SAP NetWeaver ABAP security configuration. Part 1: Why do we do these guidelines?

With this article we are starting a new series of guidelines describing some basic assessment procedures one can carry out on various business applications that would help cybersecurity professionals to expand their ERP systems’ immunity to attacks.

As we all know, ERP systems such as SAP may favor the quality of the management of all the information and resources involved in a company’s operations.

However, while ERP applications promote the way business processes are organized, they also may undermine the information security within organizations.

We should not forget how important it is to secure enterprise applications and various ERP systems.

No need to say that the ERP system forms the core of any large company: it deals with all processes critical for business such as purchases, payments, logistics, HR, product management, financial planning etc. All the information stored in the ERP systems is sensitive, and any unauthorized access to this information can cause huge damages up to a business interruption.

According to the report by the Association of Certified Fraud Examiners (ACFE), in 2006-2010, the organizations’ losses caused by the internal fraud (the IT-frauds ) amounted to app. 7% of their annual revenue [1].

For the last five years, a widespread myth that the ERP security is only a SoD matrix is over, and today this belief seems to become a history for many people. For that time, the SAP security experts presented a number of detailed reports on various attacks on the internal SAP subsystems:

— the RFC protocol,
— the SAP ROUTER access control system,
— the SAP web-applications,
— the SAP GUI client workstations, and many others.

The interest for this area grows exponentially every year. In comparison with only 1 report on SAP Security [2] in 2006, more than 30 of them were presented in 2013 at specialized hacking and security technical conferences. Lately, a number of hacking utilities was released, and thus confirmed the possibility of attacks on the SAP solutions.

According to the Business Application Vulnerability Statistics [3], [4], more than one hundred vulnerabilities in the SAP products were fixed in 2009, while this figure was more than 500 in 2010. In July 2014, there were more than 3000 SAP Security Notes, i.e. notifications on various SAP components vulnerabilities.

This entry will help you to get extended info about what is coming next and why it is so important to know everything about it.

General information

“The Enterprise Application System Vulnerability Assessment Guide” describes 9 most known business application security areas relating to implementation and operation. This top list was completed during vulnerability assessments of multiple business applications and may be applied to any of them. These areas became weighty factors for many emerging threats and related attacks. Securing these areas means getting ready to prevent numerous attacks targeted at the business application security.

This series of posts contains a detailed analysis of the most widespread business application platform – the SAP NetWeaver ABAP. During this analysis 33 key settings were identified and distributed among 9 areas mentioned above. This post will show how to protect the applications from the most widespread vulnerabilities in this field as well as provide further steps on securing all 9 areas.

The top-9 critical areas for business applications

Below, you can find the list of the top-9 critical areas for the vulnerability assessment of business applications. They are ranked from 1 to 9 according to their severity and impact on the ERP system, business applications and related security. For this list, 3 main parameters were considered:

1. the initial access to exploit a vulnerability;
2. the severity of a vulnerability (a potential impact if exploited);
3. the complexity of a vulnerability exploitation.

This list is the same for all the business applications. In the next chapters, checks for each of these items (specific to the SAP NetWeaver ABAP platform) are described in detail. However, these descriptions are stated in a way to ensure understanding of the basic principles concerning vulnerability assessment for any enterprise application systems.

Critical area Access Severity Simplicity
1. Patch management flaws Anonymous High High
2. Default passwords for access to the application   Anonymous High High
3. Unnecessary functionality Anonymous High High
4. Open remote management interfaces Anonymous High Medium
5. Insecure settings Anonymous Medium Medium
6. Unencrypted connections Anonymous Medium Medium
7. Access control and SOD conflicts User High Medium
8. Insecure trusted connections User High High
9. Security events logging Administrator   High Medium

The Guide description

Our approach contains 33 steps to securely configure SAP NetWeaver ABAP platform, that were distributed among 9 areas mentioned above.

The authors’ efforts were not only to make this list as brief as possible but also to cover the most critical threats for each area. This approach is the main objective of this Guide. Despite best practices by the SAP, ISACA, and DSAG, our intention was not to create just another list of issues with no explanation on why a particular issue was (not) included in the final list, but to prepare a document that may be easily used not only by SAP security experts. Report should also provide a comprehensive coverage of all the critical areas of SAP Security.

At the same time, the development of the most complete guide would be a never-ending story as at the time of writing there were more than 7000 checks of security configuration settings for the SAP platform, without those of specific role-based access and in-house applications.

As a result, each of the 9 areas includes major checks that must be implemented first and can be applied to any system regardless of its settings and custom parameters. It is also important that these checks are equally applicable both to production systems and to those of testing and development.

In addition to major all-purpose checks, each item contains a subsection called “Further steps”. This subsection gives major guidelines and instructions on what should be done in the second and third place, and then how to further securely configure a particular item. The recommended guidelines are not always mandatory and sometimes depend on a specific SAP solution. On the one hand, with this approach, the authors were able to highlight the key security parameters for a quick assessment of any SAP solution (from the ERP to the Solution Manager or Industry Solution) based on the NetWeaver ABAP platform. On the other hand, it was made to cover all the issues and give complete recommendations.

In terms of quality, the present Guide differs from the previous SAP best practices that also contain few items, but do not cover the overall picture. The situation is the same with the best practices by ISACA and DSAG that have a lot of items, but the priorities are unclear and too complicated for the first step (though these papers are highly valuable and necessary).

33 steps to security

Here is our list of the most critical checks for SAP NetWeaver ABAP – based systems

1. Patch management flaws
[EASAI-NA-01] Check for components update (SAP Security Notes)
[EASAI-NA-02] Check for kernel updates

2. Default passwords for access to the application
[EASAI-NA-03] Default password check for a SAP* user
[EASAI-NA-04] Default password check for the DDIC user
[EASAI-NA-05] Default password check for the SAPCPIC user
[EASAI-NA-06] Default password check for the TMSADM user
[EASAI-NA-07] Default password check for the EARLYWATCH user

3. Unnecessary functionality
[EASAI-NA-08] Access to the RFC-function via the SOAP interface
[EASAI-NA-09] Access to the RFC-function via the form interface
[EASAI-NA-10] Access to the Exchange Infrastructure (XI) via the SOAP interface

4. Open remote management interfaces
[EASAI-NA-11] Unauthorized access to the SAPControl (SAP MMC) service functions
[EASAI-NA-12] Unauthorized access to the SAPHostControl service functions
[EASAI-NA-13] Unauthorized access to the Message Server service functions
[EASAI-NA-14] Unauthorized access to the Oracle DBMS

5. Insecure settings
[EASAI-NA-15] Minimal password length
[EASAI-NA-16] Number of invalid logon attempts before the user account lock out
[EASAI-NA-17] Password compliance with the security policies in place
[EASAI-NA-18] Access control settings for RFC-service (reginfo.dat)
[EASAI-NA-19] Access control settings for RFC-service (secinfo.dat)

6. Access control and SOD conflicts
[EASAI-NA-20] The check for SAP_ALL profile accounts
[EASAI-NA-21] The check for accounts that may start any programs
[EASAI-NA-22] The check for accounts that may modify USH02 table
[EASAI-NA-23] The check for accounts that may execute OS commands
[EASAI-NA-24] Check for disabled authorizations

7. Unencrypted connections
[EASAI-NA-25] The SSL encryption to protect HTTP connections
[EASAI-NA-26] The SNC encryption to protect the SAP GUI client connections
[EASAI-NA-27] The SNC encryption to protect RFC connections between systems

8. Insecure trusted connections
[EASAI-NA-28] RFC connections that store user authentication data
[EASAI-NA-29] Trusted systems with low security level

9. Logging of security events
[EASAI-NA-30] Logging of security events
[EASAI-NA-31] Logging of HTTP requests
[EASAI-NA-32] Logging of table changes
[EASAI-NA-33] Logging of SAP Gateway activities

As you can see, the guide is not as enormous as it could have been due to the complicity of the topic: we tried to maximize the clarity of the Guide for you.

Stay in touch with us as next week we will come back with the new article where the guideline will reappear in its all glory. We’ll provide you with the detailed explanation of each step.

Do you want more?

Subscribe me to your mailing list