Restrict R/Python script visuals in Power BI: arbitrary code execution risk (scripts can read the dataset and make external connections).
Recommendation
IMPLEMENT (restrict to approved users)
Risk without control
Medium
Risk Score
7/10
Implementation
7 h (technical: 2 h)
Applies to:
Power BI
R/Python visuals = code execution
Power BI R/Python: custom visuals that run R/Python scripts (data science use case).
Security risks:
Arbitrary code: a script can execute ANY R/Python code (file system access, network calls).
Data exfiltration: a script reads the Power BI dataset → HTTP POST to an external server (steals sensitive data).
Malicious visuals: an attacker creates a 'helpful' R visual → shared via Power BI → runs in the victim's Power BI Service.
Attack: malicious R script in a shared report → executes when the report is viewed → data exfiltration.
PowerShell Modules Required
Primary API: Power BI Admin API
Connection: Connect-PowerBIServiceAccount
Required Modules: MicrosoftPowerBIMgmt
Implementation
Restrict R/Python:
Tenant setting: disable R/Python visuals (strictest, blocks all), OR restrict to specific workspaces/users (controlled pilot).
Approved users: data science team only (least privilege).
Monitoring: audit R/Python visual usage.
Review scripts: code review required (no blind execution).
Requirements
Power BI Pro/Premium
Power BI Admin role
Data science use case: Document business need
Code review process (if allowing R/Python)
Implementation
Power BI Admin Portal → Tenant settings → R and Python visuals settings → Use R and Python visuals: Disabled (or Specific security groups only: the data science team). Monitor: audit logs for R/Python visual creation.
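As an added example (not part of this baseline page or its script), the following PowerShell evaluates the "R and Python visuals" tenant setting against the policy stated above: compliant when the setting is Disabled, or Enabled only for specific approved security groups; non-compliant when it is Enabled for the entire organization or for an unapproved group. It parses the JSON shape returned by the Power BI/Fabric admin "List Tenant Settings" API (settingName, enabled, canSpecifySecurityGroups, enabledSecurityGroups). The setting name `RScriptVisual`, the group name `SG-DataScience` and the two inline exports are assumptions constructed for the demo; verify the setting name against an export from your own tenant.

```powershell
# Added example: evaluate the R/Python visuals tenant setting against the
# baseline policy (Disabled, or Specific security groups only).
# Assumptions: the export has the shape of the Power BI/Fabric admin
# "List Tenant Settings" response; the setting name 'RScriptVisual' is
# assumed and must be verified against your own tenant export.
$RPythonSettingName = 'RScriptVisual'

function Test-RPythonVisualSetting {
    param(
        [Parameter(Mandatory)] [string]   $TenantSettingsJson,
        [string[]] $ApprovedGroupNames = @()   # e.g. the data science team's group
    )
    $settings = (ConvertFrom-Json $TenantSettingsJson).tenantSettings
    $setting  = $settings | Where-Object { $_.settingName -eq $RPythonSettingName }

    if (-not $setting) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Setting '$RPythonSettingName' not found in export" }
    }
    if (-not $setting.enabled) {
        return [pscustomobject]@{ Compliant = $true; Reason = 'R/Python visuals disabled for the entire organization' }
    }
    # Filter out $null so a missing property does not count as one group.
    $groups = @($setting.enabledSecurityGroups | Where-Object { $_ })
    if ($groups.Count -eq 0) {
        # Enabled with no group scope means every user can run R/Python visuals.
        return [pscustomobject]@{ Compliant = $false; Reason = 'R/Python visuals enabled for the entire organization' }
    }
    $unapproved = @($groups | Where-Object { $ApprovedGroupNames -notcontains $_.name })
    if ($unapproved.Count -gt 0) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Enabled for unapproved group(s): $(($unapproved.name) -join ', ')" }
    }
    return [pscustomobject]@{ Compliant = $true; Reason = "Enabled only for approved group(s): $(($groups.name) -join ', ')" }
}

# Constructed sample exports (not real tenant data).
$exportEntireOrg = @'
{ "tenantSettings": [ { "settingName": "RScriptVisual",
    "title": "Interact with and share R and Python visuals",
    "enabled": true, "canSpecifySecurityGroups": true, "enabledSecurityGroups": [] } ] }
'@
$exportScoped = @'
{ "tenantSettings": [ { "settingName": "RScriptVisual",
    "title": "Interact with and share R and Python visuals",
    "enabled": true, "canSpecifySecurityGroups": true,
    "enabledSecurityGroups": [ { "graphId": "00000000-0000-0000-0000-000000000001", "name": "SG-DataScience" } ] } ] }
'@

# Entire organization: non-compliant. Scoped to the approved group: compliant.
Test-RPythonVisualSetting -TenantSettingsJson $exportEntireOrg -ApprovedGroupNames 'SG-DataScience'
Test-RPythonVisualSetting -TenantSettingsJson $exportScoped    -ApprovedGroupNames 'SG-DataScience'
```

In a live run, sign in with Connect-PowerBIServiceAccount (the connection named above), retrieve the tenant settings JSON from the admin API, and pass it as $TenantSettingsJson; a Compliant = $false result is the finding to raise to the Power BI admin.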
Compliance
BIO 12.06 (Code execution control), ISO 27001 A.12.5.1, AVG Art. 32 (Data exfiltration prevention).
Monitoring
Use the PowerShell script powerbi-r-python-disabled.ps1 (function Invoke-Monitoring) → Check.
Remediation
Use the PowerShell script powerbi-r-python-disabled.ps1 (function Invoke-Remediation) → Remediate.
Compliance & Frameworks
BIO: 12.06.01 -
ISO 27001:2022: A.12.5.1 -
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
PowerBI R and Python Disabled
.DESCRIPTION
Disables R and Python visuals in PowerBI for security
.NOTES
NL Baseline v2.0
Security concern: R/Python scripts can execute arbitrary code
#>
#Requires -Version 5.1
#Requires -Modules MicrosoftPowerBIMgmt
[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation
)
$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "PowerBI R and Python Disabled" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    # The tenant setting has no cmdlet in MicrosoftPowerBIMgmt, so this
    # control prints the required Admin Portal configuration for a manual check.
    try {
        Write-Host "  [!] Manual verification required" -ForegroundColor Yellow
        Write-Host "`n  Configuration in PowerBI Admin Portal:" -ForegroundColor Cyan
        Write-Host "    Tenant settings > R and Python visuals settings" -ForegroundColor Gray
        Write-Host "`n  Required Settings:" -ForegroundColor Cyan
        Write-Host "    - Interact with and share R and Python visuals: Disabled" -ForegroundColor Gray
        Write-Host "    - Apply to: Entire organization" -ForegroundColor Gray
        Write-Host "`n  Security Concerns:" -ForegroundColor Red
        Write-Host "    * R/Python scripts can execute arbitrary code" -ForegroundColor Red
        Write-Host "    * Potential for malicious code execution" -ForegroundColor Red
        Write-Host "    * Data exfiltration risk" -ForegroundColor Red
        Write-Host "    * System compromise possible" -ForegroundColor Red
        Write-Host "`n  Security Benefits of Disabling:" -ForegroundColor Cyan
        Write-Host "    * Prevents code injection attacks" -ForegroundColor Gray
        Write-Host "    * Reduces attack surface" -ForegroundColor Gray
        Write-Host "    * Maintains data security" -ForegroundColor Gray
        Write-Host "`n  [!] Security Risk: R/Python can execute arbitrary code!" -ForegroundColor Red
        exit 0
    }
    catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
    Restores the configuration to the desired state
    .DESCRIPTION
    This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

# Both functions are defined before dispatch so either switch can reach them.
try {
    if ($Monitoring)      { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    else { Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow }
}
catch { throw }
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}