SAP NetWeaver ABAP security configuration. Part 1: Why do we do these guidelines?
With this article we start a new series of guidelines describing basic assessment procedures that can be carried out on various business applications to help cybersecurity professionals strengthen their ERP systems' immunity to attacks.
As we all know, ERP systems such as SAP can improve how a company manages all the information and resources involved in its operations.
However, while ERP applications improve the way business processes are organized, they may also undermine information security within organizations.
We should not forget how important it is to secure enterprise applications and various ERP systems.
Needless to say, the ERP system is at the core of any large company: it deals with all processes critical for business – purchases, payments, logistics, HR, product management, financial planning etc. All information stored in ERP systems is sensitive, and any unauthorized access to this information can cause huge damage, up to a business interruption.
According to the report by the Association of Certified Fraud Examiners (ACFE), in 2006-2010 organizations' losses caused by internal fraud (IT fraud) amounted to approximately 7% of annual revenue.
Over the last five years, the widespread myth that ERP security is only a SOD matrix has come to an end, and today this belief seems to be history for many people. During that time, SAP security experts have presented many detailed reports on various attacks on the internal SAP subsystems:
— the RFC protocol,
— the SAP ROUTER access control system,
— the SAP web-applications,
— the SAP GUI client workstations, and many others.
Interest in this area grows exponentially every year: compared to only 1 report on SAP security in 2006, more than 30 such reports were presented in 2013 at specialized hacking and security technical conferences. Lately, a number of hacking utilities have been released, confirming the possibility of attacks on SAP solutions.
According to business application vulnerability statistics, more than one hundred vulnerabilities in SAP products were fixed in 2009, while this figure was more than 500 in 2010. In July 2014, there were more than 3000 SAP Security Notes, i.e. notifications on vulnerabilities in various SAP components.
This post gives you an overview of what comes next in the series and why it is so important to know about it.
“The Enterprise Application System Vulnerability Assessment Guide” describes the 9 best-known business application security areas relating to implementation and operation. This top list was prepared by the authors during vulnerability assessments of multiple business applications, and it may be applied to any of them. These areas are significant factors in many emerging threats and related attacks. Securing these areas means being ready to prevent numerous attacks targeted at business application security.
This series of posts contains a detailed analysis of the most widespread business application platform – SAP NetWeaver ABAP. During this analysis, 33 key settings were identified and distributed among the 9 areas mentioned above. This post will show how to protect against the most widespread vulnerabilities in this area as well as provide further steps on securing all 9 areas.
The top-9 critical areas for business applications
Below, you can find the list of the Top-9 critical areas for vulnerability assessment of business applications. They are ranked from 1 to 9 according to their severity and impact on the ERP system, business applications and related security. For this list, 3 main parameters were considered:
1. initial access to exploit the vulnerability;
2. severity of vulnerability (a potential impact if exploited);
3. complexity of vulnerability exploitation.
This list is the same for all business applications. In the next chapters, checks for each of these items (specific to the SAP NetWeaver ABAP platform) are described in detail. However, these descriptions are written so as to convey the basic principles of vulnerability assessment for any enterprise application system.
| Critical area | Access | Severity | Complexity |
|---|---|---|---|
| 1. Patch management flaws | Anonymous | High | High |
| 2. Default passwords for access to the application | Anonymous | High | High |
| 3. Unnecessary functionality | Anonymous | High | High |
| 4. Open remote management interfaces | Anonymous | High | Medium |
| 5. Insecure settings | Anonymous | Medium | Medium |
| 6. Unencrypted connections | Anonymous | Medium | Medium |
| 7. Access control and SOD conflicts | User | High | Medium |
| 8. Insecure trusted connections | User | High | High |
| 9. Security events logging | Administrator | High | Medium |
The Guide description
Our approach contains 33 steps to securely configure the SAP NetWeaver ABAP platform, distributed among the 9 areas mentioned above.
The authors tried to make this list as brief as possible while still covering the most critical threats for each area. This is the main objective of this Guide: despite the existing best practices by SAP, ISACA, and DSAG, our intention was not to create just another list of issues with no explanation of why a particular issue was (or was not) included in the final list, but to prepare a document that can be easily used not only by SAP security experts. The Guide should also provide comprehensive coverage of all critical areas of SAP security.
At the same time, developing the most complete guide would be a never-ending story, as at the time of writing there were more than 7000 checks of security configuration settings for the SAP platform as such, not counting those for specific role-based access and in-house applications.
As a result, each of the 9 areas includes major checks that must be implemented first and can be applied to any system regardless of its settings and custom parameters. It is also important that these checks are equally applicable to production systems and to testing and development systems.
In addition to the major all-purpose checks, each item contains a subsection called “Further steps”. This subsection gives major guidelines and instructions on what should be done second and third, and then how to further securely configure each particular item. The recommended guidelines are not always mandatory and sometimes depend on a specific SAP solution. On the one hand, with this approach the authors were able to highlight key security parameters for a quick assessment of any SAP solution (from the ERP to the Solution Manager or Industry Solution) based on the NetWeaver ABAP platform and, on the other hand, to cover all issues and give complete recommendations on them.
In terms of quality, this makes the present Guide different from the SAP best practices that also contain few items, but do not cover the overall picture, as well as from best practices by ISACA and DSAG that have a lot of items, but the priorities are unclear and too complicated for the first step (though these papers are highly valuable and necessary).
33 steps to security
So, here it is: our list of the most critical checks for SAP NetWeaver ABAP-based systems.
1. Patch management flaws
[EASAI-NA-01] Check for components update (SAP Security Notes)
[EASAI-NA-02] Check for kernel updates
2. Default passwords for access to the application
[EASAI-NA-03] Default password check for a SAP* user
[EASAI-NA-04] Default password check for the DDIC user
[EASAI-NA-05] Default password check for the SAPCPIC user
[EASAI-NA-06] Default password check for the TMSADM user
[EASAI-NA-07] Default password check for the EARLYWATCH user
3. Unnecessary functionality
[EASAI-NA-08] Access to the RFC-function via the SOAP interface
[EASAI-NA-09] Access to the RFC-function via the form interface
[EASAI-NA-10] Access to the Exchange Infrastructure (XI) via the SOAP interface
4. Open remote management interfaces
[EASAI-NA-11] Unauthorized access to the SAPControl (SAP MMC) service functions
[EASAI-NA-12] Unauthorized access to the SAPHostControl service functions
[EASAI-NA-13] Unauthorized access to the Message Server service functions
[EASAI-NA-14] Unauthorized access to the Oracle DBMS
5. Insecure settings
[EASAI-NA-15] Minimal password length
[EASAI-NA-16] Number of invalid logon attempts before the user account lock out
[EASAI-NA-17] Password compliance with the security policies in place
[EASAI-NA-18] Access control settings for RFC-service (reginfo.dat)
[EASAI-NA-19] Access control settings for RFC-service (secinfo.dat)
6. Access control and SOD conflicts
[EASAI-NA-20] The check for SAP_ALL profile accounts
[EASAI-NA-21] The check for accounts that may start any programs
[EASAI-NA-22] The check for accounts that may modify USH02 table
[EASAI-NA-23] The check for accounts that may execute OS commands
[EASAI-NA-24] Check for disabled authorizations
7. Unencrypted connections
[EASAI-NA-25] The SSL encryption to protect HTTP connections
[EASAI-NA-26] The SNC encryption to protect the SAP GUI client connections
[EASAI-NA-27] The SNC encryption to protect RFC connections between systems
8. Insecure trusted connections
[EASAI-NA-28] RFC connections that store user authentication data
[EASAI-NA-29] Trusted systems with low security level
9. Logging of security events
[EASAI-NA-30] Logging of security events
[EASAI-NA-31] Logging of HTTP requests
[EASAI-NA-32] Logging of table changes
[EASAI-NA-33] Logging of SAP Gateway activities
As you can see, the guide is not as enormous as it could have been given the complexity of the topic. We tried to make this guide to security assessments as clear as possible for you.
Stay in touch with us: next week we’ll come back with a new article where the guideline will reappear in all its glory. We’ll provide you with a detailed explanation of each step.