zennigan
Calcite | Level 5

Hi,

 

I'm very new to SAS 9.4 setup. Can anyone point me to information on how I can know more about the SAS Web Server Security Configuration and Setup? Thanks!

 

What I know is the server is based on Pivotal WS. How should I proceed with Server Hardening in this case?

 

Regards,
Nelson

8 REPLIES
Kurt_Bremser
Super User

AFAIK, this Pivotal thing is based on Apache, so the principal rules and configuration options should be the same.

 

FWIW, I have no idea why SAS subjects us customers once again to a change in the middleware. AFAIK JBoss/Apache is alive and kicking.

 

You're Microsofting more and more, SAS!

Timmy2383
Lapis Lazuli | Level 10
In 9.4 you can configure HTTPS for the web server with the deployment wizard during installation and configuration. It's recommended you set up SSL with the deployment wizard so that the SSL configuration will be retained if and when you implement a maintenance release (if you configure manually on the backend the configuration would be reverted during an upgrade).

As Kurt said, though, most techniques for hardening Apache would apply here.

Check this out: http://www.tecmint.com/apache-security-tips/

The web server config files you're looking for are usually here: <sasconfig>/Lev1/Web/WebServer/conf and <sasconfig>/Lev1/Web/WebServer/conf/extra

PaulHomes
Rhodochrosite | Level 12

I would suggest you start out with the Checklist for a More Secure Deployment section of the SAS 9.4 Intelligence Platform: Security Administration Guide, Second Edition. That will direct you off to other SAS documents for more information on those items you decide to implement. Hardening the web server is just one aspect of maintaining a secure SAS platform so that checklist will get you thinking about some of the other aspects too.

 

You might also want to be aware of the SAS Security Bulletins page. It has some statements that explain how SAS software may or may not be impacted by some of the general web/software security issues that have had high profile appearances in the media recently.

 

If you want to keep up to date with hotfixes/patches take a look at the SAS Technical Support Hot Fixes page. From there you can subscribe to find out about hotfixes as they are released (of which many may be for products you don't have), or use the Hot Fix Analysis, Download and Deployment Tool (HFADD) to get tailored reports for your specific deployments. I wrote some blog posts about HFADD and hotfixes a while ago that may help: http://platformadmin.com/blogs/paul/tag/sas-hotfixes/

 

 

As the SAS platform doesn't stand in isolation you would also want to discuss general platform/network security with the appropriate team within your organization (and perhaps in combination with SAS Professional Services or a local SAS Partner too). They can advise, based on the intended use of, and access to, the SAS platform, any organizational requirements for firewalls, web application firewalls, secure reverse proxies, SSL server/client certificates, identity management, single sign-on, etc.

 

I hope this helps.

jakarman
Barite | Level 11

Paul, the checklist for a more secure deployment is a SAS view of that direction, not the commonly accepted view of how security should be reviewed (ISO27k, COBIT, SOX), and surely not the ones for common hardening guidelines (OS, web server) as being very technical.

Kurt's remark on getting microsoftical has some real reasons; I can agree with him.

---->-- ja karman --<-----
PaulHomes
Rhodochrosite | Level 12

Jaap, if you re-read my reply you might notice that I said the checklist was something to "start out with" and I advised that it would be good to "discuss general platform/network security" with others in the organization. The SAS bias in my reply was on the basis that if someone was asking about "SAS Web Server Security Configuration and Setup" in a SAS software forum then they might want a "SAS view" as a starting point.

jakarman
Barite | Level 11

Yes, I understand and have seen "discuss general platform/network security" with others in the organization. That is good.
And in a SAS software forum then they might want a "SAS view" as a starting point.

My ongoing frustration is that those are not aligned. Going to those general platform/network security guys with the starting point of a "SAS view", you are quickly seen as the one that is doing dangerous things and should be blocked or isolated in some dedicated area.
That is not a nice situation.

---->-- ja karman --<-----
PaulHomes
Rhodochrosite | Level 12

Jaap, that's a bold negative statement that really should be debated, but I have other activities that need my attention more.  My intention was to point the original poster in the direction of some resources that might be of help to them in the SAS software task they have ahead of them, so I'm going to leave this thread here. 

ShelleySessoms
Community Manager

I appreciate the views of all in helping @zennigan with this question. For someone new to a SAS set up, a variety of resources can be helpful. Let's keep this in mind as we reply to questions in the community...you never know what one person will find helpful. 

 

Thanks,

Shelley

Online Community Manager
