Problem Note 30710: Securing a clustered SAS® Web Report Studio configuration
By default, a clustered SAS Web Report Studio configuration can expose a security hole that lets users obtain other users' user IDs.
- In a clustered configuration, the users' history/preferences file is stored in the report repository.
- The file (one per user) is stored in a location that is not exposed to users within SAS Web Report Studio. SAS Web Report Studio restricts where a user can navigate.
- For users who also have access to the SAS® Information Delivery Portal, that client allows navigation anywhere in the repository, so it is fairly easy for them to locate these history/preferences files.
- The issue is that legitimate user names are easy to derive from this information. This is a security concern because knowing valid user names takes an attacker part of the way toward breaking into a system.
The users' SAS Web Report Studio history/preferences files are now always accessed using the administrator account rather than the individual users' accounts. This means the files no longer need to be publicly readable, which was the security concern.
After installing the hot fix and verifying that users are operating normally, you should use SAS® Management Console to change the access rights on the preferences/history folder (BIP Tree/ReportStudio/Users/Preferences/) so that only the administrator has ReadMetadata permission. By default, the administrator is "saswbadm". You can verify the actual administrator account by looking at the "<wrs.adminUserUid>" entry in the SAS Web Report Studio properties file (WebReportStudioProperties.xml).
Assuming the admin is saswbadm, we recommend setting the folder's security to:
PUBLIC DENY READMETADATA
saswbadm GRANT READMETADATA
Other combinations will work. However, without this one manual step, the security concern will not be addressed.
Select the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | Product Release: Reported In | Product Release: Fixed* | SAS Release: Reported In | SAS Release: Fixed* |
| --- | --- | --- | --- | --- | --- | --- |
| SAS System | SAS Web Report Studio | Microsoft Windows 2000 Professional | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | Microsoft® Windows® for x64 | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | HP-UX IPF | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | 64-bit Enabled Solaris | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | 64-bit Enabled AIX | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | Windows Vista | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | Microsoft Windows XP Professional | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | Microsoft Windows Server 2003 Standard Edition | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | Microsoft Windows Server 2003 Enterprise Edition | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | Microsoft Windows Server 2003 Datacenter Edition | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | Microsoft Windows NT Workstation | 3.1 | | 9.1 TS1M3 SP4 | |
| SAS System | SAS Web Report Studio | Microsoft Windows 2000 Server | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | Microsoft Windows 2000 Datacenter Server | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |
| SAS System | SAS Web Report Studio | Microsoft Windows 2000 Advanced Server | 3.1 | 4.2 | 9.1 TS1M3 SP4 | 9.2 TS2M0 |

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2007-12-07 13:24:05 |
| Date Created: | 2007-12-07 10:18:43 |