https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603937#M17665 <P><a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/15475">@andreas_lds</a>&nbsp; - Thanks for pointing that out. We use 9.4M2 and expiring internal accounts is possible in M2 as well.</P> Wed, 13 Nov 2019 19:05:40 GMT SASKiwi 2019-11-13T19:05:40Z https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603738#M17650 <P>Hi,</P> <P>currently we have created some sas internal user id's for a set of associates for special purpose to view few reports on SAS VA, we should not allow them to use external id's ( they are not in our AD group).</P> <P>I would like to know is there any security issues raises when they use internal sas id's? if yes please elaborate them? also advise how to mitigate the risk?</P> <P>Appreciate your help.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Cherry.</P> Wed, 13 Nov 2019 02:37:27 GMT https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603738#M17650 Cherry 2019-11-13T02:37:27Z https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603772#M17655 <P>SAS internal IDs must have their passwords stored with them in a SAS metadata repository. These passwords are stored in an encrypted form. OS userids do not normally have passwords stored in SAS metadata, so from that perspective they are more secure.</P> <P>&nbsp;</P> <P>Perhaps the biggest risk with SAS internal IDs is their passwords are static and there is no mechanism to have them expire automatically so they get changed on a regular basis. So to mitigate this risk you could have a policy of updating them on a regular basis. It is advisable to have these IDs stored in your company's password safe, so they aren't lost.</P> Wed, 13 Nov 2019 05:57:20 GMT https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603772#M17655 SASKiwi 2019-11-13T05:57:20Z https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603779#M17656 <P>can we get the audit logs of sas internal id's activities? I mean can we track what they ( sas internal id's) are doing on sas?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Cherry.&nbsp;</P> Wed, 13 Nov 2019 06:31:34 GMT https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603779#M17656 Cherry 2019-11-13T06:31:34Z https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603783#M17657 <BLOCKQUOTE><HR /><a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/13976">@SASKiwi</a>&nbsp;wrote:<BR /> <P>[...]</P> <P>&nbsp;</P> <P>Perhaps the biggest risk with SAS internal IDs is their passwords are static and there is no mechanism to have them expire automatically so they get changed on a regular basis. So to mitigate this risk you could have a policy of updating them on a regular basis. It is advisable to have these IDs stored in your company's password safe, so they aren't lost.</P> <HR /></BLOCKQUOTE> <P>Automatic password expiration seems to be possible (using 9.4m5):</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="internal_acc_pw_exp.png" style="width: 400px;"><img src="https://communities.sas.com/t5/image/serverpage/image-id/33924i4C6ECD42F0F0AD1F/image-size/medium?v=v2&amp;px=400" role="button" title="internal_acc_pw_exp.png" alt="internal_acc_pw_exp.png" /></span></P> <P>&nbsp;</P> Wed, 13 Nov 2019 07:01:10 GMT https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603783#M17657 andreas_lds 2019-11-13T07:01:10Z https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603937#M17665 <P><a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/15475">@andreas_lds</a>&nbsp; - Thanks for pointing that out. We use 9.4M2 and expiring internal accounts is possible in M2 as well.</P> Wed, 13 Nov 2019 19:05:40 GMT https://communities.sas.com/t5/Administration-and-Deployment/security-issues-with-SAS-Internal-ID-s/m-p/603937#M17665 SASKiwi 2019-11-13T19:05:40Z