TS-717
SAS Products Support for Windows XP Service Pack 2
Introduction
On August 6, 2004, Microsoft released
Windows XP Service Pack 2 (SP2) in response to the ever-growing need for
increased security on the Windows platform.
SAS supports Microsoft’s security efforts and seeks to ensure a safer
computing environment. The new service
pack release adds several new security features and bundles together all of the
applicable security patches since Windows XP SP1 in August 2002. This service pack, unlike other service packs
from Microsoft, should be treated as an OS upgrade rather than the typical
service pack update. This paper
discusses how these security changes affect the installation, configuration,
and use of SAS products.
The security changes implemented by SP2 that will affect SAS products can be categorized in 3 different areas:
· data execution prevention
· network protection
· notification of the launching or installation of software that lacks a digital signature.
These changes along with other security enhancements provide you with the tools to view, understand, and control the security aspects of your computer.
Overview
Windows XP Service Pack 2 provides Data Execution Prevention (DEP), an operating system mechanism that does not allow certain programs to run. Software-enforced DEP runs on any processor that supports Windows XP but can only protect limited system binaries. The security checks provided with software-enforced DEP block malicious code that invades your system through viruses, spyware, and other unwanted programs.
Another type of DEP is implemented via hardware. Hardware-enforced DEP is currently available from two vendors: Advanced Micro Devices™ (AMD) and Intel® Corporation. Non-executable memory regions are identified by the hardware. The combination of hardware and software-enforced DEP forces software exceptions or bugchecks if an application attempts to insert and execute code from non-executable memory locations. The following versions of SAS (for Windows 32-bit) are affected by DEP when they run on extended 64-bit systems, referenced herein as x86-64 bit (that is, systems using AMD64 architecture-based processors, for example Opteron or Athlon64, or Intel’s EM64T architecture-based processors, for example Xeon):
· SAS® 6.12
· SAS® 8.0
· SAS® 8.1
· SAS® 8.2
· SAS® 9.0
· SAS® 9.1 TS1M0
· SAS® 9.1 TS1M2
SAS® 9.1 TS1M3
does not require any Windows system modifications because it appropriately
allocates memory for use during code generation. The details on how to set proper Windows
Systems settings for earlier releases of SAS are covered later in this paper.
Network protection, the second security
focal area, includes an improved Windows Firewall and additional restrictions
made on DCOM access control. The Windows Firewall available with
SP2 is turned on by default and blocks inbound connections and applications
that attempt to listen to the network.
The implementation of this improved security comes in the form of
notification of the security violation as well as the functionality to block
programs accessing certain ports or resources on your system. Here is an example of the notification, the
Windows Security Alert dialog box:

In the above dialog box, you have several
choices. The selection of “Keep
Blocking” instructs the Windows Firewall to keep the program from operating or
listening to a port. This program is added to the list of “blocked applications”
that is stored on the computer for future reference by the Windows
Firewall. Conversely, “Unblock” allows the program to
run or listen on a port and this is added to the “acceptable program”
list. Finally, “Ask Me Later” blocks
this program for the current event in question but will not add the program to
the list of “blocked applications.” You are
asked again if you want to block the application the next time the application
attempts to run or use other resources on the system.
The new Windows
Firewall also blocks DCOM functionality by default
because of the potential malicious results possible from anonymous callbacks
via DCOM. The exception: administrators are not restricted from
making remote connections to DCOM. The administrator might choose to reenable DCOM access
through the DCOMCNFG utility, but this action is strongly discouraged. Refer to “Configuration of SAS Products on Windows
XP Service Pack 2” for more information on DCOM connectivity.
The third area of improved security of SP2
that affects SAS products is the heightened alert to software that does not
contain a digital signature. Digital signatures verify the authenticity of the
software that is provided by software publishers. Even without a digital signature, you can
click to confirm that you want to install your software and proceed with the
installation. Below is the Security Warning dialog box that appears for software
applications that do not have digital signatures:

Installation of SAS Products on
Windows XP Service Pack 2
During the installation of the SAS
Foundation, SAS hot fixes, and associated third-party products, security
warnings appear, similar to the one that is documented at the end of the
previous section, if you have SP2 installed on your Windows XP system. These warnings are illustrated in the
overview and alert you that the applications do not have digital signatures or that
they require certain network access which requires that they are not blocked by
the operating system.
The following SAS notes detail the
security warnings generated due to missing digital signatures:
If you have received the SAS media or the
installation files from a reliable source, you can ignore the security warning
and select “RUN.”
The following SAS notes detail the
security warnings that are generated when Windows is verifying the need to
block a program from executing during an installation of SAS:
· Windows Security Alert messages if requesting SID from the internet during the installation of SAS 9.1 or 9.1.2: http://support.sas.com/techsup/unotes/SN/013/013461.html
The appropriate action to take in this situation is to allow InstallShield or SAS to execute to ensure a complete and proper installation.
A conflict created by Windows XP Service
Pack 2 involves a client installation problem with SAS Activity-Based
Management and is documented in the SAS note below:
Configuration of SAS Products on
Windows XP Service Pack 2
Once the installation of the SAS
Foundation and associated software to support SAS solutions is complete (server
tier, mid tier, client tier), security warnings might appear during the configuration
of these software tiers. In particular, you
need to focus on two configuration categories: DCOM configuration and execution of .bat files for the automated
configuration of SAS’ Business Intelligence architecture.
As noted above, Windows XP SP2 has further
restricted the use of DCOM connectivity such that only administrators are
allowed remote DCOM access. This
can affect the SAS Integration Technologies product that uses standards-based
communication mechanisms and application programming interfaces (APIs) for
integrating a variety of software systems and operating systems. Integration Technologies is most widely used
in conjunction with Enterprise Guide when the SAS server is located on a platform
other than the Enterprise Guide client.
In the situation where the SAS server is another Microsoft Windows-based
system, a DCOM communication path is one of the options available
to connect the Enterprise Guide client to the SAS server.
When you attempt to connect to a DCOM server with Enterprise Guide, the following error
messages might appear:
The connection to server <Servername> has been reset.
Not enough storage is available to complete this operation
The preferred connection method for
Enterprise Guide is the IOM Bridge which establishes a more secure connection and avoids other DCOM restrictions/instabilities. Refer to http://support.sas.com/techsup/technote/ts675/ts675.pdf for more information on setting up this type of
communication server. If you must use a DCOM connection, contact SAS Technical Support for more
information.
The configuration of the SAS9 Platform or SAS9 technology offerings (i.e., the SAS Business Intelligence bundle) is defined in the Configuration Wizard and documented in the instructions.html file, which the Configuration Wizard produces. The
instructions.html file describes the steps necessary for defining metadata,
configuring both IOM and web servers, and setting the default
authorization for the solution.
Typically, most of these tasks are done by .bat files that are created
by the Configuration Wizard, based on input you give while executing the
Configuration Wizard. The execution of
.bat files on a Windows XP Service Pack 2 system generates security warnings. See the following SAS note for details:
Execution of SAS Products on
Windows XP Service Pack 2
SAS products can execute on Intel-based 32-bit processors or on 64-bit extended processors such as AMD’s Opteron or Intel’s EM64T processor. Data Execution Prevention is a noteworthy concern only on systems that use an x86-64 bit processor. SAS fails to invoke (no error message is displayed) when you attempt to run SAS (SAS 9.1 TS1M2 or an earlier version) on an x86-64 bit processor that runs Windows XP SP2:
You must disable DEP to execute any SAS
software that was released before SAS 9.1 TS1M3. SAS recommends that you disable DEP on a
per-application basis. Use the following
instructions to dictate how DEP is implemented on your system:
1. Start > Control Panel, and then double-click System.
2. Click on the Advanced tab. Under Performance, click Settings.
3. Click on the Data Execution Prevention tab.
4. Now choose your DEP configuration:
   o Click Turn on DEP for essential Windows programs and services.
   or
   o Click Turn on DEP for all programs and services except those I select. Click Add and add the applications (such as SAS) that you do not want DEP-enabled.
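To check the result of the steps above, the following PowerShell audit (an added example, not part of the SAS paper) reports the system-wide DEP policy and flags any per-application exemption you did not intend. The SAS path is a placeholder, and the registry location of the exemption list is an assumption based on standard Windows installations.

```powershell
# Added example (not from the SAS paper): audit the DEP choice made in step 4.
# Assumption: $ExpectedExempt holds the only programs you intend to exempt.
# The path below is a placeholder, not a path given in the paper.
$ExpectedExempt = @('C:\Program Files\SAS\<your SAS folder>\sas.exe')

# Win32_OperatingSystem exposes the system-wide DEP policy.
$os = Get-WmiObject -Class Win32_OperatingSystem
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for everything)'
    1 = 'AlwaysOn (no exemptions possible)'
    2 = 'OptIn (essential Windows programs and services only)'
    3 = 'OptOut (all programs except those selected)'
}
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"Hardware DEP available : $($os.DataExecutionPrevention_Available)"
"DEP policy             : $($policyNames[$policy])"

# Assumption: programs added on the Data Execution Prevention tab are stored
# as value names (full executable paths) under this key, with data that
# contains 'DisableNXShowUI'.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$exempt = @()
if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* bookkeeping properties PowerShell adds to the result.
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like '*DisableNXShowUI*') {
            $exempt += $p.Name
        }
    }
}

# Report every exemption and flag anything outside the expected list.
foreach ($path in $exempt) {
    if ($ExpectedExempt -contains $path) { "expected exemption   : $path" }
    else { "UNEXPECTED exemption : $path" }
}
if ($policy -eq 0) {
    'WARNING: DEP is off system-wide; the paper recommends a per-application exemption instead.'
}
```

Run it from an elevated prompt after changing the setting and restarting; once every SAS installation on the machine is at SAS 9.1 TS1M3 or later, the exemption can be removed.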

For more information on configuring DEP on
your system, refer to
The execution of SAS products on all Windows-based
systems might encounter the warnings and errors described in the following
paragraphs when executing SAS or associated products under Windows XP Service
Pack 2.
Similar to the warnings that appear during
the installation of SAS, Windows security alerts you when an application is
attempting to use a port or requiring access to the network. These warnings are particularly common when you
use SAS/CONNECT, the Xythos WebFile Server, and SAS Management Console. A Windows Security Alert notifies you that
the Windows Firewall has blocked some features of the program and asks if you
want to keep blocking this program. To
ensure full functionality of SAS software, choose to unblock the program. This action instructs the Windows Firewall to
add the program to the “acceptable program” list. See the SAS notes below for details:
New
content controls in Internet Explorer provide improved security of viewed
active content that could interact with resources on your computer. SAS/Online Tutor and graphs created by
SAS/GRAPH contain ActiveX or Java controls that could display a warning similar
to the following:

The
following SAS Notes document how this security feature affects SAS/Online Tutor
and SAS/GRAPH graphs:
Another conflict created by Windows XP
Service Pack 2 occurs when you connect to a SAS/CONNECT session via the
SAS/CONNECT spawner.
The following SAS note documents the error and corrective action:
Conclusion
This
document covers all known issues you might encounter when you use SAS products
on Windows XP Service Pack 2. SAS
strives to ensure that the SAS products you use support the extra security
measures incorporated by software environments such as Windows XP SP2. Because security measures need to constantly
be improved and software features are frequently changing, this paper will be
updated to keep you abreast of changes and enhancements.
Updated
14DEC2004