Technical Articles
Secure By Default for SAP S/4HANA 2020
With the new release SAP S/4HANA 2020, we are taking another step in our journey for secure by default and have increased the number of secure by default settings compared to SAP S/4HANA 1909. Now, with SAP S/4HANA 2020 the following security relevant settings and configurations are automatically applied with new installations, system copies and conversions:
- 17 security relevant profile parameters are set to secure values which increases security in areas such as:
- Strong password policies and password hashes
- Protection of internal system communication
- Strengthened authorizations system (already shipped with S/4HANA 1909)
- Enhanced RFC interface protection (already shipped with S/4HANA 1909)
- Security Audit Log is activated what allows customers to trace critical activities in the system (already shipped with S/4HANA 1909)
- All scenarios of the Switchable Authorization Framework (SACF) are activated which adds additional functional authorization checks for technical function modules.
- Values of additional security relevant profile parameters were changed in the kernel default
As with SAP S/4HANA 1909, customers will receive the security settings automatically with new installations, system copies and conversions. An opt-out is possible for the security relevant profile parameters, but not recommended from SAP side. More details can be found in the SAP Note 2926224.
As secure by default settings cannot and will not cover all aspects of security settings in S/4HANA systems, we highly recommend customers to perform additional reviews and improvements of their security settings. Good sources are the SAP security whitepapers. Secure by default settings provide a good starting point, but there are additional security settings and configurations which are either customer specific, cannot be shipped as default or need to be applied on a regular basis (e.g. security patching).
- Use the SAP-provided tools and services, such as Early Watch Alert, Configuration Validation and System Recommendations in order to display missing security patches. These inform you about gaps in a cost efficient way.
- Always introduce disruptive security settings with good timing. Conversion projects and new installations are very good points in time to increase security. As a benefit, no additional effort for security testing is required, as testing is scheduled anyway. And this is the most expensive part of security.
For SAP S/4HANA 1909 – Secure By Default, please also refer to this blog Secure By Default: Ways To Harden Your Systems At (Almost) No Cost
Hello Björn,
great to see that things are getting more secure out of the box!
Some days ago I wanted to configure the monitoring of our Webdispatcher used with our S/4 system on the solution manager 7.2. However I noticed that monitoring using Solman is only possible when you have a HTTP port open. Ours was configured with HTTPS only, which I think should be default for a Webdispatcher in the DMZ, but now we had to activate a http port again. There is no option to select the protocol in Solman and only http ist working.
Do you know when it will be able to monitor a Webdispatcher with Solman 7.2 using https instead of http? We prefer to not activate http on new systems anymore...only https using TLS 1.2.
Best regards,
Markus
Hello Markus,
thanks for your questions. I checked your topic with the SAP internal experts. The issue is known and improvements are planned. Unfortunately, I cannot provide a release date.
Best regards, Bjoern
Enabling the Security Audit Log by default seems heavy handed. Now the customer needs to apply appropriate configuration and filters to avoid wasting their HANA memory resources. Our DEV system has logged over 5 million records in a very short period of time. We have also logged an incident for a situation where the Security Audit Log causes performance issues in response critical processes. We will need to switch off SAL and enable again only when there is a clear business need. In this case disabling SAL by default would have been preferable.
Thanks Peter for your remarks. Activation of Security Audit Log was requested by Customers and Auditors to comply to legal and security requirements and enable traceability of user/system activities for security monitoring / forensics.
Using the statistics functionality it was possible to identify which SAL events caused the huge number of records. The root cause was heavy usage of the RFC Callback functionality (DUI). As discussed SAP internally, maintain a specific allowlist for the allowed RFC Callbacks and if these events are not necessary for legal / security reasons, please unselect both events from the SAL filter definition.
Hello Bjoern,
I have added your Blog to my Blog - Upgrade to SAP S/4HANA 2020 – time to change
best regards Roland
Hello Bjoern Brencher ,
with Secure By Default for SAP S/4HANA 2020 the default value for profile parameter login/password_compliance_to_current_policy is 1.
Has the table buffering setting for table USR40 also been changed as recommended in SAP note 1538373 or is the described performance impact gone with SAP HANA anyhow?
BR,
Joe Görlich
Hello Joe,
I checked SAP internally and the default behaviour has not been changed. SAP Note 1538373 remains valid.
Kind regards, Bjoern