cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
MariaD
Barite | Level 11 MariaD
Barite | Level 11
Go to Solution

IIS Delete Method Enable

Posted 04-03-2019 02:15 AM (7246 views)

Hi folks,

 

We have installed SAS 9.4 on Windows Server. We use SAS Studio and SAS EM via browser. Recently Microsoft announce a vulnerability on IIS and we need to implement the following procedure:

 

Disable HTTP DELETE Method for IIS

 

     1. Disable the DELETE method by doing the following in the IIS manager

     2. Select relevent site

     3. Select Request filtering and change to HTTP verb tab

     4. Select Deny Verb from the actions pane

    5. Type DELETE into the provided text box and press OK

 

I understand that this procedure has no impact on SAS Studio o SAS EM via browser. Is that correct?

 

Regards,

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions
Stefan_Giuros1
SAS Employee Stefan_Giuros1
SAS Employee

Re: IIS Delete Method Enable

Posted 04-03-2019 08:43 AM (7223 views)  |   In reply to MariaD

If talking about SAS 9.4, then it comes with its own SAS Web Server. Accordingly with "Usage Note 61334: HTTP request methods that are used by SAS® software" (http://support.sas.com/kb/61/334.html) you should not disable DELETE method in SAS Web Server.

 

You have mentioned IIS, If IIS is completely separated and used for anything else than SAS, then the modification in IIS should be harmless to SAS web applications.

 

However, if the case is that you use IIS as a reverse proxy server (for example following the steps in https://go.documentation.sas.com/?docsetId=bimtag&docsetTarget=p0sxhuco18v167n13dsmnrfqv7yy.htm&docs...) , then IIS will pass to SAS the requests, which leads me to the conclusion that disabling DELETE method at IIS level may impact the SAS web applications,

View solution in original post

0 Likes
4 REPLIES 4
Stefan_Giuros1
SAS Employee Stefan_Giuros1
SAS Employee

Re: IIS Delete Method Enable

Posted 04-03-2019 08:43 AM (7224 views)  |   In reply to MariaD

If talking about SAS 9.4, then it comes with its own SAS Web Server. Accordingly with "Usage Note 61334: HTTP request methods that are used by SAS® software" (http://support.sas.com/kb/61/334.html) you should not disable DELETE method in SAS Web Server.

 

You have mentioned IIS, If IIS is completely separated and used for anything else than SAS, then the modification in IIS should be harmless to SAS web applications.

 

However, if the case is that you use IIS as a reverse proxy server (for example following the steps in https://go.documentation.sas.com/?docsetId=bimtag&docsetTarget=p0sxhuco18v167n13dsmnrfqv7yy.htm&docs...) , then IIS will pass to SAS the requests, which leads me to the conclusion that disabling DELETE method at IIS level may impact the SAS web applications,

0 Likes
MariaD
Barite | Level 11 MariaD
Barite | Level 11

Re: IIS Delete Method Enable

Posted 05-06-2019 06:19 PM (7103 views)  |   In reply to Stefan_Giuros1

Hi @Stefan_Giuros1 , our customer wants to disable the OPTIONS and DELETE method for SAS Web Application. Is it possible? If not, there is any SAS documentation about it?

 

Regards, 

0 Likes
SimonDawson
SAS Employee SimonDawson
SAS Employee

Re: IIS Delete Method Enable

Posted 05-06-2019 10:41 PM (7090 views)  |   In reply to MariaD
Is the IIS instance a reverse proxy for a SAS 9 based middle tier?
0 Likes
MariaD
Barite | Level 11 MariaD
Barite | Level 11

Re: IIS Delete Method Enable

Posted 05-09-2019 08:36 AM (7057 views)  |   In reply to SimonDawson

Hi, @SimonDawson . No, it's only SAS Web Server. They want to disable OPTIONS and DELETE because of vulnerability issue. They already disable these on other web application (not SAS) that use IIS.

0 Likes

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • ‎04-03-2019 02:15 AM
  • 7247 views
  • 0 likes
  • 3 in conversation