SAP NetWeaver 2004s SPS 4 Security Guide
SAP NetWeaver Application Server ABAP Security Guide
Document Version 1.00 – October 24, 2005

SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

© Copyright 2005 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace
You can find this documentation at the following Internet address: service.sap.com/securityguide

Typographic Conventions
• Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.
• Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
• EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
• Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
• Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
• <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
• EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons
The following icons are used: Caution, Example, Note, Recommendation, Syntax. Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Contents
SAP NetWeaver Application Server ABAP Security Guide (page 6)
1 User Authentication (page 7)
1.1 Authentication and Single Sign-On (page 8)
1.1.1 Logon and Password Security in the SAP System (page 8)
  Password Rules (page 11)
  Security Measures Related to Password Rules (page 14)
  Password Storage and Transport (page 15)
  Profile Parameters for Logon and Password (Login Parameters) (page 15)
1.1.2 Secure Network Communications (SNC) (page 21)
1.1.3 Client Certificates (page 22)
1.1.4 SAP Logon Tickets (page 23)
1.1.5 Pluggable Authentication Services (page 24)
1.2 User Types (page 26)
1.3 Protecting Standard Users (page 26)
1.3.1 Defining a New Superuser and Deactivating SAP* (page 28)
1.4 Preventing Unauthorized Logons (page 29)
1.5 Recognizing and Preventing Multiple Dialog User Logons (page 30)
1.6 Security Measures When Using SAP Shortcuts (page 31)
1.7 Additional Information on User Authentication (page 31)
2 SAP Authorization Concept (page 32)
2.1 Overview (page 35)
2.2 Organizing Authorization Administration (page 35)
2.2.1 Organization if You Are Using the Profile Generator (page 36)
  Setting Up Administrators (page 37)
  Setting Up Role Maintenance (page 39)
  Authorization Objects Checked in Role Maintenance (page 39)
2.2.2 Organization without the Profile Generator (page 41)
  Creating and Maintaining Authorizations/Profiles Manually (page 43)
2.3 Authorization Checks (page 43)
2.3.1 Reducing the Scope of Authorization Checks (page 46)
  Searching for Deactivated Authority Checks (page 48)
2.3.2 Globally Deactivating Authorization Checks (page 48)
2.4 Protective Measures for Special Profiles (page 49)
2.4.1 Authorization Profile SAP_ALL (page 49)
2.4.2 Authorization Profile SAP_NEW (page 49)
2.5 User Information System (page 50)
2.6 Central User Administration (page 52)
2.6.1 Security Aspects of the CUA (page 53)
2.7 Additional Information About the SAP Authorization Concept (page 53)
3 Network Security for SAP Web AS ABAP (page 54)
3.1 SAP Web AS ABAP Ports (page 55)
4 Protecting Your Productive System (Change & Transport System) (page 57)
4.1 The SAP System Landscape (page 58)
4.1.1 The Three-Tier System Landscape (page 59)
4.1.2 The Common Transport Directory (page 59)
4.1.3 Using the TMS Quality Assurance Approval Procedure (page 60)
4.2 Configuring the System Landscape for Changes (page 62)
4.2.1 Release 3.1 (page 62)
4.2.2 As of Release 4.0 (page 62)
4.3 Defining the Transport Process (page 63)
4.3.1 Transport Routes (page 63)
4.3.2 The Transport Process (page 64)
4.4 Responsibilities and Their Corresponding Authorizations (page 65)
4.4.1 Roles and Responsibilities (page 65)
4.4.2 Authorizations (page 66)
4.5 Security for the RFC Connections (page 66)
4.5.1 Default (page 66)
4.5.2 TMS Trusted Services (page 67)
4.5.3 Secure Network Communications (page 67)
4.6 Protecting Security-Critical Objects (page 68)
4.6.1 Protecting the System Profile Parameter Files (page 68)
4.6.2 Protecting the Table for Maintaining System Clients (Table T000) (page 68)
4.6.3 Protecting Other Security-Critical Objects (page 69)
4.7 Emergency Changes in the Productive System (page 69)
4.8 Additional Information on the Change and Transport System (page 70)
5 Security Aspects When Using Business Objects (page 71)
5.1 SAP Business Partner Security (page 71)
5.2 SAP Product Security (page 72)
6 Secure Store & Forward Mechanisms (SSF) and Digital Signatures (page 73)
6.1 General Information (page 73)
6.2 Protecting Keys (page 74)
6.3 Protecting the Application Server’s Keys (page 75)
6.4 Additional Information on SSF and Digital Signatures (page 76)
7 Special Topics (page 77)
7.1 Logical Operating System Commands (page 77)
7.1.1 Restrict Authorizations for Maintaining External Commands (page 77)
7.1.2 Restrict Authorizations for Executing External Commands (page 78)
7.1.3 Additional Information on Logical Operating System Commands (page 78)
7.2 Batch Input (page 79)
7.2.1 An Overview of the Batch Input Process (page 79)
7.2.2 Protecting the Batch Input Sessions (page 80)
7.3 Protecting Disclosure of the SAPconnect RFC User (page 81)
7.4 Preventing or Logging List Downloads (page 81)
7.5 Internet Graphics Service Security (page 83)
7.6 Virus Protection and SAP GUI Integrity Checks (page 84)
SAP NetWeaver Application Server ABAP Security Guide

Purpose
This guide provides you with an overview of the security aspects and recommendations that apply when you use the SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP for your applications.

Integration
There is also a SAP NetWeaver Application Server Java Security Guide [SAP Library].

Constraints
This guide does not describe the administration or development functions for security on the SAP NetWeaver AS ABAP. Such information is provided in the corresponding documentation. This guide only provides the additional information that applies to specific application types.

How to Use This Guide
This guide is divided into the following sections:
• User Authentication [Page 7]: This section describes the security aspects involved with user authentication, for example, logon security, password rules, and preventing unauthorized logons. In addition, it describes how to protect the standard users SAP*, DDIC, and EARLYWATCH.
• SAP Authorization Concept [Page 32]: This section provides a brief overview of the SAP authorization concept and how you can use it to protect your applications from misuse.
• Network Security for SAP NetWeaver AS ABAP [Page 54]: This section provides an overview of the protocols used by the SAP NetWeaver AS ABAP and the mechanisms to use to provide security for connections at the network transport layer.
• Protecting Your Productive System (Change & Transport System) [Page 57]: This section describes how to prevent undesirable changes from being made in your productive system by using the Change and Transport System (CTS) and the Transport Management System (TMS).
• Secure Store & Forward Mechanisms (SSF) and Digital Signatures [Page 73]: This section describes the security aspects involved when using public-key technology for digital signature and encryption functions.
• Special Topics [Page 77]: Security aspects that apply to additional topics are also included. Such topics are:
  - Executing logical operating system commands in SAP systems
  - Batch input
  - Preventing disclosure of the SAPconnect RFC user
  - Internet Graphics Service security
• Virus Protection and SAP GUI Integrity Checks [Page 84]: This section provides information on virus protection using the virus scan interface, as well as information about how SAP GUI ensures its own integrity using checks.

In addition, see the topics Security Aspects for BSP [SAP Library] and Security Aspects for Web Dynpro for ABAP [SAP Library] in the Security Aspects for Usage Type DI and Other Development Technologies section of the SAP NetWeaver Security Guide.

1 User Authentication
An unauthorized user who manages to access a system under a known user in the system can proceed to do whatever is possible under this known user. If the known user happens to have access to critical information, then the impersonator also has access to the same information. Therefore, providing secure authentication protects the availability, integrity, and privacy of your system at every level. We describe how the SAP Web AS ABAP systems facilitate secure authentication in the following topics.
• Authentication Mechanisms Available in SAP Systems [Page 8]
  - Logon and Password Security in the SAP System [Page 8]
    - Password Rules [Page 11]
    - Security Measures Related to Password Rules [Page 14]
    - Password Storage and Transport [Page 15]
    - Profile Parameters for Logon and Password (Login Parameters) [Page 15]
  - Secure Network Communications (SNC) [Page 21]
  - Client Certificates [Page 22]
  - SAP Logon Tickets [Page 23]
  - Pluggable Authentication Services [Page 24]
• User Types [Page 26]
• Protecting Standard Users [Page 26]
  - Defining a New Superuser and Deactivating SAP* [Page 28]
• Preventing Unauthorized Logons [Page 29]
• Recognizing and Preventing Multiple Dialog User Logons [Page 30]
• Security Measures When Using SAP Shortcuts [Page 31]
• Additional Information on User Authentication [Page 31]

1.1 Authentication and Single Sign-On
The SAP Web AS ABAP supports a number of mechanisms for authenticating users and providing a Single Sign-On environment. For the security aspects involved when using any of these mechanisms, see the following sections:
• Logon and Password Security in the SAP System [Page 8]
• Secure Network Communications (SNC) [Page 21]
• X.509 Client Certificates [Page 22]
• SAP Logon Tickets [Page 23]
• Pluggable Authentication Services [Page 24]
For more information about how these mechanisms work on the SAP Web AS, see User Authentication and Single Sign-On [SAP Library].

1.1.1 Logon and Password Security in the SAP System
This section provides a general overview of logon and password security in the SAP System. To increase the security of the passwords, they are encrypted and are only stored and transferred as hash values. After SAP NetWeaver 6.40, the password hash algorithm will be changed from MD5 to SHA-1.

This means that more secure hash values, which are not backward-compatible and which make reverse engineering attacks difficult, can be generated. By default, new systems generate two hash values: a backward-compatible value and a new value. However, you can configure the system so that only the new hash value, which is not backward-compatible, is generated. You set the degree of backward compatibility with the profile parameter login/password_downwards_compatibility.

The system can determine the type (new or old) of the current user password at any time. During logon, the system calculates the password hash from the entered data in accordance with the information in the user master record (which records the hash procedure used) and compares the hash values. The system itself decides which part of the entered password is evaluated:
• If the user master record shows that the user’s password was encrypted with the old password hash algorithm, the system only evaluates the first eight characters and converts these to upper-case.
• If the user master record shows that the user’s password is encrypted with the new password hash algorithm, the system evaluates all characters as they were entered (up to 40 characters, with no conversion to upper-case).

The new functions do not initially have any consequences after the upgrade; the operation of the system and password queries continue to run as usual. The passwords of the new type gradually replace the passwords of the old type.
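The two evaluation rules above, as an added example that is not SAP code: a simplified Python model that applies the 8-character upper-case rule to old hashes and the 40-character case-sensitive rule to new ones, and shows why a user record that still carries the backward-compatible hash remains verifiable by an older caller. It assumes only what the guide states (MD5 for old, SHA-1 for new, and which part of the password is evaluated); SAP's real hash construction adds input the guide does not spell out, so this is not a reimplementation of it.

```python
import hashlib

# Added example, not SAP code. The guide states only that the old hash
# algorithm (MD5) evaluates the first eight characters in upper case and the
# new one (SHA-1) evaluates up to 40 characters as entered; the real SAP hash
# construction adds input that is not on the page, so this model hashes the
# normalized password alone and is for illustration only.
OLD_MAX_LEN = 8
NEW_MAX_LEN = 40


def normalize_password(password: str, scheme: str) -> str:
    """Return the part of an entered password that the given scheme evaluates."""
    if scheme == "old":
        return password[:OLD_MAX_LEN].upper()
    if scheme == "new":
        return password[:NEW_MAX_LEN]
    raise ValueError(f"unknown scheme {scheme!r}")


def hash_password(password: str, scheme: str) -> str:
    """MD5 for the old scheme, SHA-1 for the new one (simplified model)."""
    digest = hashlib.md5 if scheme == "old" else hashlib.sha1
    return digest(normalize_password(password, scheme).encode("utf-8")).hexdigest()


def create_user_record(password: str, downwards_compatible: bool) -> dict:
    """Model of the hash part of a user master record. With downward
    compatibility (the default the guide describes) both hash values are kept;
    when login/password_downwards_compatibility is set so that only the new
    value is generated, the weak backward-compatible hash is never written."""
    record = {"new": hash_password(password, "new")}
    if downwards_compatible:
        record["old"] = hash_password(password, "old")
    return record


def check_password(record: dict, entered: str) -> bool:
    """Logon check: the record, not the caller, decides which scheme applies
    and therefore which part of the entered password is compared."""
    if "new" in record:
        return record["new"] == hash_password(entered, "new")
    return record["old"] == hash_password(entered, "old")


def check_legacy_client(record: dict, entered: str) -> bool:
    """What a caller that only understands the old hash can verify. Once the
    backward-compatible value is gone, such a caller cannot authenticate the
    user at all, which is the interoperability consequence the guide points
    out for older systems and for a CUA spanning old and new systems."""
    if "old" not in record:
        return False
    return record["old"] == hash_password(entered, "old")


def colliding_under_old_scheme(a: str, b: str) -> bool:
    """True when two different passwords are indistinguishable to the old scheme."""
    return a != b and normalize_password(a, "old") == normalize_password(b, "old")
```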
If your security requirements mean that you need to use exclusively the non-backward-compatible passwords of the new type, this affects the following elements:
• Communication frameworks (RFC, ICF) that transfer or store the passwords
• Central User Administration, which distributes the password hash values
If you are using non-backward-compatible passwords, communication with older systems (where the older system calls the newer system) and the shared use of a Central User Administration that consists of old and new systems are no longer possible in principle (see SAP Note 792850).

Initial Password
When you create a user master record, you must assign a password to the user. The password must meet the internal requirements set by the SAP System and your own regulations (see Password Rules [Page 11]). As the administrator, you do not need to observe the following rules:
• List of invalid passwords or password templates in table USR040
• Password history; that is, the password can also be one of the last five passwords used by the user
• Minimum number of different characters between the old and the new password
When a new user logs on for the first time, he or she must change the password. To do this, the user enters the old password once and then the new password twice. When the user enters the new password, the system checks it against all password rules defined by SAP and by the administrator.

Logon with User ID and Password
To be able to access the SAP system and the data contained in it, the users of the SAP system must log on. To do this, they enter their user ID and password. A user must enter both user ID and password; it is not possible to have an empty password. (Alternatively, you can use the logon with Single Sign-On (BC-SEC) [SAP Library].)
Before the user is granted access after entering his or her password, the system checks:
1. Whether the user has a password and whether the user can log on with a password logon
2. Whether the user has been locked and is therefore not allowed to log on:
  - The user administrator can lock a user to prevent the user from logging on to the system. For more information, see the Lock/Unlock section of User Maintenance Functions [SAP Library].
  - The system also sets a logon lock if the user exceeds the permitted number of logon attempts (only for password-based logons).
3. Whether the user’s logon data (password, user name, and client) are correct
4. Whether the user must set a new password (in the case of an initial password, an expired password, or a password that has been reset by the administrator)
You can specify how long passwords remain valid in the system profile. By default, there is no limit on the validity of passwords.
If the user ID and password are correct, the system displays the date and time of the user’s last logon under System → Status. With this date and time, the user can check that no suspicious logon activity has occurred. The logon date and time cannot be changed in a standard production system. The system does not record the logoff date and time.

Password Checks

Password Checks for Password-Based Logon
For every failed password check, the failed logon counter for the affected user master record is increased. If the user changes his or her password, the system first checks the current password. If this check fails, the system increases the incorrect logon counter. If the user exceeds the limit set by the profile parameter login/fails_to_user_lock, the user is locked. This operation is logged in the Security Audit Log and in the Syslog. If a lock is set, subsequent password checks are immediately terminated (without a statement about the correctness of the password). The lock is regarded as invalid after the end of the current day (exception: see the profile parameter login/failed_user_auto_unlock). The failed logon counter is reset by a successful password check at logon or password change; this is also logged in the Security Audit Log. Non-password-based logons do not affect the failed logon counter; active logon locks, that is, locks that the administrator has set in transaction SU01, are taken into account at each logon or password change.

Password Checks for Non-Password-Based Logon
If you are using a SAP GUI logon, the system checks, in the case of non-password-based logon variants (SSO: SNC, X.509, PAS, logon ticket), whether the user has a password that must be changed. If you are using SAP GUI logon, the administrator can use the profile parameter login/password_change_for_SSO and its possible values to display various dialog boxes. For more information, see the documentation for the profile parameter in transaction RZ11.

Logon Errors
If a user enters an incorrect password, then the system allows the user two retries before terminating the logon attempt. Should the user continue to enter an incorrect password in subsequent logon attempts, then the SAP GUI connection is terminated. By default, this is done after three consecutive failed logon attempts. You can use the parameter login/fails_to_user_session_end to specify the number of logon attempts that the system should allow before terminating the connection (see Profile Parameters for Logon and Password (Login Parameters) [Page 15]). The user can repeat the logon attempt until he or she enters a valid user ID or until the permissible number of logon attempts is exhausted (parameter login/fails_to_user_lock). After SAP NetWeaver 6.40, the system differentiates between upper- and lower-case. The locking of a user due to incorrect logon attempts with a password only applies on the same day (see the parameter login/failed_user_auto_unlock); however, the user administrator can also remove the lock earlier.
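The counter, lock and session rules from the Password Checks and Logon Errors sections, as an added example that is not SAP code: a Python model of one user master record that walks through a constructed timeline (failed GUI attempts ending the session, the user lock when the counter reaches login/fails_to_user_lock, the lock lapsing the next day, the counter reset on a successful check, and SSO logons leaving the counter untouched). The numeric values for login/fails_to_user_lock and login/fails_to_user_session_end are constructed for the example, login/failed_user_auto_unlock is modelled as a plain on/off switch, and the audit entries are the model's own, all assumptions of this block.

```python
import datetime
from dataclasses import dataclass, field
from typing import Optional

# Added example, not SAP code. Parameter names are the guide's; the values
# here are constructed for the example, not SAP defaults.
FAILS_TO_USER_LOCK = 5           # login/fails_to_user_lock
FAILS_TO_SESSION_END = 3         # login/fails_to_user_session_end
FAILED_USER_AUTO_UNLOCK = True   # login/failed_user_auto_unlock, modelled as a switch


@dataclass
class UserRecord:
    name: str
    password: str                    # clear text only in this model
    failed_logons: int = 0           # the failed logon counter of the master record
    failure_lock_date: Optional[datetime.date] = None
    admin_lock: bool = False         # lock set by the administrator in SU01
    audit_log: list = field(default_factory=list)   # stands in for the Security Audit Log


def failure_lock_active(user: UserRecord, today: datetime.date) -> bool:
    """A lock caused by failed logons counts only for the day it was set when
    automatic unlocking is on; otherwise it stays until an administrator removes it."""
    if user.failure_lock_date is None:
        return False
    if FAILED_USER_AUTO_UNLOCK and today > user.failure_lock_date:
        user.failure_lock_date = None          # regarded as invalid after that day
        return False
    return True


def check_password(user: UserRecord, entered: str, today: datetime.date) -> str:
    """One password check, shared by logon and password change. Returns 'ok',
    'wrong' or 'locked'; a locked user gets no statement about correctness."""
    if user.admin_lock or failure_lock_active(user, today):
        return "locked"
    if entered != user.password:
        user.failed_logons += 1
        if user.failed_logons >= FAILS_TO_USER_LOCK:   # counter reaches the limit
            user.failure_lock_date = today
            user.audit_log.append(("USER_LOCKED", user.name, today.isoformat()))
            return "locked"
        return "wrong"
    if user.failed_logons:
        user.audit_log.append(("COUNTER_RESET", user.name, today.isoformat()))
    user.failed_logons = 0
    return "ok"


def gui_logon_session(user: UserRecord, attempts: list, today: datetime.date) -> str:
    """SAP GUI logon: the connection is dropped after FAILS_TO_SESSION_END
    consecutive failures, but the per-user counter survives across sessions."""
    session_failures = 0
    for entered in attempts:
        result = check_password(user, entered, today)
        if result != "wrong":
            return result
        session_failures += 1
        if session_failures >= FAILS_TO_SESSION_END:
            return "session_terminated"
    return "wrong"


def sso_logon(user: UserRecord) -> str:
    """Non-password-based logon (SNC, X.509, logon ticket, PAS): never touches the
    failed logon counter; the guide says administrator locks are checked at every
    logon, so that is the lock this model applies here."""
    return "locked" if user.admin_lock else "ok"


def change_password(user: UserRecord, current: str, new: str, today: datetime.date) -> str:
    """Password change first verifies the current password under the same counter rules."""
    result = check_password(user, current, today)
    if result == "ok":
        user.password = new
    return result


def run_scenario() -> list:
    """Constructed timeline for one user; the outcomes are returned for inspection."""
    day1 = datetime.date(2005, 10, 24)
    day2 = day1 + datetime.timedelta(days=1)
    user = UserRecord("ALICE", "Correct1")           # constructed sample user
    out = [gui_logon_session(user, ["x", "x", "x"], day1),   # session_terminated
           gui_logon_session(user, ["x", "x"], day1),        # locked: counter hits 5
           check_password(user, "Correct1", day1),           # locked, even with the right password
           sso_logon(user),                                  # ok: no administrator lock
           check_password(user, "Correct1", day2),           # ok: lock lapsed, counter reset
           change_password(user, "x", "New1", day2),         # wrong: counter back to 1
           change_password(user, "Correct1", "New1", day2)]  # ok: counter reset again
    return out + [user.failed_logons, [entry[0] for entry in user.audit_log]]
```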