ReportServer method in vti_bin appears to document entire site collection map to any authenticated user

SharePoint 2010 CU 12/2011

SSRS 2008R2

If I log in as a lowest of low priv user, and navigate to /vti_bin/reportserver, I see a complete list of site collections in the application.

I'm testing the ramifications of putting the following in web.config, but wondered if there's something fundamentally wrong here. Does SSRS not security-trim based on current user? Are there other methods or services we should be concerned about?

  <location path="vti_bin/reportserver">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="_vti_bin/reportserver">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/_vti_bin/reportserver">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

June 26th, 2013 8:41pm
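An added example, not part of the original post or of any Microsoft code: it parses the three `<location>` blocks quoted above and applies ASP.NET's documented first-match URL authorization semantics to show which callers the rule refuses. The account and role names are constructed, the function names are hypothetical, and the script only models rule evaluation; it does not contact a server or show how SharePoint or SSRS routes the request.

```python
import xml.etree.ElementTree as ET

# Constructed input: the post's three <location> blocks, wrapped in a
# <configuration> root so the fragment parses as one XML document.
PATHS = ["vti_bin/reportserver", "_vti_bin/reportserver",
         "_layouts/_vti_bin/reportserver"]
SAMPLE = "<configuration>" + "".join(
    '<location path="%s"><system.web><authorization>'
    '<deny users="*" /></authorization></system.web></location>' % p
    for p in PATHS) + "</configuration>"


def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}


def load_rules(xml_text):
    """Map each location path to its ordered (action, users, roles) rules."""
    rules = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        path = loc.get("path", "").strip("/").lower()
        for auth in loc.iter("authorization"):
            for rule in auth:  # document order matters: first match wins
                if rule.tag in ("allow", "deny"):
                    rules.setdefault(path, []).append(
                        (rule.tag, _names(rule.get("users")),
                         _names(rule.get("roles"))))
    return rules


def decide(rules, url_path, user, roles=()):
    """Return 'allow' or 'deny' from the first matching rule, else 'inherit'.

    user=None models an anonymous request ('?'); '*' matches every user.
    """
    req = url_path.strip("/").lower()
    held = _names(",".join(roles))
    # The most specific (longest) matching location is consulted first.
    for path in sorted(rules, key=len, reverse=True):
        if req == path or req.startswith(path + "/"):
            for action, users, wanted in rules[path]:
                if ("*" in users or (user is None and "?" in users)
                        or (user is not None and user.lower() in users)
                        or wanted & held):
                    return action
    return "inherit"  # no <location> rule matched; the parent config decides
```

Because `*` matches every user, the model returns `deny` for the low-privilege account and for an administrator alike on the three listed paths, so the rule switches the endpoint off for everyone rather than trimming its output per user.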

Hi FosterHardie,

Thank you for your question.

I am trying to involve someone more familiar with this topic for a further look at this issue. Some delay might be expected from the job transferring. Your patience is greatly appreciated.

Thank you for your understanding and support.

Thanks,
Mike Yin

June 28th, 2013 1:00pm

Hello FosterHardie,

Please clarify with the below questions:

1. What is the Authentication provider, option chosen for the application?
Details can be found under Central Administration -> Application Management -> Manage Web Applications -> Authentication Providers

2. What is the permission for the low privileged user in SharePoint?

3. Details of patches installed with Build number for SSRS -> 10.50.XXXX

Thanks

Regards
Durai Murugan

July 1st, 2013 8:31pm

1. Claims based authentication

2. No group membership or other permissions granted to the root site. Read-only to one of many site collections in a managed path

3. 10.50.2550.0

Thanks.

July 2nd, 2013 12:10pm

This topic is archived. No further replies will be accepted.
