Foreword: At ESNC, we have conducted numerous SAP security assessments to date. Based on our experience with multiple large enterprise customers and banks, we would like to summarize our top 5 recommendations for a secure SAP landscape in this knowledge base article. We believe it brings little value to invest in improving segregation of duties (SoD) or authorizations, or to conduct ABAP code security projects, if the following issues have not yet been addressed with proper processes or mitigations. SAP BASIS security is crucial for a secure SAP landscape.
Secure the SAP gateway
There are various attacks against the SAP gateway, such as running operating system commands without authentication.
Restrict access to the SAP gateway with proper network controls, both internally and externally. If a business case exists for customer networks to use RFC communication because of applications such as BEx (Business Explorer), apply proper security configuration on the SAP gateway to restrict TYPE E and TYPE R connections.
Refer to the secinfo and reginfo configuration files for more information.
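As an added illustration (not ESNC's or SAP's own tooling), the following Python lint parses constructed secinfo and reginfo files in the #VERSION=2 syntax and flags permit rules whose host scope is open, showing the wide-open rule beside a restricted one. The host, user and program names are assumed.

```python
"""Lint SAP gateway ACL files (secinfo / reginfo, #VERSION=2 syntax) for
permit rules that leave the host scope open. Added illustration: the ACL
contents and the host, user and program names below are constructed."""
import re

# Host-scope fields per file: '*' (or an omitted field) here is what lets
# arbitrary hosts start programs (secinfo) or use registered ones (reginfo).
HOST_FIELDS = {"secinfo": ("HOST", "USER-HOST"), "reginfo": ("HOST", "ACCESS")}

def parse_rule(line):
    """Return (action, {FIELD: value}) for a P/D rule, None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    action, _, rest = line.partition(" ")
    if action not in ("P", "D"):
        raise ValueError("unexpected gateway ACL line: %r" % line)
    return action, dict(re.findall(r"([A-Z-]+)=(\S+)", rest))

def lint(text, kind):
    """Return a list of findings for one ACL file; an empty list means clean."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    findings = []
    for action, fields in rules:
        if action != "P":
            continue
        tp = fields.get("TP", "*")
        for key in HOST_FIELDS[kind]:
            value = fields.get(key)
            if value is None:
                findings.append("TP=%s: %s omitted, state it explicitly" % (tp, key))
            elif value == "*":
                findings.append("TP=%s: %s=* permits any host" % (tp, key))
    # Insist on an explicit deny-all last rule instead of relying on defaults.
    last = rules[-1] if rules else None
    if last is None or last[0] != "D" or last[1].get("TP") != "*":
        findings.append("no explicit 'D TP=*' catch-all as the last rule")
    return findings

# 'local' and 'internal' are gateway keywords for the gateway host and the
# system's own application servers; bwapp01/BWBATCH/rfcexec/BEXSRV are assumed.
WEAK_SECINFO = "#VERSION=2\nP TP=* USER=* HOST=* USER-HOST=*\n"
HARDENED_SECINFO = """#VERSION=2
P TP=* HOST=local USER=* USER-HOST=local
P TP=* HOST=internal USER=* USER-HOST=internal
P TP=rfcexec HOST=bwapp01 USER=BWBATCH USER-HOST=bwapp01
D TP=* HOST=* USER=* USER-HOST=*
"""
HARDENED_REGINFO = ("#VERSION=2\nP TP=BEXSRV HOST=bwapp01 ACCESS=internal "
                    "CANCEL=internal\nD TP=* HOST=* ACCESS=* CANCEL=*\n")
```

Calling `lint(WEAK_SECINFO, "secinfo")` returns three findings (HOST and USER-HOST wildcards plus the missing catch-all deny), while the hardened files return none.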
Ensure that SAP landscape is free of weak or default passwords
SAP systems contain hundreds or thousands of users. A single compromised account can endanger the rest of the landscape.
Once SAP systems are configured with a proper password policy, we recommend running password audits periodically to ensure that weak passwords such as “Summer-2012” or “Welcome01” are not present. Although such passwords can be password policy compliant, remember that “compliant” does not mean “secure”.
Disable critical ICM/ITS or JAVA AS web services
Disable or restrict access to web services such as SOAPRFC and WEBRFC, which allow RFC communication over the Internet.
Disable the invoker servlet on SAP Java AS systems to prevent attackers from bypassing your system security controls.
Any application that is available unnecessarily increases exposure and therefore risk.
Patch SAP system and SAP GUI regularly
SAP AG releases security patches every month. Set up proper patch management policies both for the SAP applications and for client components such as SAP GUI or SAP NetWeaver Business Client.
Secure the private key store for protection against Single Sign-on attacks
PSE files contain sensitive information that lets an attacker create valid system tokens. With such tokens, an attacker can connect to remote systems as any user WITHOUT A PASSWORD. The tokens are usually valid forever.
Protect PSE files with proper operating system security controls. Protect access to tables such as SSF_PSE_D by putting them into a separate table group and adjusting SAP authorizations accordingly. Restrict execution of OS commands from applications by securing the gateway and the relevant application components. Introduce a regular key replacement process.