Another chapter of Secure By Default for SAP S/4HANA 2023
From the initial idea to improve the security settings of SAP S/4HANA to its execution it took some time, but for several years now we have been able to continuously integrate more and more Secure By Default into the SAP S/4HANA product.
With the release of SAP S/4HANA 2023 another step was taken to cover additional topics for new installations, conversions, and system copies.
As in previous years, Secure By Default settings are applied for
- SAP S/4HANA 2023
- SAP BW/4HANA 2023
- All SAP products based on S/4HANA Foundation 2023
List of new Secure By Default Settings
In new installations, system copies, and conversions the following security relevant settings and configurations are applied automatically:
- Disable the old tickets for trusted / trusting communication, as the old trusted / trusting method was identified as insecure
- Prevent the assignment of users to roles as part of transports, so that users do not receive authorizations in higher tiers when transports are imported
- Usability and analysis improvements for the log of RFC and SICF usage, to support deactivation of unused RFC function modules and SICF services for attack surface reduction
- Block the usage of invisible characters in user names, as this led to unexpected situations for end users
- Leverage the automated activation of HANA Data at Rest Encryption features as part of HANA2 SP07 installations, to ensure that business data cannot be accessed on file system level. Please make sure to back up your HANA encryption keys!
- Granular logging of Secure By Default activations in the application log for easier debugging in conversions
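The problem behind the "invisible characters in user names" item is that two user names can look identical on screen yet differ in their code points (for example a zero-width space inside the name), which confuses end users and anyone reviewing user lists. The following Python snippet is an added example of such a check; it is not SAP's own implementation and the exact character set that SAP blocks is not stated in this post, so the set of Unicode categories treated as invisible below (format, control, line/paragraph separators, and non-ASCII space separators) is an assumption. The sample user names are constructed for the demonstration.

```python
import unicodedata
from typing import Dict, List, Tuple

# Assumption: Unicode general categories whose characters render invisibly.
#   Cf = format characters (zero-width space, joiners, BOM, directional marks)
#   Cc = control characters (tab, carriage return, ...)
#   Zl / Zp = line and paragraph separators
# Space separators (Zs) other than the plain ASCII space, such as NO-BREAK SPACE,
# are treated as invisible as well. SAP's actual block list may differ.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Zl", "Zp"}


def is_invisible(ch: str) -> bool:
    """True if the character would not be visibly distinguishable in a user name."""
    cat = unicodedata.category(ch)
    return cat in INVISIBLE_CATEGORIES or (cat == "Zs" and ch != " ")


def find_invisible_characters(user_name: str) -> List[Tuple[int, str, str]]:
    """Return (position, code point, Unicode name) for every invisible character found."""
    findings = []
    for pos, ch in enumerate(user_name):
        if is_invisible(ch):
            # unicodedata.name() has no entry for control characters, hence the default
            findings.append((pos, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return findings


def is_acceptable_user_name(user_name: str) -> bool:
    """Policy check: a user name is accepted only if it contains no invisible characters."""
    return not find_invisible_characters(user_name)


def find_lookalike_user_names(user_names: List[str]) -> Dict[str, List[str]]:
    """Group existing user names that become identical once invisible characters are removed.

    Useful when reviewing a user list that was created before the block was in place:
    each returned group contains names that look the same on screen but are distinct users.
    """
    groups: Dict[str, List[str]] = {}
    for name in user_names:
        visible_key = "".join(ch for ch in name if not is_invisible(ch))
        groups.setdefault(visible_key, []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample: the second name carries a ZERO WIDTH SPACE after "MIL"
    sample_users = ["MILLER", "MIL\u200bLER", "SMITH", "JONES\u00a0"]
    for user in sample_users:
        print(repr(user), "acceptable" if is_acceptable_user_name(user) else
              f"rejected: {find_invisible_characters(user)}")
    print("look-alike groups:", find_lookalike_user_names(sample_users))
```

Running the block prints that `MILLER` and `SMITH` pass while the two names carrying a zero-width space and a no-break space are rejected with the offending position and code point, and reports `MILLER` and its look-alike as one group. The grouping function is the part worth keeping for a conversion project: it points at the pre-existing user pairs that the new block will no longer let anyone create.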
Furthermore, traceability of Secure By Default configuration changes has been added. This is helpful for system conversions: executed changes are now visible in the SAP application log (transaction SLG1 with object S_SBD).
As with SAP S/4HANA 1909, SAP S/4HANA 2020, SAP S/4HANA 2021 and SAP S/4HANA 2022, customers receive the security settings automatically with new installations, system copies and conversions. An opt-out is possible for the security relevant profile parameters, but it is not recommended by SAP. More details can be found in SAP Note 2926224.
As Secure By Default settings cannot and will not cover all aspects of security settings in S/4HANA systems, we strongly recommend that customers perform additional reviews and improvements of their security settings. Good sources are the SAP security whitepapers. Secure By Default settings provide a good starting point, but there are additional security settings and configurations which are customer specific, cannot be shipped as a default, or need to be applied on a regular basis (e.g., security patching):
- Use the SAP-provided tools and services, such as EarlyWatch Alert, Configuration Validation and System Recommendations, to display missing security patches. They inform you about gaps in a cost-efficient way.
- Always introduce disruptive security settings with good timing. Conversion projects and new installations are opportunities to increase security. As a benefit, security testing can be included in the testing activities already planned within the project, which creates synergies in an area that has proven to be particularly costly.
Please refer to these blog posts for older SAP S/4HANA releases:
- For SAP S/4HANA 2022 – Secure By Default, please also refer to the blog https://blogs.sap.com/2022/11/03/secure-by-default-returns-with-sap-s-4hana-2022
- For SAP S/4HANA 2021 – Secure By Default, please also refer to the blog "The story resumes – Secure By Default for SAP S/4HANA 2021"
- For SAP S/4HANA 2020 – Secure By Default, please also refer to the blog "Secure By Default for SAP S/4HANA 2020"
- For SAP S/4HANA 1909 – Secure By Default, please also refer to the blog "Secure By Default: Ways To Harden Your Systems At (Almost) No Cost"
Complete List of all SAP S/4HANA Secure By Default Settings
Below you can find a complete list of all Secure By Default settings that are included in SAP S/4HANA 2023. Entries added with SAP S/4HANA 2023 are marked accordingly:
- Security relevant profile parameters are set to secure values, which increases security in areas such as:
  - Mandatory SSL protection of session logon tickets (part of S/4HANA 2022)
  - Protection of the RFC gateway against unauthorized RFC call forwarding (part of S/4HANA 2022)
  - Strong password policies and password hashes (part of S/4HANA 2020)
  - Protection of internal system communication (part of S/4HANA 2020)
  - Strengthened authorization system (part of S/4HANA 1909)
  - Enhanced RFC interface protection (part of S/4HANA 1909)
  - Enforcement of TLS 1.2 only for web-based interfaces of SAP S/4HANA, covering SAP Internet Communication Manager (ICM), SAP Start Service and SAP Host Agent (part of S/4HANA 2022)
  - Disabling of the old insecure tickets for trusted / trusting communication (part of S/4HANA 2023)
- Security relevant configurations and customizing are set to secure values:
  - Prevent usage of a non-reference user as a reference user (part of S/4HANA 2022)
  - 3 parameters were changed to secure defaults in the Transport Management System (part of S/4HANA 2021)
  - Web protection is increased by activation of the UCON HTTP allowlist (part of S/4HANA 2021)
  - Start authorizations for Web Dynpro were enabled for improved security of Web Dynpro applications (part of S/4HANA 2021)
  - All available scenarios of the Switchable Authorization Framework (SACF) are activated, which adds additional functional authorization checks for technical function modules (part of S/4HANA 2020)
  - All available scenarios of the Generic Application Access Rules (SLDW) were activated as defined by SAP development (part of S/4HANA 2021)
  - Prevent the assignment of users to roles as part of transports, so that users do not receive authorizations in higher tiers when transports are imported (part of S/4HANA 2023)
- Security relevant logging was enabled to support traceability and security monitoring:
  - Performance, usability and analysis optimized log of RFC and SICF usage, to support deactivation of unused RFC function modules and SICF services (part of S/4HANA 2022 and S/4HANA 2023)
  - Security Audit Log is activated, which allows customers to trace critical activities in the system (part of S/4HANA 1909)
  - Activation of table logging for business-critical tables (part of S/4HANA 2021)
  - HTTP server and HTTP client log of the SAP Internet Communication Manager is enabled (part of S/4HANA 1909)
  - Granular logging of Secure By Default activations in the application log for easier debugging in conversions (part of S/4HANA 2023)
- SAP HANA configurations relevant for S/4HANA were enabled to improve traceability and encryption:
  - SAP HANA Audit Log is switched on for SAP HANA databases running SAP S/4HANA. This enables traceability of activities on SAP HANA database level (part of S/4HANA 2021)
  - Leverage the automated activation of HANA Data at Rest Encryption features as part of HANA2 SP07 installations, to ensure that business data cannot be accessed on file system level (part of S/4HANA 2023)
- Values of additional security relevant profile parameters were changed in the kernel default