topic SAS 9.4 Web Server Hardening in Administration and Deployment

SAS 9.4 Web Server Hardening

zennigan — Fri, 29 Jan 2016 08:27:25 GMT

Hi,

I'm very new to SAS 9.4 setup. Anyone can point me to information how I can know more on the SAS Web Server Security Configuration and Setup? Thanks!

What I know is the server is based on Pivotal WS. How should I proceed with Server Hardedning in this case.

Regards,
Nelson

Re: SAS 9.4 Web Server Hardening

Kurt_Bremser — Fri, 29 Jan 2016 09:17:02 GMT

AFAIK, this Pivotal thing is based on apache, so the principal rules and configuration options should be the same.

FWIW, I have no idea why SAS subjects us customers once again to a change in the middleware. AFAIK jboss/apache is alive and kicking.

You're Microsofting more and more, SAS!

Re: SAS 9.4 Web Server Hardening

Timmy2383 — Fri, 29 Jan 2016 12:58:08 GMT

In 9.4 you can configure HTTPS for the web server with the deployment wizard during installation and configuration. Its recommended you set up SSL with the deployment wizard so that the SSL configuration with be retained if and when you implement a maintenance release (if you configure manually on the backend the configuration would be reverted during an upgrade).

As Kurt said, though, most techniques for hardening Apache would apply here.

Check this out: http://www.tecmint.com/apache-security-tips/

The web server config files you're looking for are usually here: <sasconfig>/Lev1/Web/WebServer/conf and <sasconfig>/Lev1/Web/WebServer/conf/extra

Re: SAS 9.4 Web Server Hardening

PaulHomes — Sat, 30 Jan 2016 01:38:09 GMT

I would suggest you start out with the Checklist for a More Secure Deployment section of the SAS 9.4 Intelligence Platform: Security Administration Guide, Second Edition. That will direct you off to other SAS documents for more information on those items you decide to implement. Hardening the web server is just one aspect of maintaining a secure SAS platform so that checklist will get you thinking about some of the other aspects too.

You might also want to be aware of the SAS Security Bulletins page. It has some statements that explain how SAS software may or may not be impacted by some of general web/software security issues that have had high profile appearences in the media recently.

If you want to keep up to date with hotfixes/patches take a look at the SAS Technical Support Hot Fixes page. From there you can subscribe to find out about hotfixes as the are released (of which which many may be for products you don't have), or use the Hot Fix Analysis, Download and Deployment Tool (HFADD) to get tailored reports for your specific deployments. I wrote some blog posts about HFADD and hotfixes a while ago that may help: http://platformadmin.com/blogs/paul/tag/sas-hotfixes/

As the SAS platform doesn't stand in isolation you would also want to discuss general platform/network security with the appropriate team within your organization (and perhaps in combination with SAS Professional Services or a local SAS Partner too). They can advise, based on the intended use of, and access to, the SAS platform, any organizational requirements for firewalls, web application firewalls, secure reverse proxies, SSL server/client certificates, identity management, single signon etc.

I hope this helps.

Re: SAS 9.4 Web Server Hardening

jakarman — Sun, 31 Jan 2016 08:54:19 GMT

Paul, the checklist for a more secure deployment is a SAS view of that direction not the common accepted view how the security should be reviewed (iso27k cobit sox) and surely not the ones for common hardening guidelines (OS webserver) as being very technical.

Kurts remark on getting microsoftical has some real reasons I can agree with him.

Re: SAS 9.4 Web Server Hardening

PaulHomes — Sun, 31 Jan 2016 09:32:16 GMT

Jaap, if you re-read my reply you might notice that I said the checklist was something to "start out with" and I advised that it would be good to "discuss general platform/network security" with others in the organization. The SAS bias in my reply was on the basis that if someone was asking about "SAS Web Server Security Configuration and Setup" in a SAS software forum then they might want a "SAS view" as a starting point.

Re: SAS 9.4 Web Server Hardening

jakarman — Sun, 31 Jan 2016 09:43:37 GMT

Yes I understand And Have seen "discuss general platform/network security" with others in the organization. That is good.
and in a SAS software forum then they might want a "SAS view" as a starting point.

My ongoing frustration is those are not aligned. Going to those general platform/network security guys wiht the starting point of a "SAS view" you are quickly seen as the one that is doing dangerous things ans should be blocked or isolated in some dedicated area.
That is not a nice situation.

Re: SAS 9.4 Web Server Hardening

PaulHomes — Sun, 31 Jan 2016 21:32:06 GMT

Jaap, that's a bold negative statement that really should be debated, but I have other activities that need my attention more. My intention was to point the original poster in the direction of some resources that might be of help to them in the SAS software task they have ahead of them, so I'm going to leave this thread here.

Re: SAS 9.4 Web Server Hardening

ShelleySessoms — Mon, 01 Feb 2016 14:56:49 GMT

I appreciate the views of all in helping @zennigan with this question. For someone new to a SAS set up, a variety of resources can be helpful. Let's keep this in mind as we reply to questions in the community...you never know what one person will find helpful.

Thanks,

Shelley

Online Community Manager