
Reporting Services Web service requests and HTTP access should be disabled if not required.


Overview

Finding ID: V-15199
Version: DM6120-SQLServer9
Rule ID: SV-25481r1_rule
IA Controls: DCFA-1
Severity: Low
Description
Where not required, SOAP and URL access to the web service unnecessarily exposes the report server to attack via the SOAP and HTTP protocols.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text (C-13805r1_chk)
If Reporting Services is not installed, this check is Not a Finding.

Note: To detect installation, view Windows Services. If SQL Server Reporting Services ([instance name]) is not listed, then Reporting Services is not installed on this host.

From Surface Area Configuration for Features:
1. Connect to the Report Services instance
2. Expand the instance
3. Expand Report Services
4. Select Web Service Requests and HTTP Access

If checked, verify that Web Service requests and HTTP access are required and the requirement is documented in the System Security Plan. If it is not, this is a Finding.

Fix Text (F-14825r1_fix)
Document requirements for enabling Report Services access via web services and HTTP. If not required, disable Web Service Requests and HTTP access.

From Surface Area Configuration for Features:
1. Connect to the Report Services instance
2. Expand the instance
3. Expand Report Services
4. Select Web Service Requests and HTTP Access
5. Click on Enable Web Service Requests and HTTP access to clear the check box
6. Click OK
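
A scripted, report-only version of the Check Text above, as an added example that is not part of the STIG. It assumes the Reporting Services 2005 WMI provider is registered under root\Microsoft\SqlServer\ReportServer\v9\Admin and that its MSReportServer_ConfigurationSetting class exposes InstanceName and IsWebServiceEnabled; the function name Get-RsWebServiceFinding is hypothetical.

```powershell
# Added example: report-only audit for V-15199. It changes nothing on the host.
# Assumption: SSRS 2005 WMI namespace and class/property names as given below.
$RsNamespace = 'root\Microsoft\SqlServer\ReportServer\v9\Admin'

function New-RsResult([string]$Instance, [string]$Status, [string]$Reason) {
    # New-Object is used instead of [pscustomobject] so this runs on PowerShell 2.0.
    New-Object PSObject -Property @{ Instance = $Instance; Status = $Status; Reason = $Reason }
}

function Get-RsWebServiceFinding {
    # Check Text note: Reporting Services is installed only if a Windows service
    # named "SQL Server Reporting Services ([instance name])" is listed.
    $services = @(Get-Service -DisplayName 'SQL Server Reporting Services (*)' `
                      -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        return New-RsResult '' 'Not a Finding' 'Reporting Services is not installed'
    }

    try {
        $settings = @(Get-WmiObject -Namespace $RsNamespace `
                          -Class MSReportServer_ConfigurationSetting -ErrorAction Stop)
    } catch {
        $settings = @()
    }
    if ($settings.Count -eq 0) {
        # Service is present but the setting could not be read: do not guess.
        return New-RsResult $services[0].DisplayName 'Manual check' `
            'WMI provider not readable; use Surface Area Configuration for Features'
    }

    foreach ($s in $settings) {
        if ($s.IsWebServiceEnabled) {
            # Enabled is a Finding only when the need is not documented.
            New-RsResult $s.InstanceName 'Review' `
                'Web Service Requests and HTTP Access enabled; confirm requirement in the System Security Plan'
        } else {
            New-RsResult $s.InstanceName 'Not a Finding' `
                'Web Service Requests and HTTP Access disabled'
        }
    }
}

Get-RsWebServiceFinding | Select-Object Instance, Status, Reason | Format-List
```

A "Review" result still needs the System Security Plan lookup, which the script cannot perform.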