SAP Security

Reading time: 4 min.
Tomasz Jurgielewicz

Security requirements keep increasing, and protecting an organization's critical data is one of the basic conditions for keeping its core business processes running.
System landscapes are also becoming more and more complex: communication with external systems, data exchange, and the continuous development of existing systems all add to what has to be secured.

During an attack on an SAP system (whether it comes from inside or outside the organization) an attacker may gain access to valuable system information,
and can then use it for further attacks on other SAP systems, or quietly obtain important company data (customer data, product information such as recipes and technical drawings, salary data, etc.).

Managing security comes down to managing risk

To do this properly, all risks should first be recorded and grouped by priority, so that the organization running the SAP system can learn about and remediate possible threats to it (for example with external support).
An SAP security and compliance review covers the network, the operating system, the database, the profile parameters, and segregation-of-duties (SoD) conflicts in the SAP system, based on the provided risk and conflict matrices.

6 basic risk areas

We have listed 6 basic risk areas that should be looked at first.
We divided the areas into two parts: technical and user-related.

Technical part

1. Setting up the SAP configuration

A layer of configuration (profile) parameters that should correspond to the organization's security policy. These parameters should be monitored regularly.

Examples:

login/password_expiration_time (default 0, our recommendation is 30)
The user has to change the password after this number of days (with the value 0, expiration is not enforced).

login/min_password_lng (default value 3, our recommendation is 8+)
Minimum password length.

login/fails_to_user_lock (default value 12, our recommendation is 5)
Number of incorrectly entered passwords after which the user account is locked.
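The regular monitoring recommended above can be scripted. The following is an added example, not code from the article or from Lukardi: it reads a parameter dump in a simple "name = value" layout (a constructed format; the real output of transaction RZ11 or report RSPARAM is laid out differently, so parse_parameters is an assumption about the export), applies the SAP default when a parameter is not set, and reports every value outside the recommendation. Note that login/password_expiration_time = 0 must be treated as non-compliant rather than as "below 30".

```python
"""Profile parameter compliance check (added example, not the article's code).

Input is a constructed dump in 'parameter = value' form; the parser is an
assumption about the export format, not SAP's own format.
"""
import re
from typing import Callable

# Recommendations as given in the article; each check returns True when the
# value satisfies it. The first tuple field is the SAP default that applies
# when the parameter is not set in any profile (also from the article).
RULES: dict[str, tuple[int, str, Callable[[int], bool]]] = {
    # 0 disables expiration entirely, so it must not pass as "<= 30".
    "login/password_expiration_time": (0, "1..30 days", lambda v: 1 <= v <= 30),
    "login/min_password_lng": (3, ">= 8", lambda v: v >= 8),
    "login/fails_to_user_lock": (12, "1..5", lambda v: 1 <= v <= 5),
}

_LINE = re.compile(r"^\s*([\w/]+)\s*=\s*(\S+)")


def parse_parameters(text: str) -> dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment (constructed format)."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.split("#", 1)[0])
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_parameters(params: dict[str, str]) -> list[dict]:
    """Return one finding per rule whose effective value is non-compliant."""
    findings = []
    for name, (default, expected, ok) in RULES.items():
        raw = params.get(name)
        source = "profile" if raw is not None else "SAP default (not set)"
        try:
            value = int(raw) if raw is not None else default
        except ValueError:
            findings.append({"parameter": name, "value": raw, "expected": expected,
                             "source": source, "reason": "not an integer"})
            continue
        if not ok(value):
            findings.append({"parameter": name, "value": value, "expected": expected,
                             "source": source, "reason": "outside recommended range"})
    return findings


# Constructed sample: expiration not set (so the SAP default 0 applies),
# minimum length already hardened, lock threshold left at the default.
SAMPLE_PROFILE = """
# DEFAULT.PFL excerpt (constructed)
login/min_password_lng = 8
login/fails_to_user_lock = 12
rdisp/wp_no_dia = 10
"""

if __name__ == "__main__":
    for f in check_parameters(parse_parameters(SAMPLE_PROFILE)):
        print(f"{f['parameter']}: value {f['value']} ({f['source']}), "
              f"expected {f['expected']}")
```

The "source" field matters in practice: a parameter that is simply missing from the profiles is still effective at its SAP default, and for login/password_expiration_time that default is the weak one.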

2. Verification of events and settings inside and outside the SAP layer

SAP Level

SAP Security Audit Log:

  • the main security log,
  • some information is difficult to read from a security perspective,
  • a logon by the SAP* user is not treated as a risk by the log, whereas a wrong logon password is.

SAP Change Documents and Table Logging:

  • logging of document changes and changes to tables,
  • of little value if change documents are not archived in time.

SAP System Log:

  • the main SAP system log,
  • entries are overwritten after 14 days.

Levels beyond SAP

Operating system log (Windows/UNIX): the problem is, for example, that an administrator needs root privileges just to read the logs.

Database log: database settings (e.g. information about accounts and their authorizations) cannot be analyzed from the SAP level.

Web logs (SAP Router/HTTP): the problem is the lack of standard solutions for redirecting the logs to syslog.
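Because the Security Audit Log does not flag a SAP* logon by itself, detection has to be done on top of it. The following is an added example, not code from the article: it parses a constructed, pipe-separated export of audit log events (a real SM20/RSAU export is laid out differently, so parse_audit_log is an assumption about the format; the message IDs AU1 "logon successful" and AU2 "logon failed" are SAP's own), raises an alert when one user accumulates repeated failed logons in a short window, and separately lists every successful logon of SAP*.

```python
"""Failed-logon and SAP* logon detection over Security Audit Log events
(added example, not the article's code; sample data and layout constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|message id|user|client|terminal|text
SAMPLE_AUDIT_LOG = """\
2023-03-01 08:00:05|AU1|SAP*|000|wsadm01|Logon successful (type=A, method=A)
2023-03-01 08:02:10|AU2|JSMITH|100|10.0.0.55|Logon failed (reason=1, type=A)
2023-03-01 08:02:14|AU2|JSMITH|100|10.0.0.55|Logon failed (reason=1, type=A)
2023-03-01 08:02:19|AU2|JSMITH|100|10.0.0.55|Logon failed (reason=1, type=A)
2023-03-01 08:02:23|AU2|JSMITH|100|10.0.0.55|Logon failed (reason=1, type=A)
2023-03-01 08:02:30|AU2|JSMITH|100|10.0.0.55|Logon failed (reason=1, type=A)
2023-03-01 08:02:41|AU2|JSMITH|100|10.0.0.55|Logon failed (reason=1, type=A)
2023-03-01 08:15:00|AU2|AKOWAL|100|10.0.0.71|Logon failed (reason=1, type=A)
2023-03-01 09:40:12|AU1|AKOWAL|100|10.0.0.71|Logon successful (type=A, method=A)
2023-03-01 11:05:00|AU2|AKOWAL|100|10.0.0.71|Logon failed (reason=1, type=A)
"""


def parse_audit_log(text: str) -> list[dict]:
    """Split the constructed pipe-separated layout into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msg_id, user, client, terminal, message = line.split("|", 5)
        events.append({"time": datetime.fromisoformat(ts), "id": msg_id,
                       "user": user, "client": client,
                       "terminal": terminal, "message": message})
    return events


def find_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per (client, user) that has >= threshold AU2 events
    inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == "AU2":
            by_user[(e["client"], e["user"])].append(e["time"])
    alerts = []
    for (client, user), times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"client": client, "user": user, "failed": len(times),
                               "first": times[0], "last": times[-1]})
                break
    return alerts


def find_privileged_logons(events, watched=("SAP*",)):
    """Successful logons of accounts the log itself does not flag as risky."""
    return [e for e in events if e["id"] == "AU1" and e["user"] in watched]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for a in find_failed_logon_bursts(evs):
        print(f"burst: client {a['client']} user {a['user']} {a['failed']} failures")
    for e in find_privileged_logons(evs):
        print(f"privileged logon: {e['user']} client {e['client']} from {e['terminal']}")
```

The two AKOWAL failures three hours apart stay below the threshold, which is the point of the window: the detection reacts to a burst, not to an ordinary mistyped password.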

3. Updating system patches

Every system can be hacked and SAP is no exception, so it is important to install system patches regularly.
Patch releases are also where information surfaces about break-ins that exploit known vulnerabilities.

Example 1: a report by the US Department of Security pointing to intrusions into at least 36 global SAP systems through a vulnerability that has been known, and fixed, since 2010. More at https://bit.ly/28Kpk5r

Example 2: at the PWNIE Awards 2015, the security community's annual meeting, first prize in the Best Server-Side Bug category went to the discovery of a vulnerability in SAP that allowed unauthorized access to the system: https://bit.ly/29Se5hB

Users part

4. Default accounts

When the SAP system is implemented, default user accounts are created. They are used for the initial installation of the system and are commonly known, both by name and by password.
It is extremely important to protect these accounts properly.
The most critical one is SAP* (it allows virtually unlimited access to, and changes in, the system).

Default account passwords should be changed and highly privileged profiles (such as SAP_ALL) should be removed from them.
Note that if you delete the default account, it is recreated automatically (with the default password).
The SAP* account should therefore have its password changed and the login/no_automatic_user_sapstar parameter set to 1 (so that the automatic SAP* account cannot be restored).

5. Default profiles

As with default accounts, SAP ships (with the installation) sets of authorization profiles that grant wide access to the system. The use of these profiles should be managed very strictly and limited to emergencies only.

The most important broad-access profile is SAP_ALL: it allows any transaction to be executed and any object, function or action to be accessed (there is a reason SAP administrators commonly refer to it in jargon as "God on the system"). It is important that this profile is not assigned anywhere. The same applies to the SAP_NEW profile.
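Sections 4 and 5 both come down to one question that can be answered from a user-to-profile export: who holds SAP_ALL or SAP_NEW, is SAP* still among them, and is the recreation safeguard set. The following is an added example, not code from the article or from Lukardi. The rows are a constructed "client;user;profile" export (the layout is an assumption; the real assignment table is structured differently), and the emergency-account allow list is the one exception the article permits.

```python
"""Audit of broad-access profile assignments and the SAP* account
(added example, not the article's code; sample export constructed)."""

BROAD_PROFILES = ("SAP_ALL", "SAP_NEW")

# Constructed export: client;user;profile (one row per assignment)
SAMPLE_ASSIGNMENTS = """\
client;user;profile
000;SAP*;SAP_ALL
000;BASISADM;Z_BASIS_ADMIN
100;SAP*;SAP_ALL
100;JSMITH;Z_AP_CLERK
100;FF_EMERG1;SAP_ALL
100;DEVUSER;SAP_NEW
"""


def parse_assignments(text: str) -> list[dict]:
    """First line is the header; every further line is one assignment."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(";")
    return [dict(zip(header, line.split(";"))) for line in lines[1:]]


def find_broad_profiles(rows, emergency_users=frozenset()):
    """Every SAP_ALL/SAP_NEW assignment, except to approved emergency
    accounts (whose use must be limited to emergencies anyway)."""
    return [r for r in rows
            if r["profile"] in BROAD_PROFILES and r["user"] not in emergency_users]


def check_sapstar(rows, params):
    """Findings for SAP*: SAP_ALL still assigned (per client) and the
    login/no_automatic_user_sapstar safeguard not set. `params` is a dict of
    profile parameter values, e.g. as read from a parameter dump."""
    findings = []
    for r in rows:
        if r["user"] == "SAP*" and r["profile"] == "SAP_ALL":
            findings.append(f"client {r['client']}: SAP* still carries SAP_ALL")
    if params.get("login/no_automatic_user_sapstar", "0") != "1":
        findings.append("login/no_automatic_user_sapstar is not set to 1; "
                        "a deleted SAP* would be recreated with the default password")
    return findings


if __name__ == "__main__":
    rows = parse_assignments(SAMPLE_ASSIGNMENTS)
    for r in find_broad_profiles(rows, emergency_users={"FF_EMERG1"}):
        print(f"client {r['client']}: {r['user']} has {r['profile']}")
    for f in check_sapstar(rows, {"login/no_automatic_user_sapstar": "0"}):
        print(f)
```

Running the check without an allow list and then with one makes the emergency exception explicit and reviewable, instead of letting SAP_ALL holders go unnoticed among ordinary users.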

6. Conflicts of permissions

Granting users access rights to different parts of the system without adequate care increases the risk of fraud.

Example: if one person can both change a bank account number and make a transfer, the organization's policies can be bypassed to transfer money outside it.

To sum up: it is important to manage the privilege conflict matrix properly. Such a matrix first of all makes it possible to identify existing conflicts, and verifying individual users' access then allows the risk to be assessed. Implementing an effective data access policy in SAP is one of the most important elements of sealing the SAP environment against risks whose main factor is user activity.
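A conflict matrix is only useful if it is actually evaluated against what each user can do. The following is an added example, not code from the article or from Lukardi: roles, activity names and the matrix are all constructed (the first conflict pair is the article's own bank-account-change plus transfer case), and it goes slightly beyond the text by also checking, before a new role is assigned, whether that assignment would create a conflict.

```python
"""Segregation-of-duties evaluation over a conflict matrix
(added example, not the article's code; all names constructed)."""
from itertools import combinations

# Conflict matrix: unordered activity pairs that must not meet in one user,
# with the business risk each pair represents. Constructed.
CONFLICT_MATRIX = {
    frozenset({"CHANGE_VENDOR_BANK_ACCOUNT", "EXECUTE_PAYMENT_RUN"}):
        "can redirect vendor payments to a bank account of their choosing",
    frozenset({"CREATE_VENDOR", "POST_VENDOR_INVOICE"}):
        "can create a fictitious vendor and post its invoices",
}

# What each role actually permits (constructed role names).
ROLE_ACTIVITIES = {
    "Z_AP_MASTER_DATA": {"CHANGE_VENDOR_BANK_ACCOUNT", "CREATE_VENDOR"},
    "Z_AP_PAYMENTS": {"EXECUTE_PAYMENT_RUN"},
    "Z_AP_INVOICES": {"POST_VENDOR_INVOICE"},
    "Z_AP_DISPLAY": {"DISPLAY_VENDOR"},
}

# Current role assignments (constructed users).
USER_ROLES = {
    "JSMITH": ["Z_AP_MASTER_DATA", "Z_AP_PAYMENTS"],
    "AKOWAL": ["Z_AP_MASTER_DATA", "Z_AP_DISPLAY"],
    "MNOWAK": ["Z_AP_INVOICES", "Z_AP_PAYMENTS"],
}


def user_activities(user, user_roles, role_activities):
    """Union of the activities granted by all of the user's roles."""
    acts = set()
    for role in user_roles.get(user, []):
        acts |= role_activities.get(role, set())
    return acts


def find_sod_conflicts(user_roles, role_activities, matrix):
    """One finding per user and conflicting activity pair, in a stable order."""
    findings = []
    for user in user_roles:
        acts = user_activities(user, user_roles, role_activities)
        for a, b in combinations(sorted(acts), 2):
            pair = frozenset({a, b})
            if pair in matrix:
                findings.append({"user": user, "activities": (a, b), "risk": matrix[pair]})
    return findings


def conflicts_if_assigned(user, new_role, user_roles, role_activities, matrix):
    """Preventive check for provisioning: conflicts the user would have
    after new_role is added, without touching the real assignments."""
    trial = dict(user_roles)
    trial[user] = list(user_roles.get(user, [])) + [new_role]
    return [f for f in find_sod_conflicts(trial, role_activities, matrix)
            if f["user"] == user]


if __name__ == "__main__":
    for f in find_sod_conflicts(USER_ROLES, ROLE_ACTIVITIES, CONFLICT_MATRIX):
        print(f"{f['user']}: {' + '.join(f['activities'])} -> {f['risk']}")
    for f in conflicts_if_assigned("AKOWAL", "Z_AP_PAYMENTS",
                                   USER_ROLES, ROLE_ACTIVITIES, CONFLICT_MATRIX):
        print(f"assigning Z_AP_PAYMENTS to AKOWAL would create: {f['activities']}")
```

Checking at activity level rather than role level is deliberate: two individually harmless roles combine into a conflict, which a role-name blocklist would miss.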

Lukardi 2022. All Rights Reserved. 