SharePoint 2010 CU 12/2011
SSRS 2008R2
If I log in as a lowest-of-the-low-priv user and navigate to /vti_bin/reportserver, I see a complete list of site collections in the application.
I'm testing the ramifications of putting the following in web.config, but wondered if there's something fundamentally wrong here. Does SSRS not security-trim based on current user? Are there other methods or services we should be concerned about?
    <location path="vti_bin/reportserver">
      <system.web>
        <authorization>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="_vti_bin/reportserver">
      <system.web>
        <authorization>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="_layouts/_vti_bin/reportserver">
      <system.web>
        <authorization>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
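
An added example, not part of the original post: a static check of the `<location>` rules shown above, applying ASP.NET's first-match-wins URL authorization order for a given user. The `example/misordered` block and the account name `CONTOSO\lowpriv` are constructed for illustration, and only the `users` attribute is evaluated (`roles` and `verbs` are ignored).

```python
import xml.etree.ElementTree as ET

DENY_ALL = '<system.web><authorization><deny users="*" /></authorization></system.web>'

# Constructed sample: the three <location> blocks from the post, plus one
# hypothetical block with the rules in the wrong order to show the failure mode.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <location path="vti_bin/reportserver">{DENY_ALL}</location>
  <location path="_vti_bin/reportserver">{DENY_ALL}</location>
  <location path="_layouts/_vti_bin/reportserver">{DENY_ALL}</location>
  <location path="example/misordered">
    <system.web><authorization>
      <allow users="*" /><deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

def first_match(rules, user):
    """Return the tag of the first rule that matches; user=None means anonymous."""
    for rule in rules:
        for entry in rule.get("users", "").split(","):
            entry = entry.strip()
            if entry == "*" or (entry == "?" and user is None) or (
                user is not None and entry.lower() == user.lower()
            ):
                return rule.tag  # "allow" or "deny"
    return "inherit"  # no local rule matched; the parent configuration decides

def audit(config_xml, paths, user):
    """Map each path to deny / allow / inherit / no-location-block for this user."""
    root = ET.fromstring(config_xml)
    locations = {
        loc.get("path", "").strip("/").lower(): loc for loc in root.iter("location")
    }
    result = {}
    for path in paths:
        loc = locations.get(path.strip("/").lower())
        if loc is None:
            result[path] = "no-location-block"
            continue
        auth = next(loc.iter("authorization"), None)
        rules = [] if auth is None else [r for r in auth if r.tag in ("allow", "deny")]
        result[path] = first_match(rules, user)
    return result

if __name__ == "__main__":
    paths = ["vti_bin/reportserver", "_vti_bin/reportserver",
             "_layouts/_vti_bin/reportserver", "example/misordered"]
    for p, verdict in audit(SAMPLE_WEB_CONFIG, paths, "CONTOSO\\lowpriv").items():
        print(f"{verdict:18} {p}")
```

Because evaluation stops at the first matching rule, `deny users="*"` as the first rule applies to every account, while the misordered block never reaches its `deny`.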