The story resumes – Secure By Default for SAP S/4HANA 2021
The recent release of SAP S/4HANA 2021 followed our secure development lifecycle to ensure that our customers will receive a secure product. With a complex solution such as SAP S/4HANA, however, security by design is not the only topic that both SAP as the software provider and the customer need to consider. Which is why we continue our “Secure by Default” program, making life for our customers easier by delivering secure values in a fresh installation or conversion for configuration settings wherever possible.
And SAP S/4HANA 2021 continues that mission of securing SAP S/4HANA by default. Once again, we also decided to extend the scope and coverage of secure by default settings compared to SAP S/4HANA 2020 and SAP S/4HANA 1909. A full overview of included security by default settings can be found at the end of the blog.
Products in scope
Secure by default settings are applied for
- SAP S/4HANA 2021
- All SAP products based on S/4HANA Foundation 2021
- SAP BW/4HANA 2021
List of new Secure By Default Settings
The following security relevant settings and configurations are automatically applied with new installations, system copies and conversions:
- Activation of table logging for business-critical tables. This logging allows tracing all changes on field level for financial and business relevant tables
- The SAP HANA Audit Log is switched on for HANA databases running SAP S/4HANA. This gives administrators a better overview and traceability of activities on SAP HANA database level. See also here
- 3 parameters were changed to secure defaults in the Transport Management. More precisely, these settings will enable table logging, consistency checks and versioning for transports between systems.
- The UCON HTTP allowlist is now activated by default – effectively limiting the attack surface of your system.
- Start authorizations for WebDynpro were enabled for an improved security for Webdynpro applications.
- All available scenarios of the Generic Application Access Rules (SLDW) were activated as defined by SAP development
- Values of additional security relevant profile parameters were changed in the kernel default.
As with SAP S/4HANA 1909 and SAP S/4HANA 2020, customers will receive the security settings automatically with new installations, system copies and conversions. An opt-out is possible for the security relevant profile parameters, but not recommended from SAP side. More details can be found in the SAP Note 2926224.
As secure by default settings cannot and will not cover all aspects of security settings in S/4HANA systems, we highly recommend customers to perform additional reviews and validations of their system settings to improve their security posture. Good sources are the SAP security whitepapers. Secure by default settings provide a good starting point, but there are additional security settings and configurations which are either customer specific, cannot be shipped as default or need to be applied on a regular basis (e.g. security patching).
- Use the SAP-provided tools and services, such as Early Watch Alert, Configuration Validation and System Recommendations in order to display missing security patches. These tools are included in the standard delivery and are therefore a cost-efficient way to get an overview of the security status for each system.
- If you do introduce disruptive security settings, make sure to get your timing right. Conversion projects and new installations are very good points in time to increase security. As a benefit, no additional effort for security testing is required, as testing is scheduled anyway. And this is the most expensive part of security.
The Secure by Default settings mentioned in this article are by no means the only improvements to security of its kind:
- For SAP S/4HANA 2020 – Secure By Default, please also refer to this blog Secure By Default for SAP S/4HANA 2020
- For SAP S/4HANA 1909 – Secure By Default, please also refer to this blog Secure By Default: Ways To Harden Your Systems At (Almost) No Cost
Complete List of all Secure By Default Settings
Below you can find a complete list of all secure by default settings that are included in SAP S/4HANA 2021 and SAP BW/4HANA 2021:
- 18 security relevant profile parameters are set to secure values which increases security in areas such as:
- Activation of table logging for business-critical tables (included since S/4HANA 2021)
- Strong password policies and password hashes (included since S/4HANA 2020)
- Protection of internal system communication (included since S/4HANA 2020)
- Strengthened authorizations system (included since S/4HANA 1909)
- Enhanced RFC interface protection (included since S/4HANA 1909)
- SAP HANA Audit Log is switched on for HANAs running SAP S/4HANA. This enables traceability of activities on SAP HANA database level (included since S/4HANA 2021)
- 3 parameters were changed to secure defaults in the Transport Management (included since S/4HANA 2021)
- Web protection is increased by activation of the UCON HTTP allowlist (included since S/4HANA 2021)
- Start authorizations for WebDynpro were enabled for an improved security for Webdynpro applications (included since S/4HANA 2021)
- All available scenarios of the Generic Application Access Rules (SLDW) were activated as defined by SAP development (included since S/4HANA 2021)
- Security Audit Log is activated what allows customers to trace critical activities in the system (included since S/4HANA 1909)
- All available scenarios of the Switchable Authorization Framework (SACF) are activated which adds additional functional authorization checks for technical function modules (included since S/4HANA 2020)
- Values of additional security relevant profile parameters were changed in the kernel default