9.1.5 Ensure 'Interact with and share R and Python' visuals is 'Disabled'

Information

Power BI allows R and Python scripts to be embedded directly in visuals. This feature extends data visualizations with custom calculations, statistical analyses, machine learning models, and more, written in R or Python. Custom visuals are created by embedding the scripts directly in Power BI reports; users can then interact with those visuals and see the results of the custom code within the Power BI interface.

Rationale:

Disabling this feature reduces the attack surface by preventing potentially malicious code execution that could lead to data breaches or unauthorized access. The use of scripts also increases the potential for sensitive or confidential data to be leaked to unintended users.

Impact:

Use of R and Python scripting will require exceptions for developers, along with more stringent code review.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the recommended state:

Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal

Select Tenant settings.

Scroll to R and Python visuals settings.

Set Interact with and share R and Python visuals to Disabled.
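Because Nessus does not perform this check, an added example (not part of the benchmark) of how an administrator could evaluate the setting programmatically: the function below assesses a tenant-settings JSON document of the shape returned by the Fabric admin "List Tenant Settings" REST API, matching the setting by the title quoted in this benchmark. The sample response, its settingName values and the field layout are constructed assumptions; only the title is taken from the page.

```python
import json

# Title of the tenant setting as shown in the admin portal (from the benchmark).
TARGET_TITLE = "Interact with and share R and Python visuals"

# Constructed sample response (assumed shape of GET /v1/admin/tenantsettings).
# settingName values are placeholders, not real Fabric identifiers.
SAMPLE_RESPONSE = json.dumps({
    "tenantSettings": [
        {
            "settingName": "PLACEHOLDER_RPythonVisuals",
            "title": "Interact with and share R and Python visuals",
            "enabled": True,
            "canSpecifySecurityGroups": True,
            "enabledSecurityGroups": [
                {"graphId": "00000000-0000-0000-0000-000000000001",
                 "name": "BI Developers"}
            ],
            "tenantSettingGroup": "R and Python visuals settings",
        },
        {
            "settingName": "PLACEHOLDER_Other",
            "title": "Some unrelated setting",
            "enabled": False,
            "canSpecifySecurityGroups": False,
            "tenantSettingGroup": "Export and sharing settings",
        },
    ]
})


def assess_r_python_visuals(response_json: str) -> dict:
    """Return the 9.1.5 result (PASS / FAIL / UNKNOWN) for a tenant-settings document."""
    settings = json.loads(response_json).get("tenantSettings", [])
    match = next((s for s in settings if s.get("title") == TARGET_TITLE), None)
    if match is None:
        # The API did not return the setting; do not assume compliance.
        return {"status": "UNKNOWN", "reason": "setting not present in response"}
    if not match.get("enabled", False):
        return {"status": "PASS", "reason": "setting is Disabled (recommended state)"}
    groups = [g.get("name") for g in match.get("enabledSecurityGroups", [])]
    if groups:
        # Scoped to groups is still Enabled; the benchmark expects Disabled
        # (developer exceptions should be documented, not silently passed).
        return {"status": "FAIL",
                "reason": f"enabled for security groups {groups}"}
    return {"status": "FAIL", "reason": "enabled for the entire organization (default)"}
```

Feed the function the body of a real API response captured by an admin account to evaluate a live tenant.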

Default Value:

Enabled

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7

Plugin: microsoft_azure

Control ID: 7b1f72048272306935e2b772dc49c855ec042f07c310bfb97269aa2c19d34e0d