SAP Security Recommendations Secure Configuration of SAP NetWeaver® Application Server Using ABAP™ Version 1.2 January 2012 Table of Contents 4 Introduction 6 Network Filtering 8 SAP GUI for Microsoft Windows 9 Password Management Password Policy Password Hashes Users with ABAP Default Password 10 Secure Network Communication 11 Secure HTTP (HTTPS) Usage of HTTPS Protection of Cryptographic Keys Protection of Session Identifiers 12 Limit Web-Enabled Content 13 ABAP RFC Connectivity 15 Gateway Security ABAP RFC Registered RFC Server Program Started RFC Server Program 17 Message Server Security 18 Security Patch Management for ABAP 19 Security Configuration Monitoring 20 Appendix 21 Endnotes Introduction SAP helps our customers become best-run businesses by The purpose of this document is to provide recommendations providing software solutions to optimize and innovate core for the most important security configuration activities that businesses processes. The SAP NetWeaver® technology plat- should be performed for ABAP systems on the level of SAP form with the ABAP™ programming language is used to store technology. It does not cover topics that are mainly related to and process business-critical data (such as financial, human corporate policies or business processes, which differ largely resources, and customer relationship data). Therefore, it is from customer to customer. Examples of these exclusions are crucial that customers secure their SAP® software platform. system administration and operation (such as operating sys- SAP software systems must fulfill compliance requirements tem security and database security), SAP authorization con- and follow regulations such as the Sarbanes-Oxley Act. More cepts (including segregation of duties on business and system generally, they must conform to data protection and privacy operations levels), secure development, logging, and tracing. laws as well as comply with industry-specific regulations. Since SAP software systems run business-critical processes, The general scope of this document is to provide a set of protecting them from attacks is vital. security measures for ABAP systems to protect against unau- thorized access within the corporate network. For Internet To protect systems based on ABAP against unauthorized access scenarios, additional security measures must be considered and manipulation, security configuration must be applied on and implemented. More details on this can be found in different levels (landscape architecture, operating system, the documentation provided by SAP. The topics listed in database, SAP technology, SAP applications, and SAP authori- the following table are covered in this document. zations, for example). SAP and third parties provide compre- hensive documentation on how ABAP systems can be secured, If you require support during implementation of SAP security including SAP security guides, SAP security notes, SAP Com- notes referenced in this document, please create an SAP munity Network, and materials in many books. Additionally a customer support ticket for the primary component of the document was released on how to protect Java- and ABAP- corresponding SAP Note (for example, primary component based SAP applications against common attacks.1 Please BC-CST-GW for SAP Note 140808141) in the SAP Notes tool. refer to the appendix of this document for further references. Topic Content Network Filtering Network filtering is a fundamental requirement for secure systems based on the SAP NetWeaver® Application Server component. It reduces the attack surface to the least number of services required to be accessed by end users. Security measures for these services required in typical customer instal- lations are covered in the remaining sections of the document. SAP® GUI for Customers can increase the security of their client workstations using the latest SAP GUI for Microsoft Microsoft Windows Windows with security rules. It restricts SAP software systems in the ability to perform security- relevant operations on client workstations (execute commands, upload files, and so on). Password Default passwords, weak password policies, and old password hashes can lead to insecure systems Management and must be configured in a secure way. Secure HTTP (HTTPS) Cryptographically secured network communication is recommended to mitigate risks of interception and Secure Network of communication containing business data and user credentials (passwords, SAP logon tickets, and Communication so on). Protection of cryptographic keys is also required. Limit Web-Enabled Only Web content that is needed for business scenarios should be accessible to end users. Content Remote Function Call Security of SAP software systems relies on separation of systems of different security classifications (RFC) Connectivity (such as development, test, and production). If interconnectivity between systems of different security with ABAP™ Program- classification is required, it should be done considering guidelines to ensure the security of systems ming Language with higher classification. Gateway Security Secure configuration of gateways and message servers is required to mitigate the risk of unauthorized and Message Server access to SAP software systems. Security Security Patch Security notes must be implemented to ensure that identified security vulnerabilities are closed Management for ABAP and cannot be misused by attackers. Security Configuration As system configuration may change, monitoring of security configuration is essential to ensure Monitoring systems remain in a secure state. Secure Configuration of SAP NetWeaver Application Server Using ABAP 55 Network Filtering Secure network architecture is a fundamental requirement for secure ABAP systems. Network filtering must be used to reduce the attack surface (see Figure 1). Implementation of network filtering between end-user networks and ABAP systems2 is required and documented in the SAP NetWeaver Security Guide.3 Figure 1: Attack Surface Reduction Through Network Filtering Without network filtering With network filtering Database SAP servers Database SAP servers with database with database Fire- Operating system Operating system wall . . . . . . End user End user RFC RFC DIAG DIAG Fire- . . . . . . wall Default attack surface: all services Reduced attack surface: accessible services RFC = Remote function call DIAG = Dynamic information and action gateway The network services listed in the following table are required to be accessible from end-user networks in most real-world ABAP installations. All other network services are typically not required and should be blocked between the end-user network and ABAP systems. Network services listed below refer to the standard installation of ABAP systems.4 NN is used as a place- holder for the instance number of the SAP software system. Service Required For Port Number Dispatcher The dispatcher is used by SAP® GUI. The communication protocol used is DIAG. 32NN Gateway The gateway manages remote function call (RFC) communication. 33NN Message Server The message server manages load-balancing information and SAP internal 36NN communication. HTTPS Secure HTTP 443NN The network architecture depends on SAP infrastructure com- additional network services are made available to end-user ponents (such as the SAP router, Web dispatcher, and load networks, additional security measures must be taken to balancer), which must be taken into account for architecture secure these services. planning (see Figure 2). These infrastructure components do not change the fact that access to DIAG, RFC, message server, Administrative access to the ABAP systems needs to be done and HTTPS is necessary, but they have impact on network from an administration network. This network is allowed to access filtering implementation. the ABAP systems with administrative protocols (SSH, RDP, database administration, and so on). Access to the administra- This document assumes that only the network services listed tive network must be properly secured by common security above are available to end-user networks. Only security config- concepts (for example, to allow admin istrative access to the ABAP urations for these services are covered by this document. If systems only from dedicated subnets or admin workstations). Figure 2: Example of SAP® Architecture with Network Filtering Corporate network End-user Firewall Adminis- network trative SAP® software systems SAP network Message server Adminis- trative RFC protocols: Application Database Application Database SSH DIAG server server RDP Database HTTPS adminis- lewal Firewall Firewall tarnadti oson on r Fi Other systems Database SSeerrvveerr RFC = Remote function call DIAG = Dynamic information and action gateway Secure Configuration of SAP NetWeaver Application Server Using ABAP 77 SAP GUI for Microsoft Windows ABAP systems can access security-critical functionality on SAP GUI end-user workstations under the permission of the end user (such as uploading and downloading files, changing the Microsoft Windows registry, and executing programs). SAP GUI 7.10 introduced the possibility of alerting end users in case of such access from ABAP systems. The option of alerting on security events can be enabled, but end users must confirm access requests. This can lead to many security pop-ups. SAP GUI 7.20 improves granularity and flexibility of security event handling. This is done using configurable security rules. SAP GUI 7.20 offers a default set of security rules that can be extended by customers.5 This mitigates the risk of malicious attacks on SAP GUI workstations from ABAP systems that have been compromised. We strongly recommend implementing the following security measures: • Deploy the latest available SAP GUI version on all end-user workstations.6 • Ensure that SAP GUI security rules are activated using at least the security rule setting “Customized” and default action “Ask.”7 Password Management SAP software systems must store password information in Activate the latest password hashing mechanism (code version) some representation like all systems using password-based available for your release by setting the profile parameters below. logon. SAP software systems do not store passwords as such Downward-compatible password hashes should not be stored but use one-way functions to calculate so-called password on releases 7.0 onward. If you use central user administration hashes. These are stored in the database. The system verifies (CUA), you must ensure that the CUA system has at least the user passwords using the one-way function to calculate the same or a higher release than all attached systems11 and that hash and compare it against the stored value. Since it is a one- additional relevant SAP Notes are implemented.12, 13 way function, the password itself cannot be calculated from the stored password hashes. Releases Recommended Profile Code Parameters Version All systems using this method are subject to password diction- Up to 4.5 No special profile parameter needed B ary attacks or password brute-force attacks if the password hashes can be retrieved from the system.8 The following 4.6–6.40 login/password_charset = 2 E security measures should therefore be taken to significantly 7.00–7.01 login/password_downwards_ F reduce the probability of successful password-cracking attacks. compatibility = 0 PASSWORD POLICy 7.02 onward login/password_downwards_ H compatibility = 0 Set strong password policies according to your corporate policy.9 The following profile parameters are relevant to configure After activation of the latest password-hashing mechanism, password policies. redundant password hashes need to be deleted from the rele- • login/min_password_lng vant tables.14 • login/min_password_letters • login/min_password_digits USERS WITH ABAP DEFAULT PASSWORD • login/min_password_lowercase • login/min_password_uppercase Changing default passwords is crucial for secure system oper- • login/min_password_specials ation.15 The default users that are created in different clients in • login/password_max_idle_productive every ABAP system are SAP*, DDIC, EARLYWATCH, SAPCPIC, and • login/password_max_idle_initial TMSADM. Be sure to change the passwords of default users in • login/password_history_size all clients including client 066 and unused clients. The report • login/password_expiration_time RSUSR00316, 17 or the SAP EarlyWatch® Alert services can be used to verify that default passwords have been changed. Enforce password policy for existing passwords during logon (login/password_compliance_to_current_policy = 1). Password change for the default user TMSADM must be done for all systems in an SAP transport management domain at PASSWORD HASHES the same time.18, 19, 20 A tool is provided to assist changing the TMSADM password in a transport landscape.21, 22 Systems with Restrict access to tables (USR02, USH02, and in later releases releases older than 4.6C should lock the user TMSADM.23 USRPWDHISTORY) containing password hashes by changing the table authorization group of these tables. Users that are not administrators must not have access to this new table authorization group.10 Secure Configuration of SAP NetWeaver Application Server Using ABAP 9 Secure Network Communication The SAP proprietary protocols DIAG (used for SAP GUI) and Windows.26, 27 For comprehensive SNC capabilities and ad- RFC do not cryptographically authenticate client and server, vanced management of credentials and single sign-on in nor do they encrypt network communication. Passwords trans- Microsoft Windows and heterogeneous environments, we mitted over the network can be eavesdropped on. Additionally, recommend using the SAP NetWeaver Single Sign-On applica- due to missing mutual authentication, rogue systems could tion28 or a certified SNC partner product. intercept network traffic, manipulate content, and forward it to legitimate servers (“man in the middle” attacks). Although detailed requirements for SNC implementations are customer specific, at least the following security measures Secure network communication (SNC) provides cryptogra- should be taken: phically strong mutual authentication, integrity protection of • Implement SNC between SAP GUI and ABAP systems since transmitted data, and encryption of network traffic. Its use is end-user traffic may pass networks susceptible to network highly recommended to mitigate aforementioned risks (see “sniffing.” Figure 3 for examples of recommended uses). • For RFC communication, SNC should be implemented if the network traffic is susceptible to sniffing by end users. SNC without single sign-on capability is available to all SAP • We recommend using strong cryptographic authentication NetWeaver customers for SAP GUI using SNC client encryption24 and we recommend deactivating password-based access for and for all RFC communication between SAP servers.25 Basic most SAP GUI users. Delete formerly used password hashes single sign-on capabilities are available in environments where of those users from the database.14 Only a small number of SAP servers and SAP GUI clients run Microsoft emergency accounts should be able to access the system with password login. Figure 3: Recommended Scenarios for Secure Network Communication (SNC) Corporate network End-user Server network Other server network network ABAP™ ABAP ABAP lal lal lal w w w e e e r r WAN r SAP® GUI Fi DB DB Fi Fi DB (using DIAG) SNC SNC SNC recommended optional recommended DIAG = Dynamic information and action gateway SNC = Secure network communication DB = Database
Description: