Preface

19

Target Audience

19

System Administration: A Vast Field of Options

20

What Is Basis?

21

Structure of This Book

23

1 Introduction

25

1.1 Potential Threats

26

1.1.1 Data Breach

27

1.1.2 Privacy Violations

27

1.1.3 Phishing

27

1.1.4 Theft

28

1.1.5 Fraud

28

1.1.6 Brute Force Attacks

29

1.1.7 Disruption

29

1.1.8 Who Represents a Threat?

30

1.1.9 Understanding Modern-Day Vulnerabilities

31

1.2 The Onion Concept

34

1.2.1 Perimeter

35

1.2.2 Operations

35

1.2.3 Patching

35

1.2.4 Human Factor

36

1.2.5 Physical Security

36

1.2.6 Security Awareness

36

1.3 Risk and True Cost of Security

37

1.4 The Administrator's Role in Security

40

1.4.1 Planning

40

1.4.2 Execution

41

1.4.3 Segregation of Duties

42

1.4.4 Audit Support

42

1.4.5 Basis versus Security

43

1.5 Summary

43

2 Configuring Profiles and Parameters

45

2.1 Understanding System Parameters

46

2.2 System Profiles

47

2.2.1 Instance Profile

47

2.2.2 Default Profile

48

2.2.3 Other Profiles

49

2.3 Profile and Parameter Structure

49

2.3.1 Profiles on the Operating System Level

51

2.3.2 Profiles on the Database Level

52

2.4 Static and Dynamic Parameters

53

2.5 Viewing and Setting Parameters

55

2.5.1 Viewing Parameters with ABAP Report RSPARAM

56

2.5.2 Viewing the Documentation with Transaction RZ11

58

2.5.3 Changing Parameters with Transaction RZ10

59

2.6 Key Security-Related Parameters

64

2.7 Controlling Access to Change Parameters

66

2.8 Summary

67

3 Restricting Transactional Access

69

3.1 Clients

71

3.2 Who Should Be Able to Lock and Unlock Transactions?

71

3.3 Which Transactions to Lock

71

3.4 Locking Transactions

73

3.5 Viewing Locked Transactions

76

3.6 Summary

78

4 Securing Clients

79

4.1 Client Settings

81

4.1.1 Client Setting Fields

83

4.1.2 Suggested Client Settings

85

4.1.3 Changing Client Settings

87

4.2 Client Logon Locking

89

4.3 Summary

92

5 Securing the Kernel

93

5.1 Understanding the Kernel

94

5.1.1 Kernel Patching

96

5.1.2 Kernel Versioning

97

5.1.3 Checking the Kernel Version

100

5.1.4 Checking the Kernel Version from the Operating System Level

101

5.2 Common Cryptographic Library

102

5.2.1 Checking the CommonCryptoLib in SAP GUI

102

5.2.2 Checking the CommonCryptoLib on the OS Level

103

5.3 Kernel Update

104

5.3.1 Overall Kernel Update Process

105

5.3.2 Downloading the Kernel

107

5.3.3 Installing the Kernel

110

5.4 Summary

114

6 Managing Users

115

6.1 What Is a User ID in SAP?

115

6.2 Different User Types

115

6.2.1 Dialog User: Type A

116

6.2.2 System User: Type B

116

6.2.3 Service User: Type S

117

6.2.4 Communication User: Type C

117

6.2.5 Reference User: Type L

117

6.3 The User Buffer

117

6.4 Creating and Maintaining a User

118

6.4.1 Documentation

119

6.4.2 Address

120

6.4.3 Logon Data

121

6.4.4 Secure Network Communication

122

6.4.5 Defaults

123

6.4.6 Parameters

124

6.4.7 Roles

125

6.4.8 Profiles

125

6.4.9 Groups

126

6.4.10 Personalization

126

6.4.11 License Data

127

6.4.12 DBMS

127

6.5 Copy a User

128

6.6 Change Documents for Users

129

6.7 Mass User Changes with Transaction SU10

131

6.8 User Naming Convention

139

6.9 Security Policies

140

6.10 Maintain User Groups

145

6.11 Central User Administration

147

6.11.1 Distribution Parameters for Fields (Transaction SCUM)

149

6.11.2 Background Jobs

150

6.11.3 CUA-Related Tables

151

6.12 User Lock Status

151

6.13 User Classification

152

6.14 User-Related Tables

153

6.15 Securing Default Accounts

154

6.16 User Access Reviews

156

6.17 Inactive Users

157

6.18 Password and Logon Security

158

6.18.1 Where Does SAP Store Passwords?

158

6.18.2 What Is the Code Version?

159

6.18.3 Why Do I Have to Protect These Tables?

159

6.18.4 Logon Procedure

160

6.18.5 Password Change Policy

161

6.19 Segregation of Duties

163

6.20 Summary

165

7 Configuring Authorizations

167

7.1 Authorization Fundamentals

168

7.1.1 What is a Role?

168

7.1.2 What is a Profile?

168

7.1.3 Authorization Objects

169

7.1.4 The Profile Generator

169

7.1.5 Authorization Checks

169

7.1.6 Display Authorization Data

171

7.1.7 The User Buffer

173

7.1.8 Maintain Check Indicators: Transaction SU24

173

7.1.9 System Trace

175

7.2 SAP Role Design Concepts

180

7.2.1 Single Roles

181

7.2.2 Derived Roles

181

7.2.3 Composite Roles

182

7.2.4 Enabler Roles

182

7.2.5 Comparison of the Role Design Concepts

183

7.2.6 Why Not Use Enabler Roles?

184

7.2.7 What Impact Does a System Upgrade Have on Roles and Authorizations?

188

7.2.8 Role-Naming Conventions

188

7.3 The Profile Generator

192

7.3.1 Create a Single Role

192

7.3.2 Create a Composite Role

204

7.3.3 Create a Master and Derived Role

207

7.3.4 Overview Status

213

7.3.5 Mass Generation of Profiles

214

7.3.6 Mass Comparison

215

7.3.7 Role Menu Comparison

216

7.3.8 Role Versioning

217

7.4 Assign and Remove Roles

219

7.5 Lock and Unlock Transactions

221

7.6 Transaction SUIM: User Information System

221

7.6.1 User

222

7.6.2 Roles

223

7.6.3 Profiles

223

7.6.4 Authorizations

223

7.6.5 Authorization Objects

224

7.6.6 Transasctions

224

7.6.7 Comparisons

224

7.6.8 Where-Used Lists

225

7.6.9 Change Documents

225

7.7 Role Transport

226

7.8 Common Standard Profiles

228

7.9 Types of Transactions

229

7.9.1 Dialog Transactions

230

7.9.2 Report Transactions

230

7.9.3 Object-Oriented Transactions

231

7.9.4 Variant Transactions

231

7.9.5 Parameter Transaction

234

7.9.6 Call Transaction in Transaction SE97

237

7.10 Table Authorizations

239

7.10.1 Table Group Authorizations via S_TABU_DIS

240

7.10.2 Table Authorizations via S_TABU_NAM

241

7.10.3 Cross-Client Table Authorizations via S_TABU_CLI

241

7.10.4 Line-Oriented Table Authorizations via S_TABU_LIN

241

7.10.5 Table Authorizations and Auditors

245

7.10.6 Table Views for Database Tables

245

7.11 Printer Authorizations

249

7.12 Other Important Authorization Objects

249

7.12.1 Upload and Download Authorizations

249

7.12.2 Report Authorizations

250

7.12.3 Background Jobs

251

7.12.4 ABAP Workbench

251

7.12.5 Batch Sessions

251

7.12.6 Query Authorizations

251

7.12.7 Remote Function Call Authorizations

252

7.13 Transaction SACF: Switchable Authorizations

253

7.14 Customizing Entries in Tables PRGN_CUST and SSM_CUST

255

7.15 Mass Maintenance of Values within Roles

257

7.16 Upgrading to a New Release

260

7.17 ABAP Debugger

267

7.18 Authorization Redesign and Cleanup

269

7.18.1 Business Impact of Security Redesign

270

7.18.2 Reducing the Business Impact of a Role Redesign Project

270

7.18.3 Gathering Authorization Data

271

7.18.4 Testing Role Changes in Production

272

7.18.5 Automate Role Creation and Testing

273

7.19 Introduction to SAP GRC Access Control

273

7.19.1 Access Risk Analysis

273

7.19.2 Access Request Management

274

7.19.3 Business Role Management

274

7.19.4 Emergency Access Management

275

7.19.5 Segregation of Duties Management Process

275

7.20 Summary

277

8 Authentication

279

8.1 What Is Single Sign-On?

279

8.1.1 Common Components of SSO

281

8.1.2 Establishing a Plan for SSO Adoption

283

8.2 Single Sign-On Technologies

284

8.2.1 X.509 Digital Certificates

284

8.2.2 Kerberos

285

8.2.3 SPNEGO

285

8.2.4 SAP Logon Tickets

285

8.2.5 SAML

286

8.3 SAP GUI Single Sign-On Setup

286

8.3.1 Setting up Secure Network Communications in Transaction SCNWIZARD

287

8.3.2 Setting Up Kerberos Single Sign-on with SAP GUI

296

8.4 SAML

309

8.4.1 Principals

310

8.4.2 Identity Providers

310

8.4.3 Service Providers

310

8.4.4 SAML Assertions

311

8.4.5 Overall SAML Process

311

8.4.6 SAP NetWeaver AS ABAP Service Provider Setup

312

8.4.7 ICF Service Authentication and SAP Fiori

338

8.5 Summary

339

9 Patching

341

9.1 Patching Concepts: SAP’s Approach to Patching

341

9.1.1 SAP Notes

342

9.1.2 SAP Note Severity

343

9.1.3 Other Patching

344

9.1.4 SAP Security Patch Day

344

9.2 Application of Security SAP Notes

347

9.3 Implications of Upgrades and Support Packages

354

9.4 Evaluating Security with SAP Solution Manager

354

9.4.1 SAP EarlyWatch Alert Reporting

355

9.4.2 System Recommendations

356

9.4.3 Other Functionality

357

9.5 Summary

358

10 Securing Transports

359

10.1 Transport System Concepts

360

10.1.1 Operating System-Level Components

361

10.1.2 Controlling System Changes: Setting System/Client Change Options

363

10.1.3 Transport Management System Users

367

10.1.4 TMS RFC connections

370

10.2 Transport Authorizations

373

10.3 Operating System–Level Considerations

376

10.4 Landscape Considerations

377

10.5 Summary

378

11 Auditing and Logging

379

11.1 External Audits

380

11.2 Internal Audits

381

11.3 Auditing Tools

382

11.3.1 Security Audit Log

382

11.3.2 System Log

396

11.3.3 Table Logging

398

11.3.4 Workload Monitor

403

11.3.5 Read Access Logging

404

11.3.6 User Information System

406

11.4 Summary

409

12 Securing Network Communications

411

12.1 Choosing a Network Security Strategy

411

12.2 Securing Using Access Controls

412

12.2.1 Firewalls

412

12.2.2 Application-Level Gateways

414

12.2.3 Business Secure Cell

415

12.2.4 Securing Common Ports

416

12.2.5 Securing Services

417

12.2.6 Access Control Lists

418

12.2.7 Tuning Network Access Control

422

12.3 Securing the Transport Layer

422

12.4 Connecting to the Internet and Other Networks

424

12.5 Summary

431

13 Configuring Encryption

433

13.1 Introduction to Cryptography

433

13.1.1 Encryption in Depth

434

13.1.2 Secure Communication in SAP NetWeaver

448

13.2 Enabling SSL/TLS

451

13.2.1 Setting System Parameters

451

13.2.2 Creating the TLS/SSL PSE

454

13.2.3 Testing TLS/SSL

460

13.2.4 Requesting and Installing Certificates

464

13.3 The Internet Connection Manager

468

13.3.1 ICM Concepts

468

13.3.2 Important ICM Security Parameters

469

13.3.3 Controlling Access Using Access Control List

469

13.3.4 Security Log

473

13.3.5 Controlling Access Using a Permission File

475

13.4 SAP Web Dispatcher

481

13.4.1 Initial Configuration of SAP Web Dispatcher

483

13.4.2 SSL with SAP Web Dispatcher

486

13.5 Summary

487

14 Database Security

489

14.1 Platform-Independent Database Considerations

490

14.1.1 Database Patching

490

14.1.2 Networking

491

14.1.3 User Accounts

492

14.1.4 Database Backups

493

14.1.5 Additional DB Functionality

494

14.2 Securing the Database Connection

495

14.2.1 Understanding the Database Connect Sequence

495

14.2.2 SAP HANA Database: HDB User Store

498

14.2.3 Oracle Database: Secure Storage in File System

500

14.2.4 Microsoft SQL Server: Authentication

504

14.3 Logging and Encrypting Your Database

507

14.3.1 SAP HANA Data Volume Encryption

508

14.3.2 Oracle Transparent Data Encryption

511

14.3.3 MSSQL Server

511

14.4 Summary

511

15 Infrastructure Security

513

15.1 Business Secure Cell Concept

514

15.2 Secure Landscape

515

15.3 Policy

519

15.3.1 Establishing Security Policy

521

15.3.2 Starting Points for Your Policy

523

15.3.3 Further Policies

525

15.3.4 Adopting Policy

525

15.3.5 Auditing and Reviewing Policy

526

15.4 Operating System Considerations

527

15.4.1 General Linux Recommendations

528

15.4.2 Microsoft Windows

530

15.4.3 Operating System Users

531

15.4.4 Viruses and Malware

531

15.4.5 Application Server File System

539

15.5 Monitoring

540

15.5.1 OS Logs

540

15.5.2 Application Logs

540

15.5.3 Certificate Revocation Lists

541

15.6 Virtualization Security Considerations

553

15.7 Network Security Considerations

555

15.7.1 Auditing Using Vulnerability Scanners

556

15.7.2 Network Intrusion Detection

558

15.7.3 Firewall

559

15.7.4 Load Balancing

559

15.8 Physical Security

560

15.9 Summary

561