Power BI: Restrict R/Python Script Visuals

💼 Management Summary

Restrict R/Python script visuals in Power BI - arbitrary code execution risk (scripts can access data + make external connections).

Recommendation
IMPLEMENT (restrict to approved users)
Risk without
Medium
Risk Score
7/10
Implementation
7h (technical: 2h)
Applies to:
✓ Power BI

R/Python visuals = code execution. Power BI supports custom visuals driven by R or Python scripts (data science use case). Security risks:
  • Arbitrary code: the script can execute any R/Python code (file system access, network calls).
  • Data exfiltration: the script reads the Power BI dataset → HTTP POST to an external server (sensitive data stolen).
  • Malicious visuals: an attacker creates a 'helpful' R visual → shares it via Power BI → it runs in the victim's Power BI Service.
Attack: malicious R script in a shared report → executes when the report is viewed → data exfiltration.
Caveat: the tenant setting governs the Power BI Service. In Power BI Desktop the script runs with the locally installed R/Python runtime under the author's own account, so Desktop workstations need separate controls (approved runtime install, code review before publishing).

PowerShell Modules Required
Primary API: Power BI Admin API
Connection: Connect-PowerBIServiceAccount
Required Modules: MicrosoftPowerBIMgmt

Implementation

Restrict R/Python:
  • Tenant setting: disable R/Python visuals (strictest, blocks all), OR restrict to specific security groups (controlled pilot).
  • Approved users: data science team only (least privilege).
  • Monitoring: audit R/Python visual usage.
  • Review scripts: code review required before a visual is published (no blind execution).

Requirements

  1. Power BI Pro/Premium
  2. Power BI Admin role
  3. Data science use case: document the business need
  4. Code review process (if allowing R/Python)

Implementation

Power BI Admin Portal → Tenant settings → R and Python visuals settings → Interact with and share R and Python visuals: Disabled (or enabled for specific security groups only, i.e. the data science team). Monitor: audit logs for R/Python visual creation. Check: after saving, confirm the setting is not applied to "The entire organization" and that no unexpected groups appear in the allowed list.
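The portal steps above can be verified from PowerShell. The script below is an added example and not the page's own powerbi-r-python-disabled.ps1: it reads the tenant settings through the Power BI Admin REST API and classifies the R/Python visuals toggle as Compliant (disabled), Restricted (enabled only for approved groups), or NonCompliant (entire organization or unapproved groups). The relative endpoint `admin/tenantsettings`, the `settingName` value `RScriptVisual`, and the group name `sg-data-science` are assumptions to verify against your own tenant's output; the embedded JSON is a constructed sample so the check runs offline without `-Live`.

```powershell
#Requires -Modules MicrosoftPowerBIMgmt
<#
  Added example (not the page's powerbi-r-python-disabled.ps1).
  Reads "Interact with and share R and Python visuals" via the Admin API
  and classifies it. Assumptions to verify against your tenant:
  endpoint 'admin/tenantsettings' and settingName 'RScriptVisual'.
#>
[CmdletBinding()]
param(
    [switch]$Live,                                    # query the tenant instead of the sample
    [string[]]$ApprovedGroups = @('sg-data-science')  # assumed name of the approved group
)

$SettingName = 'RScriptVisual'   # assumption: settingName the Admin API uses for this toggle

# Constructed sample in the shape the Admin API returns (offline run).
$SampleJson = @'
{
  "tenantSettings": [
    {
      "settingName": "RScriptVisual",
      "title": "Interact with and share R and Python visuals",
      "enabled": true,
      "canSpecifySecurityGroups": true,
      "enabledSecurityGroups": [
        { "graphId": "00000000-0000-0000-0000-000000000001", "name": "sg-data-science" }
      ]
    }
  ]
}
'@

function Get-TenantSettings {
    param([switch]$Live)
    if ($Live) {
        # Needs an admin session first: Connect-PowerBIServiceAccount
        $raw = Invoke-PowerBIRestMethod -Url 'admin/tenantsettings' -Method Get
    } else {
        $raw = $SampleJson
    }
    return ($raw | ConvertFrom-Json).tenantSettings
}

function Test-RPythonVisualSetting {
    param(
        [Parameter(Mandatory)] $Settings,
        [string[]] $ApprovedGroups
    )
    $s = $Settings | Where-Object settingName -eq $SettingName
    if (-not $s) {
        return [pscustomobject]@{ Status = 'Unknown'; Detail = "setting $SettingName not found in response" }
    }
    if (-not $s.enabled) {
        return [pscustomobject]@{ Status = 'Compliant'; Detail = 'R/Python visuals disabled tenant-wide' }
    }
    # Enabled with no security-group scope means "The entire organization".
    $groups = @($s.enabledSecurityGroups | ForEach-Object name)
    if ($groups.Count -eq 0) {
        return [pscustomobject]@{ Status = 'NonCompliant'; Detail = 'enabled for the entire organization' }
    }
    $unapproved = @($groups | Where-Object { $_ -notin $ApprovedGroups })
    if ($unapproved.Count -gt 0) {
        return [pscustomobject]@{ Status = 'NonCompliant'; Detail = "enabled for unapproved group(s): $($unapproved -join ', ')" }
    }
    return [pscustomobject]@{ Status = 'Restricted'; Detail = "enabled only for approved group(s): $($groups -join ', ')" }
}

$result = Test-RPythonVisualSetting -Settings (Get-TenantSettings -Live:$Live) -ApprovedGroups $ApprovedGroups
$colour = switch ($result.Status) { 'Compliant' { 'Green' } 'Restricted' { 'Yellow' } default { 'Red' } }
Write-Host "[$($result.Status)] $($result.Detail)" -ForegroundColor $colour
if ($result.Status -eq 'NonCompliant') { exit 1 } else { exit 0 }
```

Run it without arguments to exercise the sample (it reports Restricted, because the only group is the approved one); run it with `-Live` after `Connect-PowerBIServiceAccount` as a Power BI admin to check the real tenant, and pass `-ApprovedGroups` with the groups your code-review process actually covers. Treat Restricted as acceptable only while the code review requirement from the Requirements list is in place.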

Compliance

BIO 12.06 (code execution control), ISO 27001 A.12.5.1, AVG (GDPR) Art. 32 (data exfiltration prevention).

Monitoring

Use the PowerShell script powerbi-r-python-disabled.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script powerbi-r-python-disabled.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    PowerBI R and Python Disabled
.DESCRIPTION
    Disables R and Python visuals in PowerBI for security
.NOTES
    NL Baseline v2.0
    Security concern: R/Python scripts can execute arbitrary code
#>
#Requires -Version 5.1
#Requires -Modules MicrosoftPowerBIMgmt
[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation
)
$ErrorActionPreference = 'Stop'

function Invoke-Monitoring {
    # Monitoring-only control: lists the required tenant setting for manual verification.
    # Returns the exit code: 0 = check completed, 2 = error.
    try {
        Write-Host " ⚠️ Manual verification required" -ForegroundColor Yellow
        Write-Host "`n Configuration in PowerBI Admin Portal:" -ForegroundColor Cyan
        Write-Host "   Tenant settings > R and Python visuals settings" -ForegroundColor Gray
        Write-Host "`n Required Settings:" -ForegroundColor Cyan
        Write-Host "   ✓ Interact with and share R and Python visuals: Disabled" -ForegroundColor Gray
        Write-Host "   ✓ Apply to: Entire organization" -ForegroundColor Gray
        Write-Host "`n Security Concerns:" -ForegroundColor Red
        Write-Host "   • R/Python scripts can execute arbitrary code" -ForegroundColor Red
        Write-Host "   • Potential for malicious code execution" -ForegroundColor Red
        Write-Host "   • Data exfiltration risk" -ForegroundColor Red
        Write-Host "   • System compromise possible" -ForegroundColor Red
        Write-Host "`n Security Benefits of Disabling:" -ForegroundColor Cyan
        Write-Host "   • Prevents code injection attacks" -ForegroundColor Gray
        Write-Host "   • Reduces attack surface" -ForegroundColor Gray
        Write-Host "   • Maintains data security" -ForegroundColor Gray
        Write-Host "`n ⚠️ Security Risk: R/Python can execute arbitrary code!" -ForegroundColor Red
        return 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        return 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    .DESCRIPTION
        This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] This is a monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    return (Invoke-Monitoring)
}

# Functions are defined above this point so both switches are reachable.
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "PowerBI R and Python Disabled" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

$exitCode = 0
try {
    if ($Remediation) {
        $exitCode = Invoke-Remediation
    } elseif ($Monitoring) {
        $exitCode = Invoke-Monitoring
    } else {
        Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
    }
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
exit $exitCode

Risk without implementation

Medium: R/Python = arbitrary code execution + data exfiltration risk.

Management Summary

Restrict Power BI R/Python visuals. Disable OR limit to the data science team (security group). Code review required. Implementation: 2 to 7 hours.