Security implications of running SSRS and an OLTP database on the same server

Posted on

Question :

I am in the process of building a new environment for my company’s Customer Relationship Management (CRM) system. This system is a commercially available product which uses SQL Server as its back end database. The CRM system also uses SQL Server Reporting Services (SSRS) to query the CRM database to provide reports. The database which is queried by SSRS is the live OLTP database – there is no separate reporting database.

There is some debate in my team on whether it is acceptable from a security point of view to run SQL Server Reporting Services on the same server which hosts the CRM database, or whether it must be run on a separate server.

The specific security concern is that running SSRS on the server increases the attack surface, which increases the likelihood that the server will be compromised by a bad guy. If the SSRS server were compromised it would be better if it weren’t also hosting the CRM database with all its valuable data.

The counter argument is that if a bad guy wants the data, they will attack the CRM database server directly and won’t be fooled by the presence of an SSRS server nearby. Also, all of this is on the internal network, so should be at relatively low risk of attack in the first place.

Is running SSRS and an OLTP database on the same server contra-indicated for security reasons?

Answer :

The Moment you add Entry points for a system of course, naturally, you have increased the attack surface.
Besides this purely mathematical reason, you should think about:

  • Who will design reports
  • For designing reports someone, maybe the same person, will craft queries
  • Preferably you use stored procedures at least inside a separate, code-only, database
  • There you have the first permissions you will have to give inside your system for selecting data and creating objects. If done with care the risk is extremely low to zero. So keep it simple.
  • Above that on the server level you have the Reporting Services Service. Here you are strongly advised to keep to established security best practices such an “use dedicated service accounts”, especially since SSRS has a Login on the SQL Server box for accessing its system databases. Again, no problem if you isolate all that.
  • And then you of course have the Data Source Credentials which will be a Windows or even SQL Login with just the permissions necessary for running the above queries – at best only prepared stored procedures for mitigating the risk of elevating privileges.

So, long story quick answer: mixing services initially creates a higher risk for taking over the other one, but by following security best practices very strictly, in my opinion, the risk is not higher than if on a separate server where one could still make similar mistakes. In high security environments there will for that very reason be very strict overall rules to rule out such scenarios.

Leave a Reply

Your email address will not be published. Required fields are marked *