BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
MariaD
Barite | Level 11

Hi folks,

 

We have installed SAS 9.4 on Windows Server. We use SAS Studio and SAS EM via browser. Recently Microsoft announce a vulnerability on IIS and we need to implement the following procedure:

 

Disable HTTP DELETE Method for IIS

 

     1. Disable the DELETE method by doing the following in the IIS manager

     2. Select relevent site

     3. Select Request filtering and change to HTTP verb tab

     4. Select Deny Verb from the actions pane

    5. Type DELETE into the provided text box and press OK

 

I understand that this procedure has no impact on SAS Studio o SAS EM via browser. Is that correct?

 

Regards,

1 ACCEPTED SOLUTION

Accepted Solutions
Stefan_Giuros1
SAS Employee

If talking about SAS 9.4, then it comes with its own SAS Web Server. Accordingly with "Usage Note 61334: HTTP request methods that are used by SAS® software" (http://support.sas.com/kb/61/334.html) you should not disable DELETE method in SAS Web Server.

 

You have mentioned IIS, If IIS is completely separated and used for anything else than SAS, then the modification in IIS should be harmless to SAS web applications.

 

However, if the case is that you use IIS as a reverse proxy server (for example following the steps in https://go.documentation.sas.com/?docsetId=bimtag&docsetTarget=p0sxhuco18v167n13dsmnrfqv7yy.htm&docs...) , then IIS will pass to SAS the requests, which leads me to the conclusion that disabling DELETE method at IIS level may impact the SAS web applications,

View solution in original post

4 REPLIES 4
Stefan_Giuros1
SAS Employee

If talking about SAS 9.4, then it comes with its own SAS Web Server. Accordingly with "Usage Note 61334: HTTP request methods that are used by SAS® software" (http://support.sas.com/kb/61/334.html) you should not disable DELETE method in SAS Web Server.

 

You have mentioned IIS, If IIS is completely separated and used for anything else than SAS, then the modification in IIS should be harmless to SAS web applications.

 

However, if the case is that you use IIS as a reverse proxy server (for example following the steps in https://go.documentation.sas.com/?docsetId=bimtag&docsetTarget=p0sxhuco18v167n13dsmnrfqv7yy.htm&docs...) , then IIS will pass to SAS the requests, which leads me to the conclusion that disabling DELETE method at IIS level may impact the SAS web applications,

MariaD
Barite | Level 11

Hi @Stefan_Giuros1 , our customer wants to disable the OPTIONS and DELETE method for SAS Web Application. Is it possible? If not, there is any SAS documentation about it?

 

Regards, 

SimonDawson
SAS Employee
Is the IIS instance a reverse proxy for a SAS 9 based middle tier?
MariaD
Barite | Level 11

Hi, @SimonDawson . No, it's only SAS Web Server. They want to disable OPTIONS and DELETE because of vulnerability issue. They already disable these on other web application (not SAS) that use IIS.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • 7916 views
  • 0 likes
  • 3 in conversation