Security in SAP Transport Management
This blog is written in an effort to raise more awareness of securing your SAP infrastructure, in this case specifically on the topic of securing the SAP transport mechanism.
Over the past years a lot of information has been published on securing your SAP infrastructure. SAP itself has published the SAP Security Guides, many SAP security researchers present their findings at security conferences, and here on SCN people are also actively blogging on this topic. Many security-related topics have already been highlighted, but I found there was not much information on the specific topic of securing the SAP Transport Management System (TMS). I therefore did a deep-dive into this topic myself and wrote a whitepaper on it.
To summarize some findings:
Five important vulnerabilities that might exist in your SAP infrastructure related to TMS:
• XPRA execution
• User TMSADM exists with the default password, exists outside client 000, or has too much authorisation
• Access rights on the TMS transport directory share are not restrictive enough
• ABAP code vulnerabilities in STMS-related reports and function modules
• Remote execution of TP commands
Some solutions to prevent the above:
To prevent XPRA execution:
- Perform peer code reviews of all developments
- Use SE03 –> “Search for Objects in Requests/Tasks” to find transports with XPRA steps
- Consider defining critical objects. This prevents the export of transports that contain an XPRA step.
Mitigate risks around the TMSADM user:
- Change the default password of the TMSADM user in client 000. See OSS notes 1488406, 761637, 1552894, 1414256 and 1515926
- Delete the TMSADM user in clients other than 000
- Only assign profile S_A.TMSADM to user TMSADM
Mitigate risks related to the transport shares:
- Set strict access rights on the transport shares (no world-writable files or directories).
- Mount the shares with the “nosuid” option (Linux/Unix)
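As an added example (not part of the original post or of any SAP tool), a small POSIX shell audit of the two share recommendations above. It assumes the transport directory is /usr/sap/trans and reads a /proc/mounts-style table; the file names and the sample mount lines in the comments are constructed.

```shell
#!/bin/sh
# Audit helpers for the SAP transport share. Constructed example, not SAP code.
# Assumed default location of the transport directory; override via environment.
TRANS_DIR="${TRANS_DIR:-/usr/sap/trans}"

# Return 0 if a /proc/mounts-style line carries the nosuid option, else 1.
# Field layout: <device> <mountpoint> <fstype> <options> <dump> <pass>
mount_has_nosuid() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Find the effective mount entry for $TRANS_DIR in a mounts table
# (default /proc/mounts; a file path can be passed for testing) and check it.
# Returns 0 when mounted nosuid, 1 when mounted without it, 2 when it is
# not a separate mount at all (then nosuid cannot be enforced per share).
trans_mount_check() {
    table="${1:-/proc/mounts}"
    line=$(awk -v d="$TRANS_DIR" '$2 == d' "$table" | tail -n 1)
    if [ -z "$line" ]; then
        echo "WARN: $TRANS_DIR is not a separate mount"; return 2
    fi
    if mount_has_nosuid "$line"; then
        echo "OK: $TRANS_DIR is mounted nosuid"; return 0
    fi
    echo "FAIL: $TRANS_DIR is mounted without nosuid"; return 1
}

# Return 0 if nothing below the given directory is world-writable
# (octal -002 = "other" write bit set; symlinks are skipped).
no_world_writable() {
    [ -z "$(find "$1" -perm -002 ! -type l 2>/dev/null | head -n 1)" ]
}

# Typical use on the application server (as root):
#   trans_mount_check && no_world_writable "$TRANS_DIR"
```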
ABAP vulnerabilities:
- Patch: regularly review the SAP security notes to check for notes that are not covered by SAP Solution Manager System Recommendations. Usually these notes are for components that are not registered in SAP Solution Manager
Remote execution of TP commands:
- Protect the Gateway with an Access Control List (ACL). See the White Paper “Secure Configuration of SAP NetWeaver Application Server for ABAP” 10
- See Note 1371799 on how to prevent starting of TP via the gateway
General recommendations somewhat related:
- When changing the password of the TMSADM user, do NOT use the NEW DEFAULT password. Instead choose your own strong password
- Protect RFC connections between systems with SNC
- Make sure to have strict transport procedures in place. Consider using ChaRM (Change Request Management). This functionality can standardize the way transports are moved through the landscape and can enforce one way of working. This excludes the use of manual steps and reduces risk.
- Do NOT forget the HUMAN factor, as it is often the weakest link
- See the SAP Security Guides for more information
For more background information on this topic and also a detailed description on exploiting these vulnerabilities see the whitepaper on:
http://www.erp-sec.com/news/
Hey Joris,
Long time no see! 🙂
Thanks for outlining these vulnerabilities.
Cheers!
Mark
Hey Joris,
Happened to see this today, and great doc... Thanks for sharing
Regards
Deepak