Reporting Services Web service requests and HTTP access should be disabled if not required.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15199 | DM6120-SQLServer9 | SV-25481r1_rule | DCFA-1 | Low |
| Description |
|---|
| Where not required, SOAP and URL access to the web service unnecessarily exposes the report server to attack via the SOAP and HTTP protocols. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-13805r1_chk ) |
|---|
| If Reporting Services is not installed, this check is Not a Finding. Note: To detect installation, view Windows Services. If SQL Server Reporting Services ([instance name]) is not listed, then Reporting Services is not installed on this host. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Web Service Requests and HTTP Access If checked, verify that Web Service requests are HTTP access are required and the requirement is documented in the System Security Plan. If it is not, this is a Finding. |
| Fix Text (F-14825r1_fix) |
|---|
| Document requirements for enabling Report Services access via web services and HTTP. If not required, disable Web Service Requests and HTTP access. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Web Service Requests and HTTP Access 5. Click on Enable Web Service Requests and HTTP access to clear the check box 6. Click OK |