Architecture + system-based How to assign passwords Password Protection of SAS® Enterprise Guide® Projects Thomas E. Billings MUFG Union Bank, N.A., San Francisco, California Abstract More on passwords Architecture + system-based SAS® Enterprise Guide® lets a user assign a password to a project, after which any/all users must enter the correct password to be able to open and run the project. In this paper we test the security of password protected projects against 2 hacks. We first present a sample project that has multiple types of Tasks that will be used for testing. Before assigning a password to the project, we demonstrate a simple hack that facilitates the examination of some of the internal metadata of a SAS Enterprise Guide project, i.e., a .egp file. Then we assign a password to the sample project and repeat the hack on the password-protected project, with the result that the hack does not work. Next, we try another simple hack - viewing the .egp file in a text editor - and find that this does not work either. The tests here provide independent confirmation that password-protected .egp files are secure against the 2 hacks demonstrated. We end with a brief discussion on .egp file metadata and its role in the SAS ecosystem. SAS products: SAS Enterprise Guide. User-level: beginner. To remove password protection from an open, password-protected project, repeat the previous process with a “null” password. Above are manual methods; direct update of metadata via batch may be possible. Hacks #1 & #2 don’t work – and that is good! Password protection of projects is 1 layer in a multi-layer security approach that includes OS and SAS metadata security, encryption, etc. Higher security alternatives: stored process on a server instead of a project scheduled, production batch program on a server Security: Hack #1 Assumption: project file saved on MS Windows system Well-known: .egp project files are zipped directories (Hemedinger 2014). Hack #1 -- unzip a project file: Create a separate directory for the unzip Make a copy of the target project in the new directory Rename the *.egp file to *.zip so it can be unzipped Unzip the project .zip file; extract all files. Hack #1 WORKS for project files that are not password protected Hack #1 FAILS for password protected project files – need password for unzip to succeed Hack #1 and metadata Some SAS users work in environments where metadata has limited use: “PC SAS”, mainframe, batch. It may be informative for some legacy users to use hack #1 on a small project of their own, to see firsthand that their projects are zipped files of metadata that can be xml, srx, sas, log, and possibly other types of files. This may help increase understanding of metadata. How to assign passwords To assign a password to an open SAS ® Enterprise Guide ® project, use the menu: Click: File  Project Properties  Security Enter password Click OK Reenter password (2nd validation step; required) Save the project After the above, project access requires the password. Security: Hack #2 Trademark notice String constants in compiled files may be revealed if the compiled file is opened with an ordinary text editor! This is an issue with compiled, encrypted SAS macros; also some programming languages. Hack #2: use a text editor to open a project file, search for the project password Hack #2 fails -- project password is NOT visible SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Disclaimer: The contents of the paper herein are solely the author’s thoughts and opinions, which do not represent those of MUFG Union Bank N.A. The bank does not endorse, recommend, or promote any of the computing architectures, platforms, software, programming techniques or styles referenced in this paper.