
Security Best Practices

This article covers security practices that are generally applicable to web applications, as well as those specific to Telerik Report Server. The recommendations below should be regarded as security guidance that ensures your information stored in the Telerik Report Server is protected and safe. We recommend consulting with a specialist to provide further assistance on web application safety.

Configuration Settings

Following the recommendations in this section is the responsibility of the implementer who deploys and configures the Telerik Report Server. These recommendations pertain to general security settings for web applications deployed on Windows IIS Servers. Following the principle "safe-by-default", the product installer and the initial setup workflow will configure Telerik Report Server using the safest options where possible. All of the items listed below can be configured through the web application's registration in IIS or the product's Configuration page:

  • Configure your Report Server instance to run over HTTPS. Consider the advice in the article Configuring IIS Website to Work Over HTTPS.
  • Prefer running the IIS application pool and the Report Server ServiceAgent under a user with reduced permissions. By default, the MSI installer applies the principle of least privilege by suggesting a dedicated Windows user named ReportServerUser whose identity is used by both applications. The user is granted only the permissions necessary to operate within the installation folder of Telerik Report Server, as explained in Report Server Installation.
  • CORS is disabled by default. Keep CORS disabled if possible, or enable it only for trusted hosts.
  • Configure the Encryption functionality of the Report Server to keep sensitive assets such as connection strings and mail settings safer.
  • Consider enabling Rate Limiting in your Report Server to restrict network traffic and prevent malicious agents from exhausting system resources through Denial-of-Service attacks.

Working with Report Server Assets

After successfully installing and configuring the Telerik Report Server, the user with sufficient rights, for example, the admin user and those with granted permissions for the corresponding resources, may further enhance its security through the administration policy options provided by the server. Check the article section Manage Permissions for the available access modes, scopes, and targets you may provide to Report Server Users. The built-in user roles are listed in the article User Roles.

The admin user and the users with sufficient permissions may control access to all or part of the following Report Server resources:

  • Manage User Permissions: Each Report Server User is responsible for the Resources under their control.
  • Reports Management: Grant users access only to the Reports/Categories they need. Ensure they are entitled to access the corresponding data sources.
  • Data Connections Management: Apply the principle of least privilege to the credentials provided in connection strings in the Data Connections view. The identity used to connect to the database or the web service should have the lowest permissions possible. Use a dedicated user account with read-only permissions and an access scope that includes only the tables needed for reporting purposes.
  • Scheduled Tasks Management
  • Data Alerts Management

Extending the Reporting Engine

Telerik Report Server lets you extend its built-in Reporting functionality with custom code, for example by introducing Custom User Functions, Custom Aggregate Functions, Event Handlers and ObjectDataSources. The Reporting Engine invokes the custom functionality with reflection. The allowed assemblies should be whitelisted in the configuration file TelerikReporting.config of the Report Server application as explained in the articles assemblyReferences Element, TypeReferences, and typeValidation. The entire responsibility for registering the custom assemblies and the security of their code is delegated to the developer.

Avoid unsafe code in your ObjectDataSource, User Function and Event Handler projects and in their references.

When extending the Reporting functionality in your projects, use only trusted assemblies that are strong-name signed (that is, carry a public key token; see Assembly (CLI)) and cannot be replaced on disk, so that remote code execution and other malicious actions are avoided.
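As an added example (not part of the Telerik documentation or product), the following PowerShell script audits the extension assemblies before they are whitelisted in TelerikReporting.config: it reports whether each DLL carries a public key token (strong name), and additionally checks its Authenticode signature and whether the ReportServerUser account could overwrite the file. The extension folder path and the account name are assumptions.

```powershell
# Added example, not Telerik's own code. Audits custom extension assemblies
# before they are registered in assemblyReferences / typeReferences.
$extensionFolder = 'C:\Program Files\Progress\Telerik Report Server\Extensions'  # assumed path
$serviceAccount  = 'ReportServerUser'                                           # assumed account name

function Test-ExtensionAssembly {
    param([Parameter(Mandatory)][string]$Path, [string]$Account = $serviceAccount)

    try {
        # Reads identity metadata only; the assembly is not loaded or executed.
        $name = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
    } catch {
        # Native DLLs or corrupt files cannot be strong-named .NET assemblies.
        return [pscustomobject]@{ File = Split-Path $Path -Leaf; Name = '(not a managed assembly)'
                                  Version = ''; PublicKeyToken = ''; Authenticode = 'n/a'
                                  WritableByService = $false; Trusted = $false }
    }

    $token = ($name.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') }) -join ''
    $auth  = Get-AuthenticodeSignature -FilePath $Path   # Valid, NotSigned, HashMismatch, ...

    # An assembly the service identity can overwrite can be silently replaced.
    $writable = [bool]((Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Account" -and
        $_.FileSystemRights -match 'Write|Modify|FullControl'
    })

    [pscustomobject]@{
        File              = Split-Path $Path -Leaf
        Name              = $name.Name
        Version           = $name.Version.ToString()
        PublicKeyToken    = if ($token) { $token } else { '(none - not strong-named)' }
        Authenticode      = $auth.Status
        WritableByService = $writable
        Trusted           = [bool]$token -and $auth.Status -eq 'Valid' -and -not $writable
    }
}

$results = Get-ChildItem -Path $extensionFolder -Filter *.dll -File |
    ForEach-Object { Test-ExtensionAssembly -Path $_.FullName }

$results | Format-Table -AutoSize

# Only assemblies that pass every check should be whitelisted; the rest are flagged.
$results | Where-Object { -not $_.Trusted } | ForEach-Object {
    Write-Warning ("Do not whitelist {0}: token={1}, authenticode={2}, writableByService={3}" -f
        $_.File, $_.PublicKeyToken, $_.Authenticode, $_.WritableByService)
}
```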

Use the advice in the article Telerik Reporting Security Best Practices to keep your reports and data safer.
