It sometimes seems impossible to keep everyone happy all the time. The Reporting Services predict team thought it would be a good idea to remove the dependency on IIS in SQL Server 2008, to make it easier to configure and to reduce the attack surface of the report server.
However, there have been some concerns raised about this, e.g. is it secure, how do I know how it’s configured etc.
- SQL Server 2008 uses http.sys to allow you to have total control of the of the URL’s to be used. (http://msdn2.microsoft.com/en-us/library/aa364698.aspx).
- http.sys respect the same security registry settings as IIS6/7 (http://support.microsoft.com/kb/820129) .
- The authentication supported is a subset of what’s available in IIS6/7 – except that anonymous authentication and authentication filters are not supported.
- ASP .Net security is essentially the same.
So what’s not to like?