How to secure your SAP NetWeaver ABAP?
In this blog I would like to present a paper dedicated to improving the security of SAP ABAP systems, called “Secure Configuration of SAP NetWeaver Application Server Using ABAP”. As SAP NetWeaver ABAP platforms often play a central part in a company's core business processes, these systems have to comply with various requirements and regulations, and IT security plays a key role in achieving that compliance.
The paper presents security considerations and practical tips on the Top 10 security topics for SAP NetWeaver ABAP systems. The measures it suggests are the most important recommendations and have to be implemented on ABAP systems.
I had a discussion with the authors of the paper, Björn and Christian, to get a better insight into its background and the reasons for creating it.
Q: What is the reason that you decided to write this paper?
Björn: SAP provides lots of documentation around security for SAP systems. Unfortunately there is too much documentation available so we thought that a short guide would be good to get a path through and link the relevant documents. It is based on our experience consulting SAP internal departments and SAP customers. There are more things to do depending on system usage, but it gives a very good starting point.
Q: What is your experience of how SAP NetWeaver Application Server ABAP systems are operated productively?
Christian: Operating productive SAP NetWeaver Application Server ABAP in a secure way requires expert knowledge, management support and adequate resources. Usually security measures are implemented on infrastructure level, database level and also on SAP authorization level. Secure configuration of the SAP NetWeaver Application Server ABAP platform and security patch management sometimes lack the required attention leaving systems open for abuse.
Q: Who is the audience for this document?
Christian: The primary audience is likely “SAP basis” staff operating the SAP NetWeaver ABAP systems. But the document also provides valuable information to system owners, security officers and auditors.
Q: How long have you been working in the field of IT security?
Björn: Both Christian and I have been in IT security for our entire professional careers. We have both focused on SAP security for more than a decade now. We have covered various aspects of security like penetration testing, infrastructure security design, security operations and SAP security. Actually, I am now working for the internal IT department of SAP covering SAP security topics. Christian is working for Installed Base Maintenance and Support, focused on security architecture topics. Before that Christian was working as a consultant in the SAP security consulting practice.
Q: What would be your next recommendation after the Top 10?
Björn: We have focused on internal system security issues first but the next step is to address concerns for SAP systems which are Internet-facing, as on the Internet the number of attackers is much higher and more advanced security measures need to be applied.
Here is a short summary of the paper which gives you an idea of the topics addressed in it.
10 Tips from SAP to Secure SAP NetWeaver Application Server Using ABAP
In light of heightened security threats to the IT systems of businesses, frequent legal changes to governance, risk and compliance rules, and the continuous need to ensure the frictionless performance of business processes, software security remains a critical issue for all companies.
Enterprises all over the world use SAP software solutions to optimize and to innovate core business processes. SAP NetWeaver is the technology platform used to store and process business-critical data, for example from financial processes, in human resources, or customer relationship management. The platform consists of SAP NetWeaver Application Server ABAP and SAP NetWeaver Application Server Java.
It is therefore crucial that customers secure the SAP technology platform by protecting it against unauthorized access and manipulation as well as applying security configuration on different levels (e.g. landscape architecture, operating system, database, SAP Basis, SAP applications, SAP authorizations).
SAP has created a list of top 10 recommendations for the most important security activities that should be performed for SAP NetWeaver Application Server ABAP:
No. 1: Limit Communication Channels for System (Network Filtering)
Network filtering reduces the attack surface to the network services that end users actually need to reach, for example the SAP Internet Communication Manager (ICM) as the entry point for HTTP and HTTPS. Internal and administrative services, such as the SAP Gateway and the message server, should only be reachable from the systems that need them and never from end-user or Internet-facing networks.
No. 2: Ensure Password Complexity
Companies need to set strong password policies according to their corporate policy. Passwords should not be saved automatically on a local computer. Usually, a password must be at least eight characters long and contain a mixture of upper- and lowercase letters as well as a number. The password must not be a dictionary word and must not contain the user name or any part of the user’s full name. In an ABAP system these rules are enforced through the login/* profile parameters (for example login/min_password_lng) and the list of forbidden passwords in table USR40.
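To make the policy concrete, here is a small checker of my own that evaluates a candidate password against exactly the rules quoted above. It is an added example, not code from the paper or from SAP; the word list, the user name and the full name are constructed. The system's own check (profile parameters plus USR40) remains authoritative; this is for testing what your corporate policy actually rejects.

```python
"""Password policy check mirroring the rules quoted above (added example)."""
import re

# Constructed word list standing in for a real dictionary (SAP keeps its own list of
# forbidden passwords in table USR40); a production check would load a large list.
DICTIONARY = {"password", "welcome", "summer", "qwerty", "initial", "secret"}


def name_parts(full_name, min_len=3):
    """Fragments of a full name that a password must not contain.

    Fragments shorter than min_len (initials, particles) are ignored so that the
    rule does not reject every password that happens to contain a single letter.
    """
    return sorted({p.lower() for p in re.split(r"[\s,.'-]+", full_name) if len(p) >= min_len})


def check_password(password, user_name, full_name, min_length=8):
    """Return the list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    lowered = password.lower()
    # Stricter than a literal reading of the rule: digits and symbols are stripped first,
    # so that "Password1" is still recognised as the dictionary word it is built on.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("based on a dictionary word")
    if user_name and user_name.lower() in lowered:
        problems.append("contains the user name")
    for part in name_parts(full_name):
        if part in lowered:
            problems.append("contains part of the full name (%s)" % part)
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "JohnDoe2024", "jdoe1234", "Xq7bT2mZ"):
        print(candidate, "->", check_password(candidate, "jdoe", "John Doe") or "OK")
```

Note that "Password1" passes the length and character-class rules but is still rejected, which is exactly the kind of password a dictionary attack tries first.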
No. 3: Change Default Passwords and Avoid Dictionary Attacks
Changing default passwords is crucial for secure system operation: the standard users (for example SAP*, DDIC, EARLYWATCH, SAPCPIC and TMSADM) are delivered with well-known passwords. Services such as SAP EarlyWatch Alert report whether default passwords are still set.
SAP systems do not store passwords as such, but use one-way functions to calculate so-called password hashes. Access to the tables containing password hashes (such as USR02) should be restricted. Only the latest password hashing mechanism should be activated, and old, redundant password hashes must be deleted: as long as a weaker hash of the same password remains in the table, an attacker who can read the table only needs to break that weaker hash.
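The check a basis administrator wants here is "which users still carry old hashes, and which standard users are still open". Below is an added example of mine (not from the paper or SAP) that runs over a constructed, tab-separated export of user master records. The column names follow table USR02 as I know it, so verify them against your release; every hash value in the sample is made up.

```python
"""Audit a user-master export for standard users and leftover legacy password hashes."""
import csv
import io

# Standard users delivered by SAP with well-known default passwords.
DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}

# Constructed sample shaped like a tab-separated export of table USR02. Column names are
# those of USR02 as I know them (verify on your release): BCODE and PASSCODE carry the
# older hash formats, PWDSALTEDHASH the current salted, iterated one, CODVN the code
# version used at the last password change, UFLAG the lock status (0 = not locked).
# All hash values below are made up.
SAMPLE_EXPORT = """\
MANDT\tBNAME\tUFLAG\tCODVN\tBCODE\tPASSCODE\tPWDSALTEDHASH
100\tSAP*\t0\tH\t\t\t{x-issha, 1024}c29tZS1zYWx0ZWQtaGFzaA==
100\tDDIC\t64\tH\t\t\t{x-issha, 1024}YW5vdGhlci1zYWx0ZWQtaGFzaA==
100\tJDOE\t0\tH\tA1B2C3D4E5F6A7B8\tC3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2\t{x-issha, 1024}dXNlci1oYXNo
100\tRFC_BATCH\t0\tB\tDEADBEEFCAFEBABE\t\t
100\tASMITH\t0\tH\t\t\t{x-issha, 1024}c21pdGg=
"""


def audit_users(export_text, downwards_compatibility=0):
    """Return (user, finding) pairs for the rows of a USR02-style export.

    downwards_compatibility mirrors profile parameter login/password_downwards_compatibility:
    with 0 only the current hash format may be used, so any populated legacy column is a leftover.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        user, locked = row["BNAME"], row["UFLAG"].strip() != "0"
        if user in DEFAULT_USERS and not locked:
            findings.append((user, "standard user is not locked; confirm its default password was changed"))
        legacy = [col for col in ("BCODE", "PASSCODE") if row[col].strip()]
        if legacy and downwards_compatibility == 0:
            findings.append((user, "legacy hash left in %s; run report CLEANUP_PASSWORD_HASH_VALUES"
                             % ", ".join(legacy)))
        if not row["PWDSALTEDHASH"].strip():
            findings.append((user, "no hash in the current format (CODVN %s); the password was never re-set"
                             % row["CODVN"]))
    return findings


if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_EXPORT):
        print("%-10s %s" % (user, finding))
```

JDOE has a current hash but the two older formats were never cleaned up, so the password is only as strong as the weakest of the three; RFC_BATCH was last changed under an old code version and has no current hash at all.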
No. 4: Activate Security Rules for SAP GUI
SAP strongly recommends implementing the latest available SAP Graphical User Interface (GUI) version on all end-user workstations and ensuring that SAP GUI security rules are activated.
No. 5: Secure Protocols to Ensure Encrypted Communication
Companies should use Secure Network Communication (SNC) to ensure cryptographically strong mutual authentication, integrity protection of transmitted data, and encryption of network traffic for SAP GUI and RFC connections. Web-based access should be secured using HTTPS.
No. 6: Limit Web-enabled Content
Web-enabled content is exposed through the SAP Internet Communication Framework (ICF). Only the ICF services that are required for business scenarios should be active; every other service should stay deactivated, since each active service is an additional entry point into the system.
No. 7: Avoid Unauthorized Access via ABAP RFC Connectivity
SAP Remote Function Call (RFC) is the main integration technology between SAP systems and is also heavily used in integrations with non-SAP systems. To mitigate the risk of unauthorized access via RFC, companies should analyze the trust relationships between systems and the user credentials stored in RFC destinations, and ensure that the accounts used there are technical users with only the authorizations the integration needs. A destination with stored credentials, or a trust relationship, from a less protected system (for example development) into a production system effectively extends the weaker system's security level to production.
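"Analyze the trust relationships" in practice means treating the destinations as a graph and looking for chains that lead from a lower-security system into a higher one. The following is an added example of mine, not code from the paper or SAP: the systems, tiers and destinations are constructed, and the attributes are the ones you would collect from SM59 (or table RFCDES) in each system. TMSADM is the real transport-management user; the other user names are made up.

```python
"""Reachability over RFC destinations that log on without interactive credentials."""
from collections import deque

# Security tier of each system; a hop from a lower to a higher tier is the risky direction.
TIER = {"DEV": 1, "QAS": 2, "PRD": 3, "SOLMAN": 3}

# Constructed sample of RFC destinations. Only the attributes needed here are modelled:
# (owning system, destination name, target system, stored user, password stored?, trusted?)
DESTINATIONS = [
    ("DEV", "QAS_TRANSPORT", "QAS", "TMSADM", True, False),
    ("QAS", "PRD_TRANSPORT", "PRD", "TMSADM", True, False),
    ("DEV", "PRD_DEBUG", "PRD", "", False, True),      # trusted: the caller's own user ID is accepted
    ("SOLMAN", "PRD_READ", "PRD", "SM_PRD", True, False),
    ("PRD", "DEV_COPY", "DEV", "RFC_COPY", True, False),
    ("QAS", "PRD_CHECK", "PRD", "", False, False),     # no stored logon: needs interactive credentials
]


def silent_logon_edges(destinations):
    """Keep only destinations that reach their target without prompting for credentials."""
    edges = {}
    for owner, name, target, user, pw_stored, trusted in destinations:
        if pw_stored or trusted:
            edges.setdefault(owner, []).append((target, name, user or "<caller's user>", trusted))
    return edges


def reachable_paths(edges, start):
    """Breadth-first search from `start`.

    Returns {system: [hop, ...]} for every system reachable by chaining destinations;
    the path recorded is the first (shortest) one found, not all of them.
    """
    paths, seen = {}, {start}
    queue = deque([(start, [])])
    while queue:
        system, path = queue.popleft()
        for target, name, user, trusted in edges.get(system, []):
            if target in seen:
                continue
            seen.add(target)
            hop = "%s -[%s as %s%s]-> %s" % (system, name, user, ", trusted" if trusted else "", target)
            paths[target] = path + [hop]
            queue.append((target, path + [hop]))
    return paths


def escalating_paths(destinations, tiers=TIER):
    """(start, target, path) for every chain that ends in a higher-tier system than it started in."""
    edges = silent_logon_edges(destinations)
    findings = []
    for start in sorted(edges):
        for target, path in reachable_paths(edges, start).items():
            if tiers[target] > tiers[start]:
                findings.append((start, target, path))
    return sorted(findings)


if __name__ == "__main__":
    for start, target, path in escalating_paths(DESTINATIONS):
        print("%s can reach %s:" % (start, target))
        for hop in path:
            print("   ", hop)
```

In the sample, anyone who controls DEV reaches PRD in one hop through the trusted destination, and QAS reaches PRD with the stored TMSADM credentials; PRD_CHECK, which stores nothing, does not appear in the graph at all. Fixing this means removing the trust relationship, or at least restricting the stored users to the authorizations the integration needs.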
No. 8: Manage Access Control Lists
Access control lists (ACLs) define which hosts and programs may use a particular resource. For system security it is of utmost importance that these lists are created and maintained for the SAP Gateway (the reg_info and sec_info files, which control which external programs may be registered and started, and from where) and for the SAP Message Server (ms/acl_info).
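The point of the gateway ACL is best seen by evaluating the same registration attempt against a permissive and a restrictive reg_info. The evaluator below is an added example of mine, not SAP code: the two files are constructed, and the matching semantics it models (rules checked top-down, first match wins, `*` as wildcard, comma-separated host lists, the keywords `local` and `internal`) follow my reading of the gateway documentation and should be verified against your kernel release. ACCESS and CANCEL (who may use or cancel a registered program) are parsed but not evaluated.

```python
"""Evaluate gateway reg_info rules against external-program registration attempts."""
from fnmatch import fnmatchcase

# Weak file: any host may register any program name at this gateway.
WEAK_REG_INFO = """\
#VERSION=2
P TP=* HOST=*
"""

# Hardened file: named programs from named hosts only, with an explicit deny-all at the end
# so that nothing depends on the kernel's implicit default for unmatched requests.
HARDENED_REG_INFO = """\
#VERSION=2
P TP=SAPXPG HOST=local ACCESS=local CANCEL=local
P TP=IGS.* HOST=igs01.corp.example,internal ACCESS=internal CANCEL=internal
D TP=*
"""


def parse_rules(text):
    """Turn a reg_info/sec_info file into a list of {action, KEY: [patterns...]} dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        rule = {"action": action.upper()}
        for field in fields:
            key, _, value = field.partition("=")
            rule[key.upper()] = value.split(",")
        rules.append(rule)
    return rules


def host_matches(patterns, host, local_host, internal_hosts):
    """`local` is the gateway's own host, `internal` any application server of the system."""
    for pattern in patterns:
        if pattern == "local":
            if host == local_host:
                return True
            continue
        if pattern == "internal":
            if host in internal_hosts:
                return True
            continue
        if fnmatchcase(host, pattern):
            return True
    return False


def registration_allowed(rules, tp, host, local_host, internal_hosts):
    """First rule whose TP and HOST both match decides; a missing key matches everything.

    This model treats "no rule matched" as deny; do not rely on that in a real file,
    always end it with an explicit `D TP=*` line.
    """
    for rule in rules:
        if not any(fnmatchcase(tp, p) for p in rule.get("TP", ["*"])):
            continue
        if not host_matches(rule.get("HOST", ["*"]), host, local_host, internal_hosts):
            continue
        return rule["action"] == "P"
    return False


if __name__ == "__main__":
    gw, app_servers = "sapgw01", {"sapgw01", "sapapp02"}
    for label, text in (("weak", WEAK_REG_INFO), ("hardened", HARDENED_REG_INFO)):
        rules = parse_rules(text)
        print(label, "SAPXPG from attacker.evil.example:",
              registration_allowed(rules, "SAPXPG", "attacker.evil.example", gw, app_servers))
```

With the weak file an outside host can register itself as SAPXPG, the program the system uses to run operating-system commands, and thereby receive those requests; the hardened file restricts SAPXPG to the gateway host itself.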
No. 9: Use Tools and Services to Facilitate Security Patch Management
Up-to-date information on vulnerabilities and access to patches are critical to ensure the security of IT systems. SAP provides this information via SAP Security Notes, published on the monthly SAP Security Patch Day; they should be evaluated and applied in a defined patch cycle rather than only with the next upgrade.
No. 10: Monitor Security Configuration Regularly
Companies should implement monitoring services such as SAP EarlyWatch Alert that regularly, at least once a month, verify that the applied security configuration is still in place and has not drifted.
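Several of the tips above (password policy in No. 2, encrypted communication in No. 5, the gateway and message server ACLs in No. 8) come down to profile parameters, and No. 10 is about checking them again and again. A baseline comparison is the simplest way to do that. The script below is an added example of mine, not from the paper or SAP: the parameter names are real SAP profile parameters, the required values are my baseline (adjust it to your policy), and the instance profile is a constructed excerpt in the real `name = value` format. A parameter that is absent from the profile is reported separately, because then the kernel default applies and has to be confirmed in RZ11 rather than assumed.

```python
"""Compare an instance profile against a baseline of security-relevant parameters."""

# Constructed instance profile excerpt; the format (name = value, '#' comments) is the real one.
SAMPLE_PROFILE = """\
# Instance profile PRD_D00_sapapp01 (constructed sample)
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/password_downwards_compatibility = 1
snc/enable = 1
snc/accept_insecure_gui = 1   # still accepting unencrypted SAP GUI logons
gw/acl_mode = 1
gw/reg_info = /usr/sap/PRD/SYS/global/reg_info
ms/monitor = 0
"""


def at_least(n):
    return lambda v: v.isdigit() and int(v) >= n


def equals(expected):
    return lambda v: v == expected


def non_empty(v):
    return bool(v)


# Baseline: parameter -> (check on the value string, human-readable expectation).
BASELINE = {
    "login/min_password_lng":                 (at_least(8), ">= 8"),
    "login/password_downwards_compatibility": (equals("0"), "0 (current hash format only)"),
    "snc/enable":                             (equals("1"), "1"),
    "snc/accept_insecure_gui":                (equals("0"), "0"),
    "snc/accept_insecure_rfc":                (equals("0"), "0"),
    "gw/acl_mode":                            (equals("1"), "1"),
    "gw/sec_info":                            (non_empty, "path to a maintained sec_info file"),
    "gw/reg_info":                            (non_empty, "path to a maintained reg_info file"),
    "ms/acl_info":                            (non_empty, "path to a maintained ACL file"),
    "ms/monitor":                             (equals("0"), "0 (no external monitoring access)"),
}


def parse_profile(text):
    """Minimal profile parser: strips comments, splits on the first '='."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    return params


def audit_profile(text, baseline=BASELINE):
    """Return (violations, unset): violations as (name, actual, expected), unset as names."""
    params = parse_profile(text)
    violations, unset = [], []
    for name, (check, expected) in baseline.items():
        if name not in params:
            unset.append(name)
        elif not check(params[name]):
            violations.append((name, params[name], expected))
    return violations, unset


if __name__ == "__main__":
    violations, unset = audit_profile(SAMPLE_PROFILE)
    for name, actual, expected in violations:
        print("VIOLATION %-40s is %r, expected %s" % (name, actual, expected))
    for name in unset:
        print("UNSET     %-40s kernel default applies; confirm in RZ11" % name)
```

Run against every instance profile of every system on a schedule and keep the results, and a parameter that was correct last month but changed since becomes visible at once.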