From: Bruce L-C [MVP] on 18 Dec 2009 12:57

IIS configuration and integration were the biggest support calls on RS for
Microsoft. Another benefit is without IIS installed you have a lot less
security issues in the first place. Also, lots of DBAs just did not want
IIS installed on their server.

--
Bruce Loehle-Conger
MVP SQL Server Reporting Services

"Scho" <Schodoodles(a)hotmail.com> wrote in message
news:ccc23c8a-0328-49e9-a96b-97dbc5573ace(a)m16g2000yqc.googlegroups.com...
> I don't think so, as far as I'm aware it was moved 'into' SSRS 2008 as
> people were having issues installing RS on servers without IIS
> installed/enabled on and as such took a lot more effort than normal to
> get things working.
> I believe the security is fairly good although it's all co-dependent
> on various issues; I'd check the BOL as I'm sure it will be outlined
> there.
>
> Scho

From: Mecn on 18 Dec 2009 13:32

Thanks for the responses.
The security issue for us is the PCI standard.
Do SSRS 2005 and 2008 meet the PCI compliance standard?

Thanks

"Bruce L-C [MVP]" <bruce_lcNOSPAM(a)hotmail.com> wrote in message
news:erOZNuAgKHA.3552(a)TK2MSFTNGP06.phx.gbl...
> IIS configuration and integration were the biggest support calls on RS for
> Microsoft. Another benefit is without IIS installed you have a lot less
> security issues in the first place. Also, lots of DBAs just did not want
> IIS installed on their server.
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>
> "Scho" <Schodoodles(a)hotmail.com> wrote in message
> news:ccc23c8a-0328-49e9-a96b-97dbc5573ace(a)m16g2000yqc.googlegroups.com...
>> I don't think so, as far as I'm aware it was moved 'into' SSRS 2008 as
>> people were having issues installing RS on servers without IIS
>> installed/enabled on and as such took a lot more effort than normal to
>> get things working.
>> I believe the security is fairly good although it's all co-dependent
>> on various issues; I'd check the BOL as I'm sure it will be outlined
>> there.
>>
>> Scho

From: Bruce L-C [MVP] on 18 Dec 2009 14:17

I read up on this some and here are a couple of links about SQL Server
itself:
http://www.parentebeard.com/lib/pdf/Deploying_SQL_Server_2008_Based_on_PCI_DSS.pdf
http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx
http://www.microsoft.com/sqlserver/2008/en/us/Security.aspx

OK, so that gets the database secure. Now, RS supports SSL, so you would
need to configure it to use it:
http://msdn.microsoft.com/en-us/library/ms345223.aspx

Now remember, RS is a reporting solution. The key to the PCI standard seems to
be a need to know. The reports would need to be designed that way. Using
the User!UserID to pass the user to your stored procedure that retrieves
data. This is not a parameter and cannot be spoofed.

It seems to me that RS can be used in compliance with the PCI standards IF
your organization does everything else it requires.

--
Bruce Loehle-Conger
MVP SQL Server Reporting Services

"Mecn" <mecn(a)yahoo.com> wrote in message
news:#jT7CCBgKHA.5564(a)TK2MSFTNGP06.phx.gbl...
> Thanks for the responses.
> The security issue for us is the PCI standard.
> Do SSRS 2005 and 2008 meet the PCI compliance standard?
>
> Thanks
>
>
> "Bruce L-C [MVP]" <bruce_lcNOSPAM(a)hotmail.com> wrote in message
> news:erOZNuAgKHA.3552(a)TK2MSFTNGP06.phx.gbl...
>> IIS configuration and integration were the biggest support calls on RS
>> for Microsoft. Another benefit is without IIS installed you have a lot
>> less security issues in the first place. Also, lots of DBAs just did not
>> want IIS installed on their server.
>>
>> --
>> Bruce Loehle-Conger
>> MVP SQL Server Reporting Services
>>
>> "Scho" <Schodoodles(a)hotmail.com> wrote in message
>> news:ccc23c8a-0328-49e9-a96b-97dbc5573ace(a)m16g2000yqc.googlegroups.com...
>>> I don't think so, as far as I'm aware it was moved 'into' SSRS 2008 as
>>> people were having issues installing RS on servers without IIS
>>> installed/enabled on and as such took a lot more effort than normal to
>>> get things working.
>>> I believe the security is fairly good although it's all co-dependent
>>> on various issues; I'd check the BOL as I'm sure it will be outlined
>>> there.
>>>
>>> Scho

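
The need-to-know design described in the post above, sketched as an added T-SQL example that is not code from the thread. The table, column and procedure names are hypothetical, the rows are constructed, and it assumes the report's dataset parameter is bound to the expression =User!UserID.

```sql
-- Added example; all object names are hypothetical, sample rows are constructed.
-- Entitlements: which Windows login may see which merchant's transactions.
CREATE TABLE dbo.ReportEntitlement (
    UserLogin  nvarchar(256) NOT NULL,   -- same DOMAIN\user form that User!UserID yields
    MerchantId int           NOT NULL,
    CONSTRAINT PK_ReportEntitlement PRIMARY KEY (UserLogin, MerchantId)
);
CREATE TABLE dbo.CardTransaction (
    TransactionId int IDENTITY(1,1) PRIMARY KEY,
    MerchantId    int           NOT NULL,
    PanLast4      char(4)       NOT NULL, -- only the last four digits are kept here
    Amount        decimal(12,2) NOT NULL,
    PostedOn      datetime      NOT NULL
);
GO

-- In the report, the dataset parameter @UserLogin is set to the expression
-- =User!UserID. No report parameter is defined for it, so the viewer is
-- never prompted for it and cannot pass a value in the URL.
CREATE PROCEDURE dbo.rpt_TransactionsForUser
    @UserLogin nvarchar(256),
    @FromDate  datetime,
    @ToDate    datetime
AS
BEGIN
    SET NOCOUNT ON;
    -- The inner join is the need-to-know filter: no entitlement row, no data.
    SELECT t.TransactionId, t.MerchantId,
           REPLICATE('*', 12) + t.PanLast4 AS MaskedPan,
           t.Amount, t.PostedOn
    FROM dbo.CardTransaction AS t
    JOIN dbo.ReportEntitlement AS e
      ON e.MerchantId = t.MerchantId
     AND e.UserLogin  = @UserLogin
    WHERE t.PostedOn >= @FromDate AND t.PostedOn < @ToDate;
END;
GO

-- Constructed sample data: alice is entitled to merchant 101 only,
-- bob has no entitlement rows at all.
INSERT INTO dbo.ReportEntitlement (UserLogin, MerchantId) VALUES (N'CONTOSO\alice', 101);
INSERT INTO dbo.CardTransaction (MerchantId, PanLast4, Amount, PostedOn)
VALUES (101, '4242', 19.99, '20091201'), (202, '1111', 250.00, '20091202');

EXEC dbo.rpt_TransactionsForUser N'CONTOSO\alice', '20091201', '20100101';
EXEC dbo.rpt_TransactionsForUser N'CONTOSO\bob',   '20091201', '20100101';
```

Grant the login used by the report's data source EXECUTE on the procedure only, with no SELECT on the underlying tables, so the entitlement join cannot be bypassed by an ad hoc query through the same connection.
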
From: Mecn on 18 Dec 2009 14:44

The link is for SQL 2008, not SSRS 2008 with PCI.

"Bruce L-C [MVP]" <bruce_lcNOSPAM(a)hotmail.com> wrote in message
news:%23qrQ4aBgKHA.2104(a)TK2MSFTNGP05.phx.gbl...
> I read up on this some and here are a couple of links about SQL Server
> itself:
> http://www.parentebeard.com/lib/pdf/Deploying_SQL_Server_2008_Based_on_PCI_DSS.pdf
> http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx
> http://www.microsoft.com/sqlserver/2008/en/us/Security.aspx
>
> OK, so that gets the database secure. Now, RS supports SSL, so you would
> need to configure it to use it:
> http://msdn.microsoft.com/en-us/library/ms345223.aspx
>
> Now remember, RS is a reporting solution. The key to the PCI standard seems to
> be a need to know. The reports would need to be designed that way. Using
> the User!UserID to pass the user to your stored procedure that retrieves
> data. This is not a parameter and cannot be spoofed.
>
> It seems to me that RS can be used in compliance with the PCI standards IF
> your organization does everything else it requires.
>
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>
> "Mecn" <mecn(a)yahoo.com> wrote in message
> news:#jT7CCBgKHA.5564(a)TK2MSFTNGP06.phx.gbl...
>> Thanks for the responses.
>> The security issue for us is the PCI standard.
>> Do SSRS 2005 and 2008 meet the PCI compliance standard?
>>
>> Thanks
>>
>>
>> "Bruce L-C [MVP]" <bruce_lcNOSPAM(a)hotmail.com> wrote in message
>> news:erOZNuAgKHA.3552(a)TK2MSFTNGP06.phx.gbl...
>>> IIS configuration and integration were the biggest support calls on RS
>>> for Microsoft. Another benefit is without IIS installed you have a lot
>>> less security issues in the first place. Also, lots of DBAs just did not
>>> want IIS installed on their server.
>>>
>>> --
>>> Bruce Loehle-Conger
>>> MVP SQL Server Reporting Services
>>>
>>> "Scho" <Schodoodles(a)hotmail.com> wrote in message
>>> news:ccc23c8a-0328-49e9-a96b-97dbc5573ace(a)m16g2000yqc.googlegroups.com...
>>>> I don't think so, as far as I'm aware it was moved 'into' SSRS 2008 as
>>>> people were having issues installing RS on servers without IIS
>>>> installed/enabled on and as such took a lot more effort than normal to
>>>> get things working.
>>>> I believe the security is fairly good although it's all co-dependent
>>>> on various issues; I'd check the BOL as I'm sure it will be outlined
>>>> there.
>>>>
>>>> Scho

From: Mecn on 18 Dec 2009 14:48

Got it, Thanks.

"Bruce L-C [MVP]" <bruce_lcNOSPAM(a)hotmail.com> wrote in message
news:%23qrQ4aBgKHA.2104(a)TK2MSFTNGP05.phx.gbl...
> I read up on this some and here are a couple of links about SQL Server
> itself:
> http://www.parentebeard.com/lib/pdf/Deploying_SQL_Server_2008_Based_on_PCI_DSS.pdf
> http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx
> http://www.microsoft.com/sqlserver/2008/en/us/Security.aspx
>
> OK, so that gets the database secure. Now, RS supports SSL, so you would
> need to configure it to use it:
> http://msdn.microsoft.com/en-us/library/ms345223.aspx
>
> Now remember, RS is a reporting solution. The key to the PCI standard seems to
> be a need to know. The reports would need to be designed that way. Using
> the User!UserID to pass the user to your stored procedure that retrieves
> data. This is not a parameter and cannot be spoofed.
>
> It seems to me that RS can be used in compliance with the PCI standards IF
> your organization does everything else it requires.
>
>
> --
> Bruce Loehle-Conger
> MVP SQL Server Reporting Services
>
> "Mecn" <mecn(a)yahoo.com> wrote in message
> news:#jT7CCBgKHA.5564(a)TK2MSFTNGP06.phx.gbl...
>> Thanks for the responses.
>> The security issue for us is the PCI standard.
>> Do SSRS 2005 and 2008 meet the PCI compliance standard?
>>
>> Thanks
>>
>>
>> "Bruce L-C [MVP]" <bruce_lcNOSPAM(a)hotmail.com> wrote in message
>> news:erOZNuAgKHA.3552(a)TK2MSFTNGP06.phx.gbl...
>>> IIS configuration and integration were the biggest support calls on RS
>>> for Microsoft. Another benefit is without IIS installed you have a lot
>>> less security issues in the first place. Also, lots of DBAs just did not
>>> want IIS installed on their server.
>>>
>>> --
>>> Bruce Loehle-Conger
>>> MVP SQL Server Reporting Services
>>>
>>> "Scho" <Schodoodles(a)hotmail.com> wrote in message
>>> news:ccc23c8a-0328-49e9-a96b-97dbc5573ace(a)m16g2000yqc.googlegroups.com...
>>>> I don't think so, as far as I'm aware it was moved 'into' SSRS 2008 as
>>>> people were having issues installing RS on servers without IIS
>>>> installed/enabled on and as such took a lot more effort than normal to
>>>> get things working.
>>>> I believe the security is fairly good although it's all co-dependent
>>>> on various issues; I'd check the BOL as I'm sure it will be outlined
>>>> there.
>>>>
>>>> Scho