EP: KM – Security Vulnerability Concerns
In some of my previous blog postings we have discussed the importance of security for the Enterprise Portal. Configuring the Portal Landscape in accordance with SAP's security guidelines is the main means of preventing security breaches and attacks. In this blog posting we look at "security" from the perspective of Knowledge Management and the KM content level.
KM folders are the base structure in which KM documents are stored. Through KM, end users can access, retrieve, manage and review information held in documents sourced from business intranets, external WWW feeds and file servers. The documents themselves are typically presented in standard formats such as PowerPoint, Excel, Word and HTML.
Security Audit – Highlighting KM Security Concerns
Common organizational practice is to configure the Portal Landscape to the highest security standard. One way of ensuring this is to keep your EP setup on the latest SPs and patch levels, as SAP strongly encourages.
Implementing and deploying the latest patches and SPs prevents many easily avoidable issues, since corrections for known vulnerabilities are delivered that way.
What Can Scans & Audits Reveal?
A security scan can highlight vulnerabilities across different technology areas, for example:
- SQL Injection
- XSS – Cross-Site Scripting
- Indirect retrieval of sensitive information
- Logon authentication issues
- Browser Caching
- Application termination
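As an added example (not from the original post or from SAP), here is a small check of the kind a scanner applies for the "Browser Caching" item: it inspects the response headers of a KM document download and reports when the document may be retained by the browser or an intermediate proxy after the user has logged off. The KM document URL prefix, the document path and the header sets are constructed for illustration.

```python
# Added example: flag document responses a scanner would report under
# "Browser Caching". The responses below are constructed, not captured
# from a real portal; the KM document path prefix is an assumption.

KM_DOC_PREFIX = "/irj/go/km/docs/"   # assumed KM document download path


def cache_findings(path, headers):
    """Return a list of caching weaknesses for one HTTP response.

    Only responses under the KM document path are treated as sensitive;
    static portal resources are allowed to be cached.
    """
    if not path.startswith(KM_DOC_PREFIX):
        return []

    h = {name.lower(): value for name, value in headers.items()}
    directives = {d.strip().lower()
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    findings = []

    # Without no-store the browser (and any proxy) may keep a copy on disk
    # after the user logs off.
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    # public explicitly permits shared caches to serve the document to others.
    if "public" in directives:
        findings.append("Cache-Control: public on a restricted document")
    # HTTP/1.0 proxies ignore Cache-Control; Pragma: no-cache covers them.
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing")
    return findings


# Constructed sample responses: the same document before and after hardening,
# plus a static resource that is fine to cache.
SAMPLE_RESPONSES = [
    ("/irj/go/km/docs/documents/hr/salaries.xlsx",
     {"Content-Type": "application/vnd.ms-excel",
      "Cache-Control": "public, max-age=3600"}),
    ("/irj/go/km/docs/documents/hr/salaries.xlsx",
     {"Content-Type": "application/vnd.ms-excel",
      "Cache-Control": "no-store, no-cache, must-revalidate",
      "Pragma": "no-cache",
      "Expires": "0"}),
    ("/irj/portal/static/logo.png",
     {"Content-Type": "image/png",
      "Cache-Control": "public, max-age=86400"}),
]


def scan(responses):
    """Run cache_findings over every (path, headers) pair."""
    return [(path, cache_findings(path, headers)) for path, headers in responses]


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RESPONSES):
        print(path, "->", findings or "OK")
```

The second header set is the one a hardened document download should carry; the first is what a scanner reports as a caching finding, even though the document itself is protected by a KM ACL.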
KM & Security Scans
As a Knowledge Management setup involves the management and hosting of documents within repositories, many end users will require "Read" access without any editorial privileges.
The core documentation to follow in this case, to ensure KM content is maintained in accordance with security measures (and to avoid findings being raised in a scan), is outlined below:
- SAP Note: 1648138 – Insecure default configuration of ACLs in KM repositories
- SAP Note: 599425 – Permissions for KM repositories
- SAP Note: 1477597 – Unauthorized modification of stored content in NW KMC
Once the KM content-level permissions are set according to your requirements, with the settings recommended in the three notes above maintained, the underlying ACL configuration no longer exposes these known risks: broad groups hold Read at most, and write or delete rights are limited to the named editors who need them.
If you are using third-party security auditing tools and vulnerabilities are reported across the Portal, the recommendation is to review the following KBA, which gives comprehensive insight into some of the most common security concerns and their resolutions:
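The following is an added example, written for this post rather than taken from SAP documentation or from the notes above. It audits an exported list of KM folder ACL entries against the rule just described (broad groups get Read at most, editing is reserved for named editor groups, anonymous access is not granted on repository content), reports folders that have no explicit ACL and therefore fall back to the repository default, and produces a hardened copy of the entries. The group names Everyone, Authenticated Users and Anonymous Users, the permission labels and the sample entries are assumptions made for illustration; check them against the ACL dialog of your own repository.

```python
# Added example: audit KM folder ACL entries for least privilege and produce
# a hardened copy. Principal names, permission names and the entries are
# constructed for illustration, not exported from a real repository.
from dataclasses import dataclass, replace

# Assumed built-in groups that cover every (or every anonymous) user.
BROAD_GROUPS = {"Everyone", "Authenticated Users"}
ANONYMOUS_GROUP = "Anonymous Users"
EDIT_RIGHTS = {"write", "delete", "full control"}


@dataclass(frozen=True)
class AclEntry:
    path: str        # KM folder, e.g. /documents/hr
    principal: str   # user, group or role name
    permission: str  # read | write | delete | read/write | full control


def rights(permission):
    """Expand a KM-style permission label into the individual rights it grants."""
    p = permission.strip().lower()
    if p == "full control":
        return {"read", "write", "delete", "full control"}
    if p == "read/write":
        return {"read", "write"}
    return {p}


def audit(entries):
    """Return (path, principal, problem) for each entry that breaks least privilege."""
    findings = []
    for e in entries:
        granted = rights(e.permission)
        if e.principal in BROAD_GROUPS and granted & EDIT_RIGHTS:
            findings.append((e.path, e.principal,
                             "edit rights granted to a broad group; reduce to read"))
        if e.principal == ANONYMOUS_GROUP:
            findings.append((e.path, e.principal,
                             "anonymous access granted on repository content"))
    return findings


def folders_without_acl(entries, folders):
    """Folders with no explicit entry fall back to the repository default ACL."""
    covered = {e.path for e in entries}
    return [f for f in folders if f not in covered]


def harden(entries):
    """Downgrade broad-group edit grants to read and drop anonymous grants."""
    hardened = []
    for e in entries:
        if e.principal == ANONYMOUS_GROUP:
            continue
        if e.principal in BROAD_GROUPS and rights(e.permission) & EDIT_RIGHTS:
            e = replace(e, permission="read")
        hardened.append(e)
    return hardened


# Constructed sample: a typical "everyone can do everything" starting point.
SAMPLE_ENTRIES = [
    AclEntry("/documents", "Everyone", "full control"),
    AclEntry("/documents/hr", "Everyone", "read"),
    AclEntry("/documents/hr", "HR_Editors", "read/write"),
    AclEntry("/documents/public", "Anonymous Users", "read/write"),
]
SAMPLE_FOLDERS = ["/documents", "/documents/hr", "/documents/finance"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print("FINDING", *finding)
    print("no explicit ACL:", folders_without_acl(SAMPLE_ENTRIES, SAMPLE_FOLDERS))
    print("after hardening:", audit(harden(SAMPLE_ENTRIES)))
```

The hardened output keeps the named HR_Editors group with read/write on its own folder while every broad group is reduced to Read, which is the split between "many readers" and "few editors" the section describes; the folder list check is there because a folder that inherits the repository default can be wide open even when every explicit entry looks correct.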
- SAP KBA: 2191528 – Third-party report showing security vulnerabilities
Lastly, in terms of KM itself and its associated setup, I recommend following the KM Security Guide, referenced below for your convenience and cross-reference: