Authentication

Authentication (Security Enforcement) Overview

Authentication enables PC Files Server system administrators to secure the server and enforce security. You can configure PC Files Server so that a user ID and a password are required to connect to a server and access files. You can also configure PC Files Server on specific hosts to require a user ID and password.
All the commands that allow server access support user authentication. The credentials supplied to PC Files Server are verified against the Windows login database. These are the same credentials that are required to interactively log on to a PC.
SERVERUSER=, SERVERPASS=, and SSPI= options have been added to the LIBNAME statement, and the IMPORT and EXPORT procedures. Use these options with PC Files engine to supply credentials to the PC Files Server.
See LIBNAME Statement Syntax.
Note: If the client PC is on a domain, the credentials are compared to the domain data, instead of the local data.

Access to PC Files Server

If the “bitness” of SAS on Microsoft Windows conflicts with the “bitness” of the ACE ODBC driver installed and therefore the “bitness” of PC Files Server (such as running 64-bit SAS on a machine with a 32-bit ACE driver) SAS cannot directly access PC files (EXCEL or ACCESS engines), but must rather use PC Files Server to bridge the “bitness” gap (PCFILES engine).
Access to the server is granted only if the credentials supplied are valid on the target PC. When connecting from a UNIX workstation to the PC, the UNIX credentials (User ID and password) can be different from the credentials used to access the PC files.

Access to Individual Files

After the server is secured, server administrators can enable security settings at the file level. When a server connection is established, access to individual files is secured using the credentials specified by the user. File access is administered as if the client is logged on to that PC.

System Administrator Tasks

To enforce a security policy, the system administrator should ensure that the following configurations and settings are implemented:
  • Local security policy is configured, see Local Security Policy Configuration.
  • Server authentication is configured, with PC Files Server desktop application. Startthen select All Programs then selectSAS then selectPC Files Server. Select Authentication Required. See Service Options for additional information.
  • Set PC-to-PC Connections option to Allow Integrated Windows Authentication (SSPI). This option is for clients on PCs running Windows connecting to PC Files Server. Credentials are exchanged between the server and the client. The client PC does not have to explicitly set credentials. See Service Options.
  • Access to the server requires a user ID and password using the SERVERUSER= and SERVERPASS= options. For the Windows environment, you can also use the SSPI= option.

Security Model for Microsoft Windows Vista and Above

The enhanced Microsoft Windows Security Model, beginning with Microsoft Windows Vista, is designed to make it more difficult for viruses, and other software that interferes with computer functions, to install themselves on the PC. When logged in as “Administrator” or part of the “Administrators Group,” certain privileges are temporarily not available to the operating system. The privileges are returned when needed and confirmed by a “Windows needs your permission to continue” dialog box. This guarantees that the user is aware of potential security risks.
When starting the server on Windows Vista and later, manual intervention is required to enable permissions. The confirmation is not required when running the server as a Windows service or if the Windows security features have been disabled for Windows Vista and above.
Copyright © SAS Institute Inc. All rights reserved.