yoshihirok Member

What risk are there on .pbix files ?

I want to protect our data, our PC.

What risk are there on .pbix files ?

 

RISKs.

1. Malicious R data source code.

  R data source code can access file system/databases.

2. Malicious Custom Visual.

 Custom Visual's JavaScript code can access outside of organizations.

 

RISK scenario:

  Attacker sends a malicious pbix file to Targets.

  Targets open the malicious pbix file.

 

I want to share Power BI Desktop pbix files with my co-workers, partners, customers.

I need to build a policy for safe usage of Power BI Desktop.

In some cases, I need to disable untrusted R code and Custom Visuals.

 

Regards,

Yoshihiro Kawabata

  

 

1 ACCEPTED SOLUTION

pqian Senior Member

Re: What risk are there on .pbix files ?

@yoshihirok if the PBIX file contains R that's not authored by you, you will get a challenge window to approve the script for running. Similarly with Native Database Query (queries with a custom SQL statement).

For Custom Visuals, you will get a prompt about file containing custom visuals, and you must explicitly enable them.

 

We take privacy and security very seriously at PowerBI. However, the recommended way to share reports is still through PowerBI.com, unless you are coauthoring the reports together.


7 REPLIES
Super User

Re: What risk are there on .pbix files ?

Sounds like something that you should post to Ideas if you have not already done so.


yoshihirok Member

Re: What risk are there on .pbix files ?

Hello, smoupre.

 

I posted one idea: "Protect PC from R code"

 

and I live in Japan.
Some companies are interested in Power BI Desktop, and need to use it safely.

 

Regards,
Yoshihiro Kawabata

 

yoshihirok Member

Re: What risk are there on .pbix files ?

 Thank you, @pqian.

 

I add Native Direct Query to Power BI Risks.

 

Risk 3: malicious Native Direct Query.

  The malicious Power BI Desktop .pbix file can access Databases, like delete/insert/update instead of select.

 

I need to know whether sharing through the Power BI service protects from Power BI Risks.

Even if Power BI gateway.

 

and,

About the Custom Visuals risk: there is a prompt about the file containing custom visuals, and users need to enable them.

For users, how can they know whether the Custom Visuals in a file are safe or not?

Which Custom Visuals are verified by a trusted company or organization?

 

For EXE, DLL, XLS files, users can identify a safe file by its certificate signature.

 

Regards,

Yoshihiro Kawabata

 

 

 

pqian Senior Member

Re: What risk are there on .pbix files ?

@yoshihirok It's not native Direct Query, it's ANY native query. For example, in the get data dialog for database servers, you can enter any SQL statement there. PowerQuery will execute it during data refresh, providing that the current user on the current machine has approved it for running. (You can see the full SQL statement and inspect it)

 

Custom Visual is a bit problematic since you can't really inspect the visual without running it. PowerBI team maintains a list of visuals ourselves that are sanitized: https://app.powerbi.com/visuals/

but anyone can create these and distribute through their channel. Your IT/BI department should be maintaining the approved list of visuals to use and prevent all others from running. The signing part isn't implemented, so you may also consider disallowing custom visuals from running altogether.

 

The Gateway doesn't support CRUD (yet), so there isn't any problem there. When we do, we'll respect similar privacy and security guidelines there.
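
An added example, not part of the original thread and not Microsoft's code: one way an IT/BI team could enforce an approved list of visuals while signing is unavailable is to pin each reviewed visual by content hash and flag anything else embedded in a received file. It assumes a .pbix is a ZIP container with embedded visuals under `Report/CustomVisuals/`; the function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Assumption: a .pbix is a ZIP container and each embedded custom visual
# sits in its own folder under this prefix.
VISUALS_PREFIX = "Report/CustomVisuals/"

def visual_digests(pbix):
    """Map each embedded visual's folder name to a SHA-256 over its files."""
    hashers = {}
    with zipfile.ZipFile(pbix) as zf:
        for entry in sorted(zf.namelist()):
            if not entry.startswith(VISUALS_PREFIX) or entry.endswith("/"):
                continue
            folder, _, rel = entry[len(VISUALS_PREFIX):].partition("/")
            if not rel:
                continue  # stray file directly under the prefix
            data = zf.read(entry)
            h = hashers.setdefault(folder, hashlib.sha256())
            # Length-prefix each file so path/content boundaries are unambiguous.
            h.update(f"{rel}\0{len(data)}\0".encode())
            h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}

def unapproved_visuals(pbix, approved_digests):
    """Names of embedded visuals whose content hash is not on the approved list."""
    return sorted(n for n, d in visual_digests(pbix).items()
                  if d not in approved_digests)

def build_sample(approved_js=b"render();"):
    """Constructed sample: an in-memory ZIP laid out like a .pbix (not a real report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report/Layout", "{}")
        zf.writestr("Report/CustomVisuals/approvedChart1234/package.json", "{}")
        zf.writestr("Report/CustomVisuals/approvedChart1234/visual.js", approved_js)
        zf.writestr("Report/CustomVisuals/unknownVisual9999/visual.js", b"other();")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Hypothetical approved list: the digest IT recorded when it reviewed the visual.
    approved = {visual_digests(build_sample())["approvedChart1234"]}
    print(unapproved_visuals(build_sample(), approved))
    print(unapproved_visuals(build_sample(b"changed();"), approved))
```

Pinning by hash rather than by name means a visual that reuses an approved name but carries different code is still reported.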

yoshihirok Member

Re: What risk are there on .pbix files ?

@pqian, Thank you for your reply.

 

SQL statement is the risk of Power BI. I understand and verify it.

Custom Visual's code can be viewed/modified by unzipping the pkviz, etc.
So, Power BI Desktop users need to consider the use of Custom Visuals in Power BI Desktop.

and I need to wait for the signing function of .pbix files.

 

'The Gateway doesn't support CRUD' is safe.

 

I hope for signing of standard Visuals and Gallery's Visuals, and

allowing Visuals signed by a trusted certificate, by option and by Group Policy.

 

Best Regards,
Yoshihiro Kawabata

ericOnline Member

Re: What risk are there on .pbix files ?

Hello @yoshihirok. Can you share more details about the security practices/policy your organization implemented for Power BI? There are some great details in your earlier posts. I'm curious if you found other items to add to your policy.


Thank you
