Reporting Services scheduled events and report delivery should be disabled if not required.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15205 | DM6121-SQLServer9 | SV-25485r1_rule | DCFA-1 | Low |
| Description |
|---|
| Where not required, Scheduled events and report delivery unnecessarily exposes the report server to attack via Report Service event handling and report delivery. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-13806r1_chk ) |
|---|
| If Reporting Services is not installed, this check is Not a Finding. Note: To detect installation, view Windows Services. If SQL Server Reporting Services ([instance name]) is not listed, then Reporting Services is not installed on this host. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Scheduled events and report delivery If checked, verify that Scheduled events and report delivery is required and the requirement is documented in the System Security Plan. If it is not, this is a Finding. |
| Fix Text (F-14826r1_fix) |
|---|
| Document requirements for enabling 'Report Services Scheduled events and report delivery'. If not required, disable Scheduled events and report delivery. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Scheduled events and report delivery 5. Click on the Scheduled events and report delivery to clear the check box 6. Click OK |