yoshihirok

What risks are there in .pbix files?

I want to protect our data and our PCs.

What risks are there in .pbix files?

 

Risks:

1. Malicious R data source code.

   R data source code can access the file system and databases.

2. Malicious Custom Visuals.

   A Custom Visual's JavaScript code can reach outside the organization.

 

Risk scenario:

  An attacker sends a malicious pbix file to targets.

  The targets open the malicious pbix file.

 

I want to share Power BI Desktop pbix files with my co-workers, partners and customers.

I need to build a policy for safe usage of Power BI Desktop.

In some cases, I need to disable untrusted R code and Custom Visuals.

 

Regards,

Yoshihiro Kawabata

  

 

1 ACCEPTED SOLUTION

@yoshihirok if the PBIX file contains R that's not authored by you, you will get a challenge window to approve the script for running. Similarly with Native Database Query (queries with a custom SQL statement).

For Custom Visuals, you will get a prompt about the file containing custom visuals, and you must explicitly enable them.

 

We take privacy and security very seriously at PowerBI. However, the recommended way to share reports is still through PowerBI.com, unless you are coauthoring the reports together.

Greg_Deckler

Sounds like something that you should post to Ideas if you have not already done so.


@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!:
The Definitive Guide to Power Query (M)

DAX is easy, CALCULATE makes DAX hard...

Hello, smoupre.

 

I posted one idea: "Protect PC from R code"

 

I live in Japan.
Some companies are interested in Power BI Desktop and need to use it safely.

 

Regards,
Yoshihiro Kawabata

 


Thank you, @pqian.

 

I am adding Native Direct Query to the Power BI risks.

 

Risk 3: malicious Native Direct Query.

  A malicious Power BI Desktop .pbix file can access databases, e.g. delete/insert/update instead of select.

 

I need to know whether sharing through the Power BI service protects against the Power BI risks.

Even with the Power BI gateway.

 

And, about the Custom Visuals risk: there is a prompt about the file containing custom visuals, and users need to enable them.

For users, how can they know whether the Custom Visuals in the file are safe or not?

Which Custom Visuals are verified by a trusted company or organization?

 

For EXE, DLL and XLS files, users can tell a file is safe by its certificate signature.

 

Regards,

Yoshihiro Kawabata

 

 

 

@yoshihirok It's not native Direct Query, it's ANY native query. For example, in the Get Data dialog for database servers, you can enter any SQL statement there. PowerQuery will execute it during data refresh, provided that the current user on the current machine has approved it for running. (You can see the full SQL statement and inspect it.)

 

Custom Visual is a bit problematic since you can't really inspect the visual without running it. PowerBI team maintains a list of visuals ourselves that are sanitized: https://app.powerbi.com/visuals/

but anyone can create these and distribute them through their own channel. Your IT/BI department should be maintaining the approved list of visuals to use and prevent all others from running. The signing part isn't implemented, so you may also consider disallowing custom visuals from running altogether.

 

The Gateway doesn't support CRUD (yet), so there isn't any problem there. When we do, we'll respect similar privacy and security guidelines there.

@pqian, Thank you for your reply.

 

The SQL statement is a risk of Power BI. I understand and will verify it.

A Custom Visual's code can be viewed/modified by unzipping the pbiviz, etc.
So, Power BI Desktop users need to consider whether to use Custom Visuals in Power BI Desktop.

And I need to wait for a signing function for .pbix files.

 

'The Gateway doesn't support CRUD' is safe.

 

I hope for signing of the standard Visuals and the Gallery's Visuals, and

for allowing signed Visuals from a trusted certificate as an option and via Group Policy.

 

Best Regards,
Yoshihiro Kawabata
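The two replies above describe three things a reviewer can look for before anyone opens a shared report: R scripts, hand-written SQL (any native query), and packaged custom visuals. The following script is an added example written for this thread, not code from Microsoft or from any poster. It relies on one fact (a .pbix is a ZIP container) and two assumptions labelled in the code: that the Power Query M text lives in a `DataMashup` part that wraps an inner ZIP behind a short header, and that packaged visuals sit under `Report/CustomVisuals/`. It never evaluates the M code or the visual; it only reports where the markers occur so a BI/IT team can check a file against its approved-visuals list and its "no native query" rule. The sample .pbix it builds is constructed inline for demonstration.

```python
"""Static triage of a .pbix before it is opened (added example, not a Microsoft tool).

Looks for the three risk classes discussed in the thread:
  1. R scripts           -> the M function R.Execute
  2. native SQL queries  -> the M function Value.NativeQuery, or a Query= option
                            passed to a database connector such as Sql.Database
  3. custom visuals      -> visual packages embedded in the report
Nothing is executed; the scanner only reads bytes and reports locations.
"""
import io
import re
import zipfile

# R.Execute, Value.NativeQuery and the [Query=...] option are real Power Query M names.
RISKY_M_PATTERNS = {
    "r_script": re.compile(rb"\bR\.Execute\s*\("),
    "native_query": re.compile(rb"\bValue\.NativeQuery\s*\(|\[[^\]]*\bQuery\s*="),
}
# Assumption: custom visuals packaged into a report are stored under this prefix.
CUSTOM_VISUAL_PREFIX = "Report/CustomVisuals/"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def _open_embedded_zip(blob):
    """Return a ZipFile for an archive embedded in blob, or None.

    Assumption: the DataMashup part wraps a ZIP archive behind a short header,
    so every local-file-header offset is tried until one parses as an archive.
    """
    idx = blob.find(ZIP_LOCAL_HEADER)
    while idx != -1:
        try:
            return zipfile.ZipFile(io.BytesIO(blob[idx:]))
        except zipfile.BadZipFile:
            idx = blob.find(ZIP_LOCAL_HEADER, idx + 1)
    return None


def _scan_blob(location, blob, findings):
    """Record risky markers found in blob, descending into embedded archives."""
    for kind, pattern in RISKY_M_PATTERNS.items():
        for match in pattern.finditer(blob):
            snippet = blob[match.start():match.start() + 60].decode("utf-8", "replace")
            findings.add((kind, location, snippet.splitlines()[0]))
    inner = _open_embedded_zip(blob)
    if inner is None:
        return
    with inner:
        for name in inner.namelist():
            _scan_blob(f"{location}::{name}", inner.read(name), findings)


def scan_pbix(pbix_bytes):
    """Return sorted (kind, location, snippet) triples for a .pbix given as bytes."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(pbix_bytes)) as pbix:
        for name in pbix.namelist():
            if name.startswith(CUSTOM_VISUAL_PREFIX):
                findings.add(("custom_visual", name, ""))
            _scan_blob(name, pbix.read(name), findings)
    return sorted(findings)


def build_sample_pbix():
    """Construct a toy .pbix that exhibits all three risks (constructed sample data)."""
    m_code = (
        b"section Section1;\n"
        b'shared Sales = Sql.Database("srv", "db", [Query="DELETE FROM dbo.Sales"]);\n'
        b'shared Stats = R.Execute("x <- 1");\n'
    )
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Formulas/Section1.m", m_code)
    # Assumption: mimic the DataMashup layout with a short header and a trailer.
    inner_bytes = inner.getvalue()
    mashup = (b"\x00\x00\x00\x00" + len(inner_bytes).to_bytes(4, "little")
              + inner_bytes + b"<permissions/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("DataMashup", mashup)
        z.writestr("Report/Layout", b"{}")
        z.writestr("Report/CustomVisuals/ExampleVisual/package.json", b'{"visual": {}}')
    return outer.getvalue()


if __name__ == "__main__":
    for kind, location, snippet in scan_pbix(build_sample_pbix()):
        print(f"{kind:14} {location}  {snippet}")
```

Running the script on a real file is a matter of replacing `build_sample_pbix()` with `open(path, "rb").read()`. A finding of kind `native_query` or `r_script` is exactly what the Desktop approval prompt will later ask the user to accept, so the reviewer sees the statement before anyone clicks through; a `custom_visual` finding gives the package path to compare against the department's approved list.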

Hello @yoshihirok. Can you share more details about the security practices/policy your organization implemented for Power BI? There are some great details in your earlier posts. I'm curious if you found other items to add to your policy.


Thank you
