Data Security for SAS/CONNECT or SAS/SHARE Servers

Client Authentication

Authentication is the act of verifying the identity of the user who is attempting to access a machine—that is, the machine that either the client session or the server session runs on. Authentication is performed so that a machine can use the identity information to make decisions about the user's authority to access protected resources. Under Windows, the user ID, password, and access permissions make up a user context.
Resources on a SAS/CONNECT or a SAS/SHARE server are considered to be protected when both of the following conditions are met:
  • The server requires that the client provide its identity.
  • The client presents an identity that is successfully authenticated.
After the client's identity is authenticated, the client is given the appropriate permissions to access the server's resources.
Under Windows, two methods are available for authenticating a client's identity:
  • Simulated logon
  • SSPI

Simulated Logon Method

Overview of Simulated Logon Method

The simulated logon method is the most commonly used method of authentication and is available in all SAS-supported operating environments. In a simulated logon, the client provides a user ID and password that are checked by the server.
You use a simulated logon in the following situations:
  • The client or the server (or both) does not run on a Windows machine.
  • The user who runs the client machine is not a trusted user at the server machine.
  • The user who runs the client machine wants to log on by using a different user context.

Requirements for Using Simulated Logon with SAS/CONNECT or SAS/SHARE

To authenticate the user credentials (user ID and password) of SAS/CONNECT or SAS/SHARE clients, the administrator of the computers on which the client and server sessions run must assign the appropriate rights to users.
Here are the requirements for SAS/CONNECT and SAS/SHARE:
  • assignment of the “Log on as batch job” right to users in client sessions that access SAS/CONNECT server sessions.
  • assignment of the “Act as part of the operating system” right to users who start SAS/SHARE servers or SAS/CONNECT spawners.
Here are the requirements for SAS/CONNECT only:
  • assignment of the “Increase quotas” right to users who start a SAS/CONNECT spawner.
  • assignment of the “Replace a process level token” right to users who start a SAS/CONNECT spawner.
    Note: Because the SAS/CONNECT spawner usually runs as a service under the LocalSystem account, these permissions are already set by default and user rights do not need to be changed.
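The rights listed above are powerful, so it is worth checking who actually holds them after they are assigned. The following Python sketch is an added example, not part of the SAS documentation: it parses the [Privilege Rights] section of a file exported with secedit /export /areas USER_RIGHTS /cfg rights.inf and reports holders that are not on an allow-list. The account names, the sample export, and the allow-list are constructed assumptions.

```python
# Added example: audit which accounts hold the user rights named on this page.
# Input: text of an INF from `secedit /export /areas USER_RIGHTS /cfg rights.inf`
# (secedit writes UTF-16; decode the file before passing its text in).

# Display name used on this page -> constant used in [Privilege Rights].
SAS_RIGHTS = {
    "Log on as batch job": "SeBatchLogonRight",
    "Act as part of the operating system": "SeTcbPrivilege",
    "Increase quotas": "SeIncreaseQuotaPrivilege",
    "Replace a process level token": "SeAssignPrimaryTokenPrivilege",
}

def parse_privilege_rights(inf_text):
    """Return {constant: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are bare.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit(inf_text, allowed):
    """Return {display name: [unexpected principals]} for the four rights."""
    held = parse_privilege_rights(inf_text)
    findings = {}
    for display, const in SAS_RIGHTS.items():
        extra = [p for p in held.get(const, [])
                 if p not in allowed.get(const, set())]
        if extra:
            findings[display] = extra
    return findings

# Constructed sample export; account names are hypothetical.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,sasdemo,analyst1
SeTcbPrivilege = sassrv,analyst1
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
"""

# Assumed site policy: who is supposed to hold each right.
ALLOWED = {
    "SeBatchLogonRight": {"S-1-5-32-544", "sasdemo", "analyst1"},
    "SeTcbPrivilege": {"sassrv"},
    "SeIncreaseQuotaPrivilege": {"S-1-5-19", "S-1-5-20", "S-1-5-32-544"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}
```

Calling audit(SAMPLE_INF, ALLOWED) flags analyst1 as an unexpected holder of "Act as part of the operating system", the right that matters most to keep restricted to the account that starts the SAS/SHARE server or SAS/CONNECT spawner.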
Here are the requirements for SAS/SHARE only:
  • specification of the system option TCPSEC=_SECURE_ in the server session.
  • specification of the AUTHENTICATE=REQUIRED option in the PROC SERVER statement that is used to start a SAS/SHARE server session. REQUIRED is the default value.

SSPI

Overview of SSPI

Security Support Provider Interface (SSPI), also referred to as Integrated Windows Authentication (IWA), enables transparent authentication for connections between Windows computers. Users who are members of a trusted domain are authenticated automatically, and user context information is transferred to the server.
Windows attempts to use SSPI for authentication whenever a user ID is not explicitly supplied.
SSPI is available only when the client and the server sessions both run on Windows computers, and the user who runs the client computer is a member of a domain that is trusted at the server computer.
For more information, see “Integrated Windows Authentication” in SAS Intelligence Platform: Security Administration Guide, available at: http://support.sas.com/documentation/onlinedoc/intellplatform/index.html.

SSPI Requirement for SAS/CONNECT

In versions prior to SAS 9.4, SSPI is enabled by default. To disable it, specify -NOSSPI on the spawner command. In SAS 9.4 and later, SSPI is not enabled by default, and you must specify -SSPI on the spawner start-up command to enable it.
If you use SAS Deployment Wizard to configure and deploy SAS, the -SSPI option is automatically added to the ConnectSpawner.bat and ConnectSpawner.sh script files. To disable it, edit the script files by adding -NOSSPI or removing -SSPI.

SSPI Requirement for SAS/SHARE

In order to use SSPI for authentication, the SAS/SHARE server administrator must do the following:
  • specify the option TCPSEC=_SECURE_
  • specify the option AUTHENTICATE=REQUIRED in the PROC SERVER statement. REQUIRED is the default value.