The SAP Security Baseline Template provides regulations and guidelines for securing SAP systems. It is structured based on the SAP Secure Operations Map. Chapter 2 shows the specific regulations that should be fulfilled for all SAP systems, organized by the sections of the Secure Operations Map. Chapters 3 and 4 provide additional information on verifying compliance and annotations for each regulation. The template is intended to help organizations define security policies and validate that their SAP systems meet baseline security requirements.

SAP Security Baseline Template

Version 1.9

The structure of the template is based on the SAP Secure Operations Map (layer, followed by its topic areas):

Security Compliance      Security Governance | Audit | Cloud Security | Emergency Concept
Secure Operation         Users and Authorizations | Authentication and Single Sign-On | Support Security | Security Review and Monitoring
Secure Setup             Secure Configuration | Communication Security | Data Security
Secure Code              Security Maintenance of SAP Code | Custom Code Security
Infrastructure Security  Network Security | Operating System and Database Security | Frontend Security

Chapter 2 shows the regulations that should be fulfilled for all SAP systems in the system landscape. Adjust the target values according to your Corporate Security Policy.
Chapter 3 provides information on how to verify compliance of a system or landscape with the requirements given in chapter 2.
Chapter 4 and the following chapters provide additional information to define and validate the target values.
SAP SECURITY BASELINE TEMPLATE

Change History

Date  Version  Change

August 2016  1.9
• Description about Kernel Parameters of the Security Audit Log added
• Description about critical authorization for S_DEVELOP activity 16=execute for object types CLAS, FUGR and PROG added
• URL domain service.sap.com replaced by support.sap.com for some links
• Pictures showing text in SolMan section replaced by text
• URL for Wiki about 'Home of TCP/IP Ports' added
• Description about “security policies for users” added
• References to Configuration Stores, Configuration Items, Target Systems of the application Configuration Validation added
• Migration from Service Marketplace to the SAP Support Portal, i.e. links to SMP changed to the corresponding links to the Support Portal
• New requirement about SAP HANA network settings
• New requirement about standard passwords of users which are generated by the SAP Solution Manager

24-Jun-2015  1.8
• Cleaned up and completed Change History.
• Added option to delete client 066 to O-1.
• Added information on configuration stores to chapter “Verifying compliance”.

13-May-2015  1.7
• Translated further pictures into tables.
• Minor editorial changes for improved readability.

12-May-2015  1.6
• Added requirement I-13 “SAP HANA Security”.

05-May-2015  1.5
• Added some clarifications and corrections in the “Network Security” section. Added Security Audit Log parameters in S-1.
• Removed segregation requirement between production and development systems from S-3.
• Added explanatory information for HANA Security: System privileges and Audit settings.

30-Apr-2015  1.4
• Correction of parameter values in areas
  - I-5: Web Dispatcher Security
  - S-1: ABAP Profile Parameters
• Updated formatting in chapter 2.
• Added explanatory chapter on HANA Security.

06-Mar-2015  1.3
• Editorial corrections including transformation of pictures into tables.
• Added appendix chapter “SAP Secure Operations Map”.

09-Dec-2014  1.2
• Added chapter “Verifying Compliance”.

03-Dec-2014  1.1
• Formatting changes for keywords and tables.
• Further editorial changes to improve readability.
• Updated information in explanatory chapter “SAP Security Patch Day Process”. Added additional links and references in the Appendix. Added a chapter with information on the Security Optimization Service.
• Added an Index at the end of the document.

24 July 2018 Document1 page 2 of 149

19-Aug-2014  1.0
• Initial Version adapted to the new Secure Operations Map, including the corresponding change of regulation IDs in chapter 2.

TABLE OF CONTENTS

1 Overview, Requirements and Guidelines ...................................................... 10
1.1 Purpose of this document ........................................................................................ 10
2 Regulations ...................................................................................................... 11
2.1 Infrastructure Security (Identifier-Prefix I) ............................................................... 11
2.1.1 Network Security .......................................................................................................................... 11
2.1.2 Operating System Security .......................................................................................................... 13
2.1.3 Database Security ....................................................................................................................... 14
2.1.4 Frontend Security ........................................................................................................................ 16
2.2 Secure Code (Identifier-Prefix C) ............................................................................. 16
2.2.1 Security Maintenance of SAP Code ............................................................................................ 16
2.2.2 Custom Code Security ................................................................................................................. 16
2.3 Secure Setup (Identifier-Prefix S) ............................................................................. 17
2.3.1 Secure Configuration ................................................................................................................... 17
2.3.2 Communication Security .............................................................................................................. 19
2.3.3 Data Security ............................................................................................................................... 21
2.4 Secure Operation (Identifier-Prefix O) ..................................................................... 21
2.4.1 Users and Authorizations ............................................................................................................. 21
2.4.2 Authentication and Single Sign-On .............................................................................................. 23
2.4.3 Support Security .......................................................................................................................... 23
2.4.4 Security Review and Monitoring .................................................................................................. 23
2.5 Security Compliance (Identifier Prefix X)................................................................. 24
2.5.1 Security Governance ................................................................................................................... 24
2.5.2 Audit ............................................................................................................................................. 24
2.5.3 Cloud Security.............................................................................................................................. 24
2.5.4 Emergency Concept .................................................................................................................... 24
3 Verifying Compliance ...................................................................................... 25
3.1 Configuration Stores ................................................................................................. 27
3.1.1 Configuration Stores for HANA based systems........................................................................... 27
3.1.2 Configuration Stores for ABAP based systems ........................................................................... 27
3.1.3 Configuration Stores for Java based systems ............................................................................. 28
4 Annotations and Additional Information ....................................................... 30
4.1 Infrastructure Security .............................................................................................. 30
4.1.1 Network Security .......................................................................................................................... 30
4.1.1.1 Network Zones and Firewalls ...................................................................................................... 30
4.1.1.1.1 Client – Server Communication – ABAP Systems .................................................................................. 31
4.1.1.1.2 Client – Server Communication – Java Systems .................................................................................... 33
4.1.1.1.3 Server – Server Communication ............................................................................................................. 34

4.1.1.2 SAP provided Gateways and Reverse Proxies and standalone components ............................. 34
4.1.1.2.1 SAProuter ............................................................................................................................................... 35
4.1.1.2.2 SAP Web Dispatcher .............................................................................................................................. 36
4.1.1.3 Administrative Access to SAP Systems ...................................................................................... 37
4.1.2 Operating System Security .......................................................................................................... 38
4.1.2.1 Windows ...................................................................................................................................... 38
4.1.2.1.1 Windows Groups and Users in an SAP System Environment................................................................. 38
4.1.2.1.2 Windows Operating System User Settings in an SAP System ................................................................ 38
4.1.2.1.3 SAP Systems in the Windows Domain Concept ..................................................................................... 39
4.1.2.1.4 Securing Data Relevant to the SAP System ........................................................................................... 39
4.1.2.1.5 Security Settings for Shared Memory...................................................................................................... 40
4.1.2.2 Unix .............................................................................................................................................. 40
4.1.2.2.1 Protecting Specific Properties, Files and Services .................................................................................. 40
4.1.2.2.2 Setting Access Privileges for SAP System Directories Under UNIX/LINUX ............................................ 41
4.1.3 Database Security ....................................................................................................................... 41
4.1.3.1 General Recommendations ......................................................................................................... 41
4.1.3.1.1 Authentication and Encryption ................................................................................................................ 42
4.1.3.1.2 Authorization ........................................................................................................................................... 42
4.1.3.2 SAP HANA Security ..................................................................................................................... 42
4.1.3.2.1 Change Passwords of Users after Handover .......................................................................................... 42
4.1.3.2.2 Deactivate SYSTEM user ....................................................................................................................... 43
4.1.3.2.3 Limit Password Lifetime .......................................................................................................................... 43
4.1.3.2.4 Password Policy...................................................................................................................................... 43
4.1.3.2.5 System privilege DATA ADMIN ............................................................................................................... 43
4.1.3.2.6 System privileges must be Granted to Database Administrators Only .................................................... 44
4.1.3.2.7 SQL Trace Level ..................................................................................................................................... 44
4.1.3.2.8 Audit Trail ................................................................................................................................................ 44
4.1.3.3 SAP MaxDB Security ................................................................................................................... 44
4.1.3.3.1 Changing Passwords of Standard Users ................................................................................................ 44
4.1.3.3.2 Restricting and Checking Log Files for Failed Logon Attempts ............................................................... 45
4.1.3.3.3 Use secure Authentication ...................................................................................................................... 46
4.1.3.3.4 Implement Backup and Disaster Recovery Procedures .......................................................................... 46
4.1.3.3.5 Network Split for Administrative Protocols .............................................................................................. 46
4.1.3.3.6 Implement Database Configuration Hardening ....................................................................................... 47
4.1.3.3.7 Use Dedicated Database Hosts for Productive Databases ..................................................................... 47
4.1.3.3.8 Defining Clear Authorizations for Users .................................................................................................. 47
4.1.3.3.9 Securing Communication Channels ........................................................................................................ 47
4.1.3.3.10 Dispensable Functions with Impact on Security ...................................................................................... 48
4.1.3.3.11 Checking User Input in SQL Statements................................................................................................. 48
4.1.3.3.12 Trace and Log Files ................................................................................................................................ 48
4.1.3.4 Oracle .......................................................................................................................................... 48
4.1.3.4.1 User Management .................................................................................................................................. 48

4.1.3.4.2 Secure Store Connect ............................................................................................................................. 49
4.1.3.4.3 Secure Data Storage............................................................................................................................... 49
4.1.3.4.4 BRBACKUP, BRARCHIVE, and BRCONNECT ...................................................................................... 50
4.1.3.4.5 BRRECOVER, BRRESTORE, and BRSPACE ....................................................................................... 51
4.1.3.4.6 Requirements for Backups Using RMAN ............................................................................... 51
4.1.3.5 IBM DB2 ....................................................................................................................................... 51
4.1.3.5.1 Password Security .................................................................................................................................. 51
4.1.3.5.2 Use Secure Authentication...................................................................................................................... 52
4.1.3.5.3 Implement Backup and Data Recovery Procedures ............................................................................... 52
4.1.3.5.4 Implement Authorization Concept ........................................................................................................... 52
4.1.3.5.5 Use Secure Communication .................................................................................................... 52
4.1.3.5.6 Use Dedicated Database Hosts for Productive Databases ..................................................................... 53
4.1.3.5.7 Employ Database Encryption .................................................................................................................. 53
4.1.4 Frontend Security ........................................................................................................................ 53
4.1.4.1 SAP GUI for Microsoft Windows .................................................................................................. 53
4.2 Secure Code .............................................................................................................. 53
4.2.1 Security Maintenance of SAP Code ............................................................................................ 53
4.2.1.1 General Information ..................................................................................................................... 53
4.2.1.2 Implementation of a Security Patch Day Process ....................................................................... 54
4.2.1.3 SAP Security Patch Day Process ................................................................................................ 56
4.2.1.4 SAP Solution Manager “System Recommendations” Function ................................................... 57
4.2.1.5 Solution Manager Configuration Validation ................................................................................. 57
4.2.1.6 Transporting SAP Security Notes ................................................................................................ 58
4.2.1.7 Implementing SAP Security Notes with Transaction SNOTE ....................................................... 58
4.2.2 Custom Code Security ................................................................................................................. 58
4.2.2.1 Custom Code Lifecycle Management .......................................................................................... 58
4.2.2.1.1 CCLM High level architecture ................................................................................................................. 58
4.2.2.1.2 Authorization Concept ............................................................................................................................. 59
4.2.2.1.3 RFC Set Up............................................................................................................................................. 59
4.2.2.1.4 CCLM Library .......................................................................................................................................... 59
4.2.2.1.5 Lead System ........................................................................................................................................... 59
4.2.2.1.6 CCLM - Summary ................................................................................................................................... 60
4.2.2.2 Selected Attack Vectors and Recommended Countermeasures ................................................ 61
4.2.2.2.1 Overview ................................................................................................................................................. 61
4.2.2.2.2 Cross-Site Request Forgery.................................................................................................................... 61
4.2.2.2.3 SQL Injection .......................................................................................................................................... 61
4.2.2.2.4 Directory Traversals ................................................................................................................................ 62
4.2.2.2.5 Invoker Servlet ........................................................................................................................................ 62
4.2.2.2.6 ABAP Code Injection............................................................................................................................... 63

4.3 Secure Setup ............................................................................................................. 63
4.3.1 Secure Configuration ................................................................................................................... 63

4.3.1.1 Secure Configuration of ABAP systems ...................................................................................... 63
4.3.1.1.1 Profile Parameters .................................................................................................................................. 63
4.3.1.1.2 Profile Parameters to control SAP Logins ............................................................................................... 66
4.3.1.1.3 Virus Scan Interface ................................................................................................................................ 79
4.3.1.2 Secure Configuration of Java systems ........................................................................................ 79
4.3.1.2.1 UME Parameters .................................................................................................................................... 80
4.3.1.2.2 SAP Logon Ticket ................................................................................................................................... 80
4.3.2 Communication Security .............................................................................................................. 80
4.3.2.1 Transport Layer Security on the AS ABAP .................................................................................. 82
4.3.2.2 Transport Layer Security on the AS JAVA .................................................................................. 82
4.3.2.3 Transport Layer Security When Using the SAP Web Dispatcher ................................................ 84
4.3.2.4 RFC Security................................................................................................................................ 85
4.3.2.5 Securing the RFC Gateway ......................................................................................................... 87
4.3.2.5.1 Monitoring: gwmon (case 1) .................................................................................................................... 88
4.3.2.5.2 RFC connections to ABAP stack (case 2) ............................................................................................... 88
4.3.2.5.3 Starting of RFC server programs (case 3) .............................................................................................. 89
4.3.2.5.4 Registration of RFC server programs (case 4) ........................................................................................ 89
4.3.2.5.5 Gateway Logging .................................................................................................................................... 90
4.3.2.5.6 RFC Gateway Hardening ........................................................................................................................ 90
4.3.2.6 Message Server Security ............................................................................................................. 91
4.3.2.7 Limit Web-Enabled Content ......................................................................................................... 92
4.3.3 Data Security ............................................................................................................................... 93
4.4 Secure Operation ...................................................................................................... 93
4.4.1 Users and Authorizations ............................................................................................................. 93
4.4.1.1 Handling default users and passwords ........................................................................................ 93
4.4.1.2 Roles and Responsibilities ........................................................................................................... 94
4.4.1.3 Processes .................................................................................................................................... 95
4.4.1.4 Creation / Change / Deletion of Mitigation Controls / Mitigation Control Assignments ............... 95
4.4.1.4.1 Developer Access to Production Systems .............................................................................................. 95
4.4.1.4.2 RFC Authorizations ................................................................................................................................. 96
4.4.1.4.3 Authorizations: Role Development .......................................................................................................... 96
4.4.1.4.4 Authorization Setup ................................................................................................................................. 96
4.4.2 Authentication and Single Sign-On .............................................................................................. 97
4.4.2.1 Client – Server Authentication via SAPGUI or RFC clients ......................................................... 97
4.4.2.2 Client Server Authentication via Web Browser ............................................................................ 99
4.4.3 Support Security .......................................................................................................................... 99
4.4.3.1 Access by SAP Support ............................................................................................................... 99
4.4.4 Security Review and Monitoring ................................................................................................ 100
4.4.4.1 Security Audit Log ...................................................................................................................... 100
4.4.4.2 Security Monitoring and Reporting using the SAP Solution Manager ....................................... 101
4.4.4.3 Baseline Document References Logging .................................................................................. 102

4.5 Security Compliance ............................................................................................... 102
4.5.1 Security Governance ................................................................................................................. 102
4.5.2 Audit ........................................................................................................................................... 103
4.5.3 Cloud Security............................................................................................................................ 104
4.5.4 Emergency Concept .................................................................................................................. 105
4.6 Specific Topics ........................................................................................................ 105
4.6.1 SAP HANA Security ................................................................................................................... 105
4.6.1.1 SAP HANA Network and Communication Security ................................................................... 106
4.6.1.2 Secure Data Communication ..................................................................................................... 106
4.6.1.3 User and Role Management ...................................................................................................... 108
4.6.1.3.1 Deactivating the SYSTEM User ............................................................................................................ 108
4.6.1.4 HANA Authorization ................................................................................................................... 108
4.6.1.5 Data Storage Security ................................................................................................................ 109
4.6.1.5.1 Data Volume Encryption ....................................................................................................................... 109
4.6.1.5.2 Secure Storage of Passwords in SAP HANA ........................................................................................ 110
4.6.1.6 Security Configuration Checklist ................................................................................................ 111
4.6.2 Process Integration (SAP PI) Security ....................................................................................... 116
4.6.2.1 PI Service Users for internal and external communication ........................................................ 116
4.6.2.2 PI Authorizations ........................................................................................................................ 117
4.6.2.3 Message Level Security ............................................................................................................. 117
4.6.2.4 Specific Topics related to “Business Warehouse” (SAP BW) ................................................... 117
5 Tools and Monitoring .................................................................................... 118
5.1 Solution Manager .................................................................................................... 118
5.1.1 Communication Channels and Communication Destinations ................................................... 120
5.1.2 Use of Gateway ......................................................................................................................... 121
5.1.3 User management and user types............................................................................................. 121
5.1.4 RFC Authorization .................................................................................................... 122
5.1.5 End User Roles in SAP Solution Manager ................................................................................ 122
5.1.6 Authorizations for user interfaces .............................................................................................. 123
5.1.6.1 Critical RFC connections and authorization objects .................................................................. 123
5.1.6.2 Authorization Object S_TABU_DIS, S_TABU_NAM and S_TABU_CLI ...................................... 124
5.1.7 Required TCP/IP Ports .............................................................................................................. 124
5.2 Early Watch Alert (EWA) ......................................................................................... 125
5.3 SAP Security Optimization Service ........................................................................ 126
5.4 Configuration Validation ......................................................................................... 126
6 Appendix: SAP Secure Operations Map ...................................................... 128
6.1 Security Governance .............................................................................................. 129
6.2 Audit ......................................................................................................................... 129
6.3 Cloud Security ......................................................................................................... 129

24 July 2018 Document1 page 8 of 149


SAP SECURITY BASELINE TEMPLATE

6.4 Emergency Concept ................................................................................................ 130


6.5 Users & Authorizations ........................................................................................... 130
6.6 Authentication and Single Sign-On........................................................................ 130
6.7 Support Security ..................................................................................................... 131
6.8 Security Review and Monitoring ............................................................................ 131
6.9 Secure Configuration .............................................................................................. 131
6.10 Communication Security ........................................................................................ 131
6.11 Data Security ........................................................................................................... 132
6.12 Security Maintenance of SAP Code ....................................................................... 132
6.13 Custom Code Security ............................................................................................ 132
6.14 Network Security ..................................................................................................... 132
6.15 Operating System and Database Security ............................................................. 132
6.16 Frontend Security.................................................................................................... 133
7 Appendix : References + Links whitepapers / best practices ................... 134
8 Index ............................................................................................................... 141

1 Overview, Requirements and Guidelines


1.1 Purpose of this document
The purpose of this document is to provide a baseline of the security measures that have to be
applied to SAP systems. Deviations from this baseline (i.e. security measures that are not applied or
are applied in a different way) need to be documented and approved. An exception management,
approval and mitigation process is a general and indispensable requirement, but it is not part of
this document.

2 Regulations
This section contains the standards and regulations that are mandatory for all SAP systems. The
content of this chapter is restricted to the requirements themselves. It can also be extracted as a
separate document to serve as guidance and reference for checking the compliance of SAP systems
with this SAP Security Baseline.
Some of the requirements are explicitly marked as “critical” (and shown in red). Although from a
Security Baseline perspective all requirements should be fulfilled by all systems, the question
sometimes arises where to start. The “critical” mark is meant as guidance on priority in this respect,
but the other requirements should at most be delayed, not forgotten! The “critical” mark is aligned in
particular with those requirements that are also checked in an EarlyWatch Alert report and with those
whose violation makes a Security Optimization Service report overall “red”.
Additional information and options are available in chapter 3 “Annotations and Additional
Information” of this document.
Regardless of these regulations, specific exceptions may always be needed. Such exceptions have to
be regulated by separate exception processes outside this document.

2.1 Infrastructure Security (Identifier-Prefix I)


2.1.1 Network Security
To secure the SAP systems a network infrastructure like the following is recommended:

Application servers and database servers of SAP backend systems are located in the same
network zone, which is separated from the internal PC network. Only required ports are open
between PC network and application server network.

In particular, the following requirements have to be fulfilled:

I-1: Network Segregation


The SAP Server Network (“High Security Area”) must be separated from the Client Network
(“Internal Workstation Network”) and from the “DMZ” via Firewalls. Only required connectivity must
be allowed to pass through these Firewalls.
In particular, access to databases and to the operating system level must be blocked.
Exception: Required direct user access to an SAP HANA system.

I-2: Communication Encryption


All communication across non-trusted networks has to be authenticated and encrypted. The
internal network / Intranet (“Internal Workstation Network”) has to be considered as “non-trusted”
unless sufficient other security mechanisms are in place that make it a trusted network.

I-3: DMZ Authentication


Access coming from the Internet must be authenticated and verified in the DMZ, before any further
connections to or interactions with inner networks are allowed.

I-4: SAProuter Security


Any SAProuter has to be configured and operated in a secure manner.
This includes especially:
a) All applicable SAProuter Security Notes have been implemented and upcoming security
corrections get implemented on a regular basis.
b) The SAProuter routing table has to be set up and maintained as required to restrict access
through the SAProuter to the required connections.
c) On operating system level the SAProuter executable as well as any SAProuter configuration
data (especially the routing table) has to be protected against unauthorized and undesired
changes.

I-5: Web Dispatcher Security


Any Web Dispatcher has to be configured and operated in a secure manner.
This includes especially:
a) The Web Dispatcher has to be kept up-to-date (see SAP note 538405)
b) Information disclosure has to be prohibited by using a specific directory to store web error pages
and setting the corresponding profile parameter to this directory, e.g. by setting
icm/HTTP/error_templ_path = /usr/sap/<SID>/<Instance>/data/icmerror
and by setting is/HTTP/show_detailed_errors to FALSE.

c) Additionally the following Web Dispatcher URL filter entries should be included for the same
purpose:
D /sap/public/icman/*
D /SAP/public/ping
D /sap/public/icf_info/*
D /SAP/wdisp/information
d) Use HTTPS to prevent the password from being intercepted. Use an HTTPS port that has been
set up with the parameter icm/server_port_<num> [1] in the URL.
e) Allow Web Dispatcher administration only on ports that have a secure protocol (HTTPS), by
setting the PORT option of the parameter icm/HTTP/admin_<num> to an HTTPS port.
f) Configure a port that can only be accessed from the internal network as the administration port.
Use the PORT option of the parameter icm/HTTP/admin_<num> to do this.
g) Allow administration only under a certain host name or IP address, which can only be accessed
from the internal network. To do this, use the HOST option of the parameter
icm/HTTP/admin_<num>.
h) Limit administration to clients from the internal network. To do this, use the CLIENTHOST option
of the parameter icm/HTTP/admin_<num>.

I-6: Administrative Access


Administrative access must be restricted to those workstations from which such access is planned
to occur. The firewalls between the network segments must be configured accordingly.
Any administrative access must only be done via authenticated and encrypted connections.
If a connection is not required on a daily or regular basis, access has to be permitted on demand
only.

2.1.2 Operating System Security


The following regulations state security requirements for operating system level security that are
specific to the operation of SAP systems. General operating system security measures are of
course required as well and assumed to be in place. Some key general requirements are
additionally given in the annotations chapter or document corresponding to these regulations.

I-7: Windows Security Requirements:


An SAP system must not be installed on a Windows Domain Controller.
The SAP-specific critical users <sid>adm and SAPService<sid> must be administered as securely as
other critical administration users. Resource access and administration rights of these users must
be limited to the required ones.

[1] This requirement holds for the parameter defining the web protocol. Keep in mind that other protocols like
P4 or SMTP should be secured as well.

The SAPService<sid> user runs the SAP system Windows service. It requires the authorization
to log on as a service on the local machine but must not be allowed to log on interactively.
Moreover, this user must not be included in the local Windows Administrators group.
With respect to authorization, system resources belonging to the SAP System have to be
protected. This includes the protection of files, processes and shared memory.

I-8: Unix Security Requirements


Protect the SAP system specific users <sid>adm and <db><sid>. Besides the system administrators,
these users should be the only users that exist on the application servers and the main instance at
the operating system level. After installation, lock <db><sid> on the application servers.

2.1.3 Database Security


I-9: General Database Security Regulations
a) Whenever possible, use SAP tools to access the data in the database.
b) Change the default password for SAPR3 or SAP<SID>.
c) Do not grant any access for other DBA users to the following tables:
- USR* tables
- T000 table (no write access)
- General tables (such as SAPUSER or RFCDES) or application-specific tables (such as PA* or
HCL*)
d) If non-SAP tools have to be used for access to data in the database for whatever reasons, take
the following precautions:
- Do not use the user SAPR3 or SAP<SID> to connect to the database. Create other users for such
purposes.
- Restrict the access rights of such users to the necessary tables only.
- Assign read-only access to these users.
- Make sure that no user is authorized to maintain all tables
- Make sure that the consistency and the authorization security of your database cannot be damaged

I-13: SAP HANA Security


(see details as well as corresponding “select” statements in chapter 4.1.3.2)
a) The passwords of the SYSTEM user and of all other password-enabled users that are not
deactivated must have been changed since the handover of the appliance to the customer.
b) Deactivate the SYSTEM user. Do not restrict the valid time range of user SYSTEM.
(Caveat: An administration concept and the corresponding administrators have to be set up
before doing this!)
c) The password lifetime must be limited for all users.
Exception: Technical users may get an unlimited password lifetime if required.

d) The following password policy parameters must be set:


- force_first_password_change = true
- maximum_unused_initial_password_lifetime <= 7
- minimal_password_length >= 8
e) The system privilege DATA ADMIN must not be granted to any user or role.
f) System privileges must be granted to Database Administrators only
g) The SQL trace level must not be ‘ALL_WITH_RESULTS’.
h) The HANA Audit Trail must be activated with the following minimum requirements:
- Auditing Status must be enabled
- Audit Trail Target must not be CSV Text File
- Audit Level Trail Targets must be “Initial” or contain at least one of the targets “Syslog” or
“Database Table” for each of the Audit Trail Targets. It may contain multiple selections including
“CSV Text File”.
Additionally suitable Audit Policies must be configured according to the customer needs.
i) SAP HANA network settings for internal services must be configured according to note 2183363.
For single host systems, the parameter listeninterface must be set to .local to enforce that
the HANA internal communication listens on the HANA internal loopback interface only.
For distributed systems, a separate network must be configured for internal communication. The
parameter listeninterface must be set to .internal and the parameter
internal_hostname_resolution must be maintained accordingly.
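The I-13 rules can be evaluated offline against the results of the catalog queries that chapter 4.1.3.2 refers to. The following Python checker is an added example, not the baseline's own code or statements; it works on constructed rows that mimic SYS.M_INIFILE_CONTENTS, SYS.GRANTED_PRIVILEGES and SYS.USERS (the column names used are assumptions named in the docstring), and its reading of each rule is stated in the comments.

```python
"""Evaluate the I-13 SAP HANA requirements on configuration and catalog data.

Added example; it is not the baseline's own code nor its chapter 4.1.3.2
statements. The inputs mimic the rows a reviewer would fetch from the SYS views
M_INIFILE_CONTENTS (SECTION, KEY, VALUE, all layers), GRANTED_PRIVILEGES
(GRANTEE, PRIVILEGE) and USERS (USER_NAME, USER_DEACTIVATED, VALID_UNTIL,
IS_PASSWORD_LIFETIME_CHECK_ENABLED); here they are constructed, not fetched.
Rule a) needs the handover date and is not covered; rule c) is only reported
for review because the view does not say which users are technical users.
"""


def ini(rows, section, key):
    """Effective value of an ini key: the last matching row (highest layer) wins."""
    value = None
    for sec, k, v in rows:
        if sec == section and k == key:
            value = v
    return value


def check_i13(ini_rows, grants, users, single_host=True):
    """Return the violated I-13 rules; an empty list means compliant."""
    f = []
    for u in users:  # b) SYSTEM deactivated but not time-restricted; c) lifetime
        if u["USER_NAME"] == "SYSTEM":
            if u["USER_DEACTIVATED"] != "TRUE":
                f.append("b) SYSTEM user is not deactivated")
            if u["VALID_UNTIL"] is not None:
                f.append("b) SYSTEM user has a restricted validity period")
        elif u["IS_PASSWORD_LIFETIME_CHECK_ENABLED"] != "TRUE":
            f.append(f"c) {u['USER_NAME']}: unlimited password lifetime, confirm technical user")
    # d) password policy parameters ([password policy] in indexserver.ini)
    pol = "password policy"
    if (ini(ini_rows, pol, "force_first_password_change") or "").lower() != "true":
        f.append("d) force_first_password_change != true")
    if int(ini(ini_rows, pol, "maximum_unused_initial_password_lifetime") or 99) > 7:
        f.append("d) maximum_unused_initial_password_lifetime > 7 or unset")
    if int(ini(ini_rows, pol, "minimal_password_length") or 0) < 8:
        f.append("d) minimal_password_length < 8 or unset")
    # e) DATA ADMIN must be granted neither to a user nor to a role
    f += [f"e) DATA ADMIN granted to {g}" for g, priv in grants if priv == "DATA ADMIN"]
    # g) ALL_WITH_RESULTS writes query results into the SQL trace files
    if (ini(ini_rows, "sqltrace", "level") or "").lower() == "all_with_results":
        f.append("g) SQL trace level is ALL_WITH_RESULTS")
    # h) audit trail enabled; target not CSV-only ("initial" = key unset = default)
    aud = "auditing configuration"
    if (ini(ini_rows, aud, "global_auditing_state") or "").lower() != "true":
        f.append("h) global_auditing_state != true")
    trail = ini(ini_rows, aud, "default_audit_trail_type")
    if trail is not None:
        targets = {t.strip().upper() for t in trail.split(",")}
        if not targets & {"SYSLOGPROTOCOL", "CSTABLE"}:
            f.append("h) audit trail target is neither syslog nor database table")
    # i) internal network listener (SAP note 2183363, as cited by the baseline)
    li = ini(ini_rows, "communication", "listeninterface")
    if single_host and li != ".local":
        f.append("i) listeninterface != .local on a single-host system")
    if not single_host:
        if li != ".internal":
            f.append("i) listeninterface != .internal on a distributed system")
        if not any(sec == "internal_hostname_resolution" for sec, _, _ in ini_rows):
            f.append("i) internal_hostname_resolution not maintained")
    return f


# Constructed sample data: a compliant single-host system.
INI_OK = [
    ("password policy", "force_first_password_change", "true"),
    ("password policy", "maximum_unused_initial_password_lifetime", "7"),
    ("password policy", "minimal_password_length", "12"),
    ("sqltrace", "level", "normal"),
    ("auditing configuration", "global_auditing_state", "true"),
    ("auditing configuration", "default_audit_trail_type", "CSTABLE,CSVTEXTFILE"),
    ("communication", "listeninterface", ".local"),
]
USERS_OK = [
    {"USER_NAME": "SYSTEM", "USER_DEACTIVATED": "TRUE", "VALID_UNTIL": None,
     "IS_PASSWORD_LIFETIME_CHECK_ENABLED": "TRUE"},
    {"USER_NAME": "SECADMIN", "USER_DEACTIVATED": "FALSE", "VALID_UNTIL": None,
     "IS_PASSWORD_LIFETIME_CHECK_ENABLED": "TRUE"},
]
USERS_BAD = [{"USER_NAME": "SYSTEM", "USER_DEACTIVATED": "FALSE",
              "VALID_UNTIL": "2019-12-31", "IS_PASSWORD_LIFETIME_CHECK_ENABLED": "TRUE"}]
```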

I-10: SAP MaxDB Security


a) Passwords of the database users must be properly maintained. Especially the default
passwords of users DBADMIN, DBA and DBM must be changed.
b) Define and implement a proper authorization concept for the database users.
c) Limit software and functions to the required minimum:
- Install only software components that are really needed
- Switch off the Global Listener and SAP MaxDB X Servers for Local Communication
- Start SAP MaxDB X Server without NI Support (Unix and Linux)
- Remove Demo Data
d) Trace and Log Files
- Use traces only to search for errors. Delete the trace files and disable trace writing when the
evaluation is finished
- Restrict access to log files
- Restrict access to operating system commands and functions
- Withdraw the server authorization for reading database files from all DBM operators that should
not have access to log files.

- In Database Manager CLI, withdraw the DBFileRead server authorization.

I-11: Oracle DB Security


a) Passwords of the database users must be properly maintained. The passwords especially for
SAP<SID> or SAPR3, and <sid>adm must be changed regularly.
b) A proper authorization concept for the database users must be defined and implemented.
c) OPS$ users may only be defined for the Windows users that are necessary for operating the
SAP system. These are typically the users SAPService<sid> and <sid>adm; however, you may
assign them other names. For more information about creating OPS$ users on Windows, see SAP
note 50088.
d) If technically possible (Kernel 7.20 in place) the OPS$ remote connect must be replaced by the
new “Secure Storage in File System” (SSFS) method.
e) Access to the database must be restricted to the required IP addresses

2.1.4 Frontend Security


I-12: SAPGUI Security
a) The SAPGUI installations on all client computers must be updated on a regular basis
b) The SAPGUI ACLs must be activated. Proper Administrator Rules must be distributed and
activated.

2.2 Secure Code (Identifier-Prefix C)


2.2.1 Security Maintenance of SAP Code
C-1: Maintenance of SAP Code (critical):
a) All SAP software must be updated to the latest Support Package or Patch at least every 12
months.
b) SAP publishes Security Notes on a monthly basis on the second Tuesday of each month. All
such Security Notes must be reviewed and implemented promptly, unless decided and documented
otherwise in the review.

2.2.2 Custom Code Security


C-2: Security of Custom Code
The security of custom code must be ensured during development:
a) Custom Code management must be in place to avoid or remove custom code which is either
replaceable with SAP standard code or which is not used
b) Code security scanners must be used to scan for well-known code weaknesses
c) Proper development regulations and a proper development organization must be in place which
ensures that security is respected as an integral part and a key property of the custom code
developed.

2.3 Secure Setup (Identifier-Prefix S)


2.3.1 Secure Configuration
S-1: ABAP Profile Parameters
The setting of the following ABAP Profile Parameters is mandatory for all SAP NetWeaver AS
ABAP based systems:
a) login/min_password_lng ≥ 8
(Minimum Password Length)
b) Enforce at least 2 different character categories out of
- login/min_password_digits ≥ 1 (min. number of digits in passwords),
- login/min_password_letters ≥ 0 (min. number of letters in passwords),
- login/min_password_lowercase ≥ 1 (min. number of lowercase letters in passwords),
- login/min_password_uppercase ≥ 1 (min. number of uppercase letters in passwords),
- login/min_password_specials ≥ 0 (min. number of special characters in passwords)
c) login/password_max_idle_initial between 1 to 14
(max. validity of initial passwords)
d) login/password_downwards_compatibility = 0 (in any case not 5)
(Password downwards compatibility: 8 / 40 characters, case-sensitivity) [2]
e) login/password_compliance_to_current_policy = 1
Enforce compliance of password with current password policy. With this configuration, users with
incompatible password will be prompted for a password change in the next logon. Users of type
"SYSTEM" and "SERVICE" are not affected by this change.
f) snc/enable = 1
Enable SNC-Module (Secure Network Communications)
Enforce encryption for SNC using
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3 or 9
If your SAP system is isolated by means of packet-filtering routers and you want to accept
conventional connections that are not protected with SNC parallel to SNC-protected connections,
then you must also set the appropriate parameters (snc/accept_insecure_gui,
snc/accept_insecure_rfc, snc/accept_insecure_cpic) [3].

[2] Value 5 is prohibited since it would enforce that passwords are only saved using old / insecure hash
algorithms. Values 1-4 are not recommended either, as old / insecure hashes are generated as well.
[3] Keep in mind that only the profile parameters snc/only_encrypted_gui and snc/only_encrypted_rfc
would ensure that only SNC secured connections are possible, which is beyond the scope of this security
baseline (see SAP Notes 1690662 and 2122578 for details).

g) icm/server_port_<num> [4]: PROT=HTTPS, …
(Configure ICM for SSL usage)
h) login/ticket_only_by_https = 1
(generate ticket that will only be sent via https)
This setting requires according entries in customizing table HTTPURLLOC to force the URL
generation to produce https URLs only.
i) login/ticket_only_to_host = 1
(ticket will only be sent back to creating host)
j) rsau/enable = 1
rsau/selection_slots ≥ 10
rsau/user_selection = 1
(Enable Security Audit Log)
k) icf/set_HTTPonly_flag_on_cookies must not be 1 or 3
(the HTTPonly attribute should be active for the ICF logon cookie)
l) dynp/checkskip1screen = ALL
(GUI Shortcut security according to notes 1399324 and 1157137)
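A profile export from RZ10 can be validated against the S-1 parameters a) to l) with a short script. The following Python checker is an added example, not part of the baseline or of SAP's Configuration Validation; the sample profiles are constructed, and its reading of rule b) (at least two categories with a minimum of 1) is an assumption stated in the docstring.

```python
"""Checker for the S-1 ABAP profile parameter requirements of this baseline.

Added example, not part of the SAP Security Baseline Template. It reads an
instance profile in the "name = value" text form shown by RZ10/RZ11 and
returns the S-1 rules that are violated. A parameter absent from the profile
counts as not set (kernel defaults are deliberately not assumed). Rule b) is
read as: a category counts as enforced when its minimum is >= 1, and at least
two categories must be enforced. The sample profiles are constructed.
"""
import re

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Map parameter name -> value string; '#' lines are comments, last wins."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def num(params, name):
    """Integer value of a parameter, or None if it is absent or not numeric."""
    try:
        return int(params[name])
    except (KeyError, ValueError):
        return None


def check_s1(profile_text):
    """Return the violated S-1 rules as 'letter) reason' strings (empty = compliant)."""
    p = parse_profile(profile_text)
    findings = []

    def need(ok, msg):
        if not ok:
            findings.append(msg)

    need((num(p, "login/min_password_lng") or 0) >= 8, "a) login/min_password_lng < 8")
    cats = ("digits", "letters", "lowercase", "uppercase", "specials")
    enforced = [c for c in cats if (num(p, f"login/min_password_{c}") or 0) >= 1]
    need(len(enforced) >= 2, "b) fewer than 2 password character categories enforced")
    need(1 <= (num(p, "login/password_max_idle_initial") or 0) <= 14,
         "c) login/password_max_idle_initial not within 1..14")
    need(num(p, "login/password_downwards_compatibility") == 0,
         "d) login/password_downwards_compatibility != 0 (old hashes kept)")
    need(num(p, "login/password_compliance_to_current_policy") == 1,
         "e) login/password_compliance_to_current_policy != 1")
    need(num(p, "snc/enable") == 1, "f) snc/enable != 1")
    need(num(p, "snc/data_protection/min") == 3 and num(p, "snc/data_protection/max") == 3
         and num(p, "snc/data_protection/use") in (3, 9),
         "f) snc/data_protection/min|max|use do not enforce encryption")
    need(any(k.startswith("icm/server_port_") and re.search(r"\bPROT\s*=\s*HTTPS\b", v, re.I)
             for k, v in p.items()), "g) no icm/server_port_<num> with PROT=HTTPS")
    need(num(p, "login/ticket_only_by_https") == 1, "h) login/ticket_only_by_https != 1")
    need(num(p, "login/ticket_only_to_host") == 1, "i) login/ticket_only_to_host != 1")
    need(num(p, "rsau/enable") == 1 and (num(p, "rsau/selection_slots") or 0) >= 10
         and num(p, "rsau/user_selection") == 1,
         "j) Security Audit Log not enabled with >= 10 slots and user selection")
    httponly = num(p, "icf/set_HTTPonly_flag_on_cookies")
    need(httponly is not None and httponly not in (1, 3),
         "k) icf/set_HTTPonly_flag_on_cookies unset or 1/3 (no HttpOnly on logon cookie)")
    need(p.get("dynp/checkskip1screen", "").upper() == "ALL", "l) dynp/checkskip1screen != ALL")
    return findings


COMPLIANT_PROFILE = """
login/min_password_lng = 10
login/min_password_digits = 1
login/min_password_uppercase = 1
login/password_max_idle_initial = 7
login/password_downwards_compatibility = 0
login/password_compliance_to_current_policy = 1
snc/enable = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 9
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=60,PROCTIMEOUT=600
login/ticket_only_by_https = 1
login/ticket_only_to_host = 1
rsau/enable = 1
rsau/selection_slots = 10
rsau/user_selection = 1
icf/set_HTTPonly_flag_on_cookies = 0
dynp/checkskip1screen = ALL
"""
WEAK_PROFILE = """
login/min_password_lng = 6
login/min_password_digits = 1
login/password_downwards_compatibility = 5
icm/server_port_0 = PROT=HTTP,PORT=8000
icf/set_HTTPonly_flag_on_cookies = 1
dynp/checkskip1screen = OFF
"""
```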

S-2: Protection of Password Hashes in ABAP Systems


a) Access to tables USR02, USH02 and USRPWDHISTORY must be protected against unauthorized
access by means of the assignment of table authorization group SPWD and of restricted
authorizations for authorization object S_TABU_DIS or S_TABU_NAM. [5]
b) The latest password hashing mechanism must be activated. Redundant old downward
compatible password hashes must be removed.

S-3: Modification Protection for ABAP Production Systems (critical):


Any system with production clients or with productive data in a non-production client (e.g. for test
purposes) has to be treated as a production system.
For such production systems the following two options have to be set to “not modifiable”:
a) System Change Option: Check table TADIR for PGMID=HEAD and OBJ=SYST and whether
EDTFLAG = N or P (Transaction SE06)

b) Client Change Option: Check table T000 for all clients, whether CCCORACTIV=2 and
CCNOCLIIND=3. CCCATEGORY=P means production client. (Transaction SCC4)

[4] This requirement holds for the parameter defining the web protocol. Keep in mind that other protocols like
P4 or SMTP should be secured as well.
[5] SAP note 1484692 lists some more tables. You may want to include these tables as well.

S-4: Secure Configuration of Java Systems


a) Unused J2EE Engine Services and unused J2EE Applications must be deactivated.
b) Custom-created J2EE applications must be assigned appropriate Security Roles
c) HTTP-Only cookie handling must be activated (see SAP notes 943336 and 2068872)
d) Server Header must be disabled by setting UseServerHeader to false in the HTTP Provider
Service in the global configuration of dispatcher and server nodes
e) Encryption for the Secure Store must be activated
f) Application aliases of unused applications should be disabled
g) Invoker Servlet must be disabled by setting EnableInvokerServletGlobally to false in
the servlet_jsp service in the global configuration of server nodes (see SAP note 1445998)

S-5: UME Parameters of Java Systems


The setting of the following UME parameters is mandatory for all SAP NetWeaver AS JAVA based
systems:
a) ume.logon.selfreg = FALSE
(UME Self Registration)
b) ume.logon.security_policy.password_min_length ≥ 8
(Minimum Password Length)
c) ume.logon.security_policy.userid_in_password_allowed = FALSE
(User ID in password allowed)
d) ume.logon.security_policy.oldpass_in_newpass_allowed = FALSE
(Old password in password allowed)
e) Enforce at least 2 different character categories out of
- ume.logon.security_policy.userid_special_char_required ≥ 0
(Minimum number of special characters required in the password)
- ume.logon.security_policy.password_alpha_numeric_required ≥ 1
(Minimum number of letters and digits required in the password)
- ume.logon.security_policy.password_mix_case_required ≥ 1
(Minimum number of uppercase and lowercase letters required in the password, i.e. mixed case)
f) ume.logon.httponlycookie = TRUE
g) ume.logon.security.enforce_secure_cookie = TRUE
(Send SAP Logon Ticket only via HTTPS)
h) login.ticket_lifetime ≤ 8h
(SAP Logon Ticket Lifetime)

2.3.2 Communication Security


S-6: RFC Connectivity
a) All RFC destinations must be required and must be assigned to an owner responsible for the
destination and who can provide information on the need and usage of this destination. RFC
destinations not or no longer required must be removed.

b) RFC destinations with stored user credentials or using trusted system logon must only exist
between systems of the same security classification or from systems of higher security classification
to systems of lower security classification.
c) The RFC authorization check has to be activated with the system profile parameter
auth/rfc_authority_check. This parameter must be set to the value ‘1’.
d) Systems of higher security classification may never trust systems of lower security classification.
e) If an SAP system technically allows for the use of UCON, then UCON should be activated and
RFC services not required should be switched off through UCON.
f) The inbound RFC or GUI connections have to be encrypted. Use the parameters
snc/accept_insecure_gui or snc/accept_insecure_rfc to make sure that the logon
inbound connection is secured with SNC.

S-7: RFC Gateway Security (critical)


These requirements are valid for ABAP and for Java systems.
a) The RFC Gateway Access Control Lists secinfo and reginfo must be maintained and
activated.
b) The profile parameter gw/reg_no_conn_info must be set according to SAP note 1444282
(or note 2269642 as of Kernel 7.40). At least bits 1, 2, 3, and 4 (bit 1 as of Kernel 7.40)
must be set; gw/reg_no_conn_info must therefore contain one of the values 15, 31, 47, 63,
79, 95, 111, 127, 143, 159, 175, 191, 207, 223, 239, 255 (or 1, 65, 129, 193 as of
Kernel 7.40).
c) The RFC Gateway’s default “Initial Security Environment” must be enabled by setting
gw/acl_mode = 1
d) RFC Gateway monitoring must be set to “local only” by setting gw/monitor = 1
e) The simulation mode has to be off by setting gw/sim_mode = 0

S-8: Message Server Security


a) The Message Server ports must be split into an internal port (for communication with the
application servers) and an external port (for communication with clients / users). The Message
Server internal port can be defined via profile parameter rdisp/msserv_internal. This port
must be blocked by all firewalls between the server network and the client network so that no client
can connect to this internal Message Server port.
b) External monitoring of the Message Server must be prohibited by setting ms/monitor = 0
c) External administration of the Message Server must be deactivated by setting ms/admin_port = 0
d) The Access Control List of the Message Server must be maintained via profile parameter
ms/acl_info
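The S-7 and S-8 parameters, including the kernel-release-dependent bit check of gw/reg_no_conn_info, can be validated as follows. This Python checker is an added example, not part of the baseline; it takes the profile as a dict, its sample values are constructed, and the content review of secinfo/reginfo required by S-7 a) is outside its scope.

```python
"""Checks for the S-7 RFC Gateway and S-8 Message Server profile parameters.

Added example, not part of the SAP Security Baseline Template. It takes the
profile parameters as a dict (name -> value string, as read from RZ10/RZ11)
plus the kernel release, because the gw/reg_no_conn_info bit meaning changed
with kernel 7.40 (SAP notes 1444282 and 2269642 as cited by the baseline).
Parameters absent from the dict count as not set. S-7 a) (content of secinfo
and reginfo) is a file review and not covered. The sample dicts are constructed.
"""

# Values the baseline lists as valid for gw/reg_no_conn_info from kernel 7.40 on.
REG_NO_CONN_INFO_740 = {1, 65, 129, 193}


def reg_no_conn_info_ok(value, kernel_release):
    """True if the mandatory bits of gw/reg_no_conn_info are set.

    Before 7.40 bits 1-4 (decimal 15) must all be set, so any value whose low
    nibble is 1111 qualifies (15, 31, ..., 255). From 7.40 on only bit 1 is
    mandatory and the baseline lists exactly 1, 65, 129 and 193.
    """
    if kernel_release >= 740:
        return value in REG_NO_CONN_INFO_740
    return 0 <= value <= 255 and value & 0x0F == 0x0F


def _int(params, name):
    """Integer value of a parameter, or None if absent or not numeric."""
    try:
        return int(params[name])
    except (KeyError, ValueError):
        return None


# parameter -> (required value, finding text)
FIXED_VALUES = {
    "gw/acl_mode": (1, "S-7 c) initial security environment not enabled"),
    "gw/monitor": (1, "S-7 d) gateway monitoring not restricted to local"),
    "gw/sim_mode": (0, "S-7 e) gateway simulation mode not switched off"),
    "ms/monitor": (0, "S-8 b) external message server monitoring not prohibited"),
    "ms/admin_port": (0, "S-8 c) external message server administration not deactivated"),
}


def check_s7_s8(params, kernel_release):
    """Return the S-7 / S-8 findings for a profile; empty list means compliant."""
    findings = []
    v = _int(params, "gw/reg_no_conn_info")
    if v is None or not reg_no_conn_info_ok(v, kernel_release):
        findings.append(f"S-7 b) gw/reg_no_conn_info={params.get('gw/reg_no_conn_info', '<unset>')} "
                        f"lacks the mandatory bits for kernel {kernel_release}")
    for name, (want, msg) in FIXED_VALUES.items():
        if _int(params, name) != want:
            findings.append(f"{msg} ({name}={params.get(name, '<unset>')}, required {want})")
    # S-8 a) a separate internal port that the firewalls can block towards the client network
    if not _int(params, "rdisp/msserv_internal"):
        findings.append("S-8 a) rdisp/msserv_internal not set: no separate internal message server port")
    # S-8 d) the message server ACL file must be referenced
    if not params.get("ms/acl_info", "").strip():
        findings.append("S-8 d) ms/acl_info not set: message server ACL not maintained")
    return findings


# Constructed sample: a kernel 7.2x profile that meets S-7 b) to e) and S-8 a) to d).
COMPLIANT_720 = {
    "gw/reg_no_conn_info": "255",
    "gw/acl_mode": "1",
    "gw/monitor": "1",
    "gw/sim_mode": "0",
    "rdisp/msserv_internal": "3901",
    "ms/monitor": "0",
    "ms/admin_port": "0",
    "ms/acl_info": "/usr/sap/SID/SYS/global/ms_acl_info",  # placeholder path
}
```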

S-9: Limit Web-Enabled Content on ABAP Servers


Only required ICF services may be enabled. ICF services not required must be disabled.

All ICF services that do not require user authentication must be reviewed, including all services in
/sap/public as well as services with stored logon data. Authentication should be activated and
services not required should be disabled where possible.
At least the following ICF services must be disabled if existing in the actual release and not used in
business scenarios:
/sap/bc/soap/rfc
/sap/bc/echo
/sap/bc/FormToRfc
/sap/bc/report
/sap/bc/xrfc
/sap/bc/xrfc_test
/sap/bc/error
/sap/bc/webrfc
/sap/bc/bsp/sap/certreq
/sap/bc/bsp/sap/certmap
/sap/bc/gui/sap/its/CERTREQ
/sap/bc/gui/sap/its/CERTMAP
/sap/bc/bsp/sap/bsp_veri
/sap/bc/bsp/sap/icf
/sap/bc/IDoc_XML
/sap/bc/srt/IDoc

2.3.3 Data Security


S-10: Malware Scanning for Uploaded Files
On systems on which files get uploaded, malware and virus scanning through the SAP Virus Scan
Interface must be activated.

2.4 Secure Operation (Identifier-Prefix O)


2.4.1 Users and Authorizations
O-1: Handling of ABAP Default Users in ABAP Systems (critical)
a) User SAP*
- The user must exist in all clients and must be locked in all clients
- The password must be changed from the default or initial master value.
- The user must belong to the group SUPER in all clients
- Profile parameter login/no_automatic_user_sapstar must be set to 1
b) User DDIC
- The password must be changed from the default or initial master value.
- The user must belong to the group SUPER in all clients
c) User SAPCPIC
- The password must be changed from the default or initial master value.
- The user must belong to the group SUPER in all clients

- If you don’t need the user SAPCPIC then this user should be deleted
d) User TMSADM
- The password must be changed from the default or initial master value.
See SAP note 1414256 – “Changing TMSADM password is too complex”
- The user must not exist in any other client than client 000
- The user must belong to the group SUPER
e) User EARLYWATCH
- The password must be changed from the default or initial master value.
- The user must belong to the group SUPER
Alternatively, you can delete client 066 according to SAP note 1749142 or the blog “How
to remove unused clients including client 001 and 066” on SCN.

f) Standard users created by the SAP Solution Manager


- With new installations of the SAP Solution Manager all generated users get specific passwords.
However, old installations of the SAP Solution Manager may have generated users with well-known
passwords. See notes 2293011 and 2119627 for details; they list the following users:
SOLMAN_BTC, CONTENTSERV, SMD_BI_RFC, SMD_RFC,
SMDAGENT_<SAPSolutionManagerSID>, SMD_ADMIN, SMD_AGT, and additionally the dialog users
SAPSUPPORT and SOLMAN_ADMIN.
- Ensure that a specific password is used for these users. [6]

O-2: No use of ABAP authorization profiles SAP_ALL and SAP_NEW (critical)


The authorization profile SAP_ALL must not be assigned to any user. An exception from this rule is
possible for emergency accounts if the activation and use of such emergency accounts is
sufficiently controlled and monitored.
The authorization profile SAP_NEW and the role SAP_NEW [7] must not be assigned to any user. An
exception from this rule is possible only while preparing the technical part of a release upgrade.

O-3: Segregation of Basis Authorizations and Business Authorizations


Basis authorizations and business authorizations should be separated into different roles. Business
roles should be kept free from basis authorizations.

[6] Limitation: You cannot use report RSUSR003 or the SOS or the ConfigVal to validate these users.
[7] See blog “Life (profile SAP_NEW), the Universe (role SAP_NEW) and Everything (SAP_ALL)”
https://scn.sap.com/community/security/blog/2014/02/17/life-profile-sapnew-the-universe-role-sapnew-and-everything-sapall

O-4: Restricted Assignment of Critical ABAP Basis Authorizations (critical)


The assignment of critical basis authorization should be tightly controlled. Especially the
assignment of the following critical basis authorizations – which are checked in the EarlyWatch
Alert report – should be avoided or limited as far as possible:
- Authorization to change or display all tables
- Authorization to start all reports
- Authorization to debug / replace (forbidden in production systems)
- Authorization to display other users' spool requests
- Authorization to administer RFC connections
- Authorization to execute all Function Modules
- Authorization to reset/change user passwords

O-5: RFC Authorizations in ABAP Systems


RFC Authorizations (S_RFC) must be explicitly defined and assigned.
The assignment of S_RFC=* is not allowed

O-6: Java Systems Administrators (defined in the ABAP Application Server) (critical)
Make sure that no users other than system administrators belong to the standard "Administrators"
group (for single stack installations) or SAP_J2EE_ADMIN (for dual stack installations).

2.4.2 Authentication and Single Sign-On


At the moment there are no baseline requirements for Authentication and Single Sign-On Security.

2.4.3 Support Security


O-7: Support Security
A clear process description defining the following requirements has to be set up:
- when OSS connections can be opened
- who is authorized to open OSS connections (SAP Basis)
- how SAP Support may access the system (using a user with display authorizations or using a
firefighter user in production environments)
See the annotation chapter / document for more recommendations.

2.4.4 Security Review and Monitoring


O-8: Security Audit Log in ABAP Systems (critical)
a) The Security Audit Log must be activated by setting
rsau/enable = 1 with
rsau/selection_slots ≥ 10 and
rsau/user_selection = 1 (see S-1)


The same requirement holds for the Security Audit Log Kernel Parameters which you can define
with transaction SM19: “Security Audit active”, “Number of Selection Filters”, and “Generic User
Selection”.
b) At least the following audit slots must be defined and activated:
- Audit all events for critical users like SAP* (using filter SAP#*), emergency users like FF*,
support users like SAPSUPPORT*
- Audit critical events for all users
See the annotation chapter / document for more recommendations.
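An added example, not part of the template: a Python check of the O-8 a) profile parameters against a constructed instance profile excerpt (the real input is the instance profile of the system or the ABAP_INSTANCE_PAHI store). It assumes the plain `name = value` profile line format with `#` comments and treats unset parameters as non-compliant.

```python
"""Profile parameter check for baseline O-8 a) (Security Audit Log).

Added example, not part of the SAP Security Baseline Template. Real input is
the instance profile of the ABAP system (or the Configuration Validation store
ABAP_INSTANCE_PAHI); the profile text below is constructed for the demo.
Caveat from the template: as of release 7.31 the rsau/* profile parameters are
ignored when "Kernel Parameters" are maintained in SM19, so the effective
activation status must then be read from the AUDIT_CONFIGURATION store.
"""

# Rules from O-8 a): parameter -> (operator, expected value). An unset
# parameter fails, because the kernel default (e.g. rsau/enable = 0) does
# not meet the baseline.
O8_RULES = {
    "rsau/enable": ("eq", 1),
    "rsau/selection_slots": ("ge", 10),
    "rsau/user_selection": ("eq", 1),
}

# Constructed instance profile excerpt: audit log switched on, but with too
# few selection slots and without generic user selection.
SAMPLE_PROFILE = """\
# Security Audit Log (constructed sample)
rsau/enable = 1
rsau/selection_slots=8
rsau/user_selection = 0     # generic user selection switched off
"""


def parse_profile(text):
    """Return {parameter: value} from SAP profile text.

    '#' starts a comment and the first '=' separates name and value; if a
    parameter occurs twice, the later assignment wins in this parser.
    """
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_rules(params, rules=O8_RULES):
    """Evaluate each rule; returns a list of (parameter, actual, rule, ok)."""
    findings = []
    for name, (op, expected) in rules.items():
        raw = params.get(name)
        try:
            actual = int(raw)
        except (TypeError, ValueError):
            actual = None            # missing or non-numeric value
        if actual is None:
            ok = False
        elif op == "eq":
            ok = actual == expected
        elif op == "ge":
            ok = actual >= expected
        else:
            raise ValueError(f"unknown operator {op!r}")
        findings.append((name, raw, f"{op} {expected}", ok))
    return findings


def is_compliant(params, rules=O8_RULES):
    """True only if every rule of the baseline is met."""
    return all(ok for _, _, _, ok in check_rules(params, rules))


if __name__ == "__main__":
    for name, raw, rule, ok in check_rules(parse_profile(SAMPLE_PROFILE)):
        print(f"{'OK  ' if ok else 'FAIL'} {name} = {raw!r} (baseline: {rule})")
```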

2.5 Security Compliance (Identifier Prefix X)


2.5.1 Security Governance
At the moment there are no baseline requirements for Security Governance described in this
document.

2.5.2 Audit
X-1: Audit
a) Define logs and traces to be collected: activate and configure the security audit log
b) Restrict access to log data and logging facilities
c) Ensure the auditability of systems by enforcing appropriate and effective security, e.g. no
unrestricted authorizations (e.g. SAP_ALL) or debug/replace authorizations on production systems
d) Analyze logs with appropriate tools
e) Perform security assessments like penetration tests and vulnerability scanning
f) Audit the different Secure Operations Tracks e.g.:
- infrastructure settings and communication interfaces
- user and authorizations (spot checks, GRC access control)

2.5.3 Cloud Security


At the moment there are no baseline requirements for Cloud Security described in this document.

2.5.4 Emergency Concept


At the moment there are no baseline requirements for the Emergency Concept described in this
document.


3 Verifying Compliance
Verifying compliance of a system or landscape against the baseline requirements given in chapter
2 is obviously a key demand. You can check some of those requirements in an easy and reliable
way through technical means i.e. using the application “Configuration Validation” of the SAP
Solution Manager. This chapter provides an overview over such means and their coverage on the
requirements.
IDs marked in bold/underlined/red refer to critical requirements from chapter 2

ID | Requirement | How to verify | Remarks
I-1 | Network Segregation | Network Architecture Review
I-2 | Communication Encryption | Network Architecture Review
I-3 | DMZ Authentication | Network Architecture Review
I-4 | SAProuter Security | b) Remote SOS; a) c) manually
I-5 | Web Dispatcher Security | Configuration Validation | Except a)
I-6 | Administrative Access | Network Architecture Review
I-7 | Windows Security Requirements | manually
I-8 | Unix Security Requirements | manually
I-9 | General Database Security Regulations | manually
I-13 | SAP HANA Security | manually
I-10 | SAP MaxDB Security | manually
I-11 | Oracle DB Security | manually
I-12 | SAPGUI Security | manually
C-1 | Maintenance of SAP Code | a) Configuration Validation (number of SPs, not time); b) System Recommendations | A single check at a single point in time does not make sense here. A reasonable process must be implemented
C-2 | Security of Custom Code | manually
S-1 | ABAP Profile Parameters | Configuration Validation
S-2 | Protection of Password Hashes in ABAP Systems | Configuration Validation
S-3 | Modification Protection for Production Systems | Configuration Validation
S-4 | Secure Configuration of Java Systems | manually; c) d) Configuration Validation | Requirement needs refinement
S-5 | UME Parameters | Configuration Validation
S-6 | RFC Connectivity | a) b) d) e) manually; c) f) Configuration Validation | Only profile parameters are currently assessable via Configuration Validation
S-7 | RFC Gateway Security | a) manually (reporting available); b) c) d) e) Configuration Validation
S-8 | Message Server Security | Configuration Validation | Sub-requirement a) cannot be assessed via Configuration Validation
S-9 | Limit Web-Enabled Content | Configuration Validation
S-10 | Malware Scanning for Uploaded Files | manually
O-1 | Handling of ABAP Default Users in ABAP Systems | Configuration Validation | Limitation: only the users which are checked by report RSUSR003 can be checked by Configuration Validation
O-2 | No use of authorization profiles SAP_ALL and SAP_NEW | Configuration Validation
O-3 | Segregation of Basis Authorizations and Business Authorizations | Configuration Validation | In relation to a list of selected critical basis authorizations. Limit the list of authorizations to be checked to avoid abort of collector operations
O-4 | Restricted Assignment of Critical Basis Authorizations | Configuration Validation
O-5 | RFC Authorizations | Configuration Validation
O-6 | Java Systems Administrators | manually
O-7 | Support Security | manually | Process definition and description required
O-8 | Security Audit Log (ABAP) | Configuration Validation
X-1 | Audit | manually | Process definition and description required


3.1 Configuration Stores


3.1.1 Configuration Stores for HANA based systems
Topic | Target System | Configuration Stores
SAP HANA Security in general | BL_I-13 | AUDIT_POLICIES; HDB_LEVEL; HDB_PARAMETER; PUBLIC_USERS; SEGREGATION_NATIVE_OBJECTS; SPECIAL_PRIVILEGES

3.1.2 Configuration Stores for ABAP based systems


Topic | Target System | Configuration Stores
ABAP Profile Parameters in general | BL_S-1 | ABAP_INSTANCE_PAHI (configuration items rec/client/*, snc/*)
Password Policy | BL_S-1 | ABAP_INSTANCE_PAHI (configuration items login/*); SECURITY_POLICY ("Security Policies for Users")
Web Dispatcher Security | BL_I-5 | ABAP_INSTANCE_PAHI (configuration items icm/*)
Modification Protection for Production Systems | BL_S-3 | GLOBAL; CLIENTS
Handling of ABAP Default Users in ABAP Systems | BL_O-1 | ABAP_INSTANCE_PAHI (configuration item login/no_automatic_user_sapstar); STANDARD_USERS
Protection of Password Hashes in ABAP Systems | BL_S-2 | USER_PASSWD_HASH_USAGE; AUTH_PROFILE_USER; AUTH_COMB_CHECK_USER
No use of authorization profiles SAP_ALL and other critical authorization profiles | BL_O-2 | AUTH_PROFILE_USER (configuration items SAP_ALL, SAP_NEW); AUTH_ROLE_USER; AUTH_TRANSACTION_USER
Segregation of Basis and Business Authorizations | BL_O-3 | AUTH_COMB_CHECK_USER
Restricted Assignment of Critical Basis Authorizations | BL_O-4 |
RFC Authorizations | BL_O-5 |
Java Systems Administrators (ABAP) | BL_O-6 |
RFC Connectivity | BL_S-6 | ABAP_INSTANCE_PAHI (configuration items auth/rfc_authority_check, snc/accept_insecure_r3int_rfc, snc/accept_insecure_rfc); RFCDES_TYPE_3_CHECK
RFC Gateway Security | BL_S-7 | ABAP_INSTANCE_PAHI (configuration items gw/*); GW_SECINFO; GW_REGINFO; SAP_KERNEL
Message Server Security | BL_S-8 | ABAP_INSTANCE_PAHI (configuration items ms/*, rdisp/msserv_internal); MS_SECINFO; MESSAGE_SERVER_PORT
Limit Web-Enabled Content | BL_S-9 | SICF_SERVICES
Security Audit Log | BL_O-8 | ABAP_INSTANCE_PAHI with configuration items rsau/* (Caution: the profile parameters are ignored if "Kernel Parameters" are used in transaction SM19 as of release 7.31); AUDIT_CONFIGURATION (this store shows the current activation status, based either on the profile parameters or, if used, on the "Kernel Parameters")
Maintenance of Code | | ABAP_NOTES; ABAP_TRANSPORTS; System Recommendations results; ABAP_COMP_RELEASE; SAP_KERNEL

3.1.3 Configuration Stores for Java based systems


Topic | Target System | Configuration Stores
Maintenance of Code | | JAVA_NOTES; System Recommendations results
Secure Configuration of Java Systems | BL_S-4 | com.sap.security.core.ume.service; http; servlet_jsp
RFC Gateway Security | BL_S-7 | Parameters (of group SAP START SERVICE)
UME Parameters | BL_S-5 | com.sap.security.core.ume.service


4 Annotations and Additional Information


4.1 Infrastructure Security
4.1.1 Network Security

4.1.1.1 Network Zones and Firewalls


From a security requirement point of view, in general, a network topology like the one shown in the
picture below has to be set up:

The server network must be protected from the client network; only required services should be
reachable (e.g. SAPGUI access, HTTP / HTTPS access). Direct access to database ports, for instance,
should not be possible from the client network. Operate your systems in a closed, secure LAN or use
SAProuters and packet filters to control access to the systems.
Non-trusted Networks (e.g. Internet, networks of third party companies):
Information classified as confidential or secret has to be encrypted when being transmitted across
non-trusted networks. Access to SAP Systems has to be protected by DMZs and proxy servers or
application gateways. The firewalls protect the network from undesired access by persons or
resources outside of the designated area (for example access from the internet to the systems).
The application gateway or proxy server in the DMZ makes sure that requests are not directly
passed through to the desired resource, but are handled by the gateway or proxy server's own
cache. Not only does this buffer zone reduce network load, but it also allows you to filter requests
increasingly from the external to the internal networks through the multiple firewalls. Application
servers, database servers, and the user management systems have increased protection and are
only accessible by authorized users or resources.
Trusted Network (Border Gateway zones like IDMZs, Database Zone; secure cells like Intranet
Secure Network ISN):
Only authorized people should be allowed to access the trusted network. Due to the risk of sniffing
attacks by people authorized to access the intranet, information classified as secret (e.g.
passwords) must be transmitted encrypted.


High Security Networks (Data Centers):


Access to High Security Networks should only be granted if there is a clear business need. The
network must be configured such that a PC connected to the network cannot monitor the traffic between
different components. Any port which is not used should explicitly be deactivated. It is highly
advised to allow (SAP GUI / RFC) access only via SAProuter, or to use an HTTP reverse proxy
(such as Apache).
Positioning of Servers in Network Zones

Server | Comments | Area

Generally
   If no direct interaction between web client and application server is required  High security area
   Web application called by the client  Inner DMZ

Database Server
   Should be located "close" to the respective Application Server to optimize performance (Bandwidth, Latency) and session stability
   You can separate the DB server as well
   same network zone as the Application Server

LDAP directory
   External users  Inner DMZ
   Internal users or unique common user persistence (used by other applications)  High security area

T-Rex
   Interacts directly with an Application Server in the "Inner DMZ" zone (e.g. Portal/KMC or ISA)  considered as backend server
   High security area

KM-Repositories
   CM-Repository: located in the database (e.g. "dbonly")  Inner DMZ
   Other repositories: depends on repository type and access path  Inner DMZ or High security area

ITS (aka SAPGUI for HTML or "WebGUI")
   Integrated ITS  accessed directly by the client but also part of a backend server  High security area
   Nonintegrated ITS (up to 640): WGate (accessed directly by the client) and AGate split  Inner DMZ and High security area

BSP/BEx-Web-Applications
   Accessed directly by the client but part of a backend server  High security area

Additional components (application-specific)
   Check requirements for additional components required for the respective business scenario (e.g. CRM-ISA, HR-eRecruitment, LAC)  Inner DMZ or High security area

Application Gateway / Loadbalancer
   Scenario "Loadbalancing between Application Gateways"  AG: Outer DMZ, LB: Inner DMZ
   Scenario "Application gateway protects Loadbalancer" (typical)  LB: Outer DMZ, AG: Inner DMZ

4.1.1.1.1 Client – Server Communication – ABAP Systems


The following picture provides an overview of inbound and outbound communication of ABAP
based SAP Systems with the corresponding protocols and the appropriate encryption that has to
be used:

[Figure: inbound and outbound communication of ABAP based SAP Systems; labels recoverable from the picture: SAPlpd + SNC, LDAP + SSL]

Services that are not required by clients should not be accessible from client network.
The following picture displays the “internal” communication of ABAP systems with the
corresponding protocols and the appropriate encryption that has to be used:
As there is a high network load especially for connections between application server instances
and database instance, encryption can have impact on the necessary infrastructure (CPU power
and memory) but today normally it can be neglected. Nevertheless it is recommended to test the
performance as part of the evaluation.
The firewall has to be a combination of a port filter and a SAProuter as gateway for requests via
classical protocols (e.g. RFC) and administrative access, and / or an HTTP reverse proxy (e.g. SAP
Web Dispatcher) for HTTP access.


4.1.1.1.2 Client – Server Communication – Java Systems


The following picture provides an overview of inbound and outbound communication of Java based
SAP Systems with the corresponding protocols. All communication has to be encrypted. This
means that regardless of what protocol is used, every connection has to be protected by use of the
appropriate encryption. For example: the HTTP connection between the HTTP client and the AS Java
has to be encrypted by SSL.


Services that are not required by clients should not be accessible from client network.

4.1.1.1.3 Server – Server Communication


Development, test and production systems have to be divided into separate network segments,
and each of the network segments has to be protected by a firewall.
It is very important to separate DEV, TEST and PROD systems and allow only dedicated access.
At a minimum, PROD has to be separated. The TEST systems can then be placed either with DEV or
with PROD, depending on whether productive data are stored in the TEST landscape or not.

4.1.1.2 SAP provided Gateways and Reverse Proxies and standalone components
Web Dispatcher and SAProuter are application gateways to SAP Systems. They are highly
integrated with the SAP environment, but on no account do they replace "real" security products
like firewalls, reverse proxies or security appliances.
The following standalone components are relevant in SAP NetWeaver Environments:
- SAProuter
- SAP Web Dispatcher
- RFC Gateway (integrated or standalone – addressed later in this document in the chapter
“Secure Configuration of ABAP Systems”)


4.1.1.2.1 SAProuter
As SAProuter is an SAP program that protects the SAP network, it has complementary
functionality to an existing port filter and should always be used in combination with it. SAProuter
should be used as a gateway for classical ABAP connections.
From the security point of view, SAProuter should be considered for the following reasons:
- Control and log connections to SAP Systems
- To set up an indirect connection if a direct connection is not possible due to network
configuration
- Improve Network Security by implementing and setting the following:
- SAProuter passwords
- Only allowing access from specific hosts
- Only allowing access to specific services of specific hosts
- Only accept SNC secured connections
- Use SAProuter as SNC tunnel
Furthermore, the increase of performance and stability by reducing the SAP System load within the
local area network (LAN) when communicating with a wide area network (WAN) should be
considered.
SAProuter has to be checked for policy compliance. Especially the SAProuter Route Table
(consists of connection entries) and the SAProuter Executable have to be protected.
Apply the following steps for compliance:
- The Route Table has to be especially protected against changes. This has to be done by means of
the operating system. The default name of the Route Table is saprouttab.
- SAProuter has to be configured to protect particular connections with a password.
- This password is entered in the Route Table and therefore stored unencrypted. Therefore it is
mandatory to use a password that is not related to any personal password.
- Encrypt those connections that are using a password for the SAProuter connection. This can
be enforced by using the parameter “s” within the Route Table (connections not using SNC are
rejected in this case).
The SAProuter executable (saprouter on UNIX / Linux or saprouter.exe on Windows) has to
be protected, as SAProuter is administered by using the SAProuter executable and appropriate
“SAProuter Options”.

Field | Meaning | Possible Values
t | Type | P = permitted, D = denied, T = SNC target
s | SNC | X = secure network communication required
n | Native | X = native protocols permitted
shs | previous SAProuter hops | number
dsh | post SAProuter hops | number
s-add | source address |
s-msk | source address mask |
d-add | destination address |
d-msk | destination address mask |
a | all destination ports | X = no port specified
d-p-l | destination port min (low) | 16-bit integer
d-p-m | destination port max (high) | 16-bit integer
pwd | password | string
snc-n | SNC name | string
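The fields above describe the entries of the route table; in the saprouttab file they appear as lines `<type> <source-host> <dest-host> <dest-service> [<password>]`, where the K-prefixed types (KP, KS, KD, KT) correspond to field s = SNC required. The following Python audit is an added example, not SAP code, run over a constructed saprouttab; it flags password-protected routes without SNC, wildcard sources, destinations and services, and P-type entries that permit native protocols (field n).

```python
"""Audit a SAProuter route table (saprouttab) against section 4.1.1.2.1.

Added example, not SAP code. Assumes the classic saprouttab line format
    <type> <source-host> <dest-host> <dest-service> [<password>]
with types P (permit), S (permit SAP protocol only, no native protocols),
D (deny) and the SNC variants KP, KS, KD, KT; '#' starts a comment.
"""
from collections import namedtuple

Route = namedtuple("Route", "lineno rtype src dst service password")

# Constructed sample: line 2 is fine apart from permitting native protocols,
# line 3 stores a clear-text password on a non-SNC route, line 4 is wide open,
# line 5 is a tight SAP-protocol-only route and line 6 the closing deny.
SAMPLE_SAPROUTTAB = """\
# saprouttab (constructed sample)
KP  admin-jump.corp.example  sapprd01  3200
P   10.10.2.17               sapprd01  3299  s3cret
P   *                        sapprd02  *
S   monitor.corp.example     sapprd01  3300
D   *                        *         *
"""


def parse_saprouttab(text):
    """Parse route table text into Route tuples, keeping the file line number."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields, got {fields!r}")
        password = fields[4] if len(fields) > 4 else None
        routes.append(Route(lineno, fields[0].upper(), fields[1], fields[2],
                            fields[3], password))
    return routes


def audit_routes(routes):
    """Return (lineno, severity, message) findings for entries that widen access."""
    findings = []
    for r in routes:
        if r.rtype in ("D", "KD"):
            continue                       # deny entries never grant access
        snc = r.rtype.startswith("K")      # field "s": SNC required
        if r.password and not snc:
            findings.append((r.lineno, "high",
                             "password-protected route without SNC: the password is stored "
                             "in clear text in saprouttab and the connection is not encrypted"))
        if r.dst == "*":
            findings.append((r.lineno, "high", "permits any destination host"))
        if r.src == "*":
            findings.append((r.lineno, "medium",
                             "permits any source host; restrict to specific hosts"))
        if r.service == "*":
            findings.append((r.lineno, "medium",
                             "permits all services of the destination; list the required ports"))
        if r.rtype in ("P", "KP"):
            findings.append((r.lineno, "info",
                             "type P permits native protocols (field n); use S/KS if only "
                             "SAP protocols are needed"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 2}."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, severity, message in audit_routes(parse_saprouttab(SAMPLE_SAPROUTTAB)):
        print(f"line {lineno} [{severity}] {message}")
```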

4.1.1.2.2 SAP Web Dispatcher


The SAP Web Dispatcher as part of SAP NetWeaver is a reverse proxy receiving HTTP(S)
requests and distributing them to SAP Systems. The Web Dispatcher should not be used as the first
entry point from the internet.

So the main purpose of the SAP Web Dispatcher should be to provide an SAP integrated load
balancing mechanism. Additionally, it can be used as the end point of the SSL encryption.
To guarantee maximum security when using the Web Dispatcher, the following measures have to
be taken when the system is in operation:
 Always keep Web Dispatcher up-to-date. SAP note 538405 describes where you can find
the latest version.
 Configure error pages, so that the technical reason for the error does not arrive at the end
user, by using a specific directory to store web error pages and setting the corresponding
profile parameter to this directory, e.g. by setting icm/HTTP/error_templ_path =
/usr/sap/<SID>/<Instance>/data/icmerror. In addition, set the parameter
is/HTTP/show_detailed_errors to FALSE. After you have done this, no details about
the error are passed to the client.
 Use the Web Dispatcher as a URL filter with positive lists. In any case, filter the following
URLs since they return information about the infrastructure and configuration:
o D /SAP/public/icman/*
o D /SAP/public/ping
o D /sap/public/icf_info/*
 Block the access to the internal information page by using the following entry in your
URI permission table:
o D /SAP/wdisp/information


 Implement the following settings to increase security in the web administration interface:
o Use HTTPS to prevent the password from being intercepted. Use an HTTPS port
that has been set up with the parameter icm/server_port_<num> (see footnote 8) in the URL.
o Allow Web Dispatcher administration only on ports that have a secure protocol
(HTTPS), by setting the PORT option of the parameter icm/HTTP/admin_<num>
to an HTTPS port.
o Configure a port that can only be accessed from the internal network as the
administration port. Use the PORT option of the parameter
icm/HTTP/admin_<num> to do this.
o Allow administration only under a certain host name or IP address, which can only
be accessed from the internal network. To do this, use the HOST option of the
parameter icm/HTTP/admin_<num>.
o Limit administration to clients from the internal network. To do this, use the
CLIENTHOST option of the parameter icm/HTTP/admin_<num>.
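As an added example (not code from SAP or the template), the following Python check applies the measures above to two constructed Web Dispatcher profile excerpts: each icm/HTTP/admin_<num> must bind via PORT to a port whose icm/server_port_<num> has PROT=HTTPS and must carry HOST and CLIENTHOST, is/HTTP/show_detailed_errors must be FALSE, and icm/HTTP/error_templ_path must be set. Host names, ports and paths in the samples are assumptions.

```python
"""Check Web Dispatcher profile parameters against section 4.1.1.2.2.

Added example, not SAP code. Both profile excerpts are constructed; the option
syntax "KEY=VALUE,KEY=VALUE" of icm/server_port_<n> and icm/HTTP/admin_<n>
is the one used in the section above. Host names, ports and paths are assumptions.
"""
import re

WEAK_PROFILE = """\
# constructed Web Dispatcher profile, before hardening
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt,PORT=8000
is/HTTP/show_detailed_errors = TRUE
"""

HARDENED_PROFILE = """\
# constructed Web Dispatcher profile, after hardening
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/server_port_2 = PROT=HTTPS,PORT=44301,HOST=wdisp-admin.internal.example
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt,PORT=44301,HOST=wdisp-admin.internal.example,CLIENTHOST=10.20.0.5
is/HTTP/show_detailed_errors = FALSE
icm/HTTP/error_templ_path = /usr/sap/WD1/W00/data/icmerror
"""


def parse_profile(text):
    """Return {parameter: value}; '#' starts a comment, first '=' splits name/value."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def parse_options(value):
    """'PROT=HTTPS,PORT=44300' -> {'PROT': 'HTTPS', 'PORT': '44300'}"""
    opts = {}
    for item in value.split(","):
        if "=" in item:
            key, val = item.split("=", 1)
            opts[key.strip().upper()] = val.strip()
    return opts


def check_web_dispatcher(params):
    """Return a list of findings; an empty list means all measures are met."""
    findings = []
    # listening port -> protocol, from every icm/server_port_<n>
    ports = {}
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            opts = parse_options(value)
            if "PORT" in opts:
                ports[opts["PORT"]] = opts.get("PROT", "").upper()
    for name in (n for n in params if re.fullmatch(r"icm/HTTP/admin_\d+", n)):
        opts = parse_options(params[name])
        port = opts.get("PORT")
        if port is None:
            findings.append(f"{name}: no PORT option; administration is not bound to a dedicated HTTPS port")
        elif ports.get(port) != "HTTPS":
            findings.append(f"{name}: PORT={port} is not an HTTPS port "
                            f"(icm/server_port PROT={ports.get(port, 'undefined')})")
        if "HOST" not in opts:
            findings.append(f"{name}: no HOST option; administration not limited to an internal host name/IP")
        if "CLIENTHOST" not in opts:
            findings.append(f"{name}: no CLIENTHOST option; administration not limited to internal clients")
    if params.get("is/HTTP/show_detailed_errors", "").upper() != "FALSE":
        findings.append("is/HTTP/show_detailed_errors is not set to FALSE: error details reach the client")
    if not params.get("icm/HTTP/error_templ_path"):
        findings.append("icm/HTTP/error_templ_path not set: no custom error pages configured")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_web_dispatcher(parse_profile(text)))
```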

The following network services are required to be accessible from end user networks in most
ABAP installations. All other network services are typically not required and should be blocked
between the end-user-network and ABAP systems. NN is the placeholder for the instance number
of the SAP software system.

Service | Required for | Port Number
Dispatcher | The dispatcher is used by SAPGUI. The communication protocol used is DIAG. | 32NN
RFC Gateway | The RFC gateway manages remote function call (RFC) communication. | 33NN
Message Server | The message server manages load-balancing information and SAP internal communication. | 36NN
HTTPS | Secure HTTP | 443NN

Administrative access to the ABAP system needs to be done from an administrative network. This
network is only allowed to access the ABAP system with administrative protocols like SSH, RDP,
database administration, etc.

4.1.1.3 Administrative Access to SAP Systems


As certain connections are not required for a classical end user, but for administrative purposes the
following examples have to be paid particular attention to:
- Direct Access to Databases using administrative Database Clients (e.g. MS SQL Server
Management Studio, Oracle SQL Studio, …)
- telnet / P4 access to Java Server (P4 access using Visual Administrator)
- SSH access to administer Unix / Linux operating systems
Access from client network should only be allowed if the following prerequisites are met:

8 This requirement holds for the parameter defining the web protocol. Keep in mind that other protocols like
P4 or SMTP should be secured as well.


- Firewall ACL may contain dedicated clients, no general access is granted.


- A secured Authentication Mechanism
- Established SNC (Secure network communication) connections between two SAProuters.
No additional hardware is required at either end of the connection. The technology of SNC
makes the connection over the internet secure, using state-of-the-art encryption
- Access is just permitted on demand, if the connection is not required on a daily / regular
basis
Note:
A firewall ACL must not be the only means of protection (e.g. consider IP spoofing attacks here).
An alternative to get administrative access to required services is the usage of a terminal server
within the server network and a secured RDP connection to the terminal server.
Dedicated exceptions have to be maintained in the firewall ACL. For the administrative access to
the server farm the use of specific RDP / terminal server access is mandatory.

4.1.2 Operating System Security

4.1.2.1 Windows

4.1.2.1.1 Windows Groups and Users in an SAP System Environment


Windows distinguishes between domain groups and local groups.
In a Windows domain there are domain local, domain global and universal groups. Domain groups
are valid within a Windows domain, not only on one server. Therefore, it is necessary to bundle the
domain users into different activity groups, depending on their tasks. The domain administrator can
export these activity groups to other domains, so the respective user can access all resources
needed to administer the SAP system.
The standard domain global group for SAP system administrators is named
SAP_<SID>_GlobalAdmin.
Local user groups, as well as local users, exist locally on one server.
During the installation of an SAP system, user rights are assigned to local users instead of groups.
For example, the user <sid>adm gets the user right Log on as a service. However, to simplify user
administration, server resources should be assigned to local groups instead of single users, and
the appropriate domain users and domain groups should then be assigned to the local group.
Note:
If a local group of users, or a single local user, is defined on a domain controller, the group or user is
known on all domain controllers within the domain. Therefore installing SAP systems on a domain
controller has to be avoided.

4.1.2.1.2 Windows Operating System User Settings in an SAP System


 Windows automatically creates the users Administrator and Guest during the installation. They
are not needed for SAP system operations.
 The Guest account needs to be enabled only if non-authenticated users (that have not
specified a valid user name or password) are to be granted access to resources on a computer.
The Windows built-in user Administrator has unlimited access to all Windows resources. Change
the user name and hide its password. Create other users for administrative tasks and limit their
rights to those tasks for which they are used (for example, user administrators, backup operators,
or server operators).
The <sid>adm user is the Windows user for SAP system administration.
To protect this user from unauthorized access, take the following precautions:


 Change the password regularly.


 Restrict the access rights to instance-specific resources for the SAP system only.
Although <sid>adm can access SAP system files, a different user runs the SAP system itself,
namely SAPService<sid>.
Since the SAP system must run even if no user is logged on to the local Windows machine, the
SAP system runs as a Windows service. Therefore, during the installation, the user
SAPService<sid> receives the right to Log on as a service on the local machine.
SAPService<sid> also administers the SAP system and database resources within the
Computing Center Management System (CCMS). Therefore, it needs full access to all instance-
specific and database-specific resources such as files, shares, peripheral devices, and network
resources.
Note:
It is rather difficult to change the password of this user. To change the password for a Windows
service user, you must stop the service, change the password for the service user, edit the start-up
properties of the service, and restart it. Therefore, to change the password of this user, you need to
stop the SAP system.
In addition, prevent this special service user from logging on to the system interactively. This
prevents misuse by users who try to access the system from the presentation servers. You then do
not have to set an expiration date for the password and you can disable the setting change
password at logon.
Do not include the SAPService<sid> user in the local Administrator group of the Windows
operating system.
Furthermore, with regard to authentication, the passwords of standard operating system users
have to be changed regularly.
With respect to authorization, system resources belonging to the SAP System have to be
protected. This includes the protection of files, processes and shared memory.

4.1.2.1.3 SAP Systems in the Windows Domain Concept


It is recommended to create two separate domains for your company domain and your SAP
system domain. A trust relationship between the two domains, which is useful for single sign-on
functionality, should be set up.
 In the company domain, set up your domain users (to include your SAP system users) and
your company domain administrator.
 In the SAP domain, set up your SAP system servers, services and administrators,
including:
o SAP system application and database servers
o SAP system or database services
o SAP system administrators
o Windows administrators
o SAP domain administrator
It is also recommended to establish separate domains for the company data and the SAP system.
Furthermore, the Windows trusted domain concept should be used as certain SAP-specific features
and Windows-specific services require trust relationships between domains.

4.1.2.1.4 Securing Data Relevant to the SAP System


 Regardless of whether the SAP system is installed centrally or as a distributed system, it is
recommended to set up one domain that contains the SAP system application and
database servers.


 It is strongly recommended to set up all SAP system servers in one Windows domain. For
short-term test installations or demonstration purposes only, you might install a central SAP
system that is not located in a Windows domain. However, this setup is recommended for
limited use only. It is difficult to introduce the domain concept to a system that is already in
use.
 In a central installation on a server in a domain, all SAP system administrators are
members of the local group SAP_<SAPSID>_LocalAdmin.
 In a distributed installation with several server machines in the domain, a global group is set
up for the SAP system (SAP_<SAPSID>_GlobalAdmin). This global group itself is a
member of the server's local groups and contains the SAP system administrators. This also
simplifies the administration in the client or server environment, since new users who need
SAP system administration rights only need to become members of the global group.

4.1.2.1.5 Security Settings for Shared Memory


The shared memory is used by the SAP system dispatcher and the work processes for certain
activities, such as buffering (ABAP programs, database data) and sharing interprocess information.
These processes use the Access Control List (ACL) of their executable (dispatcher: disp+work
on Unix or Linux, disp+work.exe on Windows) to protect the shared memory segments they are
creating or attaching. Therefore, users who have only Read, List Content and Execute permissions
on the executable cannot start programs that create the SAP shared memory segments, or write to
them.

4.1.2.2 Unix
This section discusses security under the UNIX or LINUX operating system, including
recommendations and preventive measures.

4.1.2.2.1 Protecting Specific Properties, Files and Services


There are certain precautions to take when using any of the following properties, files or services.
- SUID/SGID programs: only use versions of SENDMAIL (or similar SUID programs) in which
known errors have been corrected
- Password file (passwd): use a shadow password file that allows only the user root to access
the password information
- BSD services rlogin and remsh/rsh: the UNIX services for rlogin and remsh/rsh are especially
dangerous in regard to security. It is recommended to deactivate these services in the
inetd.conf file unless they are needed for specific purposes. Use secure alternatives like SSH
as a drop-in replacement.
- Network Information System (NIS): use secure alternatives such as LDAP (with SSL/TLS) or
Kerberos.
- Network File System (NFS): There are certain security risks involved when using these
services, especially when determining which directories should be made available. Do not
export directories that contain SAP data to arbitrary recipients using NFS. Export to known and
"trustworthy" systems only. Assign write authorization for NFS paths very carefully and avoid
distributing the home directories of users across NFS.
In summary, the following must be taken into account:
 Any services that are not needed have to be disabled
 Use tools for monitoring activities to detect potential misuse of these services.
 If these services are used, then use them only within a secure LAN.
 Do not export directories that contain SAP data to arbitrary recipients using NFS. Export to
"trustworthy" systems only.
 Protect the following users: root, <sid>adm and <db><sid>. These users should be the
only users that exist on the application servers and the main instance at the operating system
level. After installation, lock <db><sid> on the application servers.

24 Juli 2018 Document1 page 40 of 149


SAP SECURITY BASELINE TEMPLATE

 For critical users, empty the .rhosts files and set their permissions to 000.
 Either delete the file /etc/hosts.equiv or make sure that it is empty.
 Keep the operating system up to date with the security-related patches released by the
operating system vendor.

4.1.2.2.2 Setting Access Privileges for SAP System Directories Under UNIX/LINUX
It is recommended to apply the file and directory access privileges shown in the table below
(access privilege in octal form):

SAP directory or file                  Access privilege   Owner         Group
/<sapmnt>/<SAPSID>/exe                 755                <sapsid>adm   sapsys
/<sapmnt>/<SAPSID>/exe/saposcol        755                root          sapsys
/<sapmnt>/<SAPSID>/global              700                <sapsid>adm   sapsys
/<sapmnt>/<SAPSID>/profile             755                <sapsid>adm   sapsys
/usr/sap/<SAPSID>                      751                <sapsid>adm   sapsys
/usr/sap/<SAPSID>/<instance ID>        755                <sapsid>adm   sapsys
/usr/sap/<SAPSID>/<instance ID>/*      750                <sapsid>adm   sapsys
/usr/sap/<SAPSID>/<instance ID>/sec    700                <sapsid>adm   sapsys
/usr/sap/<SAPSID>/SYS                  755                <sapsid>adm   sapsys
/usr/sap/<SAPSID>/SYS/*                755                <sapsid>adm   sapsys
/usr/sap/trans                         775                <sapsid>adm   sapsys
/usr/sap/trans/*                       770                <sapsid>adm   sapsys
/usr/sap/trans/.sapconf                775                <sapsid>adm   sapsys
<home directory of <sapsid>adm>        700                <sapsid>adm   sapsys
<home directory of <sapsid>adm>/*      700                <sapsid>adm   sapsys
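A way to verify the table above on a host, as an added example that is not part of the baseline template or SAP-supplied code: the rows in BASELINE are taken from the table (rows that need an instance ID are left out), the function names are the author's own, and <SAPSID> and <sapmnt> are supplied as arguments to audit(). scratch_dir() only exists so the checker can be tried offline on a throw-away directory.

```python
"""Check SAP directory modes and ownership against the baseline table above.

Added example for this section, not SAP-supplied code. The rows in BASELINE
are taken from the table above (rows that need an instance ID are left out);
the function names are the author's own. <SAPSID> and <sapmnt> are supplied
as arguments to audit().
"""
import grp
import os
import pwd
import stat
import tempfile

# (path template, required mode, owner, group) from the baseline table.
BASELINE = (
    ("{sapmnt}/{sid}/exe", 0o755, "{sidadm}", "sapsys"),
    ("{sapmnt}/{sid}/exe/saposcol", 0o755, "root", "sapsys"),
    ("{sapmnt}/{sid}/global", 0o700, "{sidadm}", "sapsys"),
    ("{sapmnt}/{sid}/profile", 0o755, "{sidadm}", "sapsys"),
    ("/usr/sap/{sid}", 0o751, "{sidadm}", "sapsys"),
    ("/usr/sap/{sid}/SYS", 0o755, "{sidadm}", "sapsys"),
    ("/usr/sap/trans", 0o775, "{sidadm}", "sapsys"),
    ("/usr/sap/trans/.sapconf", 0o775, "{sidadm}", "sapsys"),
)


def _uid_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _gid_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def owner_group_of(path):
    """Owner and group names of a path, as the checker sees them."""
    st = os.lstat(path)
    return _uid_name(st.st_uid), _gid_name(st.st_gid)


def check_entry(path, want_mode, want_owner, want_group):
    """Return the findings for one path; an empty list means compliant.

    lstat() is used on purpose: a symbolic link planted in place of a
    directory is reported instead of being followed silently.
    """
    try:
        st = os.lstat(path)
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symbolic link")
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        findings.append(f"{path}: mode {mode:04o}, baseline {want_mode:04o}")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    owner, group = _uid_name(st.st_uid), _gid_name(st.st_gid)
    if owner != want_owner:
        findings.append(f"{path}: owner {owner}, baseline {want_owner}")
    if group != want_group:
        findings.append(f"{path}: group {group}, baseline {want_group}")
    return findings


def audit(sid, sapmnt="/sapmnt", baseline=BASELINE):
    """Expand the templates for one SAP system and check every row."""
    sidadm = sid.lower() + "adm"
    findings = []
    for template, mode, owner, group in baseline:
        path = template.format(sapmnt=sapmnt, sid=sid.upper())
        findings += check_entry(path, mode, owner.format(sidadm=sidadm), group)
    return findings


def scratch_dir(mode):
    """Create a temporary directory with an explicit mode, to try the checker offline."""
    path = tempfile.mkdtemp(prefix="sapperm-")
    os.chmod(path, mode)
    return path


def self_check(mode, want_mode):
    """Run check_entry on a scratch directory owned by the current process."""
    path = scratch_dir(mode)
    owner, group = owner_group_of(path)
    return check_entry(path, want_mode, owner, group)


if __name__ == "__main__":
    for line in audit("PRD") or ["all baseline paths compliant"]:
        print(line)
```

Run it as <sapsid>adm or root on each application server and treat any output as a finding; a deviation in the sec directory or the global directory is the one to look at first, because those hold the credentials and the shared runtime files.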

4.1.3 Database Security


SAP does not provide strong security mechanisms at application level for internal communication,
which includes the connection to the database. This means that, unless the database-level
measures described in this chapter (driver encryption, tunnels, network segmentation) are used,
the password of the database user is transmitted in plaintext. The recommendations in the
following Database Security chapter are important, but they are not exhaustive.

4.1.3.1 General Recommendations


 Whenever possible, use SAP tools to access the data in the database.
 Change the default password for SAPR3 or SAP<SID> (<SID>OFR on AS/400).
 Do not grant other DBA users any access to the following tables:
o USR* tables
o T000 table (no write access)
o General tables (such as SAPUSER or RFCDES) or application-specific tables (such
as PA* or HCL*)


Note:
For security reasons, use SAP tools whenever possible to access the database instead of tools
based on external applications.
If such tools have to be used for whatever reason, take the following precautions:
 Do not use the user SAPR3 or SAP<SID> to connect to the database. Create separate users
for such purposes.
 Restrict the access rights of such users to the necessary tables only.
 Assign read-only access to these users.
 Make sure that the consistency and the authorization security of your database are not
damaged.

4.1.3.1.1 Authentication and Encryption


The passwords of database users that are required for the authentication of the SAP system
against the database, or for authentication with database tools, have to be changed regularly.
To secure the authentication process as well as the communication, the following methods exist:
- Use the encryption mechanism provided by the proprietary database driver, if available (this
depends on the database vendor).
- Use operating system or application-level methods (e.g. SSH or SSL tunnels).
- Place the application servers and the database server in a separate high-security network
segment whose security measures make eavesdropping on network traffic difficult.
- Encryption within such network segments is not mandatory, but it is recommended.
- Use SSF for ABAP technology.

4.1.3.1.2 Authorization
Protection of database tables has to be implemented on application level by a suitable
authorization concept. This topic is not further evaluated in this document.

4.1.3.2 SAP HANA Security


On a multi-tenant HANA database the following topics apply to system database as well as to each
of the tenant databases.

4.1.3.2.1 Change Passwords of Users after Handover


The passwords of the SYSTEM user and of all other password-enabled, not deactivated users must
have been changed since the handover of the appliance to the customer. This applies to the
standard user SYSTEM as well as to all manually created database users. A list of the users
concerned can be gathered with:
select * from public.users where (not user_name = 'SYS' and not user_name like '_SYS_%'
and user_deactivated = 'FALSE' and is_password_enabled = 'TRUE') or user_name = 'SYSTEM'

Review the field PASSWORD_CHANGE_TIME, but be aware that it is not a fully reliable source of
information, for two reasons:
- If the password lifetime is disabled for the user, PASSWORD_CHANGE_TIME is null.
- If the password lifetime was re-enabled after having been disabled, PASSWORD_CHANGE_TIME is
set to the time of reactivation, not to the time of the last password change.


4.1.3.2.2 Deactivate SYSTEM user


Deactivate the SYSTEM user, but do not restrict its validity period (VALID_FROM / VALID_UNTIL).
Procedure: use the user maintenance user interface, then verify the result with the following
statement (USER_DEACTIVATED must be TRUE and the validity period must be unrestricted):
select user_name, valid_from, valid_until, user_deactivated from public.users
where user_name = 'SYSTEM'

Note: to deactivate the SYSTEM user you need to set up administration concept for SAP HANA db
including administration users and administration roles. Guidance can be found at following
document:
How to Define Standard Roles for SAP HANA Systems
https://scn.sap.com/docs/DOC-53974

4.1.3.2.3 Limit Password Lifetime


The password lifetime must be limited for all users. Exception: technical users may get an
unlimited password lifetime if required.
In a 3-tier scenario, typical technical application server users are SAP<SID> and DBACOCKPIT.
More users may exist depending on your scenarios.
A list of accounts with unlimited password lifetime can be found with the following statement:
select user_name, password_change_time from public.users
where password_change_time is null and (not user_name = 'SYS' and not user_name like '_SYS_%')

If the user SYSTEM is locked (deactivated) and its password is stored in a safe place for
emergency situations, it can be an option to allow an unrestricted password lifetime for SYSTEM
as well.

4.1.3.2.4 Password Policy


The default settings of the password policy provide sufficient protection; they may be changed
according to the customer's password policy.
Nevertheless, the following three settings must provide a minimum of protection:
- force_first_password_change = true
- maximum_unused_initial_password_lifetime <= 7
- minimal_password_length >= 8
You can review the settings in the HANA Studio at Security → tab 'Password Policy' or with:
select * from public.m_password_policy

4.1.3.2.5 System privilege DATA ADMIN


The system privilege DATA ADMIN must not be granted to any user or role. The following statement
must return no records (the standard users SYSTEM and _SYS_REPO are tolerated by the query as
the only exceptions):
select * from public.granted_privileges where object_type = 'SYSTEMPRIVILEGE'
and privilege = 'DATA ADMIN'
and not ( (grantee = 'SYSTEM' or grantee = '_SYS_REPO') and grantee_type = 'USER' )


4.1.3.2.6 System privileges must be Granted to Database Administrators Only


Privileges can be granted to users or roles (DB view public.granted_privileges).
Roles can be granted to users or to other roles, which forward their privileges (DB view
public.granted_roles).
Determine all users who hold a system privilege either directly or through a role (hierarchy),
and verify that only HANA DB administrators and system users such as SYS, SYSTEM and _SYS_%
appear in this list.
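The two previous checks (4.1.3.2.5 DATA ADMIN, 4.1.3.2.6 system privileges through the role hierarchy) both need the transitive closure over granted roles, which the SELECTs above do not give you. The following is an added example, not SAP code: it works on rows shaped like the columns used in this section's queries on PUBLIC.GRANTED_PRIVILEGES and PUBLIC.GRANTED_ROLES (GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, PRIVILEGE, ROLE_NAME). The rows below are constructed for the example, and the function names and the DBA_USERS allow-list are the author's assumptions; in practice the two lists are fetched from the views and fed in unchanged.

```python
"""Resolve effective SAP HANA system privileges through the role hierarchy.

Added example, not SAP code. Input rows mirror the column names of
PUBLIC.GRANTED_PRIVILEGES and PUBLIC.GRANTED_ROLES used in this section;
the rows here are constructed, and DBA_USERS is an assumed allow-list of
the customer's HANA administrators.
"""
from collections import deque

# Constructed rows: who holds which role (users and roles can hold roles).
GRANTED_ROLES = [
    {"GRANTEE": "ALICE", "GRANTEE_TYPE": "USER", "ROLE_NAME": "DBA_ROLE"},
    {"GRANTEE": "BOB", "GRANTEE_TYPE": "USER", "ROLE_NAME": "REPORTING"},
    {"GRANTEE": "REPORTING", "GRANTEE_TYPE": "ROLE", "ROLE_NAME": "LEGACY_OPS"},
    {"GRANTEE": "LEGACY_OPS", "GRANTEE_TYPE": "ROLE", "ROLE_NAME": "REPORTING"},  # cycle
    {"GRANTEE": "CAROL", "GRANTEE_TYPE": "USER", "ROLE_NAME": "MONITORING"},
]

# Constructed rows: privileges granted directly to users or roles.
GRANTED_PRIVILEGES = [
    {"GRANTEE": "DBA_ROLE", "GRANTEE_TYPE": "ROLE", "OBJECT_TYPE": "SYSTEMPRIVILEGE", "PRIVILEGE": "USER ADMIN"},
    {"GRANTEE": "LEGACY_OPS", "GRANTEE_TYPE": "ROLE", "OBJECT_TYPE": "SYSTEMPRIVILEGE", "PRIVILEGE": "DATA ADMIN"},
    {"GRANTEE": "MONITORING", "GRANTEE_TYPE": "ROLE", "OBJECT_TYPE": "SYSTEMPRIVILEGE", "PRIVILEGE": "MONITOR ADMIN"},
    {"GRANTEE": "BOB", "GRANTEE_TYPE": "USER", "OBJECT_TYPE": "SQL", "PRIVILEGE": "SELECT"},
    {"GRANTEE": "SYSTEM", "GRANTEE_TYPE": "USER", "OBJECT_TYPE": "SYSTEMPRIVILEGE", "PRIVILEGE": "DATA ADMIN"},
]

DBA_USERS = {"ALICE"}  # assumption: the named HANA DB administrators


def is_system_account(name):
    return name in ("SYS", "SYSTEM") or name.startswith("_SYS_")


def effective_system_privileges(user, roles=GRANTED_ROLES, privs=GRANTED_PRIVILEGES):
    """Return {privilege: grant path} for one user, following roles transitively.

    A path such as ['BOB', 'REPORTING', 'LEGACY_OPS'] tells the auditor
    through which role the privilege arrived. The visited set stops role
    cycles instead of looping forever.
    """
    direct = {}
    for p in privs:
        if p["OBJECT_TYPE"] == "SYSTEMPRIVILEGE":
            direct.setdefault((p["GRANTEE_TYPE"], p["GRANTEE"]), set()).add(p["PRIVILEGE"])
    contains = {}
    for r in roles:
        contains.setdefault((r["GRANTEE_TYPE"], r["GRANTEE"]), set()).add(r["ROLE_NAME"])

    result = {}
    queue = deque([(("USER", user), [user])])
    seen = set()
    while queue:
        node, path = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        for priv in sorted(direct.get(node, ())):
            result.setdefault(priv, path)      # keep the shortest path found first
        for role in sorted(contains.get(node, ())):
            queue.append((("ROLE", role), path + [role]))
    return result


def all_users(roles=GRANTED_ROLES, privs=GRANTED_PRIVILEGES):
    """Every USER grantee that appears in either view."""
    return sorted({r["GRANTEE"] for r in roles + privs if r["GRANTEE_TYPE"] == "USER"})


def audit(users, roles=GRANTED_ROLES, privs=GRANTED_PRIVILEGES, dba_users=DBA_USERS):
    """Findings for 4.1.3.2.5 (DATA ADMIN anywhere) and 4.1.3.2.6 (system privileges outside DBAs)."""
    findings = []
    for user in users:
        for priv, path in sorted(effective_system_privileges(user, roles, privs).items()):
            via = " -> ".join(path)
            if priv == "DATA ADMIN" and user not in ("SYSTEM", "_SYS_REPO"):
                findings.append(f"{user}: DATA ADMIN via {via}")
            elif not is_system_account(user) and user not in dba_users:
                findings.append(f"{user}: system privilege {priv} via {via}")
    return findings


if __name__ == "__main__":
    for line in audit(all_users()) or ["no findings"]:
        print(line)
```

The point of the path output is that the DATA ADMIN finding for BOB does not come from a grant to BOB at all, but from a role (LEGACY_OPS) nested two levels below the one he was given; the query in 4.1.3.2.5 only reports the grant to LEGACY_OPS, and without the closure nobody sees which users that grant actually reaches.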

4.1.3.2.7 SQL Trace Level


The SQL trace level must not be 'all_with_results', because at that level the trace file also
contains the result sets of the traced statements, i.e. application data.
Execute:
select * from public.m_inifile_contents where file_name = 'indexserver.ini'
and section = 'sqltrace' and key = 'level'

The field VALUE must not be 'all_with_results' in any of the selected records.

4.1.3.2.8 Audit Trail


You find the HANA Audit Trail user interface in the HANA Studio at Security → Security → tab
'Auditing':
- Auditing Status must be Enabled.
- Audit Trail Target must not be CSV Text File.
- The Audit Level Trail Targets must be initial or contain at least one of the targets Syslog or
Database Table for each audit level. They may contain multiple selections including CSV Text File.
Note: if Syslog is a selected target, the Linux syslog must be configured to process the HANA
audit trail records.
Audit policies must be configured according to the customer's needs. Use the following document
as a starting point to define the audit policy:
SAP HANA Audit Trail - Best Practice
https://scn.sap.com/docs/DOC-51098

4.1.3.3 SAP MaxDB Security

4.1.3.3.1 Changing Passwords of Standard Users


SAP MaxDB standard users (from Online Help 7.4):

Default user name   Default password   Description
DBADMIN             SECRET             Database system administrator
DBA                 DBA                Database system administrator up to and including version 7.5
DBM                 SECRET             First DBM operator with all DBM server authorizations
DBM                 DBM                First DBM operator up to and including version 7.5


SAP standard users for databases (from Online Help 7.4):

User name       Description
SUPERDBA        Database system administrator
CONTROL         DBM operator with all server authorizations
SAPR3           In older SAP systems: database administrator (database user of class DBA)
SAP<SAPSID>     In newer SAP systems, in particular in MCOD systems (Multiple Components One
                Database): database administrator for the SAP system with the ID <SAPSID>
                (database user of class DBA)
SAP<SAPSID>DB   In Java EE systems: database administrator for the SAP system with the ID
                <SAPSID> (database user of class DBA)

To prevent unauthorized persons from learning the passwords of standard users, apply the following
measures:
 Do not keep the default passwords.
 Use secure passwords.
 Change the passwords regularly.
 To enable another user to work temporarily with the account of the DBM operator, assign a
temporary second password to the DBM operator instead of sharing the primary one.
 To change the passwords of SAP MaxDB standard users, use Database Manager CLI or, in SAP
systems, CCMS.

4.1.3.3.2 Restricting and Checking Log Files for Failed Logon Attempts
Regularly check the following log files for failed logon attempts:
 Database Manager log file: dbm.prt
 Loader Server log file: loader.log
Since users can access log files with operating system commands and functions as well as with
Database Studio or Database Manager CLI, check that the file system permissions of the
RUNDIRECTORY prevent access for everyone else:
 ls -la /sapdb/<database>/data/wrk/<database>
Files and directories must have permission 550 and belong to user sdb and group sdba.
As an alternative, check whether the permissions have already been revoked for everyone at a
higher directory level; the following listing must fail with "permission denied":
 su nobody -s /bin/sh -c 'ls /sapdb/<database>/data/wrk/<database>/*'
To reset the permissions to the installation default, the following command can be used:
 sdbverify -repair_permissions


4.1.3.3.3 Use secure Authentication


Secure authentication on DB level must be ensured. If the type of authentication does not by
itself provide any protection for the authentication process (e.g. user name and password
authentication), a secure connection must be used (enable encrypted communication or use suitable
encrypted protocols).

Restrict authentication to SCRAM-MD5:

As long as the overall communication between client and server is not encrypted, authentication
should be performed with SCRAM-MD5 and BASIC authentication should be forbidden.

Older clients (< 7.6.00.03) can only connect to the database using the BASIC authentication
method; disallowing this method prevents these clients from connecting.
The extended parameters AllowAuthentication and DenyAuthentication can be used either to
explicitly allow SCRAMMD5 only or to deny BASIC.

4.1.3.3.4 Implement Backup and Disaster Recovery Procedures


The backup procedure must ensure that following requirements are fulfilled:

 A backup process is established


 Clear responsibilities for performing the backups are defined
 Types of backups are specified (full, differential, incremental) and are scheduled
accordingly
 All relevant data for a successful recovery such as content/data and configuration is backed
up
 Backups must be checked for consistency after each backup event
 Backup media or backup infrastructure is secured in accordance with the IT Security
Standard for Operational Groups.
 Ensure that backup data is recoverable by performing recovery tests (for business-critical
systems at least once a year).

4.1.3.3.5 Network Split for Administrative Protocols


Ensure separation/isolation of end-user and administrative access to the database. Restrict direct
database access over wide network segments such as the corporate network or the Internet.
Administrative access to database ports, database administrative applications or the operating
system must be allowed from dedicated IPs, jump hosts or a restricted administrative network
segment only. The ports of the SAP MaxDB X Server are (from Online Help 7.4):

Scope                       Default port   Function of the X Server                          Protocol            Protocol identifier
All installations on the    7210           Global listener                                   TCP/IP              remote://
database computer           7269           Global listener with SAP network protocol NI      SAP NI (based on    sapni://
                                           (for connections via SAPRouter, only available    TCP/IP)
                                           in SAP systems)
                            7270           Global listener with SAP network protocol NI      SAP NISSL (based    remotes://
                                           and SAP encryption library (for connections via   on SSL/TLS)         sapnis://
                                           SAPRouter, only available in SAP systems)
First installation          7200           X server for <installation_1>                     TCP/IP              remote://
<installation_1> on the
database computer
Second installation         7203           X server for <installation_2>                     TCP/IP              remote://
<installation_2> on the
database computer
Separate Database Studio    7299           X server for the separate Database Studio         TCP/IP              remote://
installation                               installation, only used by the system to access
                                           the local user management database .UMDB

4.1.3.3.6 Implement Database Configuration Hardening


All unnecessary default functionality and components must be disabled or removed. This applies
for:
 Services
 communication protocols
 sample databases
 default stored procedures providing access to data and functionality the user should not
have access to

4.1.3.3.7 Use Dedicated Database Hosts for Productive Databases


For availability reasons it must be ensured that the productive database runs on a dedicated host
separated from the development and QA databases.

4.1.3.3.8 Defining Clear Authorizations for Users


 Create an authorization concept that specifies clear authorizations for individual users:
o Define which database users are to have access to which data and database
objects in the database.
o Define which DBM operators are to carry out which administration tasks.
 Create a separate database user for each person who works with the database.
 Use strong passwords that cannot be guessed by other users.

4.1.3.3.9 Securing Communication Channels


 Encrypt the data transferred between the client application and the global listener or the
installation-specific X server (SAP MaxDB communication server) using SSL/TLS.
 Encrypt Backups

24 Juli 2018 Document1 page 47 of 149


SAP SECURITY BASELINE TEMPLATE

4.1.3.3.10 Dispensable Functions with Impact on Security


 Install only those software components that are really needed.
 Switch off the global listener and the SAP MaxDB X servers for local communication.
 Start the SAP MaxDB X server without NI support (Unix and Linux).
 Remove demo data.

4.1.3.3.11 Checking User Input in SQL Statements


To prevent user input from injecting unintended values into SQL statements and thus causing
unwanted changes to data records or to the behavior of the database application (SQL injection),
use prepared statements with parameters instead of building statements from strings. The
interfaces provide them as follows (from Online Help 7.4):

Interface   Implementation
JDBC        PreparedStatement class
ODBC        SQLPrepare method
SQLDBC      SQLDBC_PrepareStatement class
PHP         maxdb_prepare
Perl        prepare
Python      Method prepare (class SapDB_Session), class SapDB_Prepared (module sdb.sql)
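The difference between a string-built statement and a prepared one, as an added example that is not from the MaxDB online help: it uses Python's built-in sqlite3 as a stand-in for the MaxDB interfaces in the table so that it runs offline; with SAP MaxDB the same shape applies to the prepare interfaces listed above (that correspondence is an assumption about API shape, not something tested here). The tables, rows and attacker inputs are constructed.

```python
"""String-built SQL next to its prepared-statement form (SQL injection demo).

Added example, not from the MaxDB documentation. sqlite3 is used as an
offline stand-in for the MaxDB interfaces listed in the table; tables,
rows and the attacker inputs are constructed.
"""
import sqlite3


def setup():
    """In-memory database with a business table and a sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, dept TEXT)")
    conn.execute("CREATE TABLE credentials (user TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "HR"), ("bob", "IT"), ("carol", "IT")])
    conn.executemany("INSERT INTO credentials VALUES (?, ?)",
                     [("alice", "p@ss-alice"), ("bob", "p@ss-bob")])
    return conn


def lookup_unsafe(conn, dept):
    """Concatenates user input into the statement: the classic injection."""
    sql = "SELECT name FROM users WHERE dept = '" + dept + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, dept):
    """Parameter marker: the input is bound as data and cannot alter the statement."""
    sql = "SELECT name FROM users WHERE dept = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (dept,))]


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"                                   # returns every row
UNION_READ = "x' UNION SELECT secret FROM credentials --"    # reads another table


if __name__ == "__main__":
    db = setup()
    print("unsafe, tautology :", lookup_unsafe(db, TAUTOLOGY))
    print("unsafe, union     :", lookup_unsafe(db, UNION_READ))
    print("prepared, payload :", lookup_prepared(db, TAUTOLOGY))
```

The second payload is the one that matters for the tables listed in 4.1.3.1 (USR*, SAPUSER, RFCDES): with string concatenation a read-only query against a harmless table becomes a read of any table the database user can see, while the prepared form simply finds no department with that name.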

4.1.3.3.12 Trace and Log Files


 Use traces only to search for errors. Delete the trace files and disable trace writing when
the evaluation is finished.
 Restrict access to log files.
 Restrict access for operating system commands and functions.
 Withdraw the server authorization for reading database files from all DBM operators that
should not have access to log files: in Database Manager CLI, withdraw the DBFileRead server
authorization.

4.1.3.4 Oracle

4.1.3.4.1 User Management


To protect access to the SAPUSER table and to the SAP database user SAP<SID> or SAPR3, you
must do the following:
 Change the passwords for SAP<SID> or SAPR3 and for <sapsid>adm regularly.
 Only define OPS$ users for the Windows users that are necessary for operating the SAP
system. These are typically the users SAPService<sid> and <sid>adm; however, you may assign
them other names. See SAP note 50088 for more details.
 With the Oracle network protocol SQL*Net, you can also use the file sqlnet.ora to
restrict access to the database by IP address. In this file, you specify invited and
excluded nodes. In this way, you can make sure that only specific hosts (for
example, only the application server hosts) can access the database.
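What the invited/excluded node lists look like in sqlnet.ora, as an added configuration example that is not part of the baseline template; the addresses and host name are placeholders, and the parameter names are the standard Oracle Net ones.

```ini
# sqlnet.ora on the database host (added example; addresses are placeholders)
# Without validnode_checking the invited/excluded lists are ignored.
tcp.validnode_checking = yes
# Only the SAP application server hosts may open SQL*Net connections.
# Include the database host itself, otherwise local tools that connect
# through the listener are locked out too.
tcp.invited_nodes = (127.0.0.1, 10.10.1.20, 10.10.1.21, 10.10.1.22, sapapp03.example.com)
# If tcp.invited_nodes is set it takes precedence; tcp.excluded_nodes is the
# alternative for denying a few hosts while still allowing everyone else.
# tcp.excluded_nodes = (10.10.9.50)
```

The lists are enforced by the listener, so they take effect after the listener is restarted or reloaded, and they are no substitute for the network segmentation in 4.1.3.1.1: a rejected node still reaches the listener port, it is merely refused at the protocol level.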


4.1.3.4.2 Secure Store Connect


Previously, the connection of the SAP system (application server ABAP) and of SAP tools that use
the ABAP database interface (R3trans, R3load, and so on) to the database via SQL*Net (using the
database alias name, for example TNS) worked as follows: an OPS$ connection (with the database
user OPS$<SID>ADM) that was authenticated by the operating system user <sid>adm was created first
("connect /@TNS"). This permitted access only to the single table OPS$<SID>ADM.SAPUSER, which
contains the encrypted password for the actual database connection of the SAP database user
(default name SAPSR3).
Oracle announced with Release 11g that OPS$ remote connect (using the TNS alias name) will no
longer be supported in future Oracle versions. As of kernel release 7.20, SAP has therefore
introduced a new method for securely storing the database password and for connecting to the
database: "Secure Storage in File System" (SSFS). The encrypted password of the SAP database user
is then no longer stored in the database, but in the file system.
With the implementation of kernel 7.20 (11/2011) as a downward-compatible kernel (DCK for 7.x),
the new method is available in all 7.x systems (as of SAP 7.00).
This new method is recommended for security reasons.
For backward compatibility, the conventional connect method continues to be supported up to
Oracle 11.2 for all SAP systems running on Oracle.
All SAP systems as of kernel 7.20 that use Oracle versions after 11g can only be operated with
the new method.
For more information, see SAP notes 1622837 and 1639578.

4.1.3.4.3 Secure Data Storage


Additionally, the following scenarios should be considered and evaluated:
 Protection against disclosure of data at operating system level (data files, backups):
o Encryption of the data files of the database. SAP note 974876 contains information
on transparent data encryption (TDE) for Oracle databases.
 Protection against disclosure of data by DB administrators:
o Table encryption within the database. SAP note 1355140 contains information on
Oracle Database Vault within the Oracle DB.


o Restrict access to tables by 3rd-party software.
 Protection against unauthorized access from inside as well as from outside the SAP
system:
o Standard SAP, e.g.
 SAP note 1032588 - Secure handling of credit card data in ERP
 SAP note 1059333 - Secure handling of credit card data in SAP ERP HCM
 Passwords, e.g. for RFC connections or the LDAP connector, are stored in the
secure storage area (symmetric encryption mechanism).
o Custom code: use the SSF mechanism, which provides an interface for appropriate
security features (similar to SNC). The application needs to make use of SSF by
calling the appropriate SSF methods.

4.1.3.4.4 BRBACKUP, BRARCHIVE, and BRCONNECT


Since BRBACKUP has to start up and shut down the database, a special Oracle privilege such as
the SYSDBA role is necessary, that is, <sid>adm has to belong to the UNIX group dba or to the
Windows local group ORA_<SID>_DBA.
Alternatively, the SYSOPER role with reduced authorizations can be used. The corresponding UNIX
group is oper; on Windows, the local group is ORA_<SID>_OPER. BRBACKUP calls SQLPLUS with
connect / as sysoper.
Therefore, from the point of view of BRBACKUP, the UNIX group of <sid>adm could be oper and
the Windows group ORA_<SID>_OPER.
Furthermore, BRBACKUP and BRARCHIVE must have full access to the SAP<SID> tables SDBAD and
SDBAH and to other DBA tables. The required privileges are part of the SAPDBA role. Thus the
appropriate operating system groups and the SAPDBA role are sufficient for BRBACKUP and
BRARCHIVE to perform backups using cpio, dd or the BACKINT interface.
BRCONNECT also needs the same privileges.


4.1.3.4.5 BRRECOVER, BRRESTORE, and BRSPACE


BRRECOVER and BRRESTORE perform database recovery, whereas BRSPACE performs, among
other things, tablespace management.
These tools need the SYSDBA privilege to perform these functions. This privilege is normally
granted through the UNIX group dba or the Windows group ORA_<SID>_DBA.
Since these tools also need special file system rights to create database files, make sure that
you only call them as the UNIX user ora<sid> or the Windows user <sid>adm.

4.1.3.4.6 REQUIREMENTS FOR BACKUPS USING RMAN


BRBACKUP and BRARCHIVE support backups using the Oracle Recovery Manager (RMAN). To
perform database backups, RMAN requires the SYSDBA privilege. To enable RMAN backups (for
example, incremental backups) from transaction DBACOCKPIT or DB13 (DBA Planning
Calendar), the OS users <sid>adm (UNIX) and SAPSERVICE<SID> (Windows) must be entered
in the corresponding operating system groups:

UNIX
OS user           OS groups                        DB roles                   DB user
ora<sid>          dba, oper                        SYSDBA, SYSOPER, SAPDBA    OPS$ORA<SID>
<sid>adm          dba, oper                        SYSDBA, SYSOPER, SAPDBA    OPS$<SID>ADM

Windows
OS user           OS groups                        DB roles                   DB user
<sid>adm          ORA_<SID>_DBA, ORA_<SID>_OPER    SYSDBA, SYSOPER, SAPDBA    OPS$<SID>ADM
SAPSERVICE<SID>   ORA_<SID>_DBA, ORA_<SID>_OPER    SYSDBA, SYSOPER, SAPDBA    OPS$SAPSERVICE<SID>

4.1.3.5 IBM DB2

4.1.3.5.1 Password Security


The password security of DB2 authentication relies on the password security of the operating
system user accounts. Ensure that strong passwords are used for the mapped DB2 users and that
they comply with the following password policy:
 Minimum password length of 8 characters
 The password must contain at least one character of each character group (lowercase
letters, capital letters, numbers, special characters)
 Must not be a default password
 Must consist of at least 6 different characters
 Should have a maximum age of 180 days
 The user name must not be part of the password
 Must not be (nearly) equal to any of at least the 5 previous passwords


The passwords of the default accounts must also be changed according to these settings.
If the default account names are not changed at installation (which is not required), the
well-known account names are db2admin, db2inst1, dasusr1 and db2fenc1.
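Because DB2 delegates authentication to the operating system, the policy above is enforced by the OS password module or by whatever provisioning script sets the mapped accounts. The following checker is an added example, not IBM or SAP code, that turns the bullet list into testable rules. Two things are the author's assumptions: "nearly equal" is taken as an edit distance of at most 2 after case folding, and the default-password list is constructed (it contains the well-known account names above as passwords, plus a few generic ones).

```python
"""Check a candidate DB2 account password against the policy in this section.

Added example, not IBM or SAP code. Assumptions: "nearly equal" means an
edit distance of at most 2 after case folding, and DEFAULT_PASSWORDS is a
constructed deny-list for the example.
"""
from datetime import date
import string

DEFAULT_PASSWORDS = {"password", "db2admin", "db2inst1", "dasusr1", "db2fenc1", "secret", "changeme"}
MAX_AGE_DAYS = 180
HISTORY = 5            # previous passwords to compare against
NEAR_DISTANCE = 2      # assumption: edit distance treated as "nearly equal"

CHARACTER_GROUPS = (
    ("lowercase letter", string.ascii_lowercase),
    ("uppercase letter", string.ascii_uppercase),
    ("digit", string.digits),
    ("special character", string.punctuation),
)


def edit_distance(a, b):
    """Levenshtein distance, used to judge 'nearly equal' previous passwords."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def validate(password, username, previous=(), set_on=None, today=None):
    """Return the list of violated rules; an empty list means the password complies."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than 8 characters")
    for label, alphabet in CHARACTER_GROUPS:
        if not any(c in alphabet for c in password):
            violations.append(f"no {label}")
    if password.lower() in DEFAULT_PASSWORDS:
        violations.append("is a default password")
    if len(set(password)) < 6:
        violations.append("fewer than 6 different characters")
    if username and username.lower() in password.lower():
        violations.append("contains the user name")
    for old in list(previous)[-HISTORY:]:
        if edit_distance(password.lower(), old.lower()) <= NEAR_DISTANCE:
            violations.append("nearly equal to a previous password")
            break
    if set_on is not None and ((today or date.today()) - set_on).days > MAX_AGE_DAYS:
        violations.append("older than 180 days")
    return violations


if __name__ == "__main__":
    for candidate in ("db2inst1", "Tq7!mzPw", "aaaaaaA1!"):
        print(candidate, "->", validate(candidate, "db2inst1") or "ok")
```

The history rule is the one that an OS module such as pam_pwhistory only approximates (it rejects exact reuse); the edit-distance check above is what "nearly equal" needs, and NEAR_DISTANCE is the knob to tune if a single-character rotation ("Summer2018!" to "Summer2019!") is to be caught.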

4.1.3.5.2 Use Secure Authentication


The srvcon_auth parameter specifies how and where authentication is required for incoming
connections to the server. This parameter must not be set to CLIENT, since that leaves the
authentication decision to the client. If the authentication setting at the database
configuration level is set to DATA_ENCRYPT (HR001), leave this parameter at NULL.
Otherwise, set srvcon_auth to SERVER (requires a DB2 restart):
db2 => update database manager configuration using srvcon_auth server

4.1.3.5.3 Implement Backup and Data Recovery Procedures


The backup procedure must ensure that following requirements are fulfilled:
 A backup process is established.
 Clear responsibilities for performing the backups are defined.
 Types of backups are specified (full, differential, incremental) and are scheduled
accordingly
 All relevant data for a successful recovery such as content/data and configuration is backed
up.
 Backups must be checked for consistency after each backup event
 Backup media or backup infrastructure is secured in accordance with the IT Security
Standard for Operational Groups.
 Ensure that backup data is recoverable by performing recovery tests (for business-critical
systems at least once a year)

4.1.3.5.4 Implement Authorization Concept


To avoid giving every DB administrator all DB authorities, the authorities should be mapped to
separate local group memberships.
Use the following commands to configure the group mappings:
db2> update admin configuration using dasadm_group <valid system group>
db2> update admin configuration using sysadm_group <valid system group>
db2> update admin configuration using sysctrl_group <valid system group>
db2> update admin configuration using sysmaint_group <valid system group>
db2> update admin configuration using sysmon_group <valid system group>

4.1.3.5.5 Use Secure communication


The DATA_ENCRYPT authentication mechanism must be used to encrypt authentication credentials
and user data while they traverse the network.
Since DB2 can be configured to allow users without the SYSADM authority to catalog and uncatalog
databases and nodes, it must be ensured that the SYSADM authority is required for this. The
catalog_noauth parameter has to be set to NO, i.e. configure the database manager to require
explicit authorization to catalog and uncatalog databases and nodes:
db2> update database manager configuration using catalog_noauth no


SSL communication:
The communication layer between a DB2 instance and the LDAP server should be encrypted. The
ENABLE_SSL parameter in the IBMLDAPSecurity.ini file has to be set to TRUE.

4.1.3.5.6 Use Dedicated Database Hosts for Productive Databases


For availability reasons it must be ensured that the productive database runs on a dedicated
host separated from the development and QA databases.

4.1.3.5.7 Employ Database Encryption


DB2 database encryption must be ensured and can be implemented on three levels:
 By the application, with the encryption SQL functions (ENCRYPT, DECRYPT_BIN, DECRYPT_CHAR
and GETHINT). The application must support/use these SQL functions and may have to be
redesigned to use them.
 By the database, with the configuration of the IBM Database Encryption Expert. This tool can
be used for online database encryption as well as for the encryption of database backups.
 On file level, using file system encryption.

4.1.4 Frontend Security

4.1.4.1 SAP GUI for Microsoft Windows


When it comes to SAP GUI security, the following important security measures have to be
observed. The first one is to deploy the latest available SAP GUI version on all end-user
workstations. The second one is to use the SAP GUI security setting "customized" with the
default action "ask". It is strongly recommended to maintain and distribute corresponding
administrator rules to relieve the users from unnecessary pop-ups and to achieve homogeneous
security settings across all workstations.
The following setup has to be implemented:
 No access to the registry
 Restricting configuration options of local SAP GUI installations, e.g.:
 Disallow changing systems / shortcuts within SAP GUI (SAP note 762661)
 Disallow saving passwords in SAP shortcuts (SAP note 146173)
 Disallow downloading data to the local hard disk (SAP note 867260)
 Limiting the options within SAP GUI (SAP note 1669256)
 Avoid making SNC optional (i.e. allowing a fallback to user name / password logon)
 Security warnings / trusting certain operations (file download, local execution of OS
commands)

4.2 Secure Code


4.2.1 Security Maintenance of SAP Code

4.2.1.1 General Information


SAP has a process for improving product security known as the "Product Security Response
Process" for delivered software components. Once a vulnerability has been identified, SAP
provides a suitable patch as soon as possible in the form of a security note. These notes are
published on the "SAP Security Patch Day", the second Tuesday of every month.
In some cases, SAP also publishes security notes outside the Patch Day cycle. This may be the
case, for example, if a security loophole is announced in other media shortly before the general
release of the patch.


It is recommended to set up recurring reminders to remind about the SAP Security Patch Day and
to initiate the necessary steps.

4.2.1.2 Implementation of a Security Patch Day Process


SAP publishes notes with different priority levels. So-called "HotNews" notes have very high
priority and are classified as priority 1 (very high). The impacts on the system caused by the
incidents reported in a HotNews note are so serious that they demand urgent attention.

The following overview presents the support services for the SAP Patch Day offered within the
SAP Support portfolio. The central access point for information is the SAP Support Portal. For
the latest information on everything to do with SAP security notes, see
https://support.sap.com/securitynotes
(Security Notes in the Launchpad; from there you can navigate to → All SAP Security Notes).


Entry point: https://support.sap.com/securitynotes

Best Practice Documents:
- SAP Support Portal FAQ
- Documents and Whitepapers about Secure Configuration
- SAP SDN: Blogs on SAP Developer Network
- RunSAP Standards for Security
- SAP Security Standard
SAP Patch Day:
- EarlyWatch Alert / RSECNOTE (don't use it anymore!)
- Security Notes Report in SAP Support Portal
Tools to get information:
- System Recommendations in the SAP Solution Manager
- Cross-system check on relevant security notes
- E-Mail notification by SAP Support Portal
Monitoring:
- EarlyWatch Alert
- Configuration Validation in the SAP Solution Manager

The following sample procedure for establishing an SAP Patch Day process describes the
necessary steps.
It is recommended to always import the latest published SAP security notes as soon as possible.
Any delay may increase the security risk to the SAP landscape.


4.2.1.3 SAP Security Patch Day Process

The Security Patch Day of SAP takes place on the 2nd Tuesday of every month.
• At the end of that day you can inspect the updated list of Security Notes on the page
https://support.sap.com/securitynotes in the SAP Support Portal. Here you see the
complete list of all Security Notes.
• Use the application System Recommendations to check which of the Security Notes are
relevant for the various systems of your landscape. (Usually you have scheduled the check
as a background job, so you check the results e.g. on Wednesday.) You can create change
requests directly from that tool.
• Run a risk assessment concerning the criticality of each Security Note as well as the risk
of applying a change that might touch productively used business processes. As a result,
you decide which Security Notes are applied as part of the monthly patch cycle and which
become part of the next maintenance cycle.
• Using the application Configuration Validation you can create a report that checks which
systems comply with your security policy. To do so, add all notes that should be installed
to the target system definition of the Configuration Validation.
• Within the current month, apply the selected Security Notes and run regression tests (if
necessary) to ensure that productively used business processes keep working properly.
• As part of the next maintenance cycle, update the kernel, apply Java patches and ABAP
Support Packages. With this update you also get the corrections of the Security Notes.
However, some Security Notes describe configuration changes that you can apply right
away. While working on the update, new Security Notes from later Patch Days may be
published; include them if possible. Finally, run a complete test of your business processes.
HotNews


SAP HotNews are priority 1 (very high priority) SAP customer notes. These notes tell you how to
resolve or avoid problems that can cause the SAP system to shut down or lose data. If you are
affected by these problems, you must ensure that you are aware of these notes.
Recommendation: Set up regular procedures to check for new HotNews. Define a responsible
person to check for new HotNews and create Change Requests (for example, Change Control
Engineer). Change requests are forwarded to the person responsible for the process.

4.2.1.4 SAP Solution Manager “System Recommendations” Function


Overview of the functions in System Recommendations that have to be applied:
1. Combine different filter parameters to select the relevant notes (by product system and
technical system, application component, period), and save the filter settings for quick
launch.
2. Display the results by application component or software component
3. Assign a status to an entry, and display note information for a specific status
4. Define a background task to automatically update note information
5. Trigger a change request, or select a Java patch and start a maintenance process

Set up System Recommendations in SAP Solution Manager 7.1:


- All systems to be monitored must be connected to SAP Solution Manager, and documented
in transaction SMSY.
- The SAP Support Portal RFC connection SAP-OSS must be established correctly.
- The functionality is only available within the Change Management Work Center (transaction
SOLMAN_WORKCENTER or SM_WORKCENTER), therefore access to the Work Centers is a
prerequisite.
- To control access to System Recommendations, the authorization object SM_TABS (in SAP
Solution Manager 7.0) or SM_FUNCS (as of SAP Solution Manager 7.1) can be used to
grant or deny access to the different tabs of System Recommendations.
- The background job SM:SYSTEM RECOMMENDATIONS in SAP Solution Manager collects
the required information of all managed systems, and should therefore be scheduled using
the “settings” functions within System Recommendations.
- Before using System Recommendations, it is strongly recommended to implement relevant
SAP notes of application component SV-SMG-SR, e.g. 1554475 and 1577059 (in SAP
Solution Manager 7.0) or 1739266, 1734182, 1727924, 1709291 (in SAP Solution Manager
7.1).
Cross-System Check Report ZSYSREC_NOTELIST in SAP Solution Manager 7.1:
The report ZSYSREC_NOTELIST is used to display cross-system results of the System
Recommendations function. This is used for SAP Solution Manager Release 7.10 SP 2 and lower
because there is no other way to run cross-system analyses. As of SAP Solution Manager 7.10 SP
3, the results from System Recommendations can then be analyzed with the Configuration
Validation function.

4.2.1.5 Solution Manager Configuration Validation


Check with the Configuration Validation in the Solution Manager whether the systems in the SAP
landscape are consistent and correctly configured to meet the requirements and to check
compliance with security guidelines and standards in the connected systems.
Specify a “target system” that meets the latest standards while complying with the company’s
guidelines.


4.2.1.6 Transporting SAP Security Notes


Combine all of the SAP security notes into one transport request during the implementation but
don’t mix it with anything else which is not related to these security notes.

4.2.1.7 Implementing SAP Security Notes with Transaction SNOTE


Use Transaction SNOTE to install the corrections contained in an SAP security note. Ensure that
you read all notes and the descriptions they contain, and do not ignore any information regarding
regression tests.

4.2.2 Custom Code Security

4.2.2.1 Custom Code Lifecycle Management


The management of custom code (Custom Code Lifecycle Management, CCLM) supplements
tools already available in SAP Solution Manager 7.1 such as the Custom Development
Management Cockpit (CDMC). CCLM was developed especially for the purpose of accompanying
your ABAP enhancements and new developments throughout their whole lifecycles. This cycle
begins when you create an object (program, transaction, table, class, etc.), followed by its use in
production systems and extends through the retirement of the object in case of non-use or a
reorientation of the development.

4.2.2.1.1 CCLM High level architecture


CCLM is an application that collects periodically data from managed systems, thus providing up to
date information about custom code. Multiple landscape and systems can be configured to get
data from.
The information is saved locally on Solution Manager internal tables, thus allowing the quick
display of figures without having to log on to the individual systems or wait for the information to
come from them.


4.2.2.1.2 Authorization Concept


This chapter describes the necessary authorization roles for a Solution Manager user using CCLM:
Assign the required authorization roles. Copy the SAP roles below into your name space and adjust
the copies, e.g. in transaction PFCG.
The assignment can be checked via transaction SU53 or by calling transaction SM_WORKCENTER.
 Role SAP_CCLM_DIS contains authorization to run CCLM in display mode.
This role does not allow changes to configuration.
 Role SAP_CCLM_ALL contains the authorization object SM_CC_AUTH with the authorization
field SM_CC_LIB
Activities:
01 = Create
02 = Change
03 = Display
06 = Delete
11 = Upload Library Definition
12 = Download Library Definition
15 = Schedule jobs
20 = Change library definition (add/delete customer-specific attributes - Only valid for SP05)
 Roles for workcenter access (available in SP05 and up):
o SAP_SMWORK_BASIC_CCLM: Work Center: Basic Authorization Objects for CCLM
o SAP_SMWORK_CCLM: Work Center: Custom Code Lifecycle Management
Contain the authorizations to display CCLM in the Solution Manager workcenter (available in SP05
and up).

4.2.2.1.3 RFC Set Up


CCLM is set up in such a way that it uses already existing RFC connections. By default, READ
RFCs will be proposed via the configuration report.

4.2.2.1.4 CCLM Library


The core of CCLM software is a generic library definition that classifies custom code objects and
contains the set of information that can be collected. The data collectors then retrieve custom code
attributes from the connected systems (also called managed systems) automatically. The main
advantage of the data collectors is that they need to be set up only once as a periodic job, which
means that after the initial set up, the information continues to be automatically retrieved, thus
providing an always up-to-date status without any additional effort.
These attributes and the relationship among them lie at the heart of the application in what is called
“the library”. This generic library model (provided via XML file in SAP note 1547234) allows the
classification and management of data about all ABAP-based custom code objects which are by
definition not SAP standard.

4.2.2.1.5 Lead System


Typically, each landscape will have one development system, one quality system and one
production system:


The lead system is where an object is created, normally the development system. All objects are
registered at a technical level in the TADIR table at creation time with the name of the original
source system. CCLM checks whether objects with the same name are created with different
source systems and shows them as custom code duplicates.
The recommendation is to set the Lead System flag for the central development system.
The setting for the leading system has another important meaning for the management of custom
code. The attribute ObjectFound is automatically updated when the object is found in a leading
system by the collector. If an object is deleted, this attribute is no longer updated and the attribute
Deleted_Flag can be set by a periodically scheduled job. This makes the deletion of objects
transparent without the connection to a transport repository.
If there are several landscapes, each with its own development system, then each of those
development systems can be set as Lead Systems.

4.2.2.1.6 CCLM - Summary

Using the Custom Development Management Cockpit (CDMC), it is possible to determine how
custom code is used (based on the call statistics provided by the system) and which customer-
specific developments are obsolete. The CDMC then evaluates the effects of an upgrade or a

Support Package installation on custom code. The business process documentation for custom
code is also determined (maintenance using transaction SOLAR02).
CDMC supports the project or release manager in evaluating risk by analyzing objects from
transport orders before importing them into the production system.
It has to be ensured that planned changes are implemented in line with business requirements.
CDMC simplifies upgrade projects by reducing the amount of obsolete custom code.

4.2.2.2 Selected Attack Vectors and Recommended Countermeasures

4.2.2.2.1 Overview
The aim is to protect SAP Systems based on SAP NetWeaver from malicious code. Malicious code
is a quite general term: malicious code could be contained in any kind of bytestream that is
processed by the SAP system.
The following three major topics are distinguished:
1. Cross-site scripting, SQL injection and similar (web based) threats that are inserted in
(web) forms. This has to be prevented by
a. Reverse Proxy Security Solutions filtering the content of HTTP requests, for
instance.
b. Secure Programming (e.g. secure function modules performing validation of input
data to avoid cross-site scripting) as well as penetration testing in terms of Quality
Assurance.
2. Malicious Source Code that is compiled and then run on productive SAP Systems.
3. Infected Files that are uploaded to the SAP System.

4.2.2.2.2 Cross-Site Request Forgery


Notes on how to use security mechanisms:
- Web Dynpro - ABAP: SAP notes 1430970, 1436936
- Web Dynpro - JAVA: SAP notes 1521024, 1327872
- SAP NetWeaver AS JAVA: SAP note 1450166
- BSP Applications: SAP note 1458171
- ITS Services: SAP note 1481392

4.2.2.2.3 SQL Injection


Vulnerabilities
 change the semantics of a dynamic SQL statement
 SAP applications will not accept arbitrary input for dynamic SQL statements.
 SAP note 1520356

Example based on following pseudo SQL statement:


statement = 'SELECT *
FROM spfli
INTO TABLE itab
WHERE CARRID = ''&carrid&'''.
REPLACE '&carrid&' IN statement WITH userinput.
execute_sql( statement ).


The normal input


userinput = 'LH'
leads to following statement which reads data for one carrier:
SELECT *
FROM spfli
INTO TABLE itab
WHERE CARRID = 'LH'
An SQL injection attack
userinput = 'LH'' OR CARRID LIKE ''%'
leads to a modified statement which reads data for all carriers:
SELECT *
FROM spfli
INTO TABLE itab
WHERE CARRID = 'LH' OR CARRID LIKE '%'
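The following Python model is an added example and not code from the SAP document: it rebuilds the page's pseudo statement by string replacement, runs the normal and the injected input against a constructed SPFLI table so the difference in rows read becomes visible, and shows the quote-escaped build beside it. The mini evaluator and the sample rows are my own constructions; the escaping helper is my assumption of what ABAP's CL_ABAP_DYN_PRG=>ESCAPE_QUOTES does (in real ABAP, a static WHERE condition is preferable wherever the clause need not be dynamic).

```python
import re

# Constructed sample of the SPFLI table: one row per carrier.
SPFLI = [
    {"CARRID": "LH", "CONNID": "0400"},
    {"CARRID": "AA", "CONNID": "0017"},
    {"CARRID": "UA", "CONNID": "0941"},
]

# The page's pseudo statement with its &carrid& placeholder.
TEMPLATE = "SELECT * FROM spfli INTO TABLE itab WHERE CARRID = '&carrid&'"


def build_vulnerable(userinput: str) -> str:
    """The page's construction: raw user input replaces the placeholder."""
    return TEMPLATE.replace("&carrid&", userinput)


def escape_quotes(value: str) -> str:
    """Double every single quote so the input cannot terminate the literal.
    Assumption: this mirrors the quote doubling of ABAP's
    CL_ABAP_DYN_PRG=>ESCAPE_QUOTES, the helper SAP recommends for
    dynamic WHERE clauses that cannot be made static."""
    return value.replace("'", "''")


def build_hardened(userinput: str) -> str:
    """Same statement, but the input is escaped before substitution."""
    return TEMPLATE.replace("&carrid&", escape_quotes(userinput))


def _read_literal(text: str, pos: int):
    """Parse a SQL string literal starting at text[pos] == "'".
    A doubled quote inside the literal is an escaped single quote.
    Returns (literal value, index after the closing quote)."""
    pos += 1
    out = []
    while pos < len(text):
        if text[pos] == "'":
            if text[pos + 1:pos + 2] == "'":
                out.append("'")
                pos += 2
                continue
            return "".join(out), pos + 1
        out.append(text[pos])
        pos += 1
    raise ValueError("unterminated string literal")


def _parse_where(statement: str):
    """Return [(operator, literal)] for a WHERE clause of the shape
    CARRID = '...' [OR CARRID LIKE '...'] ... as used on the page."""
    clause = statement.split(" WHERE ", 1)[1]
    conds, pos = [], 0
    while pos < len(clause):
        m = re.match(r"\s*(?:OR\s+)?CARRID\s+(=|LIKE)\s+'", clause[pos:])
        if not m:
            raise ValueError("unsupported WHERE syntax: " + clause[pos:])
        value, pos = _read_literal(clause, pos + m.end() - 1)
        conds.append((m.group(1), value))
    return conds


def _like(pattern: str, value: str) -> bool:
    """SQL LIKE: % matches any sequence, _ matches one character."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None


def run(statement: str) -> list:
    """Evaluate the statement against SPFLI and return the CARRIDs read."""
    conds = _parse_where(statement)
    return [row["CARRID"] for row in SPFLI
            if any((op == "=" and row["CARRID"] == lit) or
                   (op == "LIKE" and _like(lit, row["CARRID"]))
                   for op, lit in conds)]


if __name__ == "__main__":
    injected = "LH' OR CARRID LIKE '%"
    for label, stmt in [("normal", build_vulnerable("LH")),
                        ("injected", build_vulnerable(injected)),
                        ("hardened", build_hardened(injected))]:
        print(f"{label:9s} {run(stmt)}  <- {stmt}")
```

With the injected input the vulnerable build reads every carrier, while the hardened build turns the whole input into one literal that matches no carrier at all.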

4.2.2.2.4 Directory Traversals


Methodology
 Directory traversal attacks in ABAP applications work by manipulating file name or path
information by feeding special characters into a string that represents a file locator.
 an application can be tricked into opening files to which the user should not have access.
 the application fails to detect and remove the command characters in the input that is used as
part of the file locator.
 It affects files in all directories that the vulnerable application has access to
 affects improper use of the ABAP commands OPEN DATASET, READ DATASET, DELETE
DATASET, and TRANSFER
 SAP note 1497003

4.2.2.2.5 Invoker Servlet


Methodology
 The invoker servlet is intended only to be used for rapid prototyping and allows HTTP clients to
invoke servlets that have not been declared in the application’s /WEB-INF/web.xml file.
 Using the invoker servlet, it is possible to call arbitrary servlets by servlet name
Countermeasures
 The invoker servlet feature has to be disabled (property EnableInvokerServletGlobally)
 SAP note 1445998
 Identify whether any requested scenarios rely on the invoker servlet.
 SAP NetWeaver Portal Usage: SAP note 1467771


4.2.2.2.6 ABAP Code Injection


Methodology
 The ABAP commands GENERATE SUBROUTINE POOL and INSERT REPORT are used to dynamically construct an
ABAP program or ABAP report.
 This is done by appending strings that are usually read from a data source to an internal table.
Countermeasures
 SAP closes vulnerabilities in standard code with the SAP notes
 For custom code, make sure that no external input is used as part of a dynamically generated
ABAP program or ABAP report.

4.3 Secure Setup


4.3.1 Secure Configuration

4.3.1.1 Secure Configuration of ABAP systems


As of SAP_BASIS release 7.31 you can use “Security Policies for Users” in addition to or instead
of profile parameters to define the password settings for users. You define them using
transaction SECPOL.
If a user is assigned to a security policy, then only the settings of that policy are used and the
profile parameters are ignored for that user.
If a security policy does not contain a specific value for an attribute, then the Kernel default value is
used. Therefore, you should always maintain all policy attributes.

4.3.1.1.1 Profile Parameters


The following settings are recommended for all systems. If you are using “Security Policies for
Users” with transaction SECPOL then you should at least follow the same rules for every policy.

Password Policy

Profile Parameter / Policy Attribute Name | Description | Value
login/min_password_lng / MIN_PASSWORD_LENGTH | Minimum Password Length | ≥ 8
login/min_password_digits / MIN_PASSWORD_DIGITS | min. number of digits | enforce at least 2 different character categories in passwords (applies to this and the following four parameters)
login/min_password_letters / MIN_PASSWORD_LETTERS | min. number of letters | (see above)
login/min_password_specials / MIN_PASSWORD_SPECIALS | min. number of special characters | (see above)
login/min_password_lowercase / MIN_PASSWORD_LOWERCASE | min. number of lowercase letters | (see above)
login/min_password_uppercase / MIN_PASSWORD_UPPERCASE | min. number of uppercase letters | (see above)
login/password_max_idle_initial / MAX_PASSWORD_IDLE_INITIAL | max. validity of initial passwords | ≤ 14
login/password_downwards_compatibility (no corresponding Policy Attribute Name) | password downwards compatibility (8 / 40 characters, case-sensitivity). Value 5 is prohibited since it would enforce that passwords are only saved using old / unsecure hash algorithms. | ≠ 5

Even if Single Sign-On is in place, the above mentioned password parameters should be set.

Table USR40 can be used to prohibit the use of typical weak passwords and password patterns. If
you are using table USR40 you should not use the policy attribute name
CHECK_PASSWORD_BLACKLIST to disable the check against these forbidden passwords.

Password Hashes:
Restrict access to tables USR02, USH02, and if later releases are in place USRPWDHISTORY,
containing password hashes by changing the table authorization group of these tables to the
recommended value SPWD (see footnote 9). Users must not have access to this new table authorization group via
authorization object S_TABU_DIS (dedicated users might get authorizations for table USR02 via
authorization object S_TABU_NAM).
Activate the latest password hashing mechanism (code version) available for the actual release by
setting the profile parameters below. Downward compatible password hashes should not be stored
on releases 7.0 onward.

Ensure that the central user administration system (CUA) has at least the same or a higher release
than all attached systems and that the appropriate SAP notes are implemented.

9 SAP note 1484692 lists some more tables. You may want to include these tables as well.


Releases | Recommended Profile Parameters | Code Version
Up to 4.5 | No special profile parameter needed | B
4.6 – 6.40 | login/password_charset = 2 | E
7.00 – 7.01 | login/password_downwards_compatibility = 0 | F
7.02 onward | login/password_downwards_compatibility = 0 | H

Delete redundant password hashes from the relevant tables after activation of the latest password
hashing mechanism using report CLEANUP_PASSWORD_HASH_VALUES.
ABAP recommended settings for password hash algorithms, see SAP notes: 1458262, 1484692

Authentication and Encryption

Profile Parameter | Description | Value
snc/enable | Enable SNC-Module (Secure Network Communications). Enforce encryption for SNC using snc/data_protection/min = 3 and set the other SNC parameters to appropriate values. If your SAP system is isolated by means of packet-filtering routers and you want to accept conventional connections that are not protected with SNC parallel to SNC-protected connections, then you must also set the appropriate parameters (snc/accept_insecure_gui, snc/accept_insecure_rfc, snc/accept_insecure_cpic). Keep in mind that only profile parameters snc/only_encrypted_gui and snc/only_encrypted_rfc would ensure that only SNC secured connections are possible – which is beyond the scope of this security baseline (see SAP Notes 1690662 and 2122578 for details). | = 1
icm/server_port_<num> | Configure ICM for SSL usage (see footnote 10) | PROT=HTTPS, ….

10 This requirement holds for the parameter defining the web protocol. Keep in mind that other protocols like
P4 or SMTP should be secured as well.

SAP Logon Ticket

Profile Parameter | Description | Value
login/ticket_only_by_https | generate ticket that will only be sent via https. This setting requires according entries in customizing table HTTPURLLOC to force the URL generation to produce https URLs only (see footnote 11). | = 1
login/ticket_only_to_host | ticket will only be sent back to creating host | = 1

Logging

Profile Parameter | Description | Value
rsau/enable | Enable Security Audit | = 1
rsau/selection_slots | Count of filter slots | ≥ 10
rsau/user_selection | Allow generic user names | = 1
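As an added example that is not part of the SAP document, the following Python script checks a profile parameter dump against the baseline values from the password policy, authentication and encryption, logon ticket, and logging tables above, in the spirit of a Configuration Validation target system. The "parameter value" input layout, the sample dump and the rule encoding are my own assumptions.

```python
import re

# Constructed profile dump of a weakly configured ABAP system, in the
# "parameter value" layout assumed for this example (one parameter per line).
SAMPLE_PROFILE = """\
login/min_password_lng                 6
login/password_max_idle_initial        30
login/password_downwards_compatibility 5
snc/enable                             1
snc/data_protection/min                2
icm/server_port_0                      PROT=HTTP,PORT=8000
login/ticket_only_by_https             0
rsau/enable                            0
rsau/selection_slots                   10
"""

# Baseline values from the tables above: parameter -> (check, expected value).
RULES = {
    "login/min_password_lng": (lambda v: int(v) >= 8, ">= 8"),
    "login/password_max_idle_initial": (lambda v: int(v) <= 14, "<= 14"),
    "login/password_downwards_compatibility": (lambda v: int(v) != 5, "!= 5"),
    "snc/enable": (lambda v: v == "1", "= 1"),
    "snc/data_protection/min": (lambda v: int(v) == 3, "= 3"),
    "login/ticket_only_by_https": (lambda v: v == "1", "= 1"),
    "login/ticket_only_to_host": (lambda v: v == "1", "= 1"),
    "rsau/enable": (lambda v: v == "1", "= 1"),
    "rsau/selection_slots": (lambda v: int(v) >= 10, ">= 10"),
    "rsau/user_selection": (lambda v: v == "1", "= 1"),
}


def parse_profile(text: str) -> dict:
    """Map parameter name -> value; the value is everything after the name."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        params[name] = value.strip()
    return params


def check_profile(text: str) -> list:
    """Return one (parameter, actual, expected) tuple per deviation.
    An unset parameter is reported too: the kernel default would apply,
    and the page asks for every attribute to be maintained explicitly."""
    params = parse_profile(text)
    findings = []
    for name, (ok, expected) in RULES.items():
        actual = params.get(name)
        if actual is None:
            findings.append((name, "<not set>", expected))
            continue
        try:
            passed = ok(actual)
        except ValueError:  # non-numeric value where a number is expected
            passed = False
        if not passed:
            findings.append((name, actual, expected))
    # icm/server_port_<num>: at least one ICM port must be configured with PROT=HTTPS.
    https_ports = [n for n, v in params.items()
                   if re.fullmatch(r"icm/server_port_\d+", n) and "PROT=HTTPS" in v.upper()]
    if not https_ports:
        findings.append(("icm/server_port_<num>", "no HTTPS port", "PROT=HTTPS"))
    return findings


if __name__ == "__main__":
    for name, actual, expected in check_profile(SAMPLE_PROFILE):
        print(f"{name}: {actual} (baseline: {expected})")
```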

4.3.1.1.2 Profile Parameters to control SAP Logins


ABAP Password Login Parameter / Policy Attribute

Profile Parameter / Policy Attribute | Description
login/disable_password_logon / DISABLE_PASSWORD_LOGON | Only Single Sign-On Access possible
login/password_logon_usergroup | Password deactivation for special user groups
DISABLE_TICKET_LOGON | Disable Ticket Logon
MAX_FAILED_PASSWORD_LOGON_ATTEMPTS | Maximum Number of Failed Attempts
PASSWORD_LOCK_EXPIRATION | Automatic Expiration of Password Lock
SERVER_LOGON_PRIVILEGE | Logon if server_logon_restriction=1

ABAP Password Change Parameter / Policy Attribute

Profile Parameter / Policy Attribute | Description
login/password_max_idle_productive / MAX_PASSWORD_IDLE_PRODUCTIVE | Period of unused password before it gets unusable
login/password_max_idle_initial / MAX_PASSWORD_IDLE_INITIAL | Period of initial password before it gets unusable
login/password_expiration_time / PASSWORD_CHANGE_INTERVAL | Validity period of password
login/password_change_for_SSO / PASSWORD_CHANGE_FOR_SSO | Enforces password change even in case of SSO
login/password_history_size / PASSWORD_HISTORY_SIZE | Count of old passwords which cannot be reused
login/password_change_waittime / MIN_PASSWORD_CHANGE_WAITTIME | Number of days before next password change
MIN_PASSWORD_DIFFERENCE | Number of different characters between old and new password.
login/password_compliance_to_current_policy / PASSWORD_COMPLIANCE_TO_CURRENT_POLICY | Enforce compliance of password with current password policy. With this configuration, users with incompatible password will be prompted for a password change in the next logon. Users of type "System" and "Service" are not affected by this setting. Password change required after password rule tightening.

11 Documentation: Configuration Table HTTPURLLOC
https://help.sap.com/saphelp_nw70ehp2/helpdata/en/42/d547ab30b6473ce10000000a114e5d/frameset.htm
Blog: HTTPURLLOC demystified
https://scn.sap.com/community/netweaver-as/blog/2014/06/04/table-httpurlloc-demystified
Blog: Using Proxies
https://wiki.scn.sap.com/wiki/display/BSP/Using+Proxies

Customizing Parameters in table PRGN_CUST

Parameter | Recommended value | Description
ASSIGN_ROLE_AUTH | ASSIGN | CHANGE (Default), ASSIGN: Checks When Assigning Users to Functions (SAP note 312682)
CHECK_S_USER_SAS | YES | NO (Default), YES - Activation of Authorization Object S_USER_SAS (SAP note 536101)
GEN_PSW_MAX_DIGITS | 2 | Values between login/min_password_digits and 40 (default) - max. number of digits in generated password (SAP note 662466)
GEN_PSW_MAX_LENGTH | 10 | Values between login/min_password_lng and 40 (default) - max. password length of generated password (SAP note 915488)
GEN_PSW_MAX_LETTERS | 40 | Values between login/min_password_letters and 40 (default) - max. number of letters in generated password (SAP note 662466)
GEN_PSW_MAX_SPECIALS | 1 | Values between login/min_password_specials and 40 (default) - max. number of special characters in generated password (SAP note 662466)
REF_USER_CHECK | W | W (Default), E, S, I (Ignore) - Message Type When Assigning Reference Users with Other User Type (SAP note 513694)


JAVA Password Policy (from Online Help 7.03)

Property: ume.logon.security_policy.auto_unlock_time
Value: Default value is 60. 0 = Deactivate this option. The user remains locked.
Description: Number of minutes before the system unlocks a logon ID after a series of failed logon attempts.

Property: ume.logon.security_policy.enforce_policy_at_logon
Value: Default value is FALSE.
Description: Determines if the system checks passwords against the security policy during logon and requires users to change their password if it no longer meets the current policy.

Property: ume.logon.security_policy.lock_after_invalid_attempts
Value: Default value is 6. Possible values: 0 to 9999. 0 = Infinite number of failed logon attempts allowed.
Description: Number of failed logon attempts before user is locked. This is automatically set to 0 if you have a combined SAP NetWeaver Application Server (AS) Java and AS ABAP installation.

Property: ume.logon.security_policy.log_client_hostaddress
Description: See Security Audit.

Property: ume.logon.security_policy.log_client_hostname
Description: See Security Audit.

Property: ume.logon.security_policy.oldpass_in_newpass_allowed
Value: Default value is FALSE.
Description: Defines whether old password can be part of new password. The UME checks the old and new password against each other when the user attempts to change the password.

Property: ume.logon.security_policy.password_alpha_numeric_required
Value: Default value is 1.
Description: Minimum number of alphabetic and numeric characters in passwords. For example if the property is set to 3, passwords must contain at least 3 letters and at least 3 numbers.

Property: ume.logon.security_policy.password_change_allowed
Value: Default value is TRUE.
Description: Determines if user passwords can be changed. We recommend you leave this property set to TRUE. You need this property for self-management of passwords. When FALSE, only an administrator (a user with change rights for users) can change a user's password. A user, whose password has expired, cannot change it. An administrator must reset it. You can set this property to FALSE, when you have a directory server as the data source and you do not perform password management with SAP NetWeaver or the portal.

Property: ume.logon.security_policy.password_expire_days
Value: Default value is 90.
Description: Number of days before password expires.

Property: ume.logon.security_policy.password_history
Value: Default value = 0.
Description: The UME can store the hash value of user passwords. Set this value to prevent users from reusing the same password after their old password expires. The system does not enter passwords set by the administrator in the password history. Although this value is for practical purposes freely configurable (you can set the value in the trillions), a more useful value might be 5. Use a value that is appropriate for your application. Set this value to zero (0) if your data source already has a password history checking mechanism; unless you maintain users in the AS Java database for whom you want to maintain a password history.

Property: ume.logon.security_policy.password_impermissible
Description: Enter a comma-separated list of terms or character combinations, which the UME rejects when users set their passwords. Use the asterisk (*) and question mark (?) as variables. Asterisk (*) stands for any sequence of characters, and question mark (?) stands for a single character. aaa* = The UME rejects all passwords that start with aaa.

Property: ume.logon.security_policy.password_last_change_date_default
Value: A date in the format MM/DD/YYYY. Default value is 12/31/9999.
Description: If a user has never changed his or her password using the AS Java, this date counts as the last date on which the user changed his or her password. See also: ume.logon.security_policy.password_expire_days.

Property: ume.logon.security_policy.password_max_idle_time
Value: Default value is 0. Possible values: 0 to 2147483647. Value = 0: This check is deactivated.
Description: Number of days after the last successful logon with user ID and password that the UME locks the user's password. With the UME property ume.logon.security_policy.password_successful_check_date_default you must set a default last successful password check date for users who either have no last successful logon date stored or whose last successful password check date is older than the default date. When a user's password is locked, he or she can no longer log on with the password and must contact the system administrator to get a new password. Before SPS 7, the UME sets the last successful password check date when you create each user. From SPS 7 and later, the UME only records a user's last successful password check date if the password idle time check is enabled; that is, when maximum idle time is greater than zero.

Property: ume.logon.security_policy.password_max_length
Value: Default value is 14.
Description: Maximum password length. This must not be less than the cumulated values of the properties password_mix_case_required, password_alpha_numeric_required and password_special_char_required.

Property: ume.logon.security_policy.password_min_length
Value: Default value is 1.
Description: Minimum password length.

Property: ume.logon.security_policy.password_mix_case_required
Value: Default value is 0.
Description: Minimum number of upper and lower case letters in passwords. For example if the property is set to 3, passwords must contain at least 3 lower case letters and at least 3 upper case letters.

Property: ume.logon.security_policy.password_special_char_required
Value: Default value is 0.
Description: Minimum number of special characters in passwords.

Property: ume.logon.security_policy.password_successful_check_date_default
Value: A date in the format MM/DD/YYYY. Default value is 12/31/9999.
Description: Defines the default date for last successful logon with user ID and password, when a user has no successful logon with user ID and password recorded or the last logon took place before the default date. When you set ume.logon.security_policy.password_max_idle_time, we recommend you change the password successful check date default to the current date. This ensures that the UME checks all logons that follow for idle passwords and that you do not accidentally lock out users with previously recorded password check dates.

Property: ume.logon.security_policy.userid_digits
Value: Default value is 0. Value < 0: Digits are not allowed. Value = 0: Digits are allowed. Value > 0: Digits are required.
Description: Minimum number of digits in user logon ID.

Property: ume.logon.security_policy.userid_in_password_allowed
Value: Default value is FALSE.
Description: Defines whether user ID can be part of password.

Property: ume.logon.security_policy.userid_lowercase
Description: Deprecated.

Property: ume.logon.security_policy.userid_special_char_required
Value: Default value is 0. Value < 0: Special characters are forbidden. Value = 0: Special characters are allowed. Value > 0: Special characters are required.
Description: Minimum number of special characters in user logon ID.

Property: ume.logon.security_policy.useridmaxlength
Value: Default value is 20.
Description: Maximum length of user ID. This is automatically set to 12 if you have a combined AS Java and AS for ABAP installation. If you are using a database as data source for user data, this value must be less than or equal to 200.

Property: ume.logon.security_policy.useridminlength
Value: Default value is 5.
Description: Minimum length of user ID.

Java Logon Ticket Properties (from Online Help 7.03)

24 Juli 2018 Document1 page 71 of 149


SAP SECURITY BASELINE TEMPLATE

Property: login.ticket_client
  Value: A three-character numeric string, for example 888. Default value is 000.
  Description: The client that is written into the logon ticket. This value is used to differentiate the AS for Java from the AS for ABAP. Systems are identified by the client and system ID (SID). In a combined installation the AS for Java and AS for ABAP have the same SID, so you must identify the AS for Java with a client number that is not in use by the AS for ABAP. Set or change this value in a combined AS for ABAP and Java installation.

Property: login.ticket_lifetime
  Value: Default value is 8.
  Description: Number of hours that the logon ticket is valid. You can also set the hours and minutes using the following syntax: hh:mm.

Property: login.ticket_portalid
  Value: Default value is AUTO. YES = The portal ID is always written into the logon ticket. NO = The portal ID is never written into the logon ticket. AUTO = If a portal installation is detected, the portal ID is written into the logon ticket.
  Description: The system always writes the ABAP user ID into the logon ticket. You can configure the system to write in the portal user ID only when it is necessary, or you can force the system to always include the portal ID. When evaluating logon tickets the AS Java reacts as follows: YES = The AS Java reads the portal ID from the logon ticket. NO = The AS Java reads the ABAP user ID from the logon ticket. AUTO = If a portal installation is detected, the AS Java reads the portal ID from the logon ticket.

Property: ume.login.mdc.hosts
  Value: Enter a comma-separated list of servers, with the following syntax: <protocol>://<host>:<port>/<path>. Only the host value is mandatory in all cases. For more information about the syntax, see Configuring Logon Tickets for Multiple Domains.
  Description: This property enables the portal to solicit logon tickets from servers outside the portal domain. For more information, see Logon Tickets for Multiple Domains. For example: http://server.mycompany.de

Property: ume.logon.httponlycookie
  Value: Default value is TRUE.
  Description: If TRUE, the logon ticket is set to HttpOnly. This prevents it from being read by malicious client-side script code such as JavaScript. The setting is only effective for clients that use Microsoft Internet Explorer 6.0 SP1 or higher.

Property: ume.logon.security.enforce_secure_cookie
  Value: Default value is FALSE.
  Description: Marks the logon ticket as a secure cookie, to enforce that the client browser sends the cookie only when an SSL connection to the J2EE Engine or the reverse proxy is established.

Property: ume.logon.security.relax_domain.level
  Value: Default value is 1.
  Description: Specifies the number of sub domains to remove from the server name to obtain the domain for which the logon ticket is valid. For example, if the value is 1 and the logon ticket is issued by the server server.mycompany.com, the logon ticket is valid for all servers in the domain mycompany.com.
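How the three cookie-related properties combine is easier to see in code. The following is an added example written for this template, not SAP's code: it derives the cookie domain the way the ume.logon.security.relax_domain.level description above explains (server.mycompany.com with level 1 gives mycompany.com), renders the Set-Cookie attributes the browser would receive, and reports the two flags the baseline requires. MYSAPSSO2 is the standard name of the SAP logon ticket cookie; the TicketCookieSettings holder and the guard that never relaxes the domain below two labels are this example's own assumptions.

```python
"""Logon ticket cookie attributes derived from the UME properties above.
Added example for this template; the settings holder and the two-label
guard in ticket_domain() are assumptions of this example, not UME code."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TicketCookieSettings:
    """Hypothetical holder for the three properties discussed in the table."""
    httponly: bool = True          # ume.logon.httponlycookie (default TRUE)
    enforce_secure: bool = False   # ume.logon.security.enforce_secure_cookie (default FALSE)
    relax_domain_level: int = 1    # ume.logon.security.relax_domain.level (default 1)


def ticket_domain(server_name: str, relax_domain_level: int) -> str:
    """Remove `relax_domain_level` leading labels from the issuing host name.

    server.mycompany.com with level 1 gives mycompany.com, the table's own
    example. Level 0 keeps the ticket host-specific. The guard that keeps at
    least two labels is an assumption of this example.
    """
    host = server_name.lower().rstrip(".")
    if relax_domain_level <= 0:
        return host
    labels = host.split(".")
    keep = max(2, len(labels) - relax_domain_level)
    return ".".join(labels[-keep:])


def set_cookie_header(ticket: str, server_name: str, s: TicketCookieSettings) -> str:
    """Render the Set-Cookie value the browser receives for the logon ticket.

    MYSAPSSO2 is the standard name of the SAP logon ticket cookie.
    """
    host = server_name.lower()
    attrs = [f"MYSAPSSO2={ticket}", "Path=/"]
    domain = ticket_domain(host, s.relax_domain_level)
    if domain != host:
        attrs.append(f"Domain={domain}")
    if s.enforce_secure:
        attrs.append("Secure")     # sent only over SSL/TLS connections
    if s.httponly:
        attrs.append("HttpOnly")   # not readable by client-side script
    return "; ".join(attrs)


def baseline_findings(s: TicketCookieSettings) -> List[str]:
    """Deviations from the baseline, which requires both flags to be set."""
    findings: List[str] = []
    if not s.httponly:
        findings.append("ume.logon.httponlycookie=FALSE: ticket readable by client-side script")
    if not s.enforce_secure:
        findings.append("ume.logon.security.enforce_secure_cookie=FALSE: ticket may be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    settings = TicketCookieSettings(httponly=True, enforce_secure=True, relax_domain_level=1)
    # "AjExMDAg..." stands in for a real ticket value (constructed sample).
    print(set_cookie_header("AjExMDAg...", "portal.mycompany.com", settings))
    print(baseline_findings(TicketCookieSettings()))
```

With the product defaults (HttpOnly on, Secure off, level 1) the helper reports exactly the enforce_secure_cookie gap that section 4.3.1.2.2 below closes by requiring TRUE.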

Java Properties for LDAP Directory Data Source (from Online Help 7.03)

Property: ume.ldap.access.action_retrial
  Value: Default value is 2.
  Description: In a high availability scenario: Number of times UME repeats an action on the LDAP directory server, before switching to another server and reinitializing the connection pools. In a scenario with only one LDAP server: Number of times UME repeats an action on the LDAP directory server before throwing an exception.

Property: ume.ldap.access.additional_password.<number>
  Description: When you configure multiple LDAP directory servers, you can configure up to five passwords for the respective communication users. For more information, see Configuration of More Than One LDAP Data Source. See also SAP note 736471.

Property: ume.ldap.access.auxiliary_naming_attribute.grup
  Description: Auxiliary naming attribute of principal type group.

Property: ume.ldap.access.auxiliary_naming_attribute.uacc
  Description: Auxiliary naming attribute of principal type user account.

Property: ume.ldap.access.auxiliary_naming_attribute.user
  Description: Auxiliary naming attribute of principal type user.

Property: ume.ldap.access.auxiliary_objectclass.grup
  Description: Auxiliary object class of principal type group.

Property: ume.ldap.access.auxiliary_objectclass.uacc
  Description: Auxiliary object class of principal type user account.

Property: ume.ldap.access.auxiliary_objectclass.user
  Description: Auxiliary object class of principal type user.

Property: ume.ldap.access.base_path.grup
  Description: Distinguished name of the branch of the directory where information about groups is stored. If you have a 'groups in a tree' hierarchy, this property must have the same value as ume.ldap.access.base_path.user. Example: ou=CorporateGroups,c=us,o=mycompany

Property: ume.ldap.access.base_path.user
  Description: Distinguished name of the branch of the directory where information about users is stored. If you have a 'groups in a tree' hierarchy, this property must have the same value as ume.ldap.access.base_path.grup. Example: ou=CorporateUsers,c=us,o=mycompany

Property: ume.ldap.access.base_path.uacc
  Description: Distinguished name of the branch of the directory where information about user accounts is stored.

Property: ume.ldap.access.creation_path.grup
  Description: Path where new groups are created. This path must be relative to the path defined in ume.ldap.access.base_path.grup. If this property is not defined, groups are stored in the path defined in ume.ldap.access.base_path.grup. If the properties are set as follows: ume.ldap.access.base_path.grup=ou=Groups,c=us,o=mycompany and ume.ldap.access.creation_path.user=ou=NewGroups, new groups are created at ou=NewGroups,ou=Groups,c=us,o=mycompany.

Property: ume.ldap.access.creation_path.uacc
  Description: Path where new user accounts are created. This path must be relative to the path defined in ume.ldap.access.base_path.uacc. If this property is not defined, user accounts are stored in the path defined in ume.ldap.access.base_path.uacc.

Property: ume.ldap.access.creation_path.user
  Description: Path where new users are created. This path must be relative to the path defined in ume.ldap.access.base_path.user. If this property is not defined, users are stored in the path defined in ume.ldap.access.base_path.user.

Property: ume.ldap.access.flat_group_hierachy
  Value: Default is TRUE. TRUE = A flat hierarchy is used. FALSE = A 'groups as tree' hierarchy is used. MIXED = A mixture of the two hierarchies is used.
  Description: If this property is set incorrectly, the UME cannot properly read the relationship between groups and their members.

Property: ume.ldap.access.multidomain.enabled
  Value: Default value is FALSE.
  Description: Set this property to TRUE to support logon in a multidomain Windows environment. If there are multiple Windows domains in your environment, your unique ID is defined through logon ID and domain. See also SAP note 762419.

Property: ume.ldap.access.naming_attribute.grup
  Value: <comma-separated_list_of_attributes>
  Description: Naming attribute of groups. In the LDAP directory a group is uniquely identified by its distinguished name (DN). The naming attribute is the attribute used to distinguish the group from the next level above it in the LDAP directory. If a group's DN is ou=mygroup,ou=CorporateGroups,c=us,o=mycompany, the naming attribute for groups is ou.

Property: ume.ldap.access.naming_attribute.uacc
  Value: <comma-separated_list_of_attributes>
  Description: Naming attribute of user accounts.

Property: ume.ldap.access.naming_attribute.user
  Value: <comma-separated_list_of_attributes>
  Description: Naming attribute of users.

Property: ume.ldap.access.objectclass.grup
  Value: <comma-separated_list_of_object_classes>
  Description: Object class of groups.

Property: ume.ldap.access.objectclass.uacc
  Value: <comma-separated_list_of_object_classes>
  Description: Object class of user accounts.

Property: ume.ldap.access.objectclass.user
  Value: <comma-separated_list_of_object_classes>
  Description: Object class of users.

Property: ume.ldap.access.password
  Description: Password of the communication user that is used to connect (bind) to the LDAP directory server. If you do not set the password, the system attempts an anonymous bind. The configuration of your directory server may not return data to an anonymous user.

Property: ume.ldap.access.server_name
  Description: Hostname or IP address of the LDAP directory server. For a high availability scenario, you can enter a comma-separated list of LDAP directory servers.

Property: ume.ldap.access.server_port
  Description: The port that the LDAP directory server listens at. For a high availability scenario, you can enter a comma-separated list of ports for the LDAP directory servers (in the same order as the servers).

Property: ume.ldap.access.server_type
  Value: NOVELL = Novell eDirectory; SUN = Sun ONE Directory Server; ADS = Microsoft Active Directory Server; SIEMENS = Siemens DirX
  Description: Type of the LDAP directory server.

Property: ume.ldap.access.size_limit
  Value: Default value is 0. 0 = No limit.
  Description: Defines the maximum number of entries the UME fetches from a search of a directory server.

Property: ume.ldap.access.ssl
  Value: Default value is FALSE.
  Description: Use this property to enable the UME to use SSL for the connection to the directory server.

Property: ume.ldap.access.time_limit
  Value: Default value is 0. 0 = No limit.
  Description: Defines the maximum length of time in milliseconds the UME allows for a search of a directory server. The UME only fetches the results it found within the specified period of time.

Property: ume.ldap.access.user
  Description: Distinguished name (DN) of the communication user on the directory server with which the UME connects (bind) to the LDAP directory server. Example: cn=Directory Manager

Property: ume.ldap.access.user_as_account
  Value: Default value is TRUE.
  Description: Defines if the UME user and account objects point to the same object in the directory server or not. Set this property to FALSE if the directory server treats the user and account as separate objects.

Property: ume.ldap.blocked_accounts
  Value: <comma-separated list of logon IDs>. Default value is Administrator,Guest.
  Description: Specifies the logon IDs of accounts in the LDAP directory that are ignored by the UME. See also LDAP Directory as Data Source.

Property: ume.ldap.blocked_groups
  Value: <comma-separated list of unique names>. Default value is Administrators,Guests.
  Description: Specifies the unique names of groups in the LDAP directory that are ignored by the UME. See also LDAP Directory as Data Source.

Property: ume.ldap.blocked_users
  Value: <comma-separated list of unique names>. Default value is Administrator,Guest.
  Description: Specifies the unique names of users in the LDAP directory that are ignored by the UME. See also LDAP Directory as Data Source.

Property: ume.ldap.cache_lifetime
  Value: Default value is 300.
  Description: Lifetime in seconds of a search cache entry for the LDAP directory.

Property: ume.ldap.cache_size
  Value: Default value is 100.
  Description: Number of entries in the search cache for the LDAP directory.

Property: ume.ldap.default_group_member
  Value: Default value is DUMMY_MEMBER_FOR_UME.
  Description: Sets the name of the dummy group member when the property ume.ldap.default_group_member.enabled is enabled.

Property: ume.ldap.default_group_member.enabled
  Value: Default value is FALSE.
  Description: Some directory servers require that groups have a member when created. Enable this property to have the UME include a dummy member when creating a directory server group. This dummy member is filtered out in the UME user interface. If this feature is not set properly, you cannot create new groups.

Property: ume.ldap.record_access
  Value: Default value is FALSE. TRUE = Trace file is created.
  Description: Defines whether the UME creates the trace file sapum.access.audit, which contains additional information about the performance of the LDAP directory. For more information, see Directory Server Access Log.

Property: ume.ldap.unique_grup_attribute
  Description: Attribute used to create the unique ID of a group. We strongly recommend that you do not change this property.

Property: ume.ldap.unique_uacc_attribute
  Description: Attribute used to create the unique ID for the j_user. See also SAP note 777640.

Property: ume.ldap.unique_user_attribute
  Description: Attribute used to create the unique ID for the j_user. By default, the unique ID is the distinguished name (DN) of the user in the LDAP directory. See also SAP note 777640.


JAVA Servlet Parameters

Property: EnableInvokerServletGlobally
  Value: Default value is false as of release 7.20.
  Description: Defines whether the Invoker Servlet can be used. We strongly recommend that you disable the Invoker Servlet (see SAP note 1445998).

4.3.1.1.3 Virus Scan Interface

SAP itself provides a Virus Scan Interface12. There are many scenarios in which files have to be uploaded to SAP application servers and which are therefore relevant for malicious software detection, especially if the source from which the upload is performed is not trusted.
One typical example in which malicious software detection is highly recommended is the SAP eRecruiting scenario. In this scenario, files are uploaded by unknown users (the applicants) from the internet.
For this purpose, SAP provides the NetWeaver Virus Scan Interface (NW-VSI) as of SAP NetWeaver 6.40. The NW-VSI allows files to be checked for malware and virus infections.

4.3.1.2 Secure Configuration of Java systems

- Authentication configuration
- Deactivate unused J2EE Engine services
- Deactivate unused J2EE applications
- Assign appropriate security roles to all custom-created J2EE applications
- Apply SAP note 943336 (Session Cookies)
- Are “run-as” identities manually configured for servlets or JSP pages? If yes, is the configuration secure?
- Disable the server header by setting UseServerHeader to false in the “HTTP Provider Service” in the global configuration of dispatcher and server nodes
- Delete the following publicly accessible information: delete the following directory on all server nodes:
  /usr/sap/<SID>/<Instance>/j2ee/cluster/server0/apps/sap.com/com.sap.engine.docs.examples/servlet_jsp/_default/root/apidocs
- Activate the encryption for the Secure Store.
- Disable application aliases of unused applications as another option to reduce the complexity of the system and the risk of a penetration of the system.
- Server Node > Services > Http Provider > tab Runtime > Virtual Hosts > General (shown by default): the check box 'Directory List' must not be active.
- Check if the parameters MaxRequestHeadersLength and MaxRequestContentLength are set in the HTTP Provider Service of the Java Dispatcher. The request size can be reduced, e.g. to 1 kB for the header and 2 MB for the content, if no larger file uploads are necessary.

12 SAP NetWeaver - SAP Virus Scan Interface 2.0 (NW-VSI 2.0) https://scn.sap.com/docs/DOC-7838

4.3.1.2.1 UME Parameters

The value of ume.logon.selfreg has to be set to FALSE.

Configuration | Description | Value
ume.logon.selfreg | UME Self Registration | FALSE
ume.logon.security_policy.password_min_length | Minimum Password Length | 8
ume.logon.security_policy.userid_in_password_allowed | User ID in Password allowed | FALSE
ume.logon.security_policy.oldpass_in_newpass_allowed | Old Password in Password allowed | FALSE
ume.logon.security_policy.userid_special_char_required | Special Characters in Password required | TRUE
ume.logon.security_policy.password_alpha_numeric_required | Letters and numbers in Password required | TRUE
ume.logon.security_policy.password_mix_case_required | Mix case password required | 3

4.3.1.2.2 SAP Logon Ticket

Configuration | Description | Value
ume.logon.httponlycookie | SAP Logon Ticket cookie marked HttpOnly | TRUE
ume.logon.security.enforce_secure_cookie | Send SAP Logon Ticket only via HTTPS | TRUE
login.ticket_lifetime | SAP Logon Ticket Lifetime | 8h

4.3.2 Communication Security


Depending on the protocol used, all data (including passwords) is usually transmitted through the
network (intranet or Internet) in plain text. To maintain the confidentiality of this data, transport-
layer encryption for both internal communication and message exchange has to be applied. (from
Online Help 7.40)

Server Component | Protocol | Security Mechanism
AS ABAP | HTTP, LDAP | SSL
AS ABAP | Dialog, RFC | SNC (SNC is an interface that you can use to secure connections between SAP system components.)
AS Java | HTTP, P4, LDAP | SSL
AS Java | RFC | SNC

Network and Transport Layer Security (from Online Help 7.40)

Adapter / protocol | Transport protocol | Transport security | Authentication mechanism
XI protocol | HTTP | HTTPS (SSL) | User/password, client certificate, SAP assertion ticket
WS protocol | HTTP | HTTPS (SSL) | User/password, client certificate, SAP assertion ticket, X.509 authentication token, SAML assertion
IDoc adapter | RFC | SNC | User/password, client certificate
RFC adapter | RFC | SNC | User/password, client certificate, SAP assertion ticket
Plain HTTP adapter | HTTP | HTTPS (SSL) | User/password, client certificate
File/FTP adapter | FTP | FTPS (SSL/TLS) | User/password, client certificate
SOAP adapter | HTTP | HTTPS (SSL) | User/password, client certificate, SAP assertion ticket; in Axis mode also digest and NTLM
Mail adapter | IMAP4, POP3, SMTP | HTTPS (SSL) | User/password, CRAM-MD5
Marketplace adapter | HTTP | HTTPS (SSL) | User/password, client certificate
Java based IDoc adapter | RFC | SNC | User/password
Java based HTTP adapter | HTTP | HTTPS (SSL) | User/password, client certificate
RNIF 2.0 adapter | HTTP | HTTPS (SSL) | User/password, client certificate
RNIF 1.1 adapter, CIDX adapter | HTTP | HTTPS (SSL) | User/password, client certificate

The following rules should be considered within the SAP landscape:

- Passwords must never be transmitted unencrypted
- Information classified as confidential must be transmitted encrypted

The focus of this document is on the following connection types:
- HTTP connection ABAP (client / server – server)
- RFC connection ABAP (server – server)
- HTTP connection Java (client / server – server)

Access Control List (ACL)

Server ports of an SAP system have to be accessible only from certain address ranges.
The client network must not be able to reach the following server ports; they must be protected using an ACL:
- Enqueue server: parameter enque/acl_file
- Start service: parameters service/http/acl_file and service/https/acl_file
- Internal message server port: parameter ms/acl_info
Also restrict the access to additional ports:
- Dispatcher: parameter rdisp/acl_file
(For further information see SAP note 1495075)

4.3.2.1 Transport Layer Security on the AS ABAP

Two types of transport layer security mechanisms are available on the AS ABAP and have to be used: SSL for standard Internet protocols like HTTP, and SNC for the SAP protocols RFC and DIAG.
Use the Secure Sockets Layer (SSL) protocol to secure HTTP connections to and from SAP NetWeaver Application Server (AS) ABAP. When using SSL, the data being transferred between the two parties (client and server) is encrypted and the two partners can be authenticated.
Use Secure Network Communications (SNC) based on the product SAP Single Sign-On or an external security product to secure the network communication from SAP GUI and RFC based clients to the AS ABAP.

4.3.2.2 Transport Layer Security on the AS JAVA


To perform cryptographic functions with the AS Java, the use of an external security provider is
needed. For securing server-to-server connections with SNC and SSL, the SAP CommonCryptoLib
has to be used. (from Online Help 7.40)

Protocol | Security Method Used | Comment
HTTP, P4, LDAP | SSL | SSL is a quasi-standard protocol developed by Netscape. It is used with an application protocol, for example, HTTP.
RFC or DIAG | SNC | SNC is an interface that you can use to secure connections between SAP system components.

Overview:


4.3.2.3 Transport Layer Security When Using the SAP Web Dispatcher

The SAP Web Dispatcher is an intermediary server that should be used to control the communication between a client and the back-end server (either AS ABAP or AS Java). It should also be used to control incoming connections, to accept or reject requests based on URLs, and to load balance and select the back-end application server.
As the SAP Web Dispatcher supports the use of SSL to secure both incoming and outgoing connections, SSL has to be configured accordingly.

It has to be noted that the security session cookie (SAP_SESSIONID_<sid>_<client>) is always set host-specific only. If, however, a common Web Dispatcher is put in front of several different systems (because of the same-origin policy, SOP), it is unfortunately inevitable that the cookie is potentially sent to all of these systems. So there is no way to make sure that the session cookies are only set for one specific SAP system and not for the parent domain.

4.3.2.4 RFC Security

To avoid privilege escalation by improper management of RFC destinations, the following guidelines have to be applied:
RFC destinations are allowed to be used between systems of the same security classification (that is, from a production system to another production system). They are also allowed from systems of higher security classification to systems of lower classification (such as from a test system to a development system).
Destinations from systems of lower security classification to systems of higher security classification are not allowed to store user credentials or to use trusted system logon (DEV system to PROD system). These destinations are only allowed to store technical connectivity configuration and must authenticate the user for each access.

Meanwhile SAP recommends blocking connections from high-security systems to low-security systems as well (see SAP note 1686632 “Positive lists for RFC callback”, SAP note 2008727 “Whitepaper: Securing Remote Function Calls” https://scn.sap.com/docs/DOC-60424, and SAP note 2058946 “Maintenance of callback positive lists before Release 7.31”).

One exception to this guideline is transport management system (TMS) destinations.
If these destinations are required, they must be considered security risks and must only be used after thorough risk analysis.
Systems of higher security classification have to be generally forbidden to trust systems of lower security classification; otherwise the security level of the trusting system is reduced to the security level of the trusted system.
In summary, the following security measures have to be taken to mitigate the risk of unauthorized access via RFC destinations:
- Analyze all system trust relationships between ABAP systems using transactions SMT1 and SMT2. Identify the trust relationships in which systems of higher security classification trust systems of lower security classification (development to test, test to production, or development to production). Remove this system trust wherever possible.
- Identify RFC destinations with stored user credentials from systems of lower security classification to systems of higher security classification. The stored credentials should be removed wherever possible. This way, user authentication is enforced for every access.
RFC Homework:
- Identify RFC client destinations with stored logon credentials, especially from systems of lower security classification to systems of higher security classification
- Analyze all system trust relationships (SMT1 and SMT2). Identify the trust relationships in which systems of higher security classification trust systems of lower classification.
- Check report RSRFCCHK
- Cardinality of system users : RFC connections is 1:1
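The classification rules of this section are mechanical enough to encode. The following is an added example for this template, not SAP code or a SAP tool: it applies the rules above to a list of RFC destinations with their source and target classification, stored credentials and trust status, and flags the combinations the guideline forbids, the higher-to-lower destinations SAP meanwhile recommends blocking, and the TMS exception. The RfcDestination record, the DEV < TEST < PROD ordering and the sample landscape are this example's own assumptions; in a real landscape the input would be collected from the destination maintenance, SMT1/SMT2 and report RSRFCCHK.

```python
"""Classification rule check for RFC destinations (section 4.3.2.4).
Added example for this template, not SAP code; the RfcDestination record,
the DEV < TEST < PROD ordering and the sample landscape are assumptions."""
from dataclasses import dataclass
from typing import List

# Security classification order assumed here: production is the highest.
RANK = {"DEV": 0, "TEST": 1, "PROD": 2}


@dataclass(frozen=True)
class RfcDestination:
    name: str
    source_sid: str
    source_class: str         # classification of the calling system
    target_sid: str
    target_class: str         # classification of the called system
    stored_credentials: bool  # user and password saved in the destination
    trusted_logon: bool       # trusted system logon (SMT1/SMT2 relationship)
    tms: bool = False         # transport management system destination


def assess(d: RfcDestination) -> List[str]:
    """Apply the guideline to one destination and return its findings."""
    findings: List[str] = []
    if d.tms:
        # TMS destinations are the stated exception: allowed, but a risk to analyze.
        if d.stored_credentials or d.trusted_logon:
            findings.append(f"{d.name}: TMS destination with stored credentials or trust; "
                            "allowed as an exception only after a thorough risk analysis")
        return findings
    src, tgt = RANK[d.source_class], RANK[d.target_class]
    if src < tgt:
        # lower -> higher: only technical connectivity, the user authenticates on each access
        if d.stored_credentials:
            findings.append(f"{d.name}: stored credentials from {d.source_class} to {d.target_class} "
                            "are not allowed; remove them so each access authenticates the user")
        if d.trusted_logon:
            findings.append(f"{d.name}: {d.target_sid} trusts the lower classified {d.source_sid}; "
                            f"this reduces {d.target_sid} to the security level of {d.source_sid}")
    elif src > tgt and (d.stored_credentials or d.trusted_logon):
        # higher -> lower: allowed by the guideline, but SAP meanwhile recommends blocking it
        findings.append(f"{d.name}: {d.source_class} to {d.target_class} with stored credentials or "
                        "trust; allowed, but review since SAP recommends blocking these as well")
    return findings


def report(destinations: List[RfcDestination]) -> List[str]:
    """Findings for a whole landscape, in input order."""
    return [f for d in destinations for f in assess(d)]


# Constructed sample landscape; SIDs and destination names are made up.
SAMPLE = [
    RfcDestination("PRD_TO_PRD", "PR1", "PROD", "PR2", "PROD", stored_credentials=True, trusted_logon=False),
    RfcDestination("DEV_TO_PRD_TRUSTED", "DE1", "DEV", "PR1", "PROD", stored_credentials=False, trusted_logon=True),
    RfcDestination("QAS_TO_PRD", "QA1", "TEST", "PR1", "PROD", stored_credentials=True, trusted_logon=False),
    RfcDestination("PRD_TO_DEV", "PR1", "PROD", "DE1", "DEV", stored_credentials=True, trusted_logon=False),
    RfcDestination("DEV_TO_QAS", "DE1", "DEV", "QA1", "TEST", stored_credentials=False, trusted_logon=False),
    RfcDestination("TMS_DEV_TO_PRD", "DE1", "DEV", "PR1", "PROD", stored_credentials=True, trusted_logon=False, tms=True),
]

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The two destinations without findings are the same-classification one and the lower-to-higher one that stores nothing but connectivity data, which is exactly what the guideline permits.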

4.3.2.5 Securing the RFC Gateway

The RFC Gateway is part of every AS ABAP instance as well as of a Java system. It can also be installed standalone. In all cases, the same profile parameters and the same access control lists apply. The RFC Gateway is required for all communications using the RFC or CPI-C protocol. The newest available RFC library should be used.
RFC Communication Using the Gateway according to the Online Help:
RFC Communication Using the Gateway according to the Online Help:

As the gateway is an application server interface to other systems (to other SAP systems, to external programs, and so on), security conditions must be met, as appropriate. In particular, if external programs are started via the gateway, the following security options have to be used.
- Authorizations for the side info file: set the file attributes to ensure the file is protected from unauthorized access.
- Secure connections between gateways of different SAP systems by setting up SNC, or use SAProuter between the gateways, which decrypts and encrypts the data by SNC.
- Activate gateway logging and configure the gateway so that actions executed by the gateway and requests that it receives are written to a log file, in order to define security settings for external programs.
- Any unauthorized starting of external programs has to be prevented by maintaining the file secinfo in the data directory of the gateway instance (gw/sec_info).
- Unauthorized registration of programs has to be prevented by maintaining the file reginfo in the data directory of the gateway instance (gw/reg_info).


There are four different use cases of the RFC Gateway. Each of them has to be analyzed
separately for security aspects.

4.3.2.5.1 Monitoring: gwmon (case 1)

The following setup scenario is possible with an integrated as well as with a standalone SAP Gateway Server.

Figure: gwmon (case 1) connects to the Gateway Server.

The server application gwmon can be called remotely without authentication. The following actions can be performed:
- Display profile parameters
- Change gateway parameters
- Display secinfo, reread reginfo
- Display connection table
- Hard shutdown Gateway Server
- Etc.
For compliance, perform the following action:
- Set gw/monitor=1 (local access only)

4.3.2.5.2 RFC connections to ABAP stack (case 2)

The following setup scenario is only possible with an integrated RFC Gateway.

Figure: RFC client (case 2) connects through the Gateway Server to the dispatcher / work processes of an AS ABAP dialog instance.

Function modules within the AS ABAP are called in this way. AS ABAP then takes care of authentication and authorization. The following actions can be performed by the clients:
- Call any function module within AS ABAP

Authorizations
- The authorization object S_RFC is required by the user that is used for the function call. Therefore, assign this authorization object only to users that require it, and maintain the required function modules in the authorization object.

The authorization check S_RFC is just an additional one for remote calls. Other authorization checks are the same for remote calls as for internal calls.
Strong Authentication and Encryption
Strong authentication to AS ABAP and end-to-end encryption can be performed using SNC and should be done. The parameter snc/permit_insecure_com defines if the RFC Gateway may accept connections that are not SNC secured, and the parameter snc/permit_insecure_start defines if programs (e.g. AS ABAP) may establish connections without using SNC.

4.3.2.5.3 Starting of RFC server programs (case 3)

The following setup scenario is possible with an integrated as well as with a standalone RFC Gateway.

Figure: RFC client (case 3) connects to the Gateway Server, which starts a local executable.

In this case, executables on the server itself can be called, without using security mechanisms of AS ABAP. The primary authentication is performed by the RFC Gateway itself, which uses the file secinfo that contains an ACL. The following actions can be performed by the clients:
- Start of server programs on the server
Authorizations using ACLs for IP Addresses or Host Names
- Maintain the secinfo file with an appropriate ACL for RFC clients
Strong Authentication and Encryption
Strong authentication to the RFC Gateway and end-to-end encryption can be performed using SNC and is recommended. The parameter snc/permit_insecure_com defines if the RFC Gateway may accept connections that are not SNC secured.

4.3.2.5.4 Registration of RFC server programs (case 4)

The following setup scenario is possible with an integrated as well as with a standalone RFC Gateway.

Figure: RFC client (case 4) connects to the Gateway Server, which forwards the call to a registered RFC server program.

In this case, an external RFC server program registers itself using a program ID, without using security mechanisms of AS ABAP. This RFC server program can then accept calls from RFC clients, similar to case 3, using the RFC Gateway. The following actions can be performed by the client or by the RFC server program:
- An arbitrary RFC server program can register using a program ID (which could be intended for another server program)
- An arbitrary RFC client can call any of such registered server programs
Authorizations using ACLs for IP Addresses or Host Names
- Maintain the reginfo file with an appropriate ACL for registering RFC server programs
- Maintain the secinfo file with an appropriate ACL for RFC clients
Strong Authentication and Encryption
Strong authentication and encryption to the RFC Gateway can be performed using SNC and is recommended. The parameter snc/permit_insecure_com defines if the RFC Gateway may accept connections that are not SNC secured, and the parameter snc/permit_insecure_start defines if programs may establish connections without using SNC.

4.3.2.5.5 Gateway Logging

To use gateway logging within the gateway monitor (transaction SMGW), kernel release 7.00 patch #119 SP 13 is required.
To log the required events, gateway logging needs to be activated. The recommended value for the corresponding parameter is: gw/logging: ACTION=SPXMZR.
Note that each letter in “SPXMZR” activates the logging of a certain action (see SAP note 910919).

4.3.2.5.6 RFC Gateway Hardening

For system security, it is of utmost importance that the gateway access control lists (ACL) are created and maintained properly.

1. With transaction RZ11 check if at least bits 1, 2, 3, and 4 (bit 1 as of Kernel 7.40) of gw/reg_no_conn_info are set. If not, maintain the DEFAULT.PFL either on operating system level or with transaction RZ10 and enter (or change) the line gw/reg_no_conn_info = <value>; this means the parameter must be one of the values 15, 31, 47, 63, 79, 95, 111, 127, 143, 159, 175, 191, 207, 223, 239, or 255 (respectively 1, 65, 129, 193 as of Kernel 7.40).
2. Review the content in transaction SMGW > Goto > Expert Functions > External Security > Display secinfo for entries where all variables have a * value (e.g. TP=* USER=* HOST=*).
3. If this is the case, centrally manage and monitor the ACLs.

Gateway hardening is a topic that is not covered in detail in this baseline document. However, it has to be mentioned that it is without doubt very important to take appropriate measures to harden the RFC Gateway.

4.3.2.6 Message Server Security

The Message Server provides load balancing information to clients using the external message server port. This information is updated by application servers using the internal message server port. Clients should not be authorized to access the internal message server port and update the load balancing information.
Administration ports should not be accessible from the client network:

Profile parameter | Description | Value
ms/monitor | External monitoring of the Message Server forbidden; the Message Server can only be monitored from own SAP instances | 0
ms/acl_info | Path to ACL file for the Message Server |
rdisp/msserv_internal | The parameter specifies a port which has to be used by application servers for internal communication. | <Internal Port Number>, should be different from the external message server port
ms/admin_port | The parameter specifies a port which can be used for remote administration of the Message Server. If set to 0, remote administration is deactivated. | 0
icm/http_admin | The Internet Communication Manager can be configured remotely via a web interface. This is configured using this profile parameter. | Should not be used

The following settings are to be applied:

1. set whether external monitors such as the msmon monitoring program are allowed to connect to the message server;
2. set the separation of the internal and external communication;
3. set the use of an ACL list (Access Control List) for the message server.

Enhanced protection and allowed ports:
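The numbered gateway hardening steps in 4.3.2.5.6 and the message server table above can both be verified from a profile file. The following is an added example for this template, not SAP code: it parses a constructed instance profile excerpt, evaluates gw/reg_no_conn_info as the bit mask that produces the value list in step 1, checks gw/monitor, gw/logging, the ACL file parameters and the message server settings from the table, and scans a constructed secinfo file for the all-wildcard permit entries step 2 asks for. The secinfo line syntax assumed here is the VERSION=2 format shown in step 2 (P TP=... USER=... HOST=...); the profile sample values and the icm/HTTP/admin prefix match are this example's own assumptions.

```python
"""Profile parameter and secinfo checks for the RFC gateway and the message
server (sections 4.3.2.5.6 and 4.3.2.6). Added example for this template,
not SAP code. The sample profile and secinfo content below are constructed."""
import re
from typing import Dict, List, Tuple


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'parameter = value' lines of a SAP profile; '#' lines are comments."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)   # values such as ACTION=SPXMZR keep their own '='
        params[key.strip()] = value.strip()
    return params


def reg_no_conn_info_ok(value: str, kernel_740_or_later: bool) -> bool:
    """Bits 1-4 of gw/reg_no_conn_info must be set; as of kernel 7.40 bit 1 suffices."""
    required = 0b0001 if kernel_740_or_later else 0b1111
    return int(value) & required == required


def allowed_values_before_740() -> List[int]:
    """All values with bits 1-4 set: 15, 31, ..., 255, the list given in step 1."""
    return [v for v in range(256) if reg_no_conn_info_ok(str(v), False)]


def gw_logging_ok(value: str) -> bool:
    """gw/logging must activate at least the actions S, P, X, M, Z and R."""
    m = re.search(r"ACTION=([A-Za-z]+)", value)
    return m is not None and set("SPXMZR") <= set(m.group(1).upper())


def check_profile(p: Dict[str, str], kernel_740_or_later: bool) -> List[str]:
    """Findings against the baseline values. A parameter missing from the
    profile is reported too: this example does not know the kernel defaults
    and therefore expects the values to be set explicitly."""
    findings: List[str] = []
    conn = p.get("gw/reg_no_conn_info", "0")
    if not reg_no_conn_info_ok(conn, kernel_740_or_later):
        findings.append(f"gw/reg_no_conn_info: required bits not set (value {conn})")
    if p.get("gw/monitor") != "1":
        findings.append("gw/monitor: must be 1 (gwmon local access only)")
    if not gw_logging_ok(p.get("gw/logging", "")):
        findings.append(f"gw/logging: ACTION=SPXMZR expected (found {p.get('gw/logging', '<not set>')})")
    for name in ("gw/sec_info", "gw/reg_info", "ms/acl_info"):
        if not p.get(name):
            findings.append(f"{name}: no ACL file configured")
    if p.get("ms/monitor") != "0":
        findings.append("ms/monitor: must be 0 (no external message server monitoring)")
    if p.get("ms/admin_port") != "0":
        findings.append("ms/admin_port: must be 0 (remote administration off)")
    internal = p.get("rdisp/msserv_internal", "")
    if internal in ("", "0") or internal == p.get("rdisp/msserv"):
        findings.append("rdisp/msserv_internal: internal port must be set and differ from the external port")
    # Matches icm/http_admin as named in the table and the icm/HTTP/admin_<n> family (assumption).
    if any(k.lower().replace("_", "/").startswith("icm/http/admin") for k in p):
        findings.append("icm/http_admin: remote ICM web administration should not be used")
    return findings


def secinfo_wildcard_rules(text: str) -> List[Tuple[int, str]]:
    """Permit rules whose TP, USER and HOST are all '*' (step 2 of 4.3.2.5.6).
    Assumes the VERSION=2 line format 'P TP=... USER=... HOST=... USER-HOST=...'."""
    hits: List[Tuple[int, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("P "):
            continue
        fields = dict(tok.split("=", 1) for tok in line[2:].split() if "=" in tok)
        if all(fields.get(k) == "*" for k in ("TP", "USER", "HOST")):
            hits.append((n, line))
    return hits


# Constructed instance profile excerpt (values are illustrative only).
SAMPLE_PROFILE = """\
# constructed sample, not a real system profile
rdisp/msserv = 3600
rdisp/msserv_internal = 3900
ms/monitor = 0
ms/admin_port = 0
ms/acl_info = $(DIR_GLOBAL)/ms_acl_info
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
gw/reg_no_conn_info = 3
gw/monitor = 1
gw/logging = ACTION=SPXMZ LOGFILE=gw_log-%y-%m-%d SWITCHTF=day
"""

# Constructed secinfo content; the first permit rule is the pattern step 2 warns about.
SAMPLE_SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=rfcexec USER=* HOST=internal USER-HOST=internal
D TP=* USER=* HOST=*
"""

if __name__ == "__main__":
    params = parse_profile(SAMPLE_PROFILE)
    for line in check_profile(params, kernel_740_or_later=False):
        print(line)
    for n, rule in secinfo_wildcard_rules(SAMPLE_SECINFO):
        print(f"secinfo line {n}: {rule}")
```

The same value 3 for gw/reg_no_conn_info fails on a pre-7.40 kernel (bits 2 to 4 missing) and passes on 7.40, which is why the check takes the kernel release as input rather than hard-coding one value list.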


4.3.2.7 Limit Web-Enabled Content

ABAP systems offer Web-enabled content that can be accessed using web browsers. This content is managed by the Internet Communication Framework (ICF) and maintained via transaction SICF. Some of the ICF services could potentially be misused, and unauthorized access to system functionality might be possible.
To avoid unauthorized access, apply the following for the handling of Web-enabled content in the ICF:
- Enable only ICF services that are required for the business scenarios. Especially on productive SAP software systems, not all ICF services should be enabled.
- Review all ICF services that do not require user authentication using report RSICFCHK, including all services in /sap/public as well as services with stored logon data.
- Deactivate at least the ICF services listed below if they exist in the actual release and are not used in business scenarios:

SICF Service | SAP Note
/sap/bc/echo | SAP note 626073
/sap/bc/FormToRfc |
/sap/bc/report |
/sap/bc/xrfc |
/sap/bc/xrfc_test |
/sap/bc/error |
/sap/bc/webrfc | SAP note 865853
/sap/bc/soap/rfc | SAP note 1394100
/sap/bc/bsp/sap/certreq | SAP note 1417568
/sap/bc/bsp/sap/certmap |
/sap/bc/gui/sap/its/CERTREQ |
/sap/bc/gui/sap/its/CERTMAP |
/sap/bc/bsp/sap/bsp_veri | SAP note 1422273
/sap/bc/bsp/sap/icf |
/sap/bc/IDoc_XML | SAP note 1487606
/sap/bc/srt/IDoc |

Attack surface reduction by limiting ICF services:

4.3.3 Data Security


Any kind of external data such as office documents, images, binaries are considered insecure
unless they are scanned for malicious and/or suspicious code. Virus scanning has to be
performed every time potentially polluted data is imported through input channels into the SAP
system. Possible input channels are:
● File upload from front-end PCs or from the file system on the application server
● File upload using the Internet
● Document exchange with RFC, XML, XI
Since SAP-managed databases are central distribution points, it is very dangerous to store
malformed or otherwise dangerous data in them as this data might spread very quickly across the
network. Applications that are transferring files to or from SAP-managed databases must ensure
that the data is not vulnerable to any known threats.
The SAP provided interface is known as the NetWeaver Virus Scan Interface (NW-VSI) and is
available for both AS ABAP and AS Java.
Use the virus scan interface to include external virus scanners in the SAP system to increase the
security of your system. A third-party product (external anti-virus solution) is required to perform
the actual virus scan. The certifiable interface called “NW-VSI“ (SAP NetWeaver Virus Scan
Interface) needs to be activated.

4.4 Secure Operation


4.4.1 Users and Authorizations

4.4.1.1 Handling default users and passwords


The following users have to be handled:
SAP*
- The user needs to be created in all clients.
- The user needs to be locked and expired in all clients.
- Profile parameter login/no_automatic_user_sapstar needs to be set to 1.
DDIC
- The user needs to be locked and expired in all clients except client 000.
SAPCPIC
- Change the default password of this user in all clients. Check SAP note 29276 - SAPCPIC: At which points are passwords visible.
EARLYWATCH
- The user needs to be locked or removed in all clients.
TMSADM
- The default password needs to be changed in client 000.
- Follow SAP note 1414256 - Changing TMSADM password is too complex and plan the change carefully, as the transport management system may be impacted.
- Delete the user in all clients except client 000.
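The rules above can be checked mechanically; the following Python code is an added example (not part of the SAP template) that evaluates constructed per-client user master data against them. The record fields (`locked`, `valid_to`, `default_password`) are assumptions of the sample standing in for whatever indicators a real extract would provide.

```python
"""Compliance check for the standard users SAP*, DDIC, SAPCPIC, EARLYWATCH, TMSADM.

Added example, not part of the SAP template; SAMPLE is constructed user master
data, not a real USR02 export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserRecord:
    locked: bool                 # administrator lock set (assumed indicator)
    valid_to: Optional[date]     # end of validity period, None = unlimited
    default_password: bool       # still uses the well-known initial password (assumed indicator)


# client -> user name -> record
Landscape = Dict[str, Dict[str, UserRecord]]

TODAY = date(2018, 7, 24)   # constructed reference date for the expiry check

# Constructed sample: client 000 has one violation, client 100 has several.
SAMPLE: Landscape = {
    "000": {
        "SAP*": UserRecord(locked=True, valid_to=date(2000, 1, 1), default_password=False),
        "DDIC": UserRecord(locked=False, valid_to=None, default_password=False),
        "SAPCPIC": UserRecord(locked=False, valid_to=None, default_password=False),
        "EARLYWATCH": UserRecord(locked=True, valid_to=None, default_password=True),
        "TMSADM": UserRecord(locked=False, valid_to=None, default_password=True),
    },
    "100": {
        "DDIC": UserRecord(locked=False, valid_to=None, default_password=False),
        "SAPCPIC": UserRecord(locked=False, valid_to=None, default_password=True),
        "TMSADM": UserRecord(locked=False, valid_to=None, default_password=False),
    },
}


def _expired(rec: UserRecord, today: date) -> bool:
    return rec.valid_to is not None and rec.valid_to < today


def check_default_users(landscape: Landscape, today: date = TODAY) -> List[str]:
    """Return one finding per violated rule, as 'client: message' strings."""
    findings: List[str] = []
    for client in sorted(landscape):
        users = landscape[client]

        # SAP*: must exist, and be locked and expired, in every client
        sapstar = users.get("SAP*")
        if sapstar is None:
            findings.append(f"{client}: SAP* does not exist (create it, then lock and expire it)")
        elif not (sapstar.locked and _expired(sapstar, today)):
            findings.append(f"{client}: SAP* must be locked and expired")

        # DDIC: locked and expired everywhere except client 000
        ddic = users.get("DDIC")
        if client != "000" and ddic is not None and not (ddic.locked and _expired(ddic, today)):
            findings.append(f"{client}: DDIC must be locked and expired")

        # SAPCPIC: default password changed in every client
        sapcpic = users.get("SAPCPIC")
        if sapcpic is not None and sapcpic.default_password:
            findings.append(f"{client}: SAPCPIC still has its default password")

        # EARLYWATCH: locked or removed in every client
        earlywatch = users.get("EARLYWATCH")
        if earlywatch is not None and not earlywatch.locked:
            findings.append(f"{client}: EARLYWATCH must be locked or removed")

        # TMSADM: only in client 000, and there with a changed password
        tmsadm = users.get("TMSADM")
        if tmsadm is not None:
            if client != "000":
                findings.append(f"{client}: TMSADM must be deleted outside client 000")
            elif tmsadm.default_password:
                findings.append(f"{client}: TMSADM default password must be changed")
    return findings


if __name__ == "__main__":
    for line in check_default_users(SAMPLE):
        print(line)
```

The profile parameter login/no_automatic_user_sapstar = 1 is a separate check on the instance profile and is not covered by this user-master evaluation.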

4.4.1.2 Roles and Responsibilities


Authorizations provide the means to restrict display and change access to information. The information owner is the person responsible for deciding who is allowed to access his information. Within SAP, authorizations are grouped into roles, and roles are assigned to users. Therefore, the following roles are required:
Role Content Approver:
The Role Content Approver defines the content of the roles and defines a role assignment approver for each of his roles.
Role Assignment Approver:
The Role Assignment Approver is the information owner of the information that can be accessed by users assigned to the role.
Example of a Segregation of Duties risk: The authorization
1. to change vendor master data and
2. to start the payment run for this vendor
must not be assigned to one person / one user account without proper control measures (mitigating controls). Hence, further roles have to be considered in the authorization management process:
Risk Owner (global):
Defined by the process owner.
Control Owner (local):
Responsible for the mitigating control.
Control Monitor (local):
Responsible for monitoring activities related to the mitigating control.


4.4.1.3 Processes
- Role Creation / Role Change / Role Deletion (on demand) including an impact analysis with regard to access risks of affected composite roles / business roles / users
- Role Recertification by Role Owner (on demand)
- Role Risk Analysis (weekly) including follow-up remediation / mitigation activities
- Risk / Rule Changes

4.4.1.4 Creation / Change / Deletion of Mitigation Controls / Mitigation Control Assignments

Critical Basis Authorizations & Segregation of Duties
The following authorizations are critical and require special attention:
- All change aspects of S_DEVELOP are dangerous (activities 01, 02, 06 etc.).
- Execution activity (16) of S_DEVELOP is very critical for object types CLAS and FUGR because it enables unit testing of class methods and function modules (see SAP note 587410).
- Display (03) of S_DEVELOP for all object types and execution (16) for object type PROG are accepted for support users and FireFighters.
Optional system parameters (see SAP note):
- rfc/ext_debugging = 0 (dynamic)
- abap/ext_debugging_possible = 1 (static)
- rfc/disable_debugger_command_field = 2 (static)
Look behind the role name using the GRC Compliance Calibrator or the SAP standard report in transaction SUIM:
- Report RSUSR008_009_NEW
- SoD rules can be maintained via this report in tables USRVARCOM and USCRAUTH
- Online Help: Find Users with Critical Authorizations (New Version, RSUSR008_009_NEW)
  https://help.sap.com/saphelp_nw70ehp2/helpdata/en/f9/558f40f3b19920e10000000a1550b0/content.htm
- Blog: How to Export/Import Critical Authorizations for RSUSR008_009_NEW
  https://scn.sap.com/community/security/blog/2012/08/14/exportimport-critical-authorizations-for-rsusr008009new

4.4.1.4.1 Developer Access to Production Systems


One of the main questions is: Does any process require authorization object S_DEVELOP with an activity other than 03 (Display) in production?
The clear and strong recommendation is not to grant this authorization in production. The relevant transactions are:
• SE37 – ABAP Function Modules Maintenance
• SE38 – ABAP Program Maintenance
• SE80 – Object Navigator
Caution: Authorizations for S_DEVELOP with activity 01, 02, 06, 07 and object type FUGR, PROG, CLAS, TABL, etc. allow creation and modification of programs and dictionary objects.
Authorizations for S_DEVELOP with activity 02 (Change) for object type DEBUG allow the debug process to be modified.
Authorizations for S_DEVELOP with activity 16 (Execute) and object type CLAS or FUGR allow class methods or function modules to be called without security checks using the test function of transaction SE24 or SE37 respectively.
Authorizations for S_DEVELOP with activity 16 (Execute) and object type PROG are useful to submit reports using transaction SE38 or SE80 for support users and FireFighters who are allowed to view programs using these transactions.

4.4.1.4.2 RFC Authorizations


As access to trusting systems is controlled by the authorization object S_RFCACL, it must be strictly controlled and full wildcard authorizations have to be avoided.
- Ensure that RFC authority checks are enabled by setting profile parameter auth/rfc_authority_check.
- Create a list of RFC destinations with stored credentials, and ensure that the user accounts have minimum authorizations (especially not SAP_ALL) assigned in the destination target and that the user type is set to “SYSTEM”. Within its SAP Solution Manager 7.1 application management solution SAP implemented diagnostics functionality (configuration validation reporting) to ease this activity for managed SAP software systems.
  - RFC authority checks are enabled with auth/rfc_authority_check >= 1.
  - User type SYSTEM for RFC destinations.
  - Develop a naming convention for RFC server users.
  - Authorizations in the destination target: minimum authorizations required for the business scenario (no SAP_ALL!).
  - S_RFCACL: controls access to trusting systems; no full wildcard authorizations should be granted.

4.4.1.4.3 Authorizations: Role Development


The authorization objects S_USER_AGR, S_USER_PRO, S_USER_TCD, and S_USER_VAL are required for role development.
The following key activities have to be restricted in production roles:
- 01 – Create
- 02 – Change
- 06 – Delete
- 64 – Generate
- UL – Upload
Separate the role development process from role administration by maintaining the PRGN_CUST table (as per SAP note 312682).

4.4.1.4.4 Authorization Setup


- To develop RAR rules clearly, you need to document the critical processes and the related transactions with authorization object values.
- Set up rules to identify violations of IT controls that violate company policies.
- Rules should include custom developments that add risk to a process.
- Standards should be used as a guide for the development of rules, roles and authorizations.
Effective security controls:
- Minimize risk
- Protect company assets
- Control access

4.4.2 Authentication and Single Sign-On


Single Sign-On is a solution for authentication. At the moment there are no other special
requirements for Single Sign-On Security.

4.4.2.1 Client – Server Authentication via SAPGUI or RFC clients


SAPGUI and RFC client (such as Business Explorer or Analysis for Office) access to ABAP systems can be authenticated by
- Username / Password
- SNC based on Kerberos or X.509 certificates
- SAP Logon Ticket (no longer recommended as described in SAP note 2117110)
Use the SNC interface (GSS-API) with SAP Single Sign-On or third-party security products to achieve the following security mechanisms:
- Authentication
- Integrity
- Confidentiality
If the communication path between SAPGUI and AS ABAP does not lie completely within trusted networks, encryption is required. The usage of SNC is then obligatory with the highest “Quality of Protection” (i.e. using all three of the SNC mechanisms described above).
Note:
If the authentication mechanism username / password instead of SNC is being used, and SNC is
not being used to encrypt the communication from client to ABAP system, then the password is
transmitted over the network in a way that is close to plain text. This should NOT be the case.
To enforce access control a user must usually provide both a user ID and password. When
creating a user record it is obligatory to specify an initial password for the user. To enable logging
on without a password Single Sign-On can be used.
For additional security when using user id and password authentication, configure rules for
password complexity and require that users change passwords on regular time intervals. In
addition, develop authentication extensions to store the user's credentials in a secure medium, for
example smart cards.
- Set profile parameter login/min_password_lng ≥ 8
- Set profile parameters login/min_password_digits ≥ 1, login/min_password_lowercase ≥ 1 and login/min_password_uppercase ≥ 1
- Set profile parameters login/min_password_specials ≥ 0 and login/min_password_letters ≥ 0
- Maintain table USR40 with forbidden words. The usage of wildcards is recommended. The table USR40 should not contain more than 1000 words, as this can have an impact on the performance when new passwords are set.
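As an added example (not part of the SAP template), the following Python code applies the login/min_password_* values above to a candidate password and matches it against USR40-style forbidden entries with `*` and `?` wildcards. The USR40 entries are constructed, and case-insensitive matching of those entries is an assumption.

```python
"""Evaluate a candidate password against the baseline rules and USR40 patterns.

Added example, not part of the SAP template; USR40_SAMPLE is constructed and
case-insensitive matching of USR40 entries is an assumption.
"""
import re
from typing import Dict, List

# Baseline minimums from the text above (profile parameter -> minimum count)
BASELINE: Dict[str, int] = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_lowercase": 1,
    "login/min_password_uppercase": 1,
    "login/min_password_specials": 0,
    "login/min_password_letters": 0,
}

# Constructed USR40 entries: '*' stands for any sequence, '?' for one character
USR40_SAMPLE: List[str] = ["*PASS*", "WELCOME?", "*SAP*", "123456*", "QWERTZ*"]
USR40_MAX_ENTRIES = 1000   # above this the text warns of password-change performance impact


def usr40_pattern(entry: str) -> "re.Pattern[str]":
    """Translate a USR40 entry with '*' / '?' wildcards into an anchored regex."""
    regex = re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{regex}$", re.IGNORECASE)


def character_counts(password: str) -> Dict[str, int]:
    """Count the character classes the login/min_password_* parameters refer to."""
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    return {
        "login/min_password_lng": len(password),
        "login/min_password_digits": digits,
        "login/min_password_lowercase": sum(c.islower() for c in password),
        "login/min_password_uppercase": sum(c.isupper() for c in password),
        "login/min_password_letters": letters,
        # everything that is neither letter nor digit counts as special here
        "login/min_password_specials": len(password) - letters - digits,
    }


def evaluate_password(password: str, params: Dict[str, int] = BASELINE,
                      forbidden: List[str] = USR40_SAMPLE) -> List[str]:
    """Return the violated rules; an empty list means the password passes."""
    problems: List[str] = []
    counts = character_counts(password)
    for parameter, minimum in params.items():
        if counts[parameter] < minimum:
            problems.append(f"{parameter}: {counts[parameter]} < {minimum}")
    for entry in forbidden:
        if usr40_pattern(entry).match(password):
            problems.append(f"matches forbidden USR40 entry {entry}")
    return problems


def usr40_size_ok(forbidden: List[str]) -> bool:
    """USR40 should stay below the size the text names for performance reasons."""
    return len(forbidden) <= USR40_MAX_ENTRIES


if __name__ == "__main__":
    for candidate in ("Tr0ubador&", "sappass1", "Welcome1"):
        print(candidate, evaluate_password(candidate) or "OK")
```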
To secure the password hashes, change the authorization group of the hash tables to SPWD according to SAP note 1484692:
- USR02
- USH02
- USRPWDHISTORY
- VUSR001
- USH02_ARC_TMP
- VUSR02_PWD


Nobody should have access to authorization group SPWD via authorization object S_TABU_DIS (dedicated users might get authorizations for table USR02 via authorization object S_TABU_NAM).

ABAP Password Login Parameters
- login/disable_password_logon: Only Single Sign-On access possible
- login/password_logon_usergroup: Password deactivation for special user groups
ABAP Password Change Parameters
- login/password_max_idle_productive: Period of unused productive password before it becomes unusable
- login/password_max_idle_initial: Period of unused initial password before it becomes unusable
- login/password_expiration_time: Validity period of the password
- login/password_change_for_SSO: Enforces password change even in case of SSO
- login/password_history_size: Number of old passwords which cannot be reused
- login/password_change_waittime: Number of days before the next password change

Customizing Parameters in table PRGN_CUST

Parameter (recommended value): description
- ASSIGN_ROLE_AUTH (ASSIGN): Values CHANGE (default), ASSIGN. Checks when assigning users to functions (SAP note 312682)
- CHECK_S_USER_SAS (YES): Values NO (default), YES. Activation of authorization object S_USER_SAS (SAP note 536101)
- GEN_PSW_MAX_DIGITS (2): Values between login/min_password_digits and 40 (default). Max. number of digits in a generated password (SAP note 662466)
- GEN_PSW_MAX_LENGTH (10): Values between login/min_password_lng and 40 (default). Max. length of a generated password (SAP note 915488)
- GEN_PSW_MAX_LETTERS (40): Values between login/min_password_letters and 40 (default). Max. number of letters in a generated password (SAP note 662466)
- GEN_PSW_MAX_SPECIALS (1): Values between login/min_password_specials and 40 (default). Max. number of special characters in a generated password (SAP note 662466)
- REF_USER_CHECK (W): Values W (default), E, S, I (Ignore). Message type when assigning reference users with another user type (SAP note 513694)


4.4.2.2 Client Server Authentication via Web Browser


To access ABAP as well as Java based SAP systems via HTTP, one of the following authentication mechanisms has to be used:
- SSL X.509 client certificate (recommended)
- SPNEGO (requires SAP Single Sign-On on AS ABAP)
- Username / Password via SSL secured connection
- SAP Logon Ticket via SSL secured connection (no longer recommended as described in SAP note 2117110)
Note:
Unencrypted transmission of passwords (Username / Password login without SSL) is not permitted.

4.4.3 Support Security

4.4.3.1 Access by SAP Support


Data security and integrity must be ensured when using the remote connection by the implementation of organizational and technical measures.
The following aspects have to be considered:
- Use of a hardware router (firewall) with:
  - Filter functions (access lists)
  - Connection logging (optional)
- Use of the program SAProuter with:
  - Application gateway function (restriction of direct TCP/IP communication)
  - Connection password (optional)
  - Access control via access lists
  - Connection logging (optional)
- Installation of a firewall configuration (combination of different safety measures)
- Definition of administration authorizations for security-critical systems (hardware router, SAProuter etc.)
- Release of only the required service types (on SAP Service Marketplace)
- Creation of special user profiles for the service types
- User monitoring:
  - Logging of activities at operating system level
- Time limitation of the remote connection (on SAP Service Marketplace)
- Deactivating the remote connections upon completion of an activity (on SAP Service Marketplace)
- Blocking the user or changing the password after closing the connection
Furthermore, a clear process description covering the following requirements has to be set up:
- when OSS connections can be opened (e.g. only in relation to an OSS ticket / an internal Solution Manager incident)
- who is authorized to open OSS connections (SAP Basis)
- how SAP Support may access the system (using a user with display authorizations or using a FireFighter user in production environments)

The SAProuter connection between SAPnet and the intranet might pass over the Internet. The following measures to protect the connection have to be considered:
- Only a whitelist of dedicated IP addresses (those of the SAP SAProuters) should be allowed to access SAProuters from the Internet
- Only SNC encrypted connections should be accepted by SAProuter
- Update the SAProuter on a regular basis (crucial)
- Retrieve current recommendations / Security Notes from SAP

4.4.4 Security Review and Monitoring

4.4.4.1 Security Audit Log


Profile Parameters:
rsau/enable = 1
rsau/selection_slots = 10
rsau/user_selection = 1
Caution: The profile parameters are ignored if “Kernel Parameters” are used in transaction SM19 as of release 7.31.
Filter settings:
1. Activate everything which is critical for all users ‘*’ in all clients ‘*’.
1a. You may deactivate the messages of class “User master record change (32)” because you get change documents in transaction SUIM anyway.
1b. Consider adding messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB, BUC, BUH, AUP, AUQ.
1c. If you maintain logical file names (see SAP note 1497003), then add messages CUQ, CUR, CUS, CUT (use either a single filter for all items or one filter per line).
2. Filter: Activate everything for the special user SAP* in all clients '*'.
You cannot use the filter value SAP* because, due to profile parameter rsau/user_selection = 1, it would also include the virtual user SAPSYS. This virtual user SAPSYS performs many house-keeping activities triggered by the system itself, and you do not want to log these events.
Instead, use the special filter value SAP#*.
Hint: You can use this special filter value SAP#* in transaction SM20 or report RSAU_SELECT_EVENTS as well to show log entries for user SAP* only.
3+4. Filter: Activate everything for other support and emergency users, e.g. 'SAPSUPPORT*' (SAP Support users) or FF* (FireFighter) respectively, in all clients '*'.


5. Activate all events for the audit classes dialog logon, RFC logon and transaction start for user DDIC in all clients ‘*’.
6. Filter: Activate everything for client 066. This client is not used anymore and can be deleted (see SAP note 1749142 or the blog “How to remove unused clients including client 001 and 066” on SCN).
7. Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily.

Filter  Client  User Name                                Audit Classes                                Event Level
1       *       *                                        all                                          critical
2       *       SAP#*                                    all                                          all
3       *       SAPSUPPORT* (User IDs for SAP Support)   all                                          all
4       *       FF* (Emergency User IDs)                 all                                          all
5       *       DDIC                                     dialog logon, RFC logon, transaction start   all
6       066     *                                        all                                          all
7       *       <detailed configuration>                 RFC events (AUL, AUK, AU6, AU5)              *
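The following Python code is an added example (not part of the SAP template) that models the seven filters from the table above and shows why the filter value SAP#* is needed: the value SAP* would also select the virtual user SAPSYS. The events are constructed, and the user selection `RFC_*` for filter 7 is an assumed stand-in for the table's <detailed configuration>.

```python
"""Evaluate Security Audit Log filter selections from the table above.

Added example, not part of the SAP template. Events are constructed; the user
selection "RFC_*" of filter 7 is an assumption replacing <detailed configuration>.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Event:
    client: str
    user: str
    audit_class: str    # e.g. "dialog logon", "RFC logon", "transaction start", "RFC call"
    message_id: str     # three-character event ID such as AU1 or AUL
    critical: bool      # True for events of severity "critical"


@dataclass(frozen=True)
class Filter:
    number: int
    client: str
    user: str
    audit_classes: Optional[FrozenSet[str]] = None   # None = all audit classes
    message_ids: Optional[FrozenSet[str]] = None     # None = no restriction on event IDs
    critical_only: bool = False                      # event level "critical" instead of "all"


def selection_regex(value: str) -> "re.Pattern[str]":
    """Translate an SM19 selection value into an anchored regex.

    '*' matches any sequence; '#' escapes the following character, so the value
    'SAP#*' selects only the user literally named SAP*, while 'SAP*' also
    selects SAPSYS and SAPSUPPORT1.
    """
    parts = ["^"]
    i = 0
    while i < len(value):
        if value[i] == "#" and i + 1 < len(value):
            parts.append(re.escape(value[i + 1]))
            i += 2
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    parts.append("$")
    return re.compile("".join(parts))


# The seven filters from the table above.
FILTERS: List[Filter] = [
    Filter(1, "*", "*", critical_only=True),
    Filter(2, "*", "SAP#*"),
    Filter(3, "*", "SAPSUPPORT*"),
    Filter(4, "*", "FF*"),
    Filter(5, "*", "DDIC",
           audit_classes=frozenset({"dialog logon", "RFC logon", "transaction start"})),
    Filter(6, "066", "*"),
    # "<detailed configuration>" in the table; "RFC_*" is an assumed placeholder
    Filter(7, "*", "RFC_*", message_ids=frozenset({"AUL", "AUK", "AU6", "AU5"})),
]


def filter_matches(flt: Filter, event: Event) -> bool:
    if not selection_regex(flt.client).match(event.client):
        return False
    if not selection_regex(flt.user).match(event.user):
        return False
    if flt.audit_classes is not None and event.audit_class not in flt.audit_classes:
        return False
    if flt.message_ids is not None and event.message_id not in flt.message_ids:
        return False
    return event.critical or not flt.critical_only


def matching_filters(event: Event, filters: List[Filter] = FILTERS) -> List[int]:
    """Numbers of all filters that would record this event."""
    return [f.number for f in filters if filter_matches(f, event)]


def is_logged(event: Event, filters: List[Filter] = FILTERS) -> bool:
    return bool(matching_filters(event, filters))


if __name__ == "__main__":
    # Constructed events: the SAPSYS house-keeping event stays unlogged,
    # the genuine SAP* logon is recorded by filter 2.
    housekeeping = Event("100", "SAPSYS", "transaction start", "AU3", critical=False)
    sapstar_logon = Event("100", "SAP*", "dialog logon", "AU1", critical=False)
    print(matching_filters(housekeeping), matching_filters(sapstar_logon))
```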

4.4.4.2 Security Monitoring and Reporting using the SAP Solution Manager
Running secure business systems requires not only a secure configuration during implementation but also regular validation to "stay clean".
It is strongly recommended to use the following tools to ensure proper security monitoring and reporting (please see also chapter 4 “Tools and Monitoring”):

- EarlyWatch Alert – Strong recommendations from SAP, including security topics
  SAP EarlyWatch Alert is an important part of making sure that the core business processes work. It is a tool that monitors the essential administrative areas of SAP components and keeps up to date on performance and stability.
  (see more information: https://support.sap.com/ewa )

- Security Optimization Service – Extensive analysis about security, including recommendations
  The SAP Security Optimization Service is designed to verify and improve the security of the SAP systems by identifying potential security issues and giving recommendations on how to improve the security of the system.
  (see more information: https://support.sap.com/sos )
  The complete list of checks is described in the following documents:
  Security Optimization Service - ABAP Checks
  https://support.sap.com/dam/library/SAP%20Support%20Portal/support-programs-services/support-services/security-optimization-service/media/SOS_ABAP_Checks.pdf
  Security Optimization Service - JAVA Checks
  https://support.sap.com/dam/library/SAP%20Support%20Portal/support-programs-services/support-services/security-optimization-service/media/SOS_J2EE_Checks.pdf

- System Recommendations – Analysis about missing Security Notes
  (see more information: https://support.sap.com/sysreg )

- Configuration Validation & Change Reporting – Cross-system analysis of security configuration
  (see more information: https://wiki.scn.sap.com/wiki/display/TechOps/RCA_Home )

- Dashboards – Show summary about Configuration Validation results
  (see more information: https://support.sap.com/dashboards )

- Alerting – based on SAP EarlyWatch Alert
- Alerting – based on Security Audit Log
- Alerting – based on Configuration Validation
  (see: https://help.sap.com/saphelp_sm71_sp08/helpdata/en/3b/a8413599b244b6a03ac9d2a3bdaf2f/frameset.htm )

4.4.4.3 Baseline Document References

Logging:
- Chapter 0 Profile Parameters: Enable Security Audit / Activate/Deactivate table auditing
- Chapter 4.3.2.5 Securing the RFC Gateway
- Chapter 4.3.2.5.5 Gateway Logging
- Chapter 4.4.3.1 Access by SAP Support

4.5 Security Compliance


4.5.1 Security Governance
The mission is to establish an IT Security Governance that covers all areas and to achieve a homogeneous IT security level for systems that contain critical information.
It is indispensable to establish and enforce a corporate-wide Security Policy and to respond to regulations like ITIL, BASEL II, SOX, FDA, Data Protection and ISO 27000.
The Security Governance roadmap consists of three key elements:
1. Definition of the Operational Model with clearly defined roles and responsibilities as well as the operational process ensuring that the requirements turn into real action in the different system landscapes. The goal is to achieve a common understanding of the responsibilities of the different parties involved and comparable results for the implementation of measures and the regular reporting.

2. Definition of the Rule Set showing the generic IT Security requirements per level of criticality of the system in scope. The IT Security requirements have to be aligned with the business requirements to achieve an adequate IT Security level as well as efficient processes and procedures in the affected line of business.


3. To ensure full transparency on the implemented IT Security level, each area has to implement and operate the so-called IT Risk and Security Lifecycle:

The execution of the IT Risk & Security Lifecycle, leveraging the different roles and their accountabilities, leads to increased transparency on the IT risk situation, the required security measures and the existing gaps. These gaps have to be closed according to their priority.

4.5.2 Audit
When preparing for internal or external audits, it is required to base the plan of engagements on a documented risk assessment conducted at least annually.
The organization's existing risk management framework must be taken into account to develop a risk-based plan, as well as all relevant regulatory requirements. This means it is critical for the audit management to be able to view risk information that has been gathered and documented by the business. Furthermore, the following steps have to be taken:
- Identify relevant regulatory requirements
- Define which logs and traces have to be collected
- Analyze logs with appropriate tools
- Perform security assessments like penetration tests and vulnerability scanning
- Audit the different Secure Operations tracks, e.g.:
  - infrastructure settings and communication interfaces (firewall, dispatcher and reverse proxy, operating system, RFC destinations, ALE, ICF, WS, etc.)
  - users and authorizations (spot checks, GRC access control, etc.)
If the organization does not have a risk management framework, then audit management must use their own judgment about the entity's risks, after consultation with senior management. The requirement for consulting with management on risks makes collaborative tools essential.
The Chief Audit Executive has to be able to aggregate and summarize the risk-based plans and the resources required. It is important to understand that Boards and senior executives have a responsibility to oversee the work of the internal audit department. The ability to summarize the plan, the basis for the plan and the resource requirements is essential to meet these oversight requirements.
Please see the regulatory part in chapter 2.5.2 for the summary of the steps that have to be executed for gathering the needed information.


4.5.3 Cloud Security


As companies use software delivered through a Cloud model, their overarching concerns focus on vulnerabilities related to identity management, data storage and location strategy, system operations, data transmission and data protection.

According to an analysis of the European Network and Information Security Agency (ENISA), there are nine top high risks related to Cloud services. The following table shows the risks according to ENISA and the respective SAP Cloud mitigation measures.

Risks and mitigation measures to be in place:

Risk: Loss of Governance (service provider is in charge of security)
Mitigation: Security Incident Reporting to customers established; Compliance Dashboard for customers

Risk: Isolation Failure (customers can access data of other customers)
Mitigation: Single tenancy; Security Architecture Concept in place to secure landscapes; Technical Security Validation has to be conducted to verify the implementation of the security architecture concept

Risk: Malicious Insider (employees of the service provider misuse high privileges)
Mitigation: High-privileged generic accounts have to be assigned only for a defined timeframe with logging activated; internal controls have to be in place to govern and review the usage of high-privileged users, as part of external audits

Risk: Insecure or incomplete Data Deletion (wiping of customer data when terminating the contract)
Mitigation: Single tenancy; decommissioning process should be documented and implemented

Risk: Management Interface Compromise (customer management interfaces of public cloud providers are internet accessible and enable access to large sets of resources)
Risk: Service Engine Compromise (access to the hypervisor might enable access to all customer data)
Mitigation (for both): Security Architecture Concept has to be in place to secure the hypervisor and the customer management interface; Technical Security Validation has to be conducted to verify the implementation of the security architecture concept; vulnerability scans have to be conducted multiple times a year; penetration tests have to be conducted multiple times a year

Risk: Subpoena and e-discovery (risk of disclosure of data to unwanted parties in the event of confiscation of physical hardware by law-enforcement agencies)
Mitigation: Single tenancy; dedicated databases; Security Incident Reporting

Risk: Changes of jurisdiction (customer data may be held in multiple jurisdictions)
Mitigation: Transparency on the data centers where the data is stored; the customer should have the possibility to choose in which region the data should remain

Risk: Data protection risk (processing data in another country might be considered unlawful by the responsible Data Protection authority)
Mitigation: SOC 1 attestation covers proper data handling practices; Security Incident reporting should be established

When talking about security in the cloud, different scenarios have to be considered:

- The cloud provider takes over the full service, defined by SLAs; the customer cares only about the secure connection to the cloud provider.
- Integration of infrastructure, Identity Management, Single Sign-On.
- The cloud provider takes over only parts of the service; in this case it also has to be defined precisely in SLAs what is the responsibility of the cloud provider and what remains the responsibility of the customer.

Even if parts remain on the customer side, it has to be made sure that the service level agreements are met, just as when they are provided by external providers.
No matter whether it is about Cloud solutions or not, all addressed security topics apply equally to standard scenarios and to cloud scenarios and have to be implemented.

4.5.4 Emergency Concept


Each IT unit (Global IT, Lines of Business IT) must have a plan for securing business operations in
accordance with the specifications of the “Crisis Management” and “Business Continuity” security
standards that have to be worked out. Each IT unit must keep this plan up to date.
Lines of Business that operate business-critical systems must create an emergency concept as
well as a procedure for IT service continuity management. When this is implemented, the
requirements and the content of the IT Emergency Management Processes must be taken into
account.
The steps that have to be executed are:
a) Prepare for incidents:
  - define processes and responsibilities
  - create and maintain emergency users for relevant systems
  - collect required logs and data
  - define rules and triggers for incident identification and classification
  - define processes for incident response, impact remediation and incident recovery
  - prepare for technical and non-technical (e.g. legal) follow-up and improvements
b) Establish a backup and recovery concept

4.6 Specific Topics


4.6.1 SAP HANA Security
This chapter gives a general introduction to security relevant topics regarding SAP HANA.


4.6.1.1 SAP HANA Network and Communication Security


The components of an SAP HANA landscape communicate via different network communication
channels.
It is recommended security practice to have a well-defined network topology to control and limit
network access to SAP HANA to only those communication channels required for the used
scenario, and to apply appropriate additional security measures, such as encryption, where
necessary.
This has to be achieved through different means, such as separate network zones and network
firewalls, and through the configuration options provided by SAP HANA (for example, encryption).
The exact setup depends on the environment, the implementation scenario, and the security
requirements and policies.
SAP HANA supports encrypted communication for its network communication channels. It is recommended to use encrypted channels in all cases where your network is not protected by other security measures against attacks, in particular when your network is accessed from public networks. Alternatively, virtual private network (VPN) tunnels can be used for the transfer of encrypted information.
It is strongly recommended to operate the different components of the SAP HANA platform in
separate network zones. In order to prevent unauthorized access to the SAP HANA appliance and
the SAP HANA database through the network, we recommend the application of network firewall
technology to create network zones for the different components and to restrictively filter the traffic
between these zones implementing a "minimum required communication" approach.
The SAP HANA appliance has to be operated in a protected data center environment. Only
dedicated authorized network traffic should be allowed from other network zones (for example,
user access from the client network zone).

4.6.1.2 Secure Data Communication


SAP HANA supports encrypted communication for client-server and internal communication. The
communication between the following components can be secured using the secure sockets layer
(SSL) protocol.
External communication:


Internal Communication:

Separate personal secure environments (PSEs) are supported for internal communication between
sites in a system replication scenario on the one hand, and external communication on the other.
The keys and certificates for internal communication between sites are used only internally for the
communication between the different hosts and sites in an SAP HANA system. Therefore, they
must not be signed by an externally available Certification Authority (CA).
The certificates for external communication (for example, JDBC client access, http access) are
typically signed by an externally available CA because the CA certificates need to be integrated in
the relevant clients.
The locations of the different PSEs and trust stores can be configured by the relevant configuration
parameters.


4.6.1.3 User and Role Management


Every user who wants to work directly with the SAP HANA database must have a database user
with the necessary privileges.
After successful logon, the user's authorization to perform the requested operations on the
requested objects is verified. This is determined by the privileges that the user has been granted.
The user must have both the privilege to perform the operation and the privilege to access the
object (for example, a table) to which the operation applies.
Privileges can be granted to database users either directly, or indirectly through roles. A role is a
set of privileges. Roles are the standard mechanism of granting privileges as they allow you to
implement both fine-grained and coarse-grained reusable authorization concepts that can be
modeled on business roles. Several standard roles are also delivered with the SAP HANA
database (for example, MODELING, MONITORING). You can use these as templates for creating
your own roles.

4.6.1.3.1 Deactivating the SYSTEM User


SYSTEM is the database superuser. It has irrevocable system privileges, such as the ability to
create other database users, access system tables, and so on. It is highly recommended that you
do not use SYSTEM for day-to-day activities in production systems. Instead, use it to create
database users with the minimum privilege set required for their duties (for example, user
administration, system administration). Then deactivate SYSTEM.
As the most powerful database user, SYSTEM is not intended for use in production systems. Use it
to create lesser privileged users for particular purposes and then deactivate it.

4.6.1.4 HANA Authorization


When a user accesses the SAP HANA database using a client interface (for example, ODBC,
JDBC, or HTTP), his or her ability to perform database operations on database objects is
determined by the privileges that he or she has been granted.
The following table provides you with an overview of the privilege types used in SAP HANA.

Privilege type: Object privilege
Object privileges are used to allow access to and modification of database objects, such as tables and views. Depending on the object type, different actions can be authorized (for example, SELECT, CREATE ANY, ALTER, DROP, and so on).
Schema privileges are object privileges that are used to allow access to and modification of schemas and the objects that they contain.
Source privileges are object privileges that are used to restrict access to and modification of remote data sources, which are connected through SAP HANA smart data access.
In a multiple-container system, object privileges granted to users in a particular database authorize access to and modification of database objects in that database only, unless cross-database access has been enabled for the user. This is made possible through the association of the requesting user with a remote identity on the remote database. For more information, see Cross-Database Authorization in Multitenant Database Containers in the SAP HANA Security Guide.

Privilege type: Analytic privilege
Analytic privileges are used to allow read access to data in SAP HANA information models (that is, analytic views, attribute views, and calculation views) depending on certain values or combinations of values. Analytic privileges are evaluated during query processing.
In a multiple-container system, analytic privileges granted to users in a particular database authorize access to information models in that database only.

Privilege type: Package privilege
Package privileges are used to allow access to and the ability to work in packages in the repository of the SAP HANA database.
Packages contain design-time versions of various objects, such as analytic views, attribute views, calculation views, and analytic privileges.
In a multiple-container system, package privileges granted to users in a particular database authorize access to and the ability to work in packages in the repository of that database only.

Privilege type: Application privilege
Developers of SAP HANA XS applications can create application privileges to authorize user and client access to their application. They apply in addition to other privileges, for example, object privileges on tables.
Application privileges can be granted directly to users or roles at runtime in the SAP HANA studio. However, it is recommended that you grant application privileges to roles created in the repository at design time.

Privilege type: Privileges on users
In the SAP HANA studio, an additional privilege type can be granted. Privileges on users are SQL privileges that users can grant on their own user. ATTACH DEBUGGER is the only privilege that can be granted on a user. For example, User A can grant User B the privilege ATTACH DEBUGGER to allow User B to debug SQLScript code in User A's session. User A is the only user who can grant this privilege. Note that User B also needs the object privilege DEBUG on the relevant SQLScript procedure. For more information, see Debug an External Session in the SAP HANA Developer Guide.

All the privileges granted directly or indirectly (through roles) to a user are combined. This means
that whenever a user tries to access an object, the system performs an authorization check on the
user, the user's roles, and directly granted privileges. It is not possible to explicitly deny privileges.
Because nothing can be denied, the system does not need to examine all of the user's privileges: as soon
as all requested privileges have been found, the system stops the check and grants access.

4.6.1.5 Data Storage Security


The data of the SAP HANA database (including its configuration data) is stored in the file system of
the operating system. You can configure the data path during installation.
The file permissions of the operating system are strictly configured. Therefore, do not change them
after the installation of the SAP HANA database.

4.6.1.5.1 Data Volume Encryption


To protect data saved to disk from unauthorized access at operating system level, the SAP HANA
database supports data encryption in the persistence layer.
The SAP HANA database holds the bulk of its data in memory for maximum performance, but it
still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved
from memory to disk at regular savepoints. The data belonging to a savepoint represents a
consistent state of the data on disk and remains so until the next savepoint operation has
completed.
Data volume encryption ensures that anyone who can access the data volumes on disk using
operating system commands cannot see the actual data. If data volumes are encrypted, all pages
that reside in the data area on disk are encrypted using the AES-256-CBC algorithm. Pages are
transparently decrypted as part of the load process into memory. When pages reside in memory
they are therefore not encrypted and there is no performance overhead for in-memory page
accesses. When changes to data are persisted to disk, the relevant pages are automatically
encrypted as part of the write operation.
Pages are encrypted and decrypted using 256-bit page encryption keys. Page keys are valid for a
certain range of savepoints and can be changed by executing SQL statements. After data volume
encryption has been enabled, an initial page key is automatically generated. Page keys are never
readable in plain text, but are encrypted themselves using a dedicated persistence encryption root
key.
During start-up, administrator interaction is not required. The persistence encryption root key is
stored using the SAP NetWeaver secure storage in the file system (SSFS) functionality and is
automatically retrieved from there. SAP HANA uses SAP NetWeaver SSFS to protect the root
encryption keys that are used to protect all encryption keys used in the SAP HANA system from
unauthorized access.
Data Not Encrypted
The persistence encryption feature does not encrypt the following data:
• Database redo log files: If database redo log files need to be protected, we recommend using operating system facilities, such as encryption at the file system level.
• Database backups: In general, the contents of database backups are not encrypted. Only data that has been encrypted internally in the database (that is, independently of the persistence encryption feature) remains encrypted in backups. This applies to data stored in the secure internal credential store. To ensure that all data restored during the data and log recovery phases is encrypted, encryption must be enabled before the recovery is started. If encryption of backups is required, we recommend using third-party solutions that integrate with the Backint for SAP HANA functionality for backups.
• Database traces: For security reasons, we recommend that you do not run the system with extended tracing for more than short-term analysis, since tracing might expose security-relevant data that would be encrypted in the persistence layer but not in the trace. Therefore, you should not keep such trace files on disk beyond the respective analysis task.

4.6.1.5.2 Secure Storage of Passwords in SAP HANA


All passwords in SAP HANA are stored securely.
Server Side
On the SAP HANA database server, passwords are stored securely as follows:
Operating system passwords are protected by the standard operating system mechanism, the /etc/passwd file.
All database user passwords are hashed with the secure hash algorithm SHA-256.
In addition, a secure database-internal credential store is available that allows you to securely store in the SAP HANA database the credentials required by SAP HANA applications for outbound connections. For example, in an SAP HANA smart data access scenario, credentials are required to access a remote source in order to retrieve data.
Client Side
On the client side, the following facilities are available for storing user passwords:
• The SAP HANA user store (hdbuserstore): The SAP HANA user store can be used to store user logon information for connecting to an SAP HANA system. This allows client applications to connect to the database without having to enter a user's password explicitly.
• Eclipse secure storage: For users using the SAP HANA studio to connect to an SAP HANA system, the Eclipse secure storage can be used to store passwords. If this is not desired, the feature can be disabled for the SAP HANA studio.

4.6.1.6 Security Configuration Checklist


This checklist provides general recommendations on security settings for SAP HANA.
This list is not exhaustive. In addition, depending on the specific implementation scenario and
technical environment, some of these recommendations may not apply or may differ.
Database Users and Roles

Area: Users
Recommendation: The SYSTEM user is deactivated.
How to Verify: In the USERS system view, check the values in the columns USER_DEACTIVATED, DEACTIVATION_TIME, and LAST_SUCCESSFUL_CONNECT.

Area: Users
Recommendation: In 3-tier scenarios with an application server, only the technical accounts for the database connection of the application server (for example, SAP<sid> or DBACOCKPIT) have a password with an unlimited lifetime. Note: Such technical users should have a clearly identified purpose and the minimum authorization required in SAP HANA.
How to Verify: In the USERS system view, check the value in the column PASSWORD_CHANGE_TIME. If it is NULL, password lifetime checks are disabled.

Area: Password policy
Recommendation: The password policy is configured according to your company's policies.
How to Verify: The password policy is configured using the parameters in the password_policy section of the system properties file indexserver.ini. You can view and change the parameters of system properties files in the Administration editor of the SAP HANA studio. You can view the parameters and their current values in the system views M_INIFILE_CONTENTS and M_PASSWORD_POLICY.

Area: System privileges
Recommendation: The system privilege DATA ADMIN is a powerful privilege. It authorizes a user to read all data in system views, as well as to execute all data definition language (DDL) commands in the SAP HANA database. No user in a production system should have this privilege, with the exception of the SYSTEM and _SYS_REPO users, which have this privilege by default.
How to Verify: Users' privileges can be verified in the EFFECTIVE_PRIVILEGES system view. Executing select * from GRANTED_PRIVILEGES where privilege = 'DATA ADMIN'; should return only SYSTEM and _SYS_REPO.

Area: System privileges
Recommendation: The system privilege DEVELOPMENT authorizes some internal ALTER SYSTEM commands. No user should have this privilege, with the exception of the SYSTEM and _SYS_REPO users, which have this privilege by default.
How to Verify: You can verify whether a user has the DEVELOPMENT privilege by executing select * from granted_privileges where privilege = 'DEVELOPMENT';

Area: System privileges
Recommendation: Only administrative or support users should have the system privileges CATALOG READ and TRACE ADMIN in a production system. Only administrative users should have the following system privileges in a system of any usage type:
ADAPTER ADMIN
AGENT ADMIN
BACKUP ADMIN
BACKUP OPERATOR
CERTIFICATE ADMIN
CREDENTIAL ADMIN
EXTENDED STORAGE ADMIN
INIFILE ADMIN
LICENSE ADMIN
SAVEPOINT ADMIN
SERVICE ADMIN
SESSION ADMIN
SSL ADMIN
TENANT ADMIN
TRUST ADMIN
VERSION ADMIN
RESOURCE ADMIN
TABLE ADMIN
AUDIT ADMIN
AUDIT OPERATOR
OPTIMIZER ADMIN
CREATE REMOTE SOURCE
LOG ADMIN
MONITOR ADMIN
How to Verify: Users' privileges can be verified in the EFFECTIVE_PRIVILEGES system view.

Area: System privileges
Recommendation: System privileges should only be assigned to administrative users who actually need them.
How to Verify: Users' privileges can be verified in the EFFECTIVE_PRIVILEGES system view. You can check whether too many system privileges have been assigned to too many users.

Area: System privileges
Recommendation: Critical combinations of system privileges should not be granted together, for example:
USER ADMIN and ROLE ADMIN
CREATE SCENARIO and SCENARIO ADMIN
AUDIT ADMIN and AUDIT OPERATOR
CREATE STRUCTURED PRIVILEGE and STRUCTUREDPRIVILEGE ADMIN
How to Verify: Users' privileges can be verified in the EFFECTIVE_PRIVILEGES system view.

Area: Debug privileges
Recommendation: The privileges DEBUG and ATTACH DEBUGGER should not be assigned to any user in production systems.
How to Verify: Users' privileges can be verified in the EFFECTIVE_PRIVILEGES system view.
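The privilege model of 4.6.1.4 (direct grants unioned with the grants of all roles held, no explicit deny) and the user and privilege rows of the checklist above can be exercised offline. The following Python is an added example, not code from the SAP Security Baseline Template or from SAP: it models rows of the USERS and GRANTED_PRIVILEGES views as constructed data, adds a constructed role-membership map (in HANA that is the GRANTED_ROLES view, which the checklist does not name), and reports the findings the checklist rows ask for. The column subsets used, the sample user and role names, and the set of technical users are assumptions.

```python
"""Effective-privilege resolution and user checklist checks for SAP HANA.

Added example, not code from the SAP Security Baseline Template or from SAP.
It models rows of the USERS and GRANTED_PRIVILEGES system views as constructed
data, adds a constructed role-membership map (in HANA that is the GRANTED_ROLES
view, which the checklist does not name) and applies the rule from 4.6.1.4:
direct grants are unioned with the grants of every role held, transitively,
and there is no explicit deny.
"""
from collections import namedtuple

# Constructed rows modeled on GRANTED_PRIVILEGES (GRANTEE, GRANTEE_TYPE, PRIVILEGE).
Grant = namedtuple("Grant", "grantee grantee_type privilege")
# Constructed rows modeled on USERS; USER_DEACTIVATED is kept as a bool here.
UserRow = namedtuple("UserRow", "user_name user_deactivated password_change_time")

SAMPLE_GRANTS = [
    Grant("SYSTEM", "USER", "DATA ADMIN"),
    Grant("SYSTEM", "USER", "DEVELOPMENT"),
    Grant("_SYS_REPO", "USER", "DATA ADMIN"),
    Grant("_SYS_REPO", "USER", "DEVELOPMENT"),
    Grant("ALICE", "USER", "CATALOG READ"),
    Grant("ALICE", "USER", "USER ADMIN"),
    Grant("ALICE", "USER", "ROLE ADMIN"),          # critical combination
    Grant("ROLE_DEBUG", "ROLE", "ATTACH DEBUGGER"),
    Grant("ROLE_DEBUG", "ROLE", "DATA ADMIN"),     # reaches BOB through two roles
    Grant("CAROL", "USER", "BACKUP ADMIN"),
]
# Constructed role membership: grantee (user or role) -> roles granted to it.
SAMPLE_ROLE_MEMBERS = {"BOB": ["ROLE_DEV"], "ROLE_DEV": ["ROLE_DEBUG"]}
SAMPLE_USERS = [
    UserRow("SYSTEM", False, "2018-01-10"),   # still active: finding
    UserRow("SAPABC", False, None),           # constructed SAP<sid> technical user
    UserRow("ALICE", False, None),            # dialog user without lifetime check
    UserRow("BOB", False, "2018-05-02"),
    UserRow("CAROL", False, "2018-05-02"),
]
# Technical accounts that may keep an unlimited password lifetime (assumed set).
TECHNICAL_USERS = {"SAPABC", "DBACOCKPIT"}

DEFAULT_HOLDERS = {"SYSTEM", "_SYS_REPO"}        # hold DATA ADMIN and DEVELOPMENT by default
DEBUG_PRIVILEGES = {"DEBUG", "ATTACH DEBUGGER"}  # never in production systems
CRITICAL_COMBINATIONS = [
    ("USER ADMIN", "ROLE ADMIN"),
    ("CREATE SCENARIO", "SCENARIO ADMIN"),
    ("AUDIT ADMIN", "AUDIT OPERATOR"),
    ("CREATE STRUCTURED PRIVILEGE", "STRUCTUREDPRIVILEGE ADMIN"),
]


def effective_privileges(user, grants, role_members):
    """Union of direct grants and the grants of every role reachable from the user."""
    privs = {g.privilege for g in grants if g.grantee == user and g.grantee_type == "USER"}
    seen, todo = set(), list(role_members.get(user, []))
    while todo:
        role = todo.pop()
        if role in seen:
            continue                           # tolerate cyclic role grants
        seen.add(role)
        privs |= {g.privilege for g in grants if g.grantee == role and g.grantee_type == "ROLE"}
        todo.extend(role_members.get(role, []))
    return privs


def check_privileges(user_names, grants, role_members, production=True):
    """Checklist rows on DATA ADMIN / DEVELOPMENT, critical combinations and debug privileges."""
    # DEVELOPMENT is restricted in any system, DATA ADMIN in production systems.
    restricted = {"DEVELOPMENT"} | ({"DATA ADMIN"} if production else set())
    findings = []
    for user in user_names:
        privs = effective_privileges(user, grants, role_members)
        if user not in DEFAULT_HOLDERS:
            findings += [(user, f"holds {p}") for p in sorted(restricted & privs)]
        findings += [(user, f"critical combination {a} + {b}")
                     for a, b in CRITICAL_COMBINATIONS if a in privs and b in privs]
        if production:
            findings += [(user, f"holds {p} in production") for p in sorted(DEBUG_PRIVILEGES & privs)]
    return sorted(findings)


def check_users(user_rows, technical_users=TECHNICAL_USERS):
    """Checklist rows: SYSTEM is deactivated; NULL PASSWORD_CHANGE_TIME only for technical users."""
    findings = []
    for u in user_rows:
        if u.user_name == "SYSTEM" and not u.user_deactivated:
            findings.append(("SYSTEM", "not deactivated"))
        if u.password_change_time is None and u.user_name not in technical_users:
            findings.append((u.user_name, "PASSWORD_CHANGE_TIME is NULL, lifetime checks disabled"))
    return findings


if __name__ == "__main__":
    names = [u.user_name for u in SAMPLE_USERS]
    for who, what in check_users(SAMPLE_USERS) + check_privileges(names, SAMPLE_GRANTS, SAMPLE_ROLE_MEMBERS):
        print(f"{who}: {what}")
```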

Auditing

Area: Audit trail
Recommendation: SAP HANA can write the audit trail to syslog or a database table. If you are using syslog, it needs to be installed and configured according to your requirements (for example, for writing the audit trail to a remote server).

File System and Operating System

Area: OS users
Recommendation: Only operating system (OS) users that are needed for operating SAP HANA should exist on the SAP HANA system, that is:
• sapadm (required to authenticate to SAP Host Agent)
• <sid>adm (required by the SAP HANA database)
• Dedicated OS users for every tenant database in a multiple-container system (required for high isolation)
Note: There may be additional OS users that were installed by the hardware vendor. Check with your vendor.

Area: OS users
Recommendation: Change the passwords of the standard OS users after handover of the SAP HANA system from your certified hardware partner:
• root
• Other OS users (see above)

Area: OS file system permissions
Recommendation: Review the access permissions of files exported to the SAP HANA server. In revisions lower than revision 102.03 (SPS 10), files generated on the server from a data export have the file permission 644 by default. As a result, exported files can be read by all OS users on the server. We recommend that you restrict users with access to the server and set access permissions for the exported files to the intended values (using OS commands). In addition, ensure that only a limited number of database users have the system privileges IMPORT and EXPORT. As of revision 102.03, an administrator can set the permissions of exported files using the [import_export] file_security parameter in the indexserver.ini configuration file. The default permission set is 640 ([import_export] file_security=medium).
How to Verify: Use OS commands to check and, if necessary, change file permissions.

Area: OS patches
Recommendation: Install SLES security patches as soon as they become available. If a security patch impacts SAP HANA operation, SAP will publish an SAP Note where this fact is stated. It is up to you to decide whether to install such patches.
How to Verify: To check if security patches are available, execute the following command: zypper list-patches --category security. Note: The correct update repositories for SLES need to be set up (test: zypper lr).

Network

Area: Ports
Recommendation: Only ports that are needed for running your SAP HANA scenario should be open. For a list of required ports, see the SAP HANA Master Guide.

Area: Ports
Recommendation: In single-host systems, the [communication] listeninterface parameter should be .local.
How to Verify: select * from "PUBLIC"."M_INIFILE_CONTENTS" where section = 'communication' and key = 'listeninterface';

Area: Ports
Recommendation: In multiple-host systems, the [communication] listeninterface parameter should be .internal if a separate network is defined for internal communication. In addition, the [communication] internal_hostname_resolution parameter should be set to the IP addresses of the network adapters used for SAP HANA internal communication only. If a separate network is not defined for internal communication, the [communication] listeninterface parameter is set to .global. This exposes the internal SAP HANA service ports. To avoid a vector for security attacks, it is strongly recommended to secure internal SAP HANA ports with an additional firewall. For more information, see Configuring the Network for Multiple Hosts in the SAP HANA Administration Guide.
How to Verify:
select * from "PUBLIC"."M_INIFILE_CONTENTS" where section = 'communication' and key = 'listeninterface';
select * from "PUBLIC"."M_INIFILE_CONTENTS" where section = 'internal_hostname_resolution';

Area: Ports
Recommendation: In systems with system replication enabled, the [system_replication_communication] listeninterface parameter should be set to .internal if a separate internal network channel is configured for system replication. In this case, the [system_replication_communication] internal_hostname_resolution parameter also needs to be set to the IP addresses of the network adapters for the system replication. If a separate internal network channel is not configured for system replication, the [system_replication_communication] listeninterface parameter must be .global. In this case, it is important to secure communication using TLS/SSL and/or to protect the SAP HANA landscape with a firewall. In addition, the parameter [system_replication_communication] allowed_sender should be set to restrict possible communication to specific hosts. The parameter value must contain a list of the foreign hosts that are part of the SAP HANA system replication landscape. For more information, see Host Name Resolution for System Replication in the SAP HANA Master Guide.
How to Verify:
select * from "PUBLIC"."M_INIFILE_CONTENTS" where section = 'system_replication_communication' and key = 'listeninterface';
select * from "PUBLIC"."M_INIFILE_CONTENTS" where section = 'system_replication_communication' and key = 'internal_hostname_resolution';
select * from "PUBLIC"."M_INIFILE_CONTENTS" where section = 'system_replication_communication' and key = 'allowed_sender';

Database Configuration

Area: Compatibility
Recommendation: Parameter [jsvm] disable_access_check is not set or set to false.
How to Verify: select * from m_inifile_contents where section='jsvm' and key = 'disable_access_check'. For more information, see SAP Note 1940436 (XS resource cannot be used in package any more on SPS 07).

Area: Compatibility
Recommendation: Parameter [httpserver] anonymous_from_entry is not set or set to false.
How to Verify: select * from m_inifile_contents where section='httpserver' and key = 'anonymous_from_entry'. For more information, see SAP Note 1940440 (Retrieving anonymous connection fails on SPS 07).
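To evaluate the Network and Database Configuration rows above without a HANA system, the following Python is an added example, not code from the template or from SAP. It replays the checklist's M_INIFILE_CONTENTS queries against constructed rows (SECTION, KEY and VALUE only; ini file layers are not modeled) and compares the values against the expected settings for each topology; the topology flags, host names and IP addresses are assumptions.

```python
"""Offline evaluation of the SAP HANA network and database-configuration checklist rows.

Added example, not code from the SAP Security Baseline Template or from SAP.
It replays the M_INIFILE_CONTENTS queries from the checklist against constructed
rows so the expected values for each topology can be checked without a system.
"""
from collections import namedtuple

# Subset of M_INIFILE_CONTENTS columns used by the checklist (SECTION, KEY, VALUE).
IniRow = namedtuple("IniRow", "section key value")

# Constructed sample: multi-host system with a separate internal network,
# system replication over the client network (no separate channel), and one
# compatibility parameter left at an insecure value. Hosts and IPs are made up.
SAMPLE_ROWS = [
    IniRow("communication", "listeninterface", ".internal"),
    IniRow("internal_hostname_resolution", "10.0.1.11", "hana01"),
    IniRow("internal_hostname_resolution", "10.0.1.12", "hana02"),
    IniRow("system_replication_communication", "listeninterface", ".global"),
    IniRow("system_replication_communication", "allowed_sender", "hanadr01,hanadr02"),
    IniRow("jsvm", "disable_access_check", "true"),
    IniRow("httpserver", "anonymous_from_entry", "false"),
]


def lookup(rows, section, key=None):
    """Same selection as: select * from M_INIFILE_CONTENTS where section = ... [and key = ...]."""
    return [r for r in rows if r.section == section and (key is None or r.key == key)]


def value_of(rows, section, key):
    """Single configured value, or None when the parameter is not set (layers not modeled)."""
    hits = lookup(rows, section, key)
    return hits[0].value if hits else None


def check_communication(rows, multi_host, separate_internal_network):
    """Checklist 'Ports' rows for the [communication] listeninterface parameter."""
    findings = []
    li = value_of(rows, "communication", "listeninterface")
    if not multi_host:
        if li != ".local":
            findings.append(f"[communication] listeninterface is {li!r}, expected '.local' on a single-host system")
        return findings
    if separate_internal_network:
        if li != ".internal":
            findings.append(f"[communication] listeninterface is {li!r}, expected '.internal'")
        if not lookup(rows, "internal_hostname_resolution"):
            findings.append("internal_hostname_resolution is empty; map the internal adapters' IP addresses")
    elif li == ".global":
        # Expected without a separate network, but internal ports are then exposed.
        findings.append("[communication] listeninterface is '.global'; secure internal ports with a firewall")
    return findings


def check_system_replication(rows, separate_internal_channel):
    """Checklist 'Ports' row for [system_replication_communication]."""
    findings = []
    sec = "system_replication_communication"
    li = value_of(rows, sec, "listeninterface")
    if separate_internal_channel:
        if li != ".internal":
            findings.append(f"[{sec}] listeninterface is {li!r}, expected '.internal'")
        if not value_of(rows, sec, "internal_hostname_resolution"):
            findings.append(f"[{sec}] internal_hostname_resolution is not set")
    else:
        if li != ".global":
            findings.append(f"[{sec}] listeninterface is {li!r}, expected '.global' without a separate channel")
        senders = value_of(rows, sec, "allowed_sender") or ""
        if not [h for h in senders.split(",") if h.strip()]:
            findings.append(f"[{sec}] allowed_sender is empty; list the replication hosts")
    return findings


COMPATIBILITY_PARAMS = [("jsvm", "disable_access_check"), ("httpserver", "anonymous_from_entry")]


def check_compatibility(rows):
    """Both parameters must be unset or 'false' (compared case-insensitively)."""
    findings = []
    for section, key in COMPATIBILITY_PARAMS:
        v = value_of(rows, section, key)
        if v is not None and v.strip().lower() != "false":
            findings.append(f"[{section}] {key} is {v!r}; must be unset or false")
    return findings


def run_checklist(rows, multi_host, separate_internal_network, system_replication, separate_sr_channel):
    findings = check_communication(rows, multi_host, separate_internal_network)
    if system_replication:
        findings += check_system_replication(rows, separate_sr_channel)
    return findings + check_compatibility(rows)


if __name__ == "__main__":
    for f in run_checklist(SAMPLE_ROWS, True, True, True, False):
        print(f)
```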

4.6.2 Process Integration (SAP PI) Security


From a security perspective, the focus has to be on the topics:
• Protecting the integrity of transferred messages
• Protecting the confidentiality of transferred messages
• Ensuring the availability of interfaces

4.6.2.1 PI Service Users for internal and external communication


In general, SAP PI uses internal service users for internal communication.
A very simple denial-of-service attack would require only technical system access and the user IDs: the attacker simply tries to log in with the known service users until they are locked.
This can be avoided by:
• Changing the default user IDs (to be updated in the exchange profile)
• Changing the passwords of the default users regularly (to be updated in the exchange profile)
In addition, it might be an option to completely block access to SAP PI production from the client network; application support would then need to obtain exceptional access.

Regarding external communication, it is recommended not to use one service user for all integration scenarios, but to use a different service user for each connected system. This makes error situations easier to resolve.

4.6.2.2 PI Authorizations
Generally, authorizations for SAP PI can be configured within ABAP as well as within Java (UME).
Additional authorizations restricting access to the ES Repository and the Integration Directory can be configured in an application-specific way.
It is also possible to restrict access to message payloads via authorizations, depending on the sender / receiver system.
For ABAP, this is possible using the authorization object S_XMB_MONI; for Java, by deploying scenario-specific actions (refer to SAP Note 1370334).
It is thus possible, for instance, to prevent application support from accessing message payloads containing sensitive HR information.
At least the following administrators will still have options to access the messages:
• Administrators with direct access to the database
• Authorization administrators
Access control should be used to monitor who is allowed to display the content of all messages.

4.6.2.3 Message Level Security


If there are higher security requirements, messages can be encrypted or digitally signed to ensure
confidentiality and integrity. At intermediate stations during message transport, there is then no
option to display the encrypted message content or to violate the message integrity. This would be
an alternative to protect sensitive HR data from administrative access within SAP PI.

4.6.2.4 Specific Topics related to “Business Warehouse” (SAP BW)


SAP Business Warehouse retrieves data from source systems using extractor programs, consolidates and summarizes the data in so-called "Info Areas" and "Info Cubes", and provides reporting capabilities to end users via reporting tools (for example, BEx Analyzer).
Sensitive data has to be protected within SAP BW in two ways:
• Protect extracted data stored in info area tables / info cube tables
• Restrict reporting authorizations on sensitive data
A best-practice approach for protecting the relevant tables is to programmatically assign those info area / info cube tables containing sensitive data to specific authorization groups (table TDDAT). Then, access to these tables can be prevented by not granting table access authorizations (S_TABU_DIS) for this table group. Of course, you can use the authorization object S_TABU_NAM together with an exact list of tables as well.
To restrict reporting on this data, there is a specific authorization object (S_RS_COMP) that protects the reporting functions on different levels.
Access control should be used to monitor who is allowed to access this kind of critical data.


5 Tools and Monitoring


5.1 Solution Manager
This security guide provides an overview of the security-relevant information. Since SAP Solution
Manager covers several scenarios, this document first provides general security recommendations
for SAP Solution Manager.
The Solution Manager system is the platform for administrative tasks in implementing, operating
and upgrading systems in the system landscape. It relies heavily on mandatory and optional
components implemented in addition to SAP Solution Manager. This guide cannot describe all
relevant details for integrated components, such as third-party products or other SAP components.
Further information can be found in the applicable guides.
The following tables give an overview of these additional components, where to find more details,
and what they are used for in connection with SAP Solution Manager.
Additional Information on SAP Solution Manager:

Component: Master Guide for SAP Solution Manager
Where in the Service Marketplace / SAP Support Portal / SAP Developer Network: https://service.sap.com/instguides → SAP Components → SAP Solution Manager

Component: Upgrade Guide for SAP Solution Manager
Where in the Service Marketplace / SAP Support Portal / SAP Developer Network: https://service.sap.com/instguides → SAP Components → SAP Solution Manager

Component: Operations Guide for SAP Solution Manager
Where in the Service Marketplace / SAP Support Portal / SAP Developer Network: https://service.sap.com/instguides → SAP Components → SAP Solution Manager

Component: Installation Guide for SAP Solution Manager
Where in the Service Marketplace / SAP Support Portal / SAP Developer Network: https://service.sap.com/instguides → SAP Components → SAP Solution Manager

Component: Implementation Reference Guide for SAP Solution Manager
Where in the Service Marketplace / SAP Support Portal / SAP Developer Network: no link
IMG Activities and Other Information Sources: Transactions SOLMAN_SETUP and SPRO in the SAP Solution Manager system

Component: Solution Manager Diagnostics
Where in the Service Marketplace / SAP Support Portal / SAP Developer Network: http://wiki.sdn.sap.com/wiki/display/TechOps/RCA_Home

Additional Information on Infrastructure:

Component: Guide: Landscape Management Database
Where in the Service Marketplace / SAP Support Portal / SAP Developer Network: https://service.sap.com/instguides → SAP Components → SAP Solution Manager → Release 7.1 → Additional Guides

Component: System Landscape Directory (SLD)
Where in the Service Marketplace / SAP Support Portal / SAP Developer Network: https://www.sdn.sap.com/irj/sdn/nw-sld or https://sdn.sap.com → SAP NetWeaver Capabilities → Lifecycle Management → Application Management → System Landscape Directory
IMG Activities and Other Information Sources: Transaction SOLMAN_SETUP in the SAP Solution Manager system

Component: Software Life-Cycle Manager (SLM)
IMG Activities and Other Information Sources: Information and Configuration Prerequisites, Change Control scenario (technical name: SOLMAN_MOPZ_SLM_INFO)

This section provides a number of steps that you should perform to secure your SAP Solution Manager system. For each step, the reference in parentheses points to the further information source or to the section of this guide to see.

Phase: Setup SAP Solution Manager (Installation)
Step 0: Check Security Settings according to Installation Guide
Step 1: Network (see section 7.1)
Step 2: SSL (see section 7.4)
Step 3: Apply all relevant Security Patches (see Application System Recommendations)

Phase: Configuration Preparation of SAP Solution Manager; check the steps in the System Preparation view in transaction SOLMAN_SETUP
Step 4: ICF Services (change the default settings if you do not use HTTPS) (see section 7.3)
Step 5: View step 2: Check Recommended Profile Parameters (according to the activity documentation)
Step 6: View step 4.1: Check Web Dispatcher Configuration (documentation link in the HELP text)
Step 7: View step 4.2: Authentication Types for Web Services (according to the activity documentation)
Step 8: View step 4.4: Set Authentication Policy for Agents (according to the activity documentation)
Step 9: View step 4.5: Gateway Configuration (optional, recommended) (see section 7.7 and the documentation in the HELP text)

Phase: Configuration of SAP Solution Manager; check the steps in the Basic Settings view in transaction SOLMAN_SETUP
Step 10: View step 3.2: Configure SAProuter (optional, recommended) (see section 7.6 and the documentation in the HELP text)

Phase: Configuration of Managed Systems; check the steps in the Managed Systems view in transaction SOLMAN_SETUP
Step 11: View step 3: RFC Connections (see section 9.10)

Phase: Additional Activities
Step 12: HTTP Connect Service (see section 7.5)

Phase: User and Roles Management
Step 13: SSO / SNC (see sections 7.6 and 8.4, and SAP Note 1121248)
Step 14: Familiarize yourself with the SAP Solution Manager Authorization Concept (see section 9)
Step 15: Check the scenario-specific Security Guides

5.1.1 Communication Channels and Communication Destinations


SAP Solution Manager is based on AS ABAP and AS Java. To use SAP Solution Manager you need one
of the following clients: SAP GUI, a web browser, or SAP NetWeaver Business Client (NWBC) (for
work center functionality). Communication with other systems is via RFC technology and web
services. The security guidelines and recommendations described in the SAP NetWeaver Security
Guide also apply to the Solution Manager.
As the SAP Solution Manager's task is to manage your system landscape, it is necessary to
configure various connections to/from the managed systems.
Trusted RFC
In the web of your system landscape, SAP Solution Manager receives data from all the systems
you have connected to it via various RFC connections. The most security-relevant RFC
connection is the trusted RFC, which allows for immediate access to/from your managed systems
without any additional login. This RFC is required for several scenarios within SAP Solution
Manager, but not all.
READ RFC
The RFC for Read access is an RFC- connection with a specific RFC user of type system. It is
required to read information from managed systems in many scenarios.
TMW RFC
An additional RFC, which may be used for some scenarios, is the TMW RFC. This RFC allows for read
access as well as batch authorizations in the managed system. If you require TMW, all authorizations
for READ access are included.
BACK RFC
The BACK RFC allows the managed system to send data to SAP Solution Manager for further
usage.
This is required for Services and Incidents.
RFCs to SAP
Apart from the communication to its managed systems, SAP Solution Manager needs connections
to SAP. Many of Solution Manager's scenarios rely on close communication with its backbone. In
addition to the SAPOSS RFC, Solution Manager requires two further RFCs, which are copied from
the SAPOSS RFC.
Communication channels

Communication Channel: Solution Manager to OSS
Protocol: RFC
Type of Data Transferred / Function: Exchange of problem messages, retrieval of services

Communication Channel: Solution Manager to managed systems and back
Protocol: RFC
Type of Data Transferred / Function: Reading information from managed systems

Communication Channel: Solution Manager to remote BW system
Protocol: RFC
Type of Data Transferred / Function: Reading information from remote BW system

Communication Channel: Solution Manager to managed systems within customer network
Protocol: FTP
Type of Data Transferred / Function: Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP)

Communication Channel: Solution Manager to SAP Service Marketplace
Protocol: HTTP(S)
Type of Data Transferred / Function: Search for notes

Communication Channel: Third Party
Protocol: SOAP over HTTP(S)
Type of Data Transferred / Function: Third Party Data

Communication Channel: SLD - LMDB

5.1.2 Use of Gateway


In transaction SOLMAN_SETUP, view System Preparation, it is possible to configure Gateway
settings for Solution Manager applications on mobile devices. The Gateway can be configured in the
Solution Manager system or in a separate system. It is recommended to use a separate system.

5.1.3 User management and user types


The user management for SAP Solution Manager uses the mechanisms provided by the SAP
NetWeaver ABAP and Java tools, user types, and password policies. Since SAP Solution
Manager is based on SAP NetWeaver ABAP and Java, the User Management Engine (UME) of
the Java stack is to be configured against the ABAP stack.
Dialog user
This user type is used for individual, interactive sessions in the SAP system. An end user requires
this user type. With dialog users, it is possible to check for expired or initial passwords and to change
passwords, and the system checks for multiple logons. It is recommended to assign to a dialog
user exactly the authorizations that he or she requires to perform his or her tasks, in accordance
with an established roles concept and authorization concept.
Service user
A service user is available to a larger, for the moment anonymous, user community and
allows interactive system access. Although a service user does not log on interactively, it is
authenticated and its attributes contain a valid ticket. This user type is used, for example, for guest
access or to connect to a remote system with certain rights. With this user type, the system
does not check for expired or initial passwords, only a user administrator can change the
password, and multiple logons are permissible. Since it is security-relevant, these users should be
assigned exactly the authorizations that are required by a large number of users of equal status. The
IMG explicitly mentions where a user should be of user type Service.
System user
A system user does not allow interactive system access. This user type is used to perform
certain system activities, such as background processing, ALE, workflow, and so on. The system
excludes a user of this type from the password expiry date. Therefore, the password of these
users can only be changed by user administrators in transaction SU01. You should also ensure for
users of this type that you assign only the rights that are required in the system. This user type is
used for user SOLMAN_BTC and for RFC users.
Reference user
Instead of assigning roles to each user individually, a reference user is created for a selection of
roles that are to be assigned to a larger group of users, and the selected roles are assigned to this
user. The reference user is then assigned to the dialog users in the Roles tab of the user
master record.

5.1.4 RFC Authorization


Apart from user authorizations, an essential part of a functioning SAP Solution Manager is its
RFC connections to and from other systems (managed systems). For many scenarios they form
the basis of a successful setup. SAP Solution Manager has different RFC connections
for different purposes. In the following sections, these RFC connections are explained in more
detail. For each RFC connection a technical user is created who receives the corresponding
authorizations. In the following, the main critical authorizations for these users are explained in
more detail.

5.1.5 End User Roles in SAP Solution Manager


Considering SAP Solution Manager as a management platform for other systems (system
landscape) and business solutions (application cycle), we differentiate between:
- users who administer the SAP Solution Manager system itself, and
- users who use SAP Solution Manager to manage other systems.
The user responsible for the task area of setup, configuration, and operation of the SAP Solution
Manager system is called the SAP Solution Manager Administrator, with the default user ID
SOLMAN_ADMIN.
It is recommended to use the delivered standard SAP roles as displayed in the user interface by
the guided procedure in the system.
Note:
There are no specific administration users for the scenario-specific setup. Roles for scenario-specific
configuration are not delivered.
It is recommended to create so-called configuration roles from projects.
For each scenario, user definitions are delivered according to composite roles with the technical
name ending in *_COMP, following the principle of segregation of duties.

5.1.6 Authorizations for user interfaces


Since SAP Solution Manager is based on a variety of software components, its user interface
technologies are also varied. SAP Solution Manager uses the following technologies, which are
integrated with each other:
- ABAP WebDynpro
- BSP-based technology (CRM 7.01 WebClient UI)
- ABAP SAPGUI transactions
- Java WebDynpro (Java stack)
All user interfaces can be called via the different clients.
The use of user interface authorizations can lead to misleading ST01 traces (Tip: use transaction
STAUTHTRACE instead of transaction ST01 to trace authorization checks). If you trace one
application due to authorization error messages, the analysis of the trace displays all authority
checks executed by the system. This also includes user interface authorizations. If access to user
interfaces is restricted by the above-mentioned objects, any missing authorizations for them
are marked with return code (RC) 4. If you are not tracing for the user interface element, you
can ignore this entry.

5.1.6.1 Critical RFC connections and authorization objects


<SM_<SIDofManSystem>CLNT<ClientofManSystem>_TRUSTED>
In a heterogeneous system landscape with SAP Solution Manager as the managing platform, you
need RFC connections between SAP Solution Manager and the managed systems.
The most critical RFC connection between SAP Solution Manager and its managed systems is the
so-called Trusted RFC connection. This connection allows a seamless integration of both
systems involved. This means that once the corresponding configuration is done, you can log on to
one system and work within the other system without logging on again.
Therefore, this connection must only be used in defined cases in which such an integration is
absolutely necessary.
Authorization Object S_RFCACL
To create the trusted RFC connection, the user needs authorization object S_RFCACL assigned in
both the Solution Manager system and the managed system. This authorization object is
not contained in profile SAP_ALL due to its highly critical nature.
Authorization Object S_RFC_TT
Authorization object S_RFC_TT is only required for trusted authorization in managed systems on
SAP_BASIS 7.02 SP03 and higher.
Authorization Objects S_RFC and S_DEV_REMO
Due to the nature of SAP Solution Manager, the number of RFC calls to and from other systems is
high, and therefore a high number of function modules are affected. In the context of securing RFC
calls, three areas have to be looked at:
Authentication
Incoming RFC connections must authenticate in the system. Therefore, a user must be present in
the managed system to authenticate the RFC call. A user of type System is used here.
System Profile Parameter
The RFC authorization check can be activated or deactivated with the system profile parameter
auth/rfc_authority_check. This parameter must not be set to the value '0'.
Authorization objects
The authorization object S_RFC is used to check whether the RFC user is authorized to
execute RFC function modules. The authorization object is delivered with dedicated values.

5.1.6.2 Authorization Objects S_TABU_DIS, S_TABU_NAM and S_TABU_CLI


In many scenarios for SAP Solution Manager, the system needs to read table entries. Direct
access to tables has to be limited wherever possible, because a huge number of changes might be
executed this way.
The majority of users in a production environment do not need direct access to tables. They view
data through transaction codes. However, a few users might need such access. When providing direct
access to tables, transaction SM30 has to be used. Extra precautions should be taken for the
selected users who require access to transaction SE16 or SE16N, because these transactions provide
powerful access to a wide variety of data.
SE16 can be made safer by creating a custom transaction code. With a custom transaction code,
the user executes SE16 with a view of the table they require. This means they do not enter the
table name; instead, the custom transaction code takes them into transaction SE16 and directly into
the table.
Using authorization object S_TABU_NAM instead of S_TABU_DIS, you can restrict access to
individual tables instead of (large) groups of tables.
Authorization object S_TABU_CLI grants authorization to maintain cross-client tables with the
standard table maintenance transaction SM31, the extended table maintenance transaction SM30, and
the Data Browser. It acts as an additional security measure for cross-client tables and enhances the
general table maintenance authorization S_TABU_DIS.

5.1.7 Required TCP/IP Ports


You can find the complete list of ports used by SAP software in a wiki:
https://wiki.scn.sap.com/wiki/display/TCPIP/SAP+NetWeaver
Put the SAP Solution Manager system in the same subnet or DMZ as your managed landscape. If
you manage systems in different subnets, adapt your security settings and firewall accordingly.
Ports for Communication to SAP Solution Manager - Established Connection
From Host / Source Host | To Host / Destination Host | Service on Destination Host (Protocol) | Format (example)
Outside (or DMZ) | All Solution Manager Instances | J2EE engine (HTTP) | 5<instance no.>00 (50100)
Outside (or DMZ) | All Solution Manager Instances | ITS (HTTP) | 80<instance no.> (8000)
Outside (or DMZ) | All Solution Manager Instances | Introscope Manager (HTTP) | Default: 8081
Diagnostics Server | All Solution Manager Instances | IGS (HTTP) | 4<instance no.>80 (40180)
Diagnostics Agent (managed system host) | All Solution Manager Instances | J2EE engine (P4) | 5<instance no.>04 (50104)
Diagnostics Agent (managed system host) | Solution Manager Message Server | Java Message Server (HTTP) | 81<instance no.> (8101)
Diagnostics Agent (managed system host) | Relevant Introscope Enterprise Manager Host | Introscope Enterprise Manager (TCP/IP) | Default: 6001

Consider the following lines when operating an SAP Solution Manager system 7.1 SP03 or higher
set up with a Web Dispatcher, especially when having multiple dual-stack instances.
From Host / Source Host | To Hosts / Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
All Solution Manager Instances | Web Dispatcher | Web Service (HTTP) | (80)
Diagnostics Agent (managed system host) | Web Dispatcher | Web Service (HTTP) | (80)
Web Dispatcher (forwarded HTTP requests) | All Solution Manager Instances | Web Service via ICM (HTTP) | 80<instance no.> (8000)

Consider the following line when operating a Solution Manager system 7.1 SP03 or higher with
one single dual-stack instance and set up without a Web Dispatcher.
From Host / Source Host | To Hosts / Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
Diagnostics Agent (managed system host) | Solution Manager Single Instance | Web Service via ICM (HTTP) | 80<instance no.> (8000)

Consider the following line when operating a Solution Manager system prior to 7.1 SP03.
From Host / Source Host | To Hosts / Destination Hosts | Service on Destination Hosts (Protocol) | Format (example)
Diagnostics Agent (managed system host) | All Solution Manager Instances | Web Service via ABAP Message Server (HTTP) | 81<instance no.> (8100)

5.2 Early Watch Alert (EWA)


It is crucial to use tools that monitor the essential administrative areas of SAP components and
keep the systems up to date regarding their performance and stability. This process identifies
potential problems early, avoids bottlenecks and monitors the performance of your systems.
Use the EWA Report to observe selected information on critical security topics:
- Default Passwords of Standard Users
- Password Policy
- RFC Gateway and Message Server Security
- Users with Critical Authorizations
Prerequisites
- Set up RFC connections between the satellite systems and the SAP Solution Manager
  system, and an RFC connection between the SAP Solution Manager and the SAP
  Service Marketplace.
- Check the availability of the required tools for the SAP service session (ST-A/PI add-on)
  with the report RTCCTOOL.
- Activate Alert Monitoring for all SAP satellite systems and the central SAP Solution
  Manager of your solution, and set up the Automatic Session Manager (ASM) in
  the Service Data Control Center (transaction SDCC or SDCCN) of the satellite
  systems (SAP note 91488).
- Set up the systems in a solution landscape in the SAP Solution Manager.

5.3 SAP Security Optimization Service


Use the SAP Security Optimization Service to verify and improve the security of the SAP systems
by identifying potential security issues and giving recommendations on how to improve the security
of the system. It helps to:
- Decrease the risk of a system intrusion
- Ensure the confidentiality of business data
- Ensure the authenticity of users
- Substantially reduce the risk of costly downtime due to wrong user interaction

5.4 Configuration Validation


It is recommended to use Configuration Validation to determine whether the systems in the
landscape are configured consistently and in accordance with the requirements. It is possible to
check the current configuration of a system in the landscape against a defined target state or to
compare it with an existing system.
Configuration Validation provides reporting to understand how homogeneous the configuration of
systems is. It uses the configuration data stored centrally in Solution Manager to perform a
configuration validation of a large number of systems using a subset of the collected configuration
data.

Configuration Validation is used in the following use cases:
- Security Compliance: check compliance with the defined policy, such as RFC Gateway
  configuration, authorizations and users, security-relevant instance parameters, etc.
- Transports: evaluate missing or failed transport requests and, for example, validate the
  production backlog
- OS / Host: compare the configuration of operating system and host
- Database: validate the configuration of database parameters and level
- Software: validate ABAP / Java software packages
- SAP Kernel: evaluate SAP Kernel level compliance
- Reporting: reporting on the software / SAP Kernel level and other configuration items is
  done without validation
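A miniature of the Configuration Validation approach described above, covering both modes the text names (validation against a defined target state, and comparison with an existing reference system) plus a homogeneity count, and applying the auth/rfc_authority_check requirement from section 5.1.6.1. This is an added example, not SAP's Configuration Validation code; the system IDs, the collected values and every target rule other than the auth/rfc_authority_check rule are constructed sample data.

```python
"""Configuration Validation in miniature: check profile parameters collected
from several ABAP systems against a target state and against a reference
system, and report how homogeneous the landscape is.

Added example, not SAP's Configuration Validation. System IDs, values and
the target rules other than auth/rfc_authority_check are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# system ID -> parameter name -> value, as a central store would hold it.
ParamStore = Dict[str, Dict[str, str]]

# Constructed sample landscape. DEV deliberately has no gw/reg_no_conn_info
# entry, to show how an unset parameter is handled.
COLLECTED: ParamStore = {
    "PRD": {"auth/rfc_authority_check": "1", "gw/acl_mode": "1",
            "gw/reg_no_conn_info": "255", "login/min_password_lng": "8"},
    "QAS": {"auth/rfc_authority_check": "0", "gw/acl_mode": "1",
            "gw/reg_no_conn_info": "255", "login/min_password_lng": "8"},
    "DEV": {"auth/rfc_authority_check": "1", "gw/acl_mode": "1",
            "login/min_password_lng": "6"},
}


@dataclass(frozen=True)
class Rule:
    parameter: str
    expectation: str               # human-readable target state
    check: Callable[[str], bool]   # True when the value is compliant


def at_least(minimum: int) -> Callable[[str], bool]:
    """Rule helper for numeric parameters; non-numeric values fail."""
    return lambda value: value.strip().isdigit() and int(value) >= minimum


TARGET_STATE: List[Rule] = [
    # Stated in this template: the RFC authorization check must not be '0'.
    Rule("auth/rfc_authority_check", "not 0", lambda v: v.strip() != "0"),
    # Constructed example rules for gateway ACL mode and password length.
    Rule("gw/acl_mode", "1", lambda v: v.strip() == "1"),
    Rule("login/min_password_lng", ">= 8", at_least(8)),
]


@dataclass(frozen=True)
class Finding:
    system: str
    parameter: str
    actual: Optional[str]   # None when the parameter is not set
    expected: str


def validate_target_state(store: ParamStore, rules: List[Rule]) -> List[Finding]:
    """One finding per system and rule that is violated or not evaluable."""
    findings: List[Finding] = []
    for sid in sorted(store):
        params = store[sid]
        for rule in rules:
            actual = params.get(rule.parameter)
            # An unset parameter takes the kernel default, which the store
            # does not know; report it rather than silently pass it.
            if actual is None or not rule.check(actual):
                findings.append(Finding(sid, rule.parameter, actual, rule.expectation))
    return findings


def compare_to_reference(store: ParamStore, reference: str
                         ) -> Dict[str, Dict[str, Tuple[Optional[str], Optional[str]]]]:
    """Per system, the parameters whose value differs from the reference
    system, as (reference value, system value); None means not set."""
    ref = store[reference]
    deviations = {}
    for sid, params in store.items():
        if sid == reference:
            continue
        diff = {}
        for name in sorted(set(ref) | set(params)):
            if ref.get(name) != params.get(name):
                diff[name] = (ref.get(name), params.get(name))
        deviations[sid] = diff
    return deviations


def homogeneity(store: ParamStore) -> Dict[str, int]:
    """Number of distinct values per parameter across the landscape;
    'not set' counts as a value, so 1 means fully homogeneous."""
    values: Dict[str, set] = {}
    for params in store.values():
        for name, value in params.items():
            values.setdefault(name, set()).add(value)
    for name, seen in values.items():
        if any(name not in params for params in store.values()):
            seen.add(None)
    return {name: len(seen) for name, seen in values.items()}


if __name__ == "__main__":
    for f in validate_target_state(COLLECTED, TARGET_STATE):
        shown = "<not set>" if f.actual is None else f.actual
        print(f"{f.system}: {f.parameter} = {shown}, expected {f.expected}")
    for sid, diff in compare_to_reference(COLLECTED, "PRD").items():
        print(f"{sid} vs PRD: {diff}")
    print("distinct values per parameter:", homogeneity(COLLECTED))
```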

You can find the documentation and best practices about Configuration Stores in the WIKI on
SCN.
Tip: You can use your favorite search engine to search for specific configuration stores within this
WIKI. In case of Google you can use the following modifiers to restrict the search:
site:wiki.scn.sap.com inurl:TechOps <name of target system>


6 Appendix: SAP Secure Operations Map


Security Compliance: Security Governance | Audit | Cloud Security | Emergency Concept
Secure Operations: Users and Authorizations | Authentication and Single Sign-On | Support Security | Security Review and Monitoring
Secure Setup: Secure Configuration | Communication Security | Data Security
Secure Code: Security Maintenance of SAP Code | Custom Code Security
Infrastructure Security: Network Security | Operating System and Database Security | Frontend Security

The tracks of the Secure Operations Map cover the following topics:
Security Compliance
1. Security Governance: Adopt security policies for your SAP landscape, create and implement an
SAP Security Baseline
2. Audit: Ensure and verify the compliance of a company’s IT infrastructure and operation with
internal and external guidelines
3. Cloud Security: Ensure secure operation in cloud and outsourcing scenarios
4. Emergency Concept: Prepare for and react to emergency situations
Secure Operations
5. Users and Authorizations: Manage IT users and authorizations including special users like
administrators
6. Authentication and Single Sign-On: Authenticate users properly – but only as often as really
required
7. Support Security: Resolve software incidents in a secure manner
8. Security Review and Monitoring: Review and monitor the security of your SAP systems on
a regular basis
Secure Setup
9. Secure Configuration: Establish and maintain a secure configuration of standard and
custom business applications
10. Communication Security: Utilize communication security measures available in your SAP
software
11. Data Security: Secure critical data beyond pure authorization protection
Secure Code
12. Security Maintenance of SAP Code: Establish an effective process to maintain the security
of SAP delivered code
13. Custom Code Security: Develop secure custom code and maintain the security of it
Infrastructure Security
14. Network Security: Ensure a secure network environment covering SAP requirements
15. Operating System and Database Security: Cover SAP requirements towards the OS and
DB level


16. Frontend Security: Establish proper security on the frontend including workstations and
mobile devices

6.1 Security Governance


Create and implement an SAP Security Baseline, containing the governing SAP-specific
regulations to be applied to all SAP systems in the customer's landscapes.
Define and implement an operational model with clearly defined roles and responsibilities as well as
the operational process ensuring that the requirements become real action in the different system
landscapes. The goal is to achieve a common understanding of the responsibilities of the different
parties involved and comparable results for the implementation of measures and regular reporting.
To ensure full transparency on the implemented IT security level, each area has to implement and
operate an appropriate Risk Management and IT Risk and Security Lifecycle.
Identify systems or landscapes for which – on a first informal assessment – the standard SAP
Security Baseline may not be sufficient. This may be the case if specific security requirements or
restrictions apply to a certain system. For such systems – after covering the SAP Security Baseline
requirements – a detailed risk analysis is required. Measures required beyond the Baseline then need
to be included in the rule set, operations and risk management for such systems.

6.2 Audit
Prepare for internal and external audits
- Identify relevant regulations like ITIL, BASEL II, SOX, FDA, Data Protection or ISO 27000
  and derive required measures and controls from there.
- Ensure the auditability of systems by enforcing appropriate and effective security, e.g. no
  unrestricted authorizations (e.g. “SAP_ALL”) or debug/change authorizations on production
  systems.
- Define logs and traces to be collected (consider data protection laws, put limits on the
  production environment, define clipping levels etc.). Restrict access to log data and logging
  facilities.
Assess your systems on a regular basis
- Analyze logs with appropriate tools (Audit Information System, Security Audit Log, User
  Information System (SUIM), SAP Solution Manager, etc.)
- Perform security assessments (Security Optimization Services, penetration tests)
- Audit the different Secure Operations tracks, e.g.
  - infrastructure settings and communication interfaces (firewall, RFC destinations,
    ALE, ICF, WS, etc.)
  - users and authorizations (spot checks, GRC access control, etc.)
Respond to audit results
- Resolve audit complaints appropriately
- Improve operations and rule sets to avoid similar findings in future

6.3 Cloud Security


Define minimum security requirements for Service Level Agreements (SLAs)
- Definition of roles and responsibilities (e.g. basis administration by the outsourcing partner,
  application administration by the company itself)
- Definition of interfaces, communication and controls between the parties
- Regulations for security maintenance, secure configuration and secure operation of
  systems
For those parts that remain in the customer's responsibility (e.g. application operations for HEC
systems) the standard recommendations and Secure Operations track recommendations remain
unchanged.
Establish suitable infrastructures (Identity Management, Single Sign-On) and secure connections
to integrate the cloud service into your landscape and to connect hybrid scenarios.

6.4 Emergency Concept


Prepare for incidents
- Define processes and responsibilities
- Create and maintain emergency users for relevant systems
- Collect required logs and data
- Define rules and triggers for incident identification and classification
- Define processes for incident response, impact containment and remediation, and incident
  recovery
- Prepare for technical and non-technical (e.g. legal) follow-up and improvements
Ensure a suitable backup and recovery concept (which targets availability; not part of the Security
standard)

6.5 Users & Authorizations


Define a User Authorization Concept, including:
- Define appropriate authorizations for business users and roles
- Ensure cross-system and cross-landscape consistency of authorizations
- Segregate basis authorizations from application-level authorizations
- Define appropriate roles and authorizations for all administration topics (security
  administrator, IT administrator, data custodian, auditor, etc.)
Define and maintain support and emergency users with appropriate roles and authorizations as
well as activation/deactivation rules and documentation requirements.
Clarify the overall identity and authorization provisioning architecture
- Define and implement processes for the proper creation, modification and removal of users
  and authorizations (led by HCM)
- Implement Identity Management or integrate with an existing Identity Management
  infrastructure.
- Integrate with any existing corporate directory. Check replication and synchronization
  among user stores (IdM, LDAP, UME, CUA, etc.)
Implement proper Segregation of Duties (SoD) rules, controls and mechanisms

6.6 Authentication and Single Sign-On


Establish appropriate single- or multi-factor authentication mechanisms.
Decide on and implement central authentication and Single Sign-On to connected systems – or
integrate with existing Single Sign-On infrastructures. This may include:
- Maintenance and operation of corresponding Public Key Infrastructures
- Management of certificates (maintenance of key stores, revocation lists, certificate
  requests, etc.)
- Operation of initial authentication points and Identity Provider / Identity Consumer services
Prepare for authenticator (password, certificate, token) renewal and revocation.


6.7 Support Security


Address the needs for getting support in a secure manner on the different levels:
- Secure internal support by the internal support group of the respective company or
  organization
- Secure external support from third parties
- Secure support from SAP as the vendor
- “Advanced Secure Support” offering from SAP for companies and organizations with
  enhanced security needs like cleared support personnel or secure support rooms
Define requirements for support connections and select accordingly (NetViewer, opening of remote
connections etc.)
Manage support user accounts and authorizations (password policies, validity period etc.)
Allow reproduction of errors on development and test systems (TDMS)
Develop guidelines for message handling (interaction between employee and support etc.)

6.8 Security Review and Monitoring


Monitor and review security settings, which includes external or internal assessments as well as
tools and services like the EarlyWatch Alert Security chapter or the Security Optimization Self or
Remote Service.
Monitor and review activity logs (including the security audit logs).
Periodically review security-relevant configuration settings of all systems and installed software
components, e.g. via Configuration Validation and Security Dashboards.
Integrate security monitoring with Alerting (e.g. SAP Solution Manager Monitoring and Alerting
Infrastructure), Operation Control Centers (OCC) or Risk Management and Mitigation (e.g. GRC
Process Control).

6.9 Secure Configuration


Maintain security configuration settings and changes
- Especially refer to the SAP Security Guides and to the SAP Security Baseline Template
Set up and maintain the transport management system for ABAP and Java (protect the transport
directory)

6.10 Communication Security


Secure data in transit via communication encryption, e.g. via SSL/TLS or SNC
Maintain and operate the corresponding Public Key Infrastructure
Secure RFC communication by
- respecting the system security hierarchy and setting up connections appropriately
- restricting RFC access, e.g. via UCON
- assigning proper network / RFC authorizations
- using RFC Gateway security mechanisms to secure the usage of started or registered RFC
  servers
Limit ICF / Web services to the required minimum


6.11 Data Security


Message-level security, including data encryption (e.g. of credit card numbers) and digital
signatures e.g. via the Secure Store and Forward (SSF) framework.
Anti-Virus scanning of files and documents, e.g. via the Virus Scan Interface (VSI)

6.12 Security Maintenance of SAP Code


Security Maintenance approach for handling Security Notes published on the SAP Patch Days:
- Note risk evaluation and note implementation
- Kernel updates
- General software maintenance (Support Packages (SP), new versions, new patch levels)
  including corresponding Security Notes planning
Implementation and use of corresponding tools like:
- Maintenance Optimizer
- System Recommendations
- Configuration Validation

6.13 Custom Code Security


Custom Code Lifecycle Management and Custom Code Clean-Up
Custom Code Secure Development Lifecycle
- Knowledge & Awareness
  - Introduce security in the SW development organizations and processes
- Procedures & Guidelines
  - Define and implement a Secure Software Development Lifecycle
  - Provide guidelines, best practices etc.
  - Develop a test concept for in-house and 3rd party development
- Tool Support
  - Implement code security scanners, e.g. the Code Vulnerability Analyzer (CVA)

6.14 Network Security


Maintain an appropriate network topology, network segregation and domain concept
Limit network services and protocols
Implement and secure SAP network components like SAProuter and SAP Web Dispatcher
Cover key SAP requirements towards the network layer, e.g. introduce at least a separation
between server and client networks.

6.15 Operating System and Database Security


Operating Systems (OS)
- Verify OS hardening, update and test systems, maintain and perform anti-virus checks,
  ensure integrity of critical system files and configurations, keep the user base up to date
- Cover SAP security needs, e.g. OS-level protection of critical directories like the transport
  directory
Databases (DB)
- Restrict use of the database, proprietary database tools and database-specific functions by
  proper authorization management at the database level
- Log and analyze database security events
- Cover SAP security needs, e.g. avoid database usage bypassing the SAP DB abstraction
  layer (if not required, e.g. for direct access to a HANA database)

6.16 Frontend Security


Manage devices and applications – especially for mobile devices.
Manage secure software distribution and configuration
Monitor usage of licenses and installations of unauthorized software
Maintain secure communication channels.
Configure, distribute and activate SAPGUI security mechanisms including the SAPGUI Access
Control Lists.


7 Appendix: References and Links (whitepapers / best practices)


[1] SAP Homepage [publicly available]
[2] SAP Help Portal [publicly available]
[3] SAP Service Marketplace / SAP Support Portal [“S-User” ID and Password required]
[4] SAP Security on Service Marketplace [“S-User” ID and Password required]
[5] → Security in Detail → SAP Security Guides; SAP notes on Support Portal [“S-User” ID and
Password required]
[6] SAP Community Network [publicly available]
[7] RFC Gateway Security
SAP Note 1036936 - Security Note: External RFC Server
The following SAP Notes provide additional information to the above-mentioned Security
Guides in case the configuration does not exist:
SAP Note 64016 - Using the SAP Gateway monitor GWMON
SAP Note 110612 - Using the secinfo file (gateway ACL)
SAP Note 866732 - Security check when executing external commands/programs (2)
SAP Note 618516 - Security-related enhancement of RFCEXEC program
SAP Note 2269642 - GW: Validity of parameter gw/reg_no_conn_info as of Kernel 7.40
SAP Note 1298433 - Bypassing security in reginfo & secinfo (bit value 1)
SAP Note 1434117 - Bypassing sec_info without reg_info (bit value 2)
SAP Note 1465129 - CANCEL registered programs (bit value 4)
SAP Note 1473017 - Uppercase/lowercase in the files reg_info and sec_info (bit value 8)
SAP Note 1480644 - gw/acl_mode versus gw/reg_no_conn_info (bit value 16)
SAP Note 1633982 - ACCESS option in the file reginfo (bit value 32)
SAP Note 1697971 - GW: Enhancement when starting external programs (bit value 64)
SAP Note 1848930 - GW: Strong gw/prxy_info check (bit value 128)
WIKI Gateway security settings - extra information regarding SAP note 1444282
https://wiki.scn.sap.com/wiki/display/SI/Gateway+security+settings+-
+extra+information+regarding+SAP+note+1444282
[8] Security Guides for SAP NetWeaver
https://service.sap.com/securityguides Web Version
Examples from basis release 7.02:
Book Chapter
ABAP Workbench Tools ABAP Workbench Tools
Administration Manual An Overview of the Security-Related Services
Administration Manual Creating a New Connection Entry
Administration Manual IIOP Provider Service
Administration Manual Java Mail Client Service
Administration Manual JCo RFC Provider Service
Administration Manual P4 Provider Service
Administration Manual Secure Storage Service
Administration Manual SSL Provider Service
Administration Manual Visual Administrator

24 Juli 2018 Document1 page 134 of 149


SAP SECURITY BASELINE TEMPLATE

Auditing and Logging | Security Audit Log
Authentication and Single Sign-On | Configuring SAP Systems to Accept and Verify Logon Tickets
Authentication and Single Sign-On | Configuring the J2EE Engine to Accept Logon Tickets
Authentication and Single Sign-On | Configuring UME to Use an LDAP Server as Data Source
Authentication on the Portal | Configuring a Portal Server for SSO with Logon Tickets
Authentication on the Portal | Single Sign-On
Background Processing | Authorizations for Background Processing
Background Processing | Background Processing
Background Processing | Managing Jobs from the Job Overview
Background Processing | Standard Jobs
Change and Transport System | Client Control
Changing the SAP Standard (BC) | SAP Software Change Registration Procedure (SSCR)
Collaboration Security Guide | Active Code
Components of SAP Communication Technology | HTTP Communication Using the SAP System as a Client
Components of SAP Communication Technology | Internet Communication Framework
Components of SAP Communication Technology | Setting Up Error Pages
Configuration of Usage Type Process Integration (PI) | Security Configuration at Message Level
Enabling User Collaboration | Activating Synchronous Collaboration Service Types
Enabling User Collaboration | Configuring Client Browsers to Accept the RTC ActiveX Control
Enabling User Collaboration | Enabling User Collaboration
Enabling User Collaboration | Installing and Configuring Calendar Connectivity
Enabling User Collaboration | Installing and Configuring Lotus Domino Connectivity
Enabling User Collaboration | Installing and Configuring Microsoft Exchange Connectivity
Identity Management | Configuring Identity Management
Identity Management | Configuring the Security Policy for User ID and Passwords
Identity Management | Logging and Tracing
Identity Management | Logon and Password Security in the ABAP System
Identity Management | Password Rules
Identity Management | Profile Parameters for Logon and Password
Identity Management | User Management Engine
Internet Communication Manager (ICM) | Internet Communication Manager
Knowledge Management | External Repositories
Knowledge Management | Providing Portal Drive to Client PCs
Knowledge Management | WebDAV
Knowledge Management Security Guide | Further Security-Relevant Information
Knowledge Management Security Guide | Knowledge Management Security Guide
Network and Transport Layer Security | Configuring SNC Between the UME and an ABAP-Based System
Network and Transport Layer Security | Configuring SSL Between the UME and an LDAP Directory
Network and Transport Layer Security | Configuring the SAP Web AS for Supporting SSL
Network and Transport Layer Security | Configuring the Use of SSL on the J2EE Engine
Network and Transport Layer Security | Creating an SNC PSE for the SAP J2EE Engine
Network and Transport Layer Security | Deploying the SAP Java Cryptographic Toolkit
Network and Transport Layer Security | Destination Service
Network and Transport Layer Security | Maintaining HTTP and Web Service Destinations
Network and Transport Layer Security | Maintaining RFC Destinations
Network and Transport Layer Security | Managing Cryptography Providers
Portal | Creating iViews for Databases (JDBC)
Portal | Creating SAP Application iViews
Portal | Creating Web Dynpro Java iViews
Portal | Creating Web-based URL iViews
Portal | Creating XML iViews
Portal | Editing HTTP System Properties
Portal | Editing JDBC System Properties
Portal | Editing SAP System Properties
Portal | iViews
Portal | Pre-configured Roles
Portal | Security Zones
Portal | System landscape
Portal | System Properties for Proxy Server
Portal Security Guide | Dispensable Functions with Impacts on Security
Portal Security Guide | Network and Communication Security (Portal)
Portal Security Guide | Portal Security Guide
Portal Security Guide | User Management
Running an Enterprise Portal | Creating Web Dynpro ABAP iViews
SAP Gateway | SAP Gateway
SAP NetWeaver Application Server ABAP Security Guide | As of Release 4.0
SAP NetWeaver Application Server ABAP Security Guide | Protecting Standard Users
SAP NetWeaver Application Server ABAP Security Guide | Protecting Your Productive System (Change & Transport System)
SAP NetWeaver Application Server ABAP Security Guide | User Types
SAP NetWeaver Application Server Java Security Guide | Authorizations
SAP NetWeaver Application Server Java Security Guide | Standard User Groups
SAP NetWeaver Application Server Java Security Guide | Standard Users
SAP NetWeaver Exchange Infrastructure | Communication Channel Configuration
SAP NetWeaver Exchange Infrastructure | Communication Channel Configuration RNIF
SAP NetWeaver Exchange Infrastructure | Communication Channel Configuration RNIF 2.0
SAP NetWeaver Exchange Infrastructure | Communication Channel Configuration Sender
SAP NetWeaver Exchange Infrastructure | Configuring a Communication Channel for single-action initiator
SAP NetWeaver Exchange Infrastructure | Configuring a Communication Channel for single-action responder
SAP NetWeaver Exchange Infrastructure | Configuring a Communication Channel for two-action initiator
SAP NetWeaver Exchange Infrastructure | Configuring a Communication Channel for two-action responder
SAP NetWeaver Exchange Infrastructure | Configuring the Receiver File/FTP Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Receiver JDBC Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Receiver JMS Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Receiver Mail Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Receiver Marketplace Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Receiver RFC Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Receiver SAP Business Connector Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Receiver SOAP Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender File/FTP Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender JDBC Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender JMS Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender Mail Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender Marketplace Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender Plain HTTP Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender RFC Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender SAP Business Connector Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender SOAP Adapter
SAP NetWeaver Exchange Infrastructure | Configuring the Sender XI Adapter
SAP NetWeaver Exchange Infrastructure | IDoc Adapter
SAP NetWeaver Exchange Infrastructure | JDBC Adapter
SAP NetWeaver Exchange Infrastructure | JMS Adapter
SAP NetWeaver Exchange Infrastructure | Marketplace Adapter
SAP NetWeaver Exchange Infrastructure | Plain HTTP Adapter
SAP NetWeaver Exchange Infrastructure | RFC Adapter
SAP NetWeaver Exchange Infrastructure | RNIF Adapters
SAP NetWeaver Exchange Infrastructure | SAP Business Connector Adapter
SAP NetWeaver Exchange Infrastructure | Security Services in the RNIF Adapter 1.1
SAP NetWeaver Exchange Infrastructure | Security Services in the RNIF Adapter 2.0
SAP NetWeaver Exchange Infrastructure | Single-Action Initiator
SAP NetWeaver Exchange Infrastructure | Single-Action Responder
SAP NetWeaver Exchange Infrastructure | SOAP Adapter
SAP NetWeaver Exchange Infrastructure | XI Adapter
SAP NetWeaver Process Integration Security Guide | CIDX Adapter
SAP NetWeaver Process Integration Security Guide | File/FTP, JDBC, JMS, and Mail Adapters
SAP NetWeaver Process Integration Security Guide | Message-Level Security
SAP NetWeaver Process Integration Security Guide | Network and Communication Security
SAP NetWeaver Process Integration Security Guide | RFC and SNC
SAP NetWeaver Process Integration Security Guide | RosettaNet RNIF Adapters
SAP NetWeaver Process Integration Security Guide | Service Users for Internal Communication
SAP NetWeaver Process Integration Security Guide | Service Users for Message Exchange
SAP NetWeaver Process Integration Security Guide | Technical Communication
SAP NetWeaver Security Guide | Security Guide for SAP NetWeaver 6.40
SAP NetWeaver Security Guide | Security Guide for SAP NetWeaver 7.0
SAP NetWeaver Security Guide | Security Guides for Usage Types EPC and EP
SAP Web Dispatcher | is/HTTP/show_detailed_errors
SAP Web Dispatcher | Metadata Exchange Using SSL
SAPconnect (BC-SRV-COM) | Secure Email
SAProuter | Route Table Examples
SAProuter | SAProuter
SAProuter | SAProuter Options
Search | Configuration of the TREX Security Settings
Search | Configuring TREXNet for Secure Communication
Search and Classification (TREX) Security Guide | Search and Classification (TREX) Security Guide
Secure Programming | Password Security
Secure Programming | Secure Programming - ABAP
Security Guide for Connectivity with the J2EE Engine | Configuring the J2EE Engine for IIOP Security
Security of the SAP NetWeaver Development Infrastructure | File Access Rights for the NWDI Transport Directory
Security of the SAP NetWeaver Development Infrastructure | Working with the SDM
System Security | Key Storage Service
System Security | Secure Storage (ABAP)
Technical Operations Manual for mySAP Technology | The PSE Types
User Authentication and Single Sign-On | Authentication on the AS Java
User Authentication and Single Sign-On | Authentication Schemes
User Authentication and Single Sign-On | Login Modules
Using Java | Creating JCo Destinations
Using Java | Custom Error Pages
Using Java | Default Configurations of the Web Container
Using Java | Java Messaging
Using Java | Remote Authentication
Using Java | RMI-IIOP
Using Java | RMI-P4
Using Java | Setting Up the Development Landscape: Landscape Configurator
Using Java | Transports with the NWDI: Transport Studio
Using Java | UME Properties for the Security Policy
Using Java | User Authorization in the Design Time Repository
Using Java | Using P4 Protocol Over a Secure Connection
Using Java | Version Control
Using Java | Web Dynpro Architecture
Using Java | Web Dynpro Content Administrator
Using the SAP Cryptographic Library for SNC | Using the SAP Cryptographic Library for SNC
Working with Folders in Windows (Portal Drive) | Working with Folders in Windows (Portal Drive)

[9] SNC User's Guide ["S-User" ID and Password required]
https://service.sap.com/security → Security in Detail → Secure User Access → Authentication & Single Sign-On → SNC user's guide
[10] Secure Store & Forward
https://www.sdn.sap.com/irj/sdn/sdnservices/icc
→ Integration Scenarios (alphabetical)
→ BC – SSF
[11] SSF Documents
SSF-User-Guide
SSF API specifications
[12] TCP/IP Ports used by SAP
https://wiki.scn.sap.com/wiki/display/TCPIP/Home+of+TCP-IP+Ports
[13] Partner Directories
https://www.sap.com
→ Partners → Global & Local Partner Directories → Search → Search for Solutions → SAP Defined Integration Scenarios
[14] Integration Scenarios – Interface Reference Table
https://www.sdn.sap.com/irj/sdn/icc → Integration Scenarios (alphabetical)
[15] Front-End Network Requirements for mySAP Business Solutions
https://service.sap.com/sizing
→ Sizing Guidelines
→ Solutions & Platforms
→ Frontend Network Requirements for SAP Solutions
[16] Security Whitepapers
https://support.sap.com/securitywp
Securing Remote Function Calls (RFC), November 2014
https://support.sap.com/dam/library/SAP%20Support%20Portal/kb-incidents/notes-knowledge-base-notification/security-notes/white-papers/securing_remote-function-calls.pdf
Secure Configuration SAP NetWeaver Application Server ABAP
https://support.sap.com/dam/library/SAP%20Support%20Portal/kb-incidents/notes-knowledge-base-notification/security-notes/white-papers/secure-config-netweaver-app-server-abap.pdf
[17] Blogs on SCN
Security Patch Process FAQ
https://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
Report ZSYSREC_NOTELIST - Show results of System Recommendation
https://scn.sap.com/community/security/blog/2011/07/18/report-zsysrecnotelist--show-results-of-system-recommendation
How to get RFC call traces to build authorizations for S_RFC for free!
https://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free
Recommended Settings for the Security Audit Log (SM19 / SM20)
https://scn.sap.com/thread/3298688
How to remove unused clients including client 001 and 066
https://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066
or SAP note 1749142
Security of the SAProuter
https://scn.sap.com/community/security/blog/2013/11/13/security-of-the-saprouter
Life (profile SAP_NEW), the Universe (role SAP_NEW) and Everything (SAP_ALL)
https://scn.sap.com/community/security/blog/2014/02/17/life-profile-sapnew-the-universe-role-sapnew-and-everything-sapall
ABAP Development Standards concerning Security
https://scn.sap.com/community/security/blog/2010/05/28/abap-development-standards-concerning-security
Export/Import Critical Authorizations for RSUSR008_009_NEW
https://scn.sap.com/community/security/blog/2012/08/14/exportimport-critical-authorizations-for-rsusr008009new
SAP Solution Manager - Configuration Validation WIKI
https://scn.sap.com/docs/DOC-58830
SAP HANA Audit Trail - Best Practice
https://scn.sap.com/docs/DOC-51098
How to Define Standard Roles for SAP HANA Systems
https://scn.sap.com/docs/DOC-53974
[18] Documentation: Configuration Table HTTPURLLOC
https://help.sap.com/saphelp_nw70ehp2/helpdata/en/42/d547ab30b6473ce10000000a114e5d/frameset.htm
Blog: HTTPURLLOC demystified
https://scn.sap.com/community/netweaver-as/blog/2014/06/04/table-httpurlloc-demystified
Blog: Using Proxies
https://wiki.scn.sap.com/wiki/display/BSP/Using+Proxies

8 Index

A AUTH_COMB_CHECK_USER ................................ 27
Authorization objects AUTH_PROFILE_USER ....................................... 27
S_DEV_REMO ..................................................... 123 AUTH_ROLE_USER .............................................. 27
S_DEVELOP .................................................... 95, 96 AUTH_TRANSACTION_USER ............................. 27
S_RFC ......................................23, 89, 123, 124, 139 CLIENTS ............................................................... 27
S_RFC_TT .......................................................... 123 com.sap.security.core.ume.service . 29
S_RFCACL .................................................... 96, 123 GLOBAL ................................................................. 27
S_RS_COMP ........................................................ 117 GW_REGINFO........................................................ 28
S_TABU_CLI ..................................................... 124 GW_SECINFO........................................................ 28
S_TABU_DIS ............................18, 64, 98, 117, 124 HDB_LEVEL .......................................................... 27
S_TABU_NAM ............................18, 64, 98, 117, 124 HDB_PARAMETER ................................................ 27
S_USER_AGR .......................................................... 96 http ...................................................................... 29
S_USER_PRO .......................................................... 96 JAVA_NOTES........................................................ 28
S_USER_SAS ................................................. 67, 98 MESSAGE_SERVER_PORT .................................. 28
S_USER_TCD ....................................................... 96 MS_SECINFO........................................................ 28
S_USER_VAL ....................................................... 96 Parameters (of SAP START SERVICE) ................. 29
S_XMB_MONI ..................................................... 117 RFCDES_TYPE_3_CHECK .................................. 28
SM_CC_AUTH ....................................................... 59 SAP_KERNEL........................................................ 28
SM_FUNCS ............................................................ 57 SAP_KERNEL........................................................ 28
SM_TABS .............................................................. 57 SECURITY_POLICY............................................ 27
Authorization profiles SICF_SERVICES ................................................ 28
S_A.SYSTEM ....................................................... 27 SPECIAL_PRIVILEGES .................................... 27
SAP_ALL ............................. 22, 24, 27, 96, 123, 140 STANDARD_USERS .............................................. 27
SAP_NEW ................................................ 22, 27, 140 USER_PASSWD_HASH_USAGE ........................... 27
B cpio .......................................................................... 50
Background jobs D
SM:SYSTEM RECOMMENDATIONS.................... 57 DATA_ENCRYPT ....................................................... 52
BACKINT .................................................................. 50 Database parameters
C srvcon_auth ..................................................... 52
Configuration Stores DBFileRead ................................................................. 16
ABAP_COMP_RELEASE....................................... 28 dd............................................................................... 50
ABAP_INSTANCE_PAHI .............................. 27, 28 E
ABAP_NOTES ....................................................... 28 ENABLE_SSL ........................................................... 53
ABAP_TRANSPORTS ........................................... 28 Executables
AUDIT_CONFIGURATION .................................. 28 disp+work .......................................................... 40

24 Juli 2018 Document1 page 141 of 149


SAP SECURITY BASELINE TEMPLATE

disp+work.exe ................................................ 40 EnableInvokerServletGlobally .......................... 19, 79


saprouter.exe ................................................ 35 login.ticket_client .................................. 72
F login.ticket_lifetime ................................... 19, 72, 80
Files login.ticket_portalid ............................. 72
.rhosts ................................................................ 41 ume.ldap.access.action_retrial ........ 73
/etc/hosts.equiv ......................................... 41 ume.ldap.access.additional_password
.<number> ...................................................... 73
/WEB-INF/web.xml ......................................... 62
ume.ldap.access.auxiliary_naming_at
dbm.prt .............................................................. 45 tribute.grup ............................................... 73
DEFAULT.PFL ..................................................... 90 ume.ldap.access.auxiliary_naming_at
IBMLDAPSecurity.ini .................................. 53 tribute.uacc ............................................... 73

loader.log ....................................................... 45 ume.ldap.access.auxiliary_naming_at


tribute.user ............................................... 74
reginfo...................................................20, 87, 88, 90
ume.ldap.access.auxiliary_objectcla
saprouttab ....................................................... 35 ss.grup ........................................................... 74
secinfo.............................................20, 87, 88, 89, 90 ume.ldap.access.auxiliary_objectcla
ss.uacc ........................................................... 74
sqlnet.ora ....................................................... 48
ume.ldap.access.auxiliary_objectcla
G
ss.user ........................................................... 74
Groups
ume.ldap.access.base_path.grup ........ 74
dba .................................................................. 50, 51
ume.ldap.access.base_path.uacc ........ 74
oper...................................................................... 50
ume.ldap.access.base_path.user ........ 74
ORA_<SID>_DBA .......................................... 50, 51
ume.ldap.access.creation_path.grup
ORA_<SID>_OPER .............................................. 50 ........................................................................... 74
ORA_<SID>_OPER. BRBACKUP ...................... 50 ume.ldap.access.creation_path.uacc
........................................................................... 75
SAP_<SAPSID>_GlobalAdmin ...................... 40
ume.ldap.access.creation_path.user
SAP_<SAPSID>_LocalAdmin ........................ 40 ........................................................................... 75
sdba...................................................................... 45 ume.ldap.access.flat_group_hierachy
H ........................................................................... 75
ume.ldap.access.multidomain.enabled
HANA Parameters
........................................................................... 75
force_first_password_change ......... 15, 43
ume.ldap.access.naming_attribute.gr
internal_hostname_resolution .... 15, 115 up....................................................................... 75
listeninterface ................................... 15, 115 ume.ldap.access.naming_attribute.ua
cc....................................................................... 76
maximum_unused_initial_password_lif
etime ......................................................... 15, 43 ume.ldap.access.naming_attribute.us
er....................................................................... 76
minimal_password_length .................. 15, 43
ume.ldap.access.objectclass.grup ... 76
HANA System privilege
ume.ldap.access.objectclass.uacc ... 76
DATA ADMIN ................................................. 15, 43
ume.ldap.access.objectclass.user ... 76
hdbuserstore .................................................... 111
ume.ldap.access.password ...................... 76
J
ume.ldap.access.server_name ............... 76
Java parameters
ume.ldap.access.server_port ............... 76

24 Juli 2018 Document1 page 142 of 149


SAP SECURITY BASELINE TEMPLATE

ume.ldap.access.server_type ............... 77 ume.logon.security_policy.password_


impermissible ............................................ 69
ume.ldap.access.size_limit ................. 77
ume.logon.security_policy.password_
ume.ldap.access.ssl .................................. 77 last_change_ date_default ................ 69
ume.ldap.access.time_limit ................. 77 ume.logon.security_policy.password_
ume.ldap.access.user ............................... 77 max_idle_time ............................................ 69

ume.ldap.access.user_as_account ..... 77 ume.logon.security_policy.password_


max_length.................................................... 70
ume.ldap.blocked_accounts.................... 77
ume.logon.security_policy.password_min_length 19,
ume.ldap.blocked_groups ........................ 77 70, 80
ume.ldap.blocked_users ........................... 78 ume.logon.security_policy.password_mix_case_req
ume.ldap.cache_lifetime ........................ 78 uired ....................................................... 19, 70, 80
ume.logon.security_policy.password_
ume.ldap.default_group_member .......... 78
special_char_required ......................... 70
ume.ldap.default_group_member.enabl
ume.logon.security_policy.password_
ed ...................................................................... 78
successful_check_date_default ...... 70
ume.ldap.record_access ........................... 78
ume.logon.security_policy.userid_di
ume.ldap.unique_grup_attribute ........ 78 gits .................................................................. 71
ume.ldap.unique_uacc_attribute ........ 78 ume.logon.security_policy.userid_in_password_allo
wed ........................................................ 19, 71, 80
ume.ldap.unique_user_attribute ........ 78
ume.logon.security_policy.userid_special_char_req
ume.login.mdc.hosts .................................. 72 uired ....................................................... 19, 71, 80
ume.logon.httponlycookie......................... 19, 72, 80 ume.logon.security_policy.useridmax
ume.logon.security.enforce_secure_cookie ... 19, 73, length ............................................................. 71
80 ume.logon.security_policy.useridmin
ume.logon.security.relax_domain. length ............................................................. 71
level ............................................................... 73 ume.logon.selfreg ............................................ 19, 80
ume.logon.security_policy.auto_unlo UseServerHeader ................................................... 19
ck_time .......................................................... 68
Java Parameters
ume.logon.security_policy.enforce_p
olicy_at_logon .......................................... 68 EnableInvokerServletGlobally ............. 62
ume.logon.security_policy.lock_afte M
r_invalid_attempts ................................ 68
MaxRequestContentLength............................. 80
ume.logon.security_policy.log_clien
MaxRequestHeadersLength............................. 80
t_hostaddress ............................................ 68
ume.logon.security_policy.log_clien N
t_hostname ................................................... 68 Notes
ume.logon.security_policy.oldpass_in_newpass_allo Note 29276 ............................................................ 94
wed ........................................................ 19, 68, 80
Note 50088 ...................................................... 16, 48
ume.logon.security_policy.password_alpha_numeri
Note 64016 .......................................................... 134
c_required .............................................. 19, 68, 80
ume.logon.security_policy.password_ Note 91488 .......................................................... 126
change_allowed .......................................... 68 Note 110612 ........................................................ 134
ume.logon.security_policy.password_ Note 146173 .......................................................... 53
expire_days ................................................. 69
Note 312682 .............................................. 67, 96, 98
ume.logon.security_policy.password_
history .......................................................... 69 Note 513694 .................................................... 67, 98

24 Juli 2018 Document1 page 143 of 149


SAP SECURITY BASELINE TEMPLATE

Note 536101 .................................................... 67, 98 Note 1458262 ........................................................ 65


Note 538405 .............................................. 12, 22, 36 Note 1465129 ...................................................... 134
Note 587410 .......................................................... 95 Note 1467771 ........................................................ 62
Note 618516 ........................................................ 134 Note 1473017 ...................................................... 134
Note 626073 .......................................................... 92 Note 1480644 ...................................................... 134
Note 662466 .................................................... 67, 98 Note 1481392 ........................................................ 61
Note 736471 .......................................................... 73 Note 1484692 ...................................... 18, 64, 65, 97
Note 762419 .......................................................... 75 Note 1487606 ........................................................ 93
Note 762661 .......................................................... 53 Note 1495075 ........................................................ 82
Note 777640 .......................................................... 78 Note 1497003 ................................................ 62, 100
Note 865853 .......................................................... 92 Note 1520356 ........................................................ 61
Note 866732 ........................................................ 134 Note 1521024 ........................................................ 61
Note 867260 .......................................................... 53 Note 1547234 ........................................................ 59
Note 910919 .......................................................... 90 Note 1554475 ........................................................ 57
Note 915488 .................................................... 67, 98 Note 1577059 ........................................................ 57
Note 943336 .................................................... 19, 79 Note 1622837 ........................................................ 49
Note 974876 .......................................................... 49 Note 1633982 ...................................................... 134
Note 1032588 ........................................................ 50 Note 1639578 ........................................................ 49
Note 1036936 ...................................................... 134 Note 1669256 ........................................................ 53
Note 1059333 ........................................................ 50 Note 1686632 ...................................................... 86
Note 1121248 ...................................................... 120 Note 1690662 .................................................. 17, 65
Note 1157137 ........................................................ 18 Note 1697971 ...................................................... 134
Note 1298433 ..... 134
Note 1327872 ..... 61
Note 1355140 ..... 49
Note 1370334 ..... 117
Note 1394100 ..... 92
Note 1399324 ..... 18
Note 1414256 ..... 22, 94
Note 1417568 ..... 92
Note 1422273 ..... 93
Note 1430970 ..... 61
Note 1434117 ..... 134
Note 1436936 ..... 61
Note 1444282 ..... 20
Note 1445998 ..... 19, 62, 79
Note 1450166 ..... 61
Note 1458171 ..... 61
Note 1709291 ..... 57
Note 1727924 ..... 57
Note 1734182 ..... 57
Note 1739266 ..... 57
Note 1749142 ..... 101, 140
Note 1848930 ..... 134
Note 2008727 ..... 86
Note 2058946 ..... 86
Note 2068872 ..... 19
Note 2117110 ..... 97, 99
Note 2119627 ..... 22
Note 2122578 ..... 17, 65
Note 2269642 ..... 20, 134
Note 2293011 ..... 22

P

Policy Attribute Name

24 July 2018 Document1 page 144 of 149


SAP SECURITY BASELINE TEMPLATE

CHECK_PASSWORD_BLACKLIST ..... 64
DISABLE_PASSWORD_LOGON ..... 66
DISABLE_TICKET_LOGON ..... 66
MAX_FAILED_PASSWORD_LOGON_ATTEMPTS ..... 66
MAX_PASSWORD_IDLE_INITIAL ..... 64, 66
MAX_PASSWORD_IDLE_PRODUCTIVE ..... 66
MIN_PASSWORD_CHANGE_WAITTIME ..... 67
MIN_PASSWORD_DIFFERENCE ..... 67
MIN_PASSWORD_DIGITS ..... 64
MIN_PASSWORD_LENGTH ..... 63
MIN_PASSWORD_LETTERS ..... 64
MIN_PASSWORD_LOWERCASE ..... 64
MIN_PASSWORD_SPECIALS ..... 64
MIN_PASSWORD_UPPERCASE ..... 64
PASSWORD_CHANGE_FOR_SSO ..... 67
PASSWORD_CHANGE_INTERVAL ..... 67
PASSWORD_COMPLIANCE_TO_CURRENT_POLICY ..... 67
PASSWORD_HISTORY_SIZE ..... 67
PASSWORD_LOCK_EXPIRATION ..... 66
SERVER_LOGON_PRIVILEGE ..... 66

PRGN_CUST Parameter
ASSIGN_ROLE_AUTH ..... 67, 98
CHECK_S_USER_SAS ..... 67, 98
GEN_PSW_MAX_DIGITS ..... 67, 98
GEN_PSW_MAX_LENGTH ..... 67, 98
GEN_PSW_MAX_LETTERS ..... 67, 98
GEN_PSW_MAX_SPECIALS ..... 67, 98
REF_USER_CHECK ..... 67, 98

Profile parameters
abap/ext_debugging_possible ..... 95
auth/rfc_authority_check ..... 20, 28, 96, 124
dynp/checkskip1screen ..... 18
enque/acl_file ..... 82
gw/* ..... 28
gw/acl_mode ..... 20
gw/logging ..... 90
gw/monitor ..... 20, 88
gw/reg_info ..... 87
gw/reg_no_conn_info ..... 20, 90
gw/sec_info ..... 87
gw/sim_mode ..... 20
icf/set_HTTPonly_flag_on_cookies ..... 18
icm/* ..... 27
icm/HTTP/admin_<num> ..... 13, 37
icm/HTTP/error_templ_path ..... 12
ICM/HTTP/error_templ_path ..... 36
icm/http_admin ..... 91
icm/server_port_<num> ..... 13, 18, 37, 65
is/HTTP/show_detailed_errors ..... 12, 36
login/* ..... 27
login/disable_password_logon ..... 66, 98
login/min_password_digits ..... 17, 64, 97
login/min_password_letters ..... 17, 64, 97
login/min_password_lng ..... 17, 63, 97
login/min_password_lowercase ..... 17, 64, 97
login/min_password_specials ..... 17, 64, 97
login/min_password_uppercase ..... 17, 64, 97
login/no_automatic_user_sapstar ..... 21, 27, 94
login/password_change_for_SSO ..... 67, 98
login/password_change_waittime ..... 67, 98
login/password_charset ..... 65
login/password_compliance_to_current_policy ..... 67
login/password_downwards_compatibility ..... 17, 64, 65
login/password_expiration_time ..... 67, 98
login/password_history_size ..... 67, 98
login/password_logon_usergroup ..... 66, 98
login/password_max_idle_initial ..... 17, 64, 66, 98
login/password_max_idle_productive ..... 66, 98
login/ticket_only_by_https ..... 18, 66
login/ticket_only_to_host ..... 18, 66
ms/* ..... 28
ms/acl_info ..... 20, 82, 91
ms/admin_port ..... 20, 91
ms/monitor ..... 20, 91
password_compliance_to_current_policy ..... 17
rdisp/acl_file ..... 82
rdisp/msserv_internal ..... 20, 28, 91
rec/client ..... 27
rfc/disable_debugger_command_field ..... 95
rfc/ext_debugging ..... 95
rsau/* ..... 28
rsau/enable ..... 18, 23, 66, 100
rsau/selection_slots ..... 18, 23, 66, 100
rsau/user_selection ..... 18, 23, 66, 100
service/http/acl_file ..... 82
service/https/acl_file ..... 82
snc/* ..... 27
snc/accept_insecure_cpic ..... 17, 65
snc/accept_insecure_gui ..... 17, 20, 65
snc/accept_insecure_r3int_rfc ..... 28
snc/accept_insecure_rfc ..... 17, 20, 28, 65
snc/data_protection/max ..... 17
snc/data_protection/min ..... 17, 65
snc/data_protection/use ..... 17
snc/enable ..... 17, 65
snc/only_encrypted_gui ..... 17, 65
snc/only_encrypted_rfc ..... 17, 65
snc/permit_insecure_com ..... 89, 90
snc/permit_insecure_start ..... 89, 90

Programs
BRARCHIVE ..... 50, 51
BRBACKUP ..... 50, 51
BRCONNECT ..... 50
BRRECOVER ..... 51
BRRESTORE ..... 51
BRSPACE ..... 51
gwmon ..... 88
msmon ..... 91
R3load ..... 49
R3trans ..... 49

R

Reports
CLEANUP_PASSWORD_HASH_VALUES ..... 65
RSAU_SELECT_EVENTS ..... 100
RSICFCHK ..... 92
RSRFCCHK ..... 86
RSUSR003 ..... 26
RSUSR008_009_NEW ..... 95, 140
RTCCTOOL ..... 126
ZSYSREC_NOTELIST ..... 57, 139

RFC destinations
<SM_<SIDofManSystem>CLNT<ClientofManSystem>_TRUSTED> ..... 123
SAP-OSS ..... 57

Roles
MODELING ..... 108
MONITORING ..... 108
SAP_CCLM_ALL ..... 59
SAP_CCLM_DIS ..... 59
SAP_J2EE_ADMIN ..... 23
SAP_NEW ..... 22, 140
SAP_SMWORK_BASIC_CCLM ..... 59
SAP_SMWORK_CCLM ..... 59
SAPDBA ..... 50
SYSDBA ..... 50, 51
SYSOPER ..... 50

S

Security Policies for Users ..... 27, 63

Standard users
<db><sid> ..... 14, 40
<sapsid>adm ..... 48
<SID> OFR ..... 41
<sid>adm ..... 13, 14, 16, 38, 39, 40, 48, 49, 50, 51
CONTENTSERV ..... 22
dasusr1 ..... 52
db2admin ..... 52
db2fenc1 ..... 52
db2inst1 ..... 52
DBA ..... 15
DBACOCKPIT ..... 43
DBADMIN ..... 15
DBM ..... 15
DDIC ..... 21, 94, 101
EARLYWATCH ..... 22, 94
OPS$<SID>ADM ..... 49
ora<sid> ..... 51
root ..... 40
SAP* ..... 21, 24, 93, 101
SAP_<SID>_GlobalAdmin ..... 38
SAP<SID> ..... 14, 16, 41, 42, 43, 48, 50
SAPCPIC ..... 21, 22, 94
SAPR3 ..... 14, 16, 41, 42, 48
SAPService<sid> ..... 13, 14, 16, 39, 48
SAPSERVICE<SID> ..... 51
SAPSR3 ..... 49
SAPSUPPORT ..... 22
sdb ..... 45
SMD_ADMIN ..... 22
SMD_AGT ..... 22
SMD_BI_RFC ..... 22
SMD_RFC ..... 22
SMDAGENT_<SAPSolutionManagerSID> ..... 22
SOLMAN_ADMIN ..... 22, 122
SOLMAN_BTC ..... 22, 122
sysoper ..... 50
SYSTEM ..... 14, 43, 108
TMSADM ..... 22, 94
SYSADM ..... 52

T

Table authorization groups
SPWD ..... 18, 64, 97, 98

Tables
HCL* ..... 14, 41
HTTPURLLOC ..... 18, 66
OPS$<SID>ADM.SAPUSER ..... 49
PA* ..... 14, 41
PRGN_CUST ..... 96
RFCDES ..... 14, 41
SAPUSER ..... 14, 41, 48
SDBAD ..... 50
SDBAH ..... 50
T000 ..... 14, 18, 41
TADIR ..... 18
TDDAT ..... 117
USCRAUTH ..... 95
USH02 ..... 18, 64, 97
USH02_ARC_TMP ..... 97
USR* ..... 14, 41
USR02 ..... 18, 64, 97
USR40 ..... 64, 97
USRPWDHISTORY ..... 18, 64, 97
USRVARCOM ..... 95
VUSR001 ..... 97
VUSR02_PWD ..... 97

Target Systems
BL_I-13 ..... 27
BL_I-5 ..... 27
BL_O-1 ..... 27
BL_O-2 ..... 27
BL_O-3 ..... 27
BL_O-4 ..... 27
BL_O-5 ..... 27
BL_O-6 ..... 27
BL_O-8 ..... 28
BL_S-1 ..... 27
BL_S-2 ..... 27
BL_S-3 ..... 27
BL_S-4 ..... 29
BL_S-5 ..... 29
BL_S-6 ..... 28
BL_S-7 ..... 28, 29
BL_S-8 ..... 28
BL_S-9 ..... 28
Transactions
DB13 ..... 51
DBACOCKPIT ..... 51
PFCG ..... 59
RZ10 ..... 90
RZ11 ..... 90
SDCC ..... 126
SDCCN ..... 126
SE06 ..... 18
SE16 ..... 124
SE16N ..... 124
SE24 ..... 96
SE37 ..... 95, 96
SE38 ..... 95, 96
SE80 ..... 95, 96
SECPOL ..... 63
SICF ..... 92
SM_WORKCENTER ..... 57, 59
SM19 ..... 24, 28, 100, 140
SM20 ..... 100, 140
SM30 ..... 124
SM31 ..... 124
SMGW ..... 90
SMSY ..... 57
SMT1 ..... 86
SMT2 ..... 86
SNOTE ..... 58
SOLAR02 ..... 61
SOLMAN_SETUP ..... 118, 119, 120, 121
SOLMAN_WORKCENTER ..... 57
SPRO ..... 118
ST01 ..... 123
STAUTHTRACE ..... 123
SU01 ..... 122
SU53 ..... 59
SUIM ..... 95, 100

U

UseServerHeader ..... 79
www.sap.com