topic Re: IIS Delete Method Enable in Administration and Deployment

IIS Delete Method Enable

MariaD — Wed, 03 Apr 2019 06:15:06 GMT

Hi folks,

We have installed SAS 9.4 on Windows Server. We use SAS Studio and SAS EM via browser. Recently Microsoft announce a vulnerability on IIS and we need to implement the following procedure:

Disable HTTP DELETE Method for IIS

1. Disable the DELETE method by doing the following in the IIS manager

2. Select relevent site

3. Select Request filtering and change to HTTP verb tab

4. Select Deny Verb from the actions pane

5. Type DELETE into the provided text box and press OK

I understand that this procedure has no impact on SAS Studio o SAS EM via browser. Is that correct?

Regards,

Re: IIS Delete Method Enable

Stefan_Giuros1 — Wed, 03 Apr 2019 12:43:14 GMT

If talking about SAS 9.4, then it comes with its own SAS Web Server. Accordingly with "Usage Note 61334: HTTP request methods that are used by SAS® software" (http://support.sas.com/kb/61/334.html) you should not disable DELETE method in SAS Web Server.

You have mentioned IIS, If IIS is completely separated and used for anything else than SAS, then the modification in IIS should be harmless to SAS web applications.

However, if the case is that you use IIS as a reverse proxy server (for example following the steps in https://go.documentation.sas.com/?docsetId=bimtag&docsetTarget=p0sxhuco18v167n13dsmnrfqv7yy.htm&docsetVersion=9.4&locale=en) , then IIS will pass to SAS the requests, which leads me to the conclusion that disabling DELETE method at IIS level may impact the SAS web applications,

Re: IIS Delete Method Enable

MariaD — Mon, 06 May 2019 22:19:46 GMT

Hi @Stefan_Giuros1 , our customer wants to disable the OPTIONS and DELETE method for SAS Web Application. Is it possible? If not, there is any SAS documentation about it?

Regards,

Re: IIS Delete Method Enable

SimonDawson — Tue, 07 May 2019 02:41:50 GMT

Is the IIS instance a reverse proxy for a SAS 9 based middle tier?

Re: IIS Delete Method Enable

MariaD — Thu, 09 May 2019 12:36:40 GMT

Hi, @SimonDawson . No, it's only SAS Web Server. They want to disable OPTIONS and DELETE because of vulnerability issue. They already disable these on other web application (not SAS) that use IIS.