameter of type String, be sure to use an available values list (also known as a valid values list) and ensure that any user running the report has only the permissions required to view the data in the report. When you define a parameter of type String, the user is presented with a text box that can take any value. An available values list limits the values that can be entered. If the report parameter is tied to a query parameter and you do not use an available values list, it is possible for a report user to type SQL syntax into the text box, potentially opening the report and your server to a SQL injection attack. If the user has sufficient permissions to execute the new SQL statement, it may produce unwanted results on the server.

If a report parameter is not tied to a query parameter and the parameter values are included in the report, it is possible for a report user to type expression syntax or a URL into the parameter value and render the report to Excel or HTML. If another user then views the report and clicks the rendered parameter contents, the user may inadvertently execute the malicious script or link.

To mitigate the risk of inadvertently running malicious scripts, open rendered reports only from trusted sources.

Note

In previous releases of the documentation, an example of creating a dynamic query as an expression was included. This type of query creates a vulnerability to SQL injection attacks and therefore is not recommended.
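Two of the risks described above can be checked in a report definition before it is published: a hyperlink action bound to a parameter or field value, and a dynamic query expression fed by a free-text String parameter. The following is an added example, not part of the original documentation; the sample RDL is constructed and simplified, and the finding names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified report definition (RDL); not from the original page.
SAMPLE_RDL = """<Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition">
 <DataSets>
  <DataSet Name="Orders"><Query><CommandText>="SELECT * FROM Orders WHERE Region = '" &amp; Parameters!Region.Value &amp; "'"</CommandText></Query></DataSet>
  <DataSet Name="Staff"><Query><CommandText>SELECT * FROM Staff WHERE Dept = @Dept</CommandText></Query></DataSet>
 </DataSets>
 <ReportParameters>
  <ReportParameter Name="Region"><DataType>String</DataType></ReportParameter>
  <ReportParameter Name="Target"><DataType>String</DataType></ReportParameter>
  <ReportParameter Name="Dept"><DataType>String</DataType>
   <ValidValues><ParameterValues><ParameterValue><Value>HR</Value></ParameterValue></ParameterValues></ValidValues>
  </ReportParameter>
 </ReportParameters>
 <Body><ReportItems><Textbox Name="Link"><ActionInfo><Actions><Action>
  <Hyperlink>=Parameters!Target.Value</Hyperlink>
 </Action></Actions></ActionInfo></Textbox></ReportItems></Body>
</Report>"""

# References to user-controlled (Parameters!) or data-controlled (Fields!) input.
REF = re.compile(r"\b(?:Parameters|Fields)!\w+", re.I)

def local(tag):
    """Drop the XML namespace so the checks work across RDL schema versions."""
    return tag.rsplit("}", 1)[-1]

def refs(text):
    """Parameter/field references inside an expression ('=' prefix), else []."""
    text = (text or "").strip()
    return REF.findall(text) if text.startswith("=") else []

def audit_rdl(rdl_text):
    """Return (kind, detail) findings, in document order, for manual review."""
    findings = []
    for el in ET.fromstring(rdl_text).iter():
        tag, kids = local(el.tag), {local(c.tag): c for c in el}
        if tag == "ReportParameter":
            dtype = kids.get("DataType")
            is_string = dtype is not None and (dtype.text or "").strip() == "String"
            if is_string and "ValidValues" not in kids:
                findings.append(("string-parameter-without-available-values", el.get("Name")))
        elif tag == "DataSet":
            if any(refs(c.text) for c in el.iter() if local(c.tag) == "CommandText"):
                findings.append(("dynamic-query-expression", el.get("Name")))
        elif tag == "Hyperlink" and refs(el.text):
            findings.append(("data-bound-hyperlink", ", ".join(refs(el.text))))
    return findings
```

When auditing report files from unknown sources, parse them with a hardened XML parser such as defusedxml rather than the standard library parser.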

Securing Confidential Reports

Reports that contain confidential information should be secured at the data-access level, by requiring users to provide credentials to access sensitive data. For more information, see Specify Credential and Connection Information for Report Data Sources. You can also secure a folder to make it inaccessible to unauthorized users. For more information, see Secure Folders.

See Also

Create and Manage Role Assignments
Granting Permissions on a Native Mode Report Server
Secure Shared Data Source Items
Store Credentials in a Reporting Services Data Source