Tuesday, October 4, 2016

SAP Security Recommendations

Maintain a secure SAP gateway:

There are various attacks against the SAP gateway, such as running operating system commands without authentication.

Restrict access to the SAP gateway with proper network controls, both internally and externally. If a business case exists for customer networks to use RFC communication because of applications such as BEx (Business Explorer), apply proper security configuration on the SAP gateway to restrict TYPE E and TYPE R connections.

Please refer to the secinfo and reginfo configuration for more information.
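As an added illustration (not part of the original post), the two gateway ACL files referred to above, each shown in a permissive form of the kind the recommendation warns about and then in a restrictive form; the host name, the program ID and the profile paths are placeholders, and the file syntax follows the VERSION=2 format of secinfo/reginfo.

```text
# --- secinfo: controls TYPE E, external programs STARTED through the gateway ---
# Permissive: any user on any host may start any program on any host
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*

# Restrictive: only the gateway host itself and this system's own
# application servers may start programs, everything else is denied
#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
D TP=* USER=* HOST=*

# --- reginfo: controls TYPE R, external servers REGISTERING at the gateway ---
# Permissive: any host may register any program ID and anyone may use it
#VERSION=2
P TP=* HOST=*

# Restrictive: local/internal registration is allowed; one named program
# (placeholder ID) may register from one named host (placeholder), and only
# the system's own application servers may use or cancel that registration
#VERSION=2
P TP=* HOST=local,internal
P TP=RFC_SERVER_PLACEHOLDER HOST=rfcserver.example.com ACCESS=internal CANCEL=internal
D TP=* HOST=*

# --- instance profile entries that make the gateway enforce the files ---
# (paths are placeholders; gw/acl_mode = 1 denies by default if a file is missing)
gw/sec_info = /path/to/secinfo
gw/reg_info = /path/to/reginfo
gw/acl_mode = 1
```

Rules are evaluated top down and the first match wins, so the closing D lines only catch what no earlier P line permitted.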

Make sure that the SAP landscape is free of weak or default passwords:

SAP systems contain hundreds or thousands of users. A single compromised account can cause issues for the rest of the landscape.

After SAP systems are configured with a proper password policy, we recommend running password audits on SAP systems periodically to prevent weak passwords such as "Summer-2012" or "Welcome01" from being present. Although such passwords can be password policy compliant, please remember that "compliant" does not mean "secure".

Disable critical ICM/ITS or Java AS web services:

Disable or restrict access to web services such as SOAPRFC and WEBRFC. These services allow RFC communication over the Internet.

Disable the invoker servlet on SAP Java AS systems to prevent attackers from bypassing your system security controls.

Any application that is unnecessarily available increases exposure, which results in elevated risk.

Update and patch SAP systems and SAP GUI regularly:

SAP AG releases security patches every month. Please set up proper patch management policies both for the SAP applications and for client components such as SAP GUI or SAP NetWeaver Business Client.

Secure the private key store for protection against Single Sign-On attacks:

PSE files contain sensitive information that lets an attacker create valid system tokens. With these valid security tokens, an attacker can connect to remote systems as any user WITHOUT A PASSWORD. The tokens are usually valid forever.

Protect PSE files with proper operating system security controls. Protect access to tables such as SSF_PSE_D by putting them in a separate table group and adjusting SAP authorizations accordingly. Restrict the execution of OS commands from applications by securing the gateway and the relevant application components. Introduce a regular key replacement process.
