Checklist for a More Secure Deployment :: SAS(R) 9.3 Intelligence Platform: Security Administration Guide

Introduction

You can use this appendix to verify that security issues are being addressed as appropriate for your environment and goals. Not all measures are relevant in all deployments. It is a good practice to review your security configuration on a periodic basis.

General Measures

Make sure that the configuration directories are protected by appropriate operating system permissions. See Recommended Operating System Protections for Windows Machines in SAS Intelligence Platform: System Administration Guide.
Consider disabling concurrent logon sessions to the SAS middle tier. See Disabling Concurrent Logon Sessions in SAS Intelligence Platform: Middle-Tier Administration Guide.
Consider reducing the HTTP Session time-out interval for the SAS Web applications. See Configuring the HTTP Session Time-out Interval in SAS Intelligence Platform: Middle-Tier Administration Guide.
If your deployment includes sensitive data, review host access to SAS data and evaluate the workspace server pooling configuration. See Server Configuration, Data Retrieval, and Risk.
If your deployment includes sensitive data, make sure that the SAS Web Report Studio query cache library (wrstemp) and distribution library (wrsdist) are protected by appropriate operating system permissions. See Improving the Performance of SAS Web Report Studio in SAS Intelligence Platform: Web Application Administration Guide and Verifying Permissions for the Distribution Library in SAS Intelligence Platform: Web Application Administration Guide.
On Windows, minimize availability of the privilege Log on as batch job. See Windows Privileges.
For industry-standard encryption, license SAS/SECURE. See About SAS/SECURE.
If your deployment includes the SAS Anonymous Web user, determine whether it is necessary and appropriate to keep that identity in place. See PUBLIC Access and Anonymous Access.
Consider tracking changes to server logging levels. See Audit Server Logging Level Changes That Originate in Client Applications in SAS Intelligence Platform: System Administration Guide.
Consider limiting the scope of trusted peer connections. See Trusted Peer Connections.

Metadata Layer Measures

Limit the WriteMetadata permission on servers. See Protect Server Definitions.
Limit the WriteMetadata permission on ACTs. In general, only the SAS Administrators group has a grant of the WriteMetadata permission on the Authorization tab of an ACT.
Limit the WriteMetadata permission on custom folders. To reduce the chance of inadvertent or deliberate changes to a custom folder, grant WriteMemberMetadata (instead of WriteMetadata) to users who should contribute only content. See WriteMetadata and WriteMemberMetadata.
Review the WriteMetadata permission on OLAP schemas and libraries. To prevent someone from adding cubes to an OLAP schema or tables to a library, set denials of the WriteMetadata permission on the schema or library. Remember to preserve access for administrators as appropriate.
Review the permission pattern of the predefined ACTs. See Permission Patterns of Selected ACTs.
Review who has privileged user status from metadata memberships. See Distribution of Selected Privileges.
Review who has privileged user status from the adminUsers.txt file. See User IDs in Configuration Files That Convey Privileged Status.
Consider reducing WriteMetadata access to the user definitions for any unrestricted users. This prevents restricted user administrators from updating an unrestricted user's definition and then logging on as that unrestricted user. To add this protection, access the Authorization tab of each unrestricted user and add an explicit denial of the WriteMetadata permission for PUBLIC.
Consider tracking changes to metadata layer permissions and ACTs. See Security Report Macros and Auditing of Security Events.
Consider limiting the locations from which SAS Web Report Studio uses information maps. See Limit the Availability of Relational Information Maps That Implement Row-Level Security in SAS Intelligence Platform: Web Application Administration Guide.

Enhanced Protections for Passwords

If you have SAS/SECURE, upgrade encryption strength for passwords in configuration files (from SASProprietary to AES). See How to Increase Encryption Strength for Passwords at Rest.
If you have SAS/SECURE, upgrade encryption strength for outbound passwords in transit (from SASProprietary to AES). See How to Increase Encryption Strength for Outbound Passwords in Transit.
Consider preventing users from saving their passwords in their desktop connection profiles. See Client-Side Storage of Passwords.
Consider strengthening password policies for internal accounts. See How to Change Internal Account Policies.
Consider removing the SAS Trusted User's password from some configuration files. See How to Reduce Exposure of the SASTRUST Password.