Security Guide for SAP on SQL v2.0x - MSDN Blogs

rabidwestvirginia | Networking and Communications

Oct 26, 2013 (3 years and 9 months ago)











Further. Forward. Faster.

Security Guide for SAP on SQL Server 2012




Authors
Cameron Gardiner, Microsoft Senior Program Manager
SAP

Technical Reviewers
John Knie, Eddie Teng

Published
May 2012

Applies To
SAP NetWeaver 7.0 (SR3) and above

Summary
This white paper discusses how to secure SAP on SQL Server. It also proposes techniques to secure SAP on SQL Server as a step-by-step guide, and compares UNIX patching requirements to Windows patching.










DISCLAIMER

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, the information presented herein should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft, the Microsoft logo, Hyper-V, SQL Server, Windows, Windows Server, and other product names are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Security Guide for SAP on SQL Server 2012 | Page 3 of 57 | Created: 28.05.2012



Table of Contents

Table of Contents .... 3
1 Executive Summary .... 5
2 Microsoft and SAP Partnership .... 7
3 SAP Solution Security Implementation .... 9
3.1 Security Layers .... 9
3.2 Minimum Windows Release Prerequisites .... 9
3.3 Security Implementation .... 10
3.3.1 Step 1 - Create Dedicated SAP Management Station(s) .... 10
3.3.2 Step 2 - Isolate SAP backend systems in a dedicated VLAN .... 12
3.3.3 Step 3 - Close all inbound non-SAP ports .... 12
3.3.4 Step 4 - Close Web outbound ports .... 14
3.3.5 Step 5 - Change Windows Terminal Services Port .... 15
3.3.6 Step 6 - Use Terminal Services Client 6.0 .... 15
3.3.7 Step 7 - Create dedicated SAP Active Directory Container .... 15
3.3.7.1 Create Development, management station, QAS and production sub-containers .... 15
3.3.7.2 Enable Policy block on SAP container .... 16
3.3.8 Step 8 - Create a policy for the SAP servers using SCW .... 17
3.3.8.1 Windows firewall and network settings .... 21
3.3.8.2 Uninstall Internet Explorer .... 24
3.3.8.3 Check system auditing configuration .... 24
3.3.9 Step 9 - Move Management Station & SAP Servers to AD Containers .... 25
3.3.10 Step 10 - Apply Policies to Management Station & SAP Containers .... 25
3.3.11 Step 11 - Rename local administrator account using a function .... 25
3.3.12 Step 12 - Remove Domain Admins and all other user accounts .... 26
3.3.13 Step 13 - MS SQL Server Security .... 26
3.3.13.1 SQL Server Security Configuration .... 26
3.3.13.2 Use of scripts & direct access to the database .... 27
3.3.13.3 Security Requirements for SQL Server Service Accounts .... 27
3.3.13.4 Admin Connection .... 28
3.3.14 Step 14 - Secure SAP Service Accounts .... 28
3.3.14.1 Validate & Adjust DOMAIN\<sid>adm & DOMAIN\SAPService<SID> security .... 29
3.3.15 Web Dispatcher & SAP MMC .... 29
3.3.16 Step - Physical Data Centre Security .... 29
3.3.17 Windows Server Core Deployments .... 29
4 A Scientific Comparison of AIX, HPUX, Solaris, Linux & Windows Server Security Vulnerabilities .... 31
4.1 Windows Platform in Comparison to UNIX Security - Reality .... 31
4.1.1 Security Threats - Internal versus External .... 31
4.1.1.1 External Threats .... 32
4.1.1.2 Internal Threats .... 32
4.1.1.3 3rd Party Threats .... 33
4.1.2 Desktop versus Server - Server Patching versus Desktop Patching .... 33
4.1.3 National Institute for Standards & Technology - CVE Database Comparisons .... 33
4.1.4 How to Assess the Impact of a Security Vulnerability? .... 36
4.1.4.1 Example: Integer overflow in cdd.dll in the Canonical Display Driver (CDD) .... 37
4.1.5 UNIX Patching vs. Windows Patching: Reboot Requirement .... 38
5 Patch Management .... 41
5.1 Microsoft Windows Security Patches .... 41
5.1.1 Security Patch Evaluation .... 41
5.1.1.1 Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026) .... 42
5.1.1.2 Cumulative Security Update for Internet Explorer (2675157) .... 42
5.1.1.3 Vulnerability in Active Directory Could Allow Remote Code Execution (2640045) .... 43
5.1.1.4 Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694) .... 43
5.2 SAP Patching Strategy .... 46
5.2.1 Rolling Upgrades/Patching Reduces Downtime .... 46
6 Auditing, Encryption & Additional Security Topics .... 47
6.1 Secure Socket Layer .... 47
6.2 Transparent Data Encryption .... 47
6.2.1 Key Storage Devices .... 47
6.3 Advanced SQL Server Auditing .... 47
6.3.1 New Features in SQL Server 2012 .... 47
6.4 Anti-Virus Options .... 47
6.5 BitLocker to Protect Boot Disks .... 48
6.6 Windows Single Sign On .... 48
6.7 IPSec .... 48
6.8 Windows Auditing .... 48
6.9 Windows Attack Surface Area Analyser .... 48
7 Security Checklist .... 49
8 Appendix I .... 51
9 Appendix II .... 53
9.1 Windows 2008 R2 Vulnerabilities 3 Months to 17th April 2012 .... 53
9.2 AIX Vulnerabilities 3 Months to April 17th 2012 .... 54
9.3 HP-UX Vulnerabilities 3 Months to April 17th .... 55
10 Security Links and Online Resources .... 57
10.1 Microsoft Links .... 57
10.2 SAP Links .... 57
10.3 General Security Links .... 57




1 Executive Summary


ERP business executives & IT professionals are convinced that Windows and SQL Server offer a scalable, high-performance, low Total Cost of Ownership (TCO) solution for SAP systems. One question that remains unanswered for some is "How secure is SAP on Windows and SQL Server?"

This white paper demonstrates that the Microsoft Trustworthy Computing Initiative has created a platform that is equal to or more secure than almost all UNIX-based alternatives. Security tools and utilities for the Microsoft platform are integrated into the platform itself, as opposed to the expensive tools available for UNIX platforms, which lack the ease of use of the Windows tools.

This white paper is for Microsoft customers & partners who wish to secure their business-critical SAP applications. The document is designed to empower the reader with the knowledge to secure an SAP on Windows and SQL Server system. The procedures in this document can be adapted to each customer's unique landscape, requirements and environment.

Securing SAP on Windows & SQL Server has become much more important since the UNIX market has decreased significantly and more large multi-national companies run their core business on Windows and SQL Server on commodity Intel platforms. In 2011 less than 2% [1] of worldwide server sales were on UNIX platforms as customers terminate investments in proprietary platforms.

Leading industry analyst Gartner reports that proprietary UNIX is losing share dramatically and predicts a mass movement to commodity hardware. [2] IDC shows a sharp decline in worldwide shipments of proprietary UNIX servers across the last decade (Figure 1). [3]

Figure 1: Worldwide server shipments: Solaris, AIX, HPUX server units shipped per year
[Chart: units shipped per year, scale 0 to 600,000, for 2004 to 2011; series: Sun/Oracle, IBM, Hewlett-Packard]

[1] http://www.theregister.co.uk/2011/11/29/gartner_q3_2011_server_numbers/ ; IDC Server Shipment data
[2] http://www.intel.com/content/dam/doc/white-paper/performance-xeon-7500-next-gen-x86-paper.pdf
[3] IDC, IDC Server Tracker, March 2011 & Gartner sources




Commodity hardware improvements: SAPS is a sizing unit for SAP deployments. Figure 2 shows the growth in SAPS numbers achieved for four-socket servers over the last 12 years.

The SAPS per server is based on the SAP SD standard benchmark. For detailed benchmark results and benchmark history please see: http://www.sap.com/benchmark

Figure 2: Exponential improvement in performance of SAP on commodity hardware






2 Microsoft and SAP Partnership

Microsoft and SAP have been partners since 1993. The partnership was formed around implementing SAP R/3 on Windows, and it expanded to include SQL Server and various integration areas across the software portfolios on both sides. The partnership has grown to include Duet Enterprise as a joint product offering.

For operating systems and DBMS platforms, a collaborative Microsoft-SAP team helps to ensure that the adaptation of SAP software to new platform releases happens early in the development cycle. As a result, new releases of Windows Server and SQL Server are supported very early and without long delays. Further, the team rigorously tests new releases in development to verify that Windows Server and SQL Server are ready at release to run the most challenging SAP systems. As a final step of testing for upcoming releases of Windows Server and SQL Server, the team relies on the help of Microsoft IT, as Microsoft itself runs a large SAP landscape of various SAP products. The centre of the Microsoft SAP landscape is the SAP ERP system that runs business-critical processes. Before new versions of Windows Server or SQL Server are released to the public, they must run Microsoft's SAP ERP system successfully.

In the case of SQL Server 2012, Microsoft moved a pre-release version into the production SAP ERP system in November 2011; since that time, the system has been running successfully.

Key highlights of the Microsoft and SAP partnership include:

- Reduced TCO: SQL Server and SAP offer reduced total cost of ownership (TCO) for database platforms through lower pricing, dramatically decreased administrative overhead, built-in high availability, and superior quality and scalability.

- Virtualization: Microsoft and SAP are aligned to support new industry developments, including virtualization. The virtualization environments of different vendors support virtualization for SQL Server 2012, 2008 R2, and 2008. For more information on Windows virtualization, see SAP note 1409608.

- Continuous improvement: Microsoft and SAP steadily work to implement and extend functionalities that can increase the efficiency, scalability, and quality of Windows Server and SQL Server. The partnership also focuses on more seamlessly adapting software to these platforms.

- Security and scalability: Ongoing investments in the Windows platform running SAP workloads can help to reduce security risks and increase scalability. With such investments, Windows is well positioned to lead security and scalability on industry-standard servers, placing it ahead of LINUX options in this space.

The Microsoft and SAP partnership continues to yield productive work and actionable results. For example, Table 1 illustrates some major features and functionalities implemented in SQL Server for SAP customers in recent years.





Table 1: Highlights of the Microsoft-SAP partnership across SQL Server releases

SQL Server 2005:
- Online index maintenance
- Database mirroring
- Supportability features for SAP x64 release
- Table partitioning for SAP BW
- Missing index recommendations
- Single page restore

SQL Server 2008:
- Data and index compression
- Backup compression
- Minimal logging
- In-place upgrade for high availability and disaster recovery scenarios
- Transparent data encryption
- Automatic repair

SQL Server 2008 R2:
- UCS2 compression, reducing space requirements for SAP Unicode implementations
- Improved hashkey algorithm for SAP migrations
- No data movement during partition merge operation
- 256 CPU support

SQL Server 2012:
- AlwaysOn: multiple secondaries and backup from secondary
- Auditing for non-SAP database access
- Column store for SAP BW
- Extended online table maintenance
- 15,000 partitions per table
- Support for OS maximum number of CPU (Windows 2012 = 640 CPU)





3 SAP Solution Security Implementation

A well-secured SAP system has multiple filters, protections and validations at all layers of the SAP application and infrastructure. A modern SAP NetWeaver solution is composed of many interconnected application and infrastructure layers such as the database, operating system and presentation layer. A security solution is in many cases only as strong as its weakest layer. It is therefore essential that all layers in the solution are identified and each layer secured.

The scope of this document is limited to the layers that are specific to Microsoft Windows® and Microsoft SQL Server® based SAP systems. Topics such as securing RFC communication between SAP systems are not covered, as there is nothing specific to one operating system and/or database. SAP application level security is critical to the overall security implementation. An SAP application security specialist should be engaged to secure the non-operating system and database specific aspects of SAP security, such as preventing access to some basis transactions.

Directly Internet-facing SAP systems such as e-Recruiting require specialist design and security solutions and are not covered in this document.

3.1 Security Layers

SAP is a portable application that can run on Windows, various UNIX platforms, Linux and even mainframes. Today SAP supports five different database systems: Microsoft SQL Server, Sybase, Oracle, DB2 and MaxDB. Previously SAP has also supported Informix. In order to reduce the resources required to port SAP to different operating systems and databases, SAP limits the use of features specific to one database. An exception to this is SQL Server compression, partitioning and several other features. Some functionalities of an RDBMS are handled inside the SAP application. An example of this is the database locking mechanism, which is largely unused as SAP implemented their own lock management system.

The vast majority of the features of Microsoft Windows are not used or required by SAP. SAP users never access Windows or SQL Server resources directly. The approach in this security guide is to reduce the surface area of Windows and SQL Server to a minimum while permitting the SAP administrators to access the backend systems as required.

It is emphasized that changing security configuration should be handled in the same way as any other change to an SAP system. Change management and strict change control are essential for a successful security implementation and operation. Always deploy changes to a Sandbox or Development system and test thoroughly before implementing in production. It is also important to ensure that the test systems resemble the production systems; for example, if the production systems use MSCS (Microsoft Cluster Services) then at least one test system must use MSCS.

3.2 Minimum Windows Release Prerequisites

Windows 2003 and earlier Windows releases, now in excess of 10 years old, do not meet the minimum level security requirements. The content of this security guide does not apply to these outdated Windows releases. This guide assumes that SAP is installed on Windows 2008 R2 SP1 or higher and SQL 2008 R2 SP1 or higher. In addition the Active Directory Domain Controllers should be Windows 2008 R2 SP1 or higher.





The document assumes that the downwards compatible kernel 7.20 [4] is used.

3.3 Security Implementation

The following procedure shows the steps and screenshots for an SAP System Administrator securing an SAP system at a fictional company. The company is called TRC Limited and has 16 SAP NetWeaver systems in one data centre and operates a Windows single domain, single forest Active Directory. The company uses a private IP network 10.x.x.x internally and has four subnets.

TRC's network is shown below [5]:


3.3.1 Step 1 - Create Dedicated SAP Management Station(s)

A dedicated SAP Management Station is required to administer the secured SAP system. The Management Station is a server outside the SAP VLANs with special permission to Terminal Service to the SAP systems. The Management Station acts as a "gateway" or proxy to allow access to the SAP systems. The Management Station must therefore have some special security policy settings to secure this system.

Read and review the "Windows Server® 2008 R2 SP1 Security Guide" which is delivered with the Windows Security Compliance Manager (Security Compliance Management Toolkit Series).









[4] http://blogs.msdn.com/b/saponsqlserver/archive/2011/11/13/sap-7-20-downwards-compatible-kernel-is-finally-released.aspx

[5] Many of the screenshots, configuration files and utilities used can be downloaded via the links page at the back of this document.





It is recommended that the SAP Administrator familiarize themselves with the use of these tools on the Management Server prior to securing the SAP server. The process to secure the Management Station is similar to the process to secure the SAP servers.

Action:

a. Request Windows Server administrators to install a Windows domain member server with a static IP address located in the server backbone VLAN

b. Run Windows Update and install all patches required

c. Run the Windows Security Configuration Wizard and build a Policy

To create the Management Station policy:

1. Logon to the Management Station with an administrative account.
2. Install and configure antivirus and antispyware utilities on the Management Station.
3. Launch the Security Configuration Wizard GUI, select Create new policy, and point it to the Management Station.
4. Remove all server roles.
5. Remove all client features other than DNS Registration Client, Domain Member & Microsoft Networking Client to reduce the server's attack surface.
6. For maximum protection, remove all administrative options except for Windows Firewall, Remote Desktop Administration and IPSec (if IPSec services are used).
7. Ensure that any additional services that are required by your baseline, such as backup agents or antivirus software, are detected.
8. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable.
9. Ensure the Skip this section checkbox is deselected in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Uncheck all ports except the default Terminal Services port.
10. In the "Registry Settings" section configure as per Appendix I.
11. In the "Audit Policy" section configure the required level of auditing.
12. Select Save security policy as zSAP-MgmtStat.xml.


d. Upload Policy to AD using the SCW transform command

The SCW XML file can be converted to an Active Directory Policy. This allows the configuration to be applied to individual servers or groups of servers.

Action: Ask the AD administrator to run the following command from a command prompt; domain admin permissions are required as this command will upload a policy to the AD.

scwcmd transform /p:"C:\WINDOWS\security\msscw\Policies\zSAP-MgmtStat.xml" /g:zSAP-MgmtStat [6]

e. Install the Group Policy Editor Tool

The Group Policy Management Tool is a utility for customizing a policy.

Action: Install the Group Policy Management tool on the Management Station by adding the feature through Server Manager.

[6] AD Domain controllers should be the same Windows release as the SAP servers for the policy to work correctly.






f. Edit Group Policy Object

It is recommended to add the following AD policy settings to the Management Station.

Action: Right click on the SAP Management Station Policy and select Edit as needed. By default Domain Admin security is required to edit policies.

3.3.2 Step 2 - Isolate SAP backend systems in a dedicated VLAN

The SAP backend servers must be isolated from the general server network and the user LAN. This step greatly increases the strength of the security solution by blocking almost all access to the SAP servers. This technique reduces the surface area of the SAP infrastructure exposed to external threats.

Most modern network switches support adding Access Control Lists (ACLs) onto a VLAN. It is recommended that almost all ports are blocked using this feature.

Action: Confirm with the data center network team that their network infrastructure supports ACLs. Create at least two VLANs: one for Sandbox, Development and Test systems and another VLAN for Productive systems.

Note: If the SAP servers are not in a separate VLAN it may be necessary to change the IP address of these systems to place them in a new VLAN. This can be done but requires careful testing. RFC destinations, hosts file and SAP hostname buffer need to be updated.

3.3.3 Step 3 - Close all inbound non-SAP ports

Almost all non-SAP ports can be closed, thereby blocking access to Windows and SQL Server services. The only ports that should be opened are the SAP specific ports such as 32xx, 33xx and 36xx for ABAP based systems and 5xx00 for Java based systems.

SAP published a document, TCPIP Ports used by SAP Applications, that specifies all of the ports required for SAP applications. This document and the SAP system number can be used to calculate all of the SAP ports required for each SAP component.

Note: The document provided by SAP also includes information regarding database ports. The VLAN should block all DB and operating system ports; only SAP specific ports should be permitted.





There are some ports that must remain open between the SAP servers and the domain controllers for Active Directory to function correctly. The domain controllers [7] must be able to communicate with the LSASS service to process domain logon requests and other tasks. Domain controllers communicate using random ports in the range 1024 to 65536 [8].

Care must be taken to ensure that backup servers also have the required access to the SAP servers. Most backup software uses agents running on SAP servers that connect on their own dedicated ports. The backup server will not normally need to have direct access to the file system or database.


Ports used by backup software or 3rd party software can be identified with the commands:

netstat -ano
tasklist /svc
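The same port inventory as an added PowerShell example (not part of the original guide): it parses netstat -ano and maps every listening port to its process and Windows service, which is what the two commands above do by hand, and flags ports outside the SAP families named in Step 3 for review. It assumes Windows PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example (not from the original guide): inventory the listening ports on
# an SAP server and map each one to its process and Windows service, which is
# what netstat -ano followed by tasklist /svc does by hand. Assumes Windows
# PowerShell 3.0 or later (Get-CimInstance, -in); run from an elevated prompt so
# that netstat can report the owning PID of every socket.

function Get-ListeningPortInventory {
    # PID -> names of the Windows services hosted in that process
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object {
            $p = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($p)) { $servicesByPid[$p] = @() }
            $servicesByPid[$p] += $_.Name
        }

    # Matches TCP sockets in LISTENING state and all UDP sockets (UDP lines carry
    # no state column). Groups: protocol, local address, port, owning PID.
    $pattern = '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$'

    netstat -ano | ForEach-Object {
        if ($_ -match $pattern) {
            $procId = [int]$Matches[4]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Protocol     = $Matches[1]
                LocalAddress = $Matches[2]
                Port         = [int]$Matches[3]
                PID          = $procId
                Process      = if ($proc) { $proc.ProcessName } else { '(unknown)' }
                Services     = if ($servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] -join ',' } else { '' }
            }
        }
    }
}

# SAP port families named in Step 3: 32xx, 33xx, 36xx (ABAP) and 5xx00 (Java),
# widened here to the whole 5xxxx block so the sapstartsrv 5xx13/5xx14 ports
# also count as SAP. Everything else needs a justification in the ACL sheet.
function Test-SapPort {
    param([Parameter(Mandatory)][int]$Port)
    $family = [int][math]::Floor($Port / 100)
    return ($family -in 32, 33, 36) -or ($Port -ge 50000 -and $Port -le 59999)
}

# Usage: list the non-SAP listeners first; these are the backup agent, monitoring
# and 3rd-party ports to record in the ACL spreadsheet (or to close).
Get-ListeningPortInventory |
    Select-Object Protocol, Port, PID, Process, Services,
        @{ Name = 'Class'; Expression = { if (Test-SapPort -Port $_.Port) { 'SAP' } else { 'REVIEW' } } } |
    Sort-Object Class, Protocol, Port |
    Format-Table -AutoSize
```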

Monitoring applications such as System Center 2012 (SCCM) will also need to have specific ports opened to MOM servers. It is recommended not to use SNMP based monitoring agents on SAP servers [9].

Some other utility systems such as archiving, printing, fax and interfaces [10] may require additional ports. It is recommended to restrict these ports to specific target IP addresses. Windows Print servers may be able to be located outside the SAP VLAN in the general server VLAN, reducing the complexity of the SAP VLAN ACL.

The Management Station(s) require the Terminal Services port to be opened. Before creating the ACL please select a new port number as described in section 3.3.5.

Example:





[7] Only the domain controllers need access to the SAP VLAN on ports 1024 to 65536. No other servers require this ACL.

[8] http://support.microsoft.com/kb/154596 describes how to specify a port range for RPC callback.

[9] It is strongly recommended not to enable SNMP. The following link provides information on how to secure SNMP: http://support.microsoft.com/kb/324261

[10] SAP systems such as XI will frequently interface SAP systems to legacy Unix applications. Unix system administrators may sometimes request that FTP be enabled on an SAP server. It is strongly recommended never to use any first generation protocols (Telnet, FTP, SNMP etc.) on SAP systems. These protocols are not secure. It is recommended to use https connections or to use a gateway file server running only FTP and virus scanning software.





Action: Build an ACL spreadsheet in Excel and discuss with the data center network team. Implement on the Test VLAN first, then test for several days. When the ACL is verified implement the ACL on the Production VLAN.

3.3.4 Step 4 - Close Web outbound ports

It is recommended to permit all outbound traffic from the SAP servers to the general server network and user LAN. There are three recommended ports to block: http, https and smtp [11].

Example:

Action: Build an ACL spreadsheet in Excel and discuss with the data center network team. Implement on the Test VLAN first, then test for several days. When the ACL is verified implement the ACL on the Production VLAN [12].

It is also recommended to block outbound Netbios (137, 139, 445) except for specified servers (management server). All printing and file serving should be done via servers outside the SAP VLAN.
[11] If smtp mail is used it is recommended to permit outbound connections to specific Exchange/smtp hosts only.

[12] For advanced customers we block outbound Netbios ports to all systems except the Management Station(s).





3.3.5 Step 5 - Change Windows Terminal Services Port

The default Windows Terminal Services (RDP) port is 3389. By changing the RDP port on each server to a secret port the SAP administrator can make unauthorized access to an SAP server much more difficult or impossible, even if someone knows a valid username and password.

Action: Change the terminal services port to a secret port as described in this KB article: http://support.microsoft.com/kb/187623/

In the example below the terminal services port has been changed to 65000.


3.3.6 Step 6 - Use Terminal Services Client 6.0

The latest version of the Terminal Services Client contains improved encryption and should always be used.

Action: Download and install the latest Terminal Services Client update on the SAP administrator's PC and the Management Station(s): http://support.microsoft.com/?kbid=925876

3.3.7 Step 7 - Create dedicated SAP Active Directory Container

Placing the SAP systems into a dedicated Active Directory container allows the SAP administrator to implement specific SAP security settings on the SAP servers in a controlled manner.

3.3.7.1 Create Development, management station, QAS and production sub-containers

Action: Request the Active Directory Administrator to create an SAP Organizational Unit with the following structure.

It is no longer needed or desirable to create a separate Active Directory Domain specifically for SAP. Many thousands of customers run SAP with Mirror or Cluster configurations with all SAP servers members of the main corporate directory. Our general recommendation to all SAP on SQL customers is to join all SAP servers to the main corporate directory in a separate container with Policy Block enabled.

SAP Servers should always be joined to an Active Directory and be member servers. Standalone (non-domain) servers are not recommended. Configuration of Security Policies and SSO is considerably easier on Domain Members.









If the SAP administrator is familiar with Active Directory the Active Directory team may delegate [13] authority to reset passwords or create new accounts to the SAP administrator. Note: The SAP administrator will only have permissions to change accounts inside the SAP Organizational Unit.

3.3.7.2 Enable Policy block on SAP container

To prevent other policies from "undoing" the SAP specific policies it is recommended to activate the policy block setting on the SAP container.

Action: Start the Group Policy Management tool and right click on the SAP container. Select Block Inheritance. This is required to prevent domain level policies overriding the settings for the SAP servers.





[13] The Active Directory Administrator can delegate limited control of the SAP OU. This also allows the SAP Administrator to create the <SID>adm and SAPService<SID> accounts prior to running the SAP installation program. This avoids the need to install SAP using a domain administrator account or to install SAP using local service accounts (not recommended). http://technet.microsoft.com/en-us/library/cc732524.aspx










The SAP container should now look like the following:

It is recommended to use one single policy for Sandbox, Test and Production containers. This ensures consistent behavior on all SAP systems. When changing policy settings it is recommended to copy the Policy to a new name, block Inheritance on the Sandbox container and apply the policy to Sandbox to perform testing. This process can be repeated on the Test container.

3.3.8 Step 8 - Create a policy for the SAP servers using SCW

In this step a policy is built on an SAP reference system, usually a Sandbox or Development system. This system should be a super set of the SAP usage types. If the SAP landscape has only ABAP systems the policy can be safely created on an ABAP only system. If some ABAP+Java systems are present in the landscape, it is recommended to run SCW on an ABAP+Java system. Solution Manager is an ABAP+Java system and can be used to develop the SAP server policy.









Action: Read and review the "Windows Server® 2008 R2 SP1 Security Guide" which is delivered with the Windows Security Compliance Manager (Security Compliance Management Toolkit Series).

Use the Windows Security Configuration Wizard to build a Policy

To create the SAP server policy:

1. Logon to the SAP reference system with an administrative account.

2. Ensure the SAP system services and instance are started. Ensure SAPOSCOL (or monitoring agent) and any other SAP services are started (such as SAPCCMSR or CCMSPING).

3. Launch the SCW GUI, select Create new policy, and point it to the Management Station.

4. Remove all server roles except File Server and Cluster Server (for MSCS systems).

5. Remove all client features other than DNS Registration Client, Domain Member & Microsoft Networking Client to reduce the server's attack surface.

6. For maximum protection, remove all administrative options except for Windows Firewall, Remote Desktop Administration, Local Application Installation Service, Application Installation from Group Policy, Time Synchronization and IPSec (if IPSec services are used).

7. Ensure that the SAP services have been identified. Check that any additional services that are required, such as backup agents or antivirus software, are detected.

8. Decide how to handle unspecified services in your environment. It is recommended to set "do not change startup mode".

9. Ensure the Skip this section checkbox is deselected in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Add all ports defined in the Excel spreadsheet created in section 3.3.3. It is also important to enable the file sharing ports on the host that holds the SAP Transport System. Cluster Service ports are needed for MSCS systems.

10. In the "Registry Settings" section click Next. Configure as per Appendix I.

11. In the "Audit Policy" section, click the Skip this section checkbox and then click Next. Configure appropriate values.

12. Select Save security policy as zSAP-System-1.0.xml.


Upload Policy to AD using the SCW transform command

The SCW XML file can be converted to an Active Directory Policy. This allows the configuration to be applied to individual servers or groups of servers.

Action: Ask the AD administrator to run the following command from a command prompt; domain admin permissions are required as this command will upload a policy to the AD.

scwcmd transform /p:"C:\WINDOWS\security\msscw\Policies\zSAP-System-1.0.xml" /g:zSAP-System-1.0

It is recommended to retain the last three versions of the SAP Policy. When updating a policy copy the original policy to a new name such as zSAP-System-1.1.

Edit Group Policy Object

It is recommended to add the following AD policy settings to the SAP Server Policy.

Action: Open the Group Policy Management Tool on the Management Station [14] and right click on the SAP Server Policy and select Edit.




[14] There is no need to install the Group Policy Editor on the SAP servers. The SAP Server Policy can be edited on the Management Station.







Use the group policy Editor to set the following attributes:

Set the "Network Security: LAN Manager Authentication level" as below

Do not display last user name









Specify users allowed to Logon Locally and via Terminal Services

Create a group that contains all the SQL Server Service Accounts. Grant "Lock Pages in Memory" permission to this group.

Grant "Perform Volume Maintenance Tasks" to the SQL Server Service Account group [15].






[15] http://blogs.msdn.com/b/sql_pfe_blog/archive/2009/12/23/how-and-why-to-enable-instant-file-initialization.aspx






3.3.8.1 Windows firewall and network settings

Action: Use the Group Policy Editor to add all of the ports from the VLAN ACL to the Windows Firewall. MSCS and File and Printer Sharing ports should be opened as SAP servers within the VLAN need to communicate with each other and access the SAPMNT share.

Right click on Inbound Rule and select "New Rule"

Specify "Port"

Enter these ports and/or port ranges [16]: 3200-3299, 3300-3399, 3600-3699, 3900-3999, 4800-4899, 5443, 8000-8099, 8100-8199, 50013-59913, 50014-59914, 50016-59916, 50000-59900, 50001-59901, 44400-44499 [17]






[16] Security Configuration Wizard does not allow Port Ranges. GPO Editor does allow port ranges.

[17] Review TCPIP Ports used by SAP Applications. Add LiveCache ports if SAP SCM LiveCache is used.







Document the Ports

On SQL Server database servers with a default SQL Server instance specify "Port".










Review the rules

To increase the security of this firewall rule further a "scope" can be set for the rule. The scope restricts the IP addresses or subnet(s) that can use a rule. Most commonly customers will set the scope to the SAP VLAN subnet. This prevents any IP address that is not on the SAP VLAN from connecting to SQL Server.

For additional security the scope for the SQL Server Firewall policy can be set to the IP addresses of the SAP application servers. No other host will be able to connect to SQL Server.

On named instances specify Port = 1434 UDP for SQL Browser. On SQL Server named instances the port that the SQL Server Engine uses is randomly assigned, therefore it may be easier to specify "Program" and then specify the SQL Server executable.
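Building the scoped inbound rules from the instance numbers, as an added PowerShell example that is not part of the original guide: it derives the SAP ports the way Step 3 describes (system number plus SAP's port templates), creates one rule per port scoped to the SAP VLAN subnet, and adds the SQL Browser and by-program engine rules for a named instance scoped to the application servers only. The instance-to-port templates, the subnet 10.40.1.0/24, the addresses and the sqlservr.exe path are assumptions to verify against SAP's TCPIP Ports document and the local installation; New-NetFirewallRule requires Windows Server 2012 or later.

```powershell
# Added example (not from the original guide): derive the inbound SAP port list
# from the instance numbers and create Windows Firewall rules scoped to the SAP
# VLAN, instead of typing the ranges from the list above by hand.
# Assumptions: the instance-number-to-port templates below must be verified
# against SAP's "TCPIP Ports used by SAP Applications" (the 5443, 81xx and
# 444xx entries in the list above are left out because their purpose is not
# stated here); New-NetFirewallRule needs the NetSecurity module (Windows
# Server 2012+); 10.40.1.0/24, the addresses, the instance numbers and the
# sqlservr.exe path are sample values.

# NN is replaced by the two-digit instance number.
$SapPortTemplates = [ordered]@{
    'dispatcher'           = '32NN'
    'gateway'              = '33NN'
    'message server'       = '36NN'
    'message server (SCS)' = '39NN'
    'SNC gateway'          = '48NN'
    'ICM HTTP'             = '80NN'
    'Java HTTP'            = '5NN00'
    'Java HTTPS'           = '5NN01'
    'sapstartsrv HTTP'     = '5NN13'
    'sapstartsrv HTTPS'    = '5NN14'
}

function Get-SapInstancePorts {
    # One object per (service, instance) with the concrete TCP port.
    param([Parameter(Mandatory)][int[]]$InstanceNumbers)
    foreach ($nr in $InstanceNumbers) {
        if ($nr -lt 0 -or $nr -gt 99) { throw "Instance number $nr is outside 00-99" }
        $nn = '{0:D2}' -f $nr
        foreach ($entry in $SapPortTemplates.GetEnumerator()) {
            [PSCustomObject]@{
                Service  = $entry.Key
                Instance = $nn
                Port     = [int]($entry.Value -replace 'NN', $nn)
            }
        }
    }
}

function New-SapFirewallRules {
    # Creates one inbound allow rule per SAP port, scoped to the SAP VLAN subnet,
    # plus the SQL Server rules scoped to the application servers only.
    # -WhatIf prints the rules that would be created without touching the host.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][int[]]$InstanceNumbers,
        [Parameter(Mandatory)][string]$SapVlanSubnet,   # e.g. '10.40.1.0/24'
        [string[]]$SqlClientAddresses,                    # SAP application servers
        [string]$SqlServerExe = 'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'
    )
    foreach ($p in Get-SapInstancePorts -InstanceNumbers $InstanceNumbers) {
        $name = 'zSAP {0} instance {1} TCP {2}' -f $p.Service, $p.Instance, $p.Port
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound firewall rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Profile Domain `
                -Protocol TCP -LocalPort $p.Port -RemoteAddress $SapVlanSubnet | Out-Null
        }
    }
    if ($SqlClientAddresses) {
        # Named instances: SQL Browser answers on UDP 1434 and the engine port is
        # assigned dynamically, so the engine rule is by program, not by port.
        if ($PSCmdlet.ShouldProcess('zSAP SQL Browser UDP 1434', 'Create inbound firewall rule')) {
            New-NetFirewallRule -DisplayName 'zSAP SQL Browser UDP 1434' -Direction Inbound -Action Allow `
                -Profile Domain -Protocol UDP -LocalPort 1434 -RemoteAddress $SqlClientAddresses | Out-Null
        }
        if ($PSCmdlet.ShouldProcess('zSAP SQL Server engine', 'Create inbound firewall rule')) {
            New-NetFirewallRule -DisplayName 'zSAP SQL Server engine (by program)' -Direction Inbound `
                -Action Allow -Profile Domain -Program $SqlServerExe -RemoteAddress $SqlClientAddresses | Out-Null
        }
    }
}

# Usage: preview first (-WhatIf), then run again without it. Two instances, 00
# and 01; the database is reachable only from the two application servers.
New-SapFirewallRules -InstanceNumbers 0, 1 -SapVlanSubnet '10.40.1.0/24' `
    -SqlClientAddresses '10.40.1.15', '10.40.1.16' -WhatIf
```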








3.3.8.2 Uninstall Internet Explorer

Internet Explorer must be uninstalled from Windows 2008 R2 in all cases. There is no valid reason to have IE on any production SAP server.

Critical and Important security patches [18] are sometimes issued for Internet Explorer and this software is sometimes the delivery mechanism for security vulnerabilities [19].

In the past, security vulnerabilities have been found in Internet Explorer, which made it necessary to install Critical and Important security patches addressing the issues. Such patches can be safely ignored if there is no Internet Explorer present on the server.

Many security vulnerabilities require Internet Explorer (or another browser) to be installed on a server in order to run malicious code/scripts hosted on a web server.

Internet Explorer can be removed completely from Windows 2008 R2. Windows Server 2012 does not install with Internet Explorer by default.

To remove Internet Explorer follow the steps in this KB article: http://support.microsoft.com/kb/957700#stepsforwin2008r2





3.3.8.3 Check system auditing configuration

Action: Using the Group Policy Editor Tool check the system audit policy and adjust as required.






[18] Microsoft issues a security bulletin each month; see http://www.microsoft.com/technet/security/current.aspx

[19] A security vulnerability will often require the user to browse to an infected website or an email message will automatically redirect to an infected website.





3.3.9 Step 9 - Move Management Station & SAP Servers to AD Containers

Action: The Active Directory administrator should now move the Management Station(s) and SAP Servers to the appropriate container that was created in step 3.3.7.

To move a server to a new container right click on the server and select Move.

3.3.10 Step 10 - Apply Policies to Management Station & SAP Containers

Action: Using the Group Policy Editor Tool right click on the SAP Active Directory container and select Link an Existing GPO.

Apply the SAP Policy to the Sandbox container and perform testing. After the configuration has been tested and adjusted, apply the SAP policy to the top level SAP container. This will apply the policy on all SAP systems including Production.

Apply the Management Station Policy to the Management Station container. If necessary a policy inheritance block can be used on the Management Station container.

To immediately apply a group policy on a server run the command line utility gpupdate.exe /force; otherwise the policy will be applied within 10 to 20 minutes.

3.3.11 Step 11 - Rename local administrator account using a function

The local Windows server administrator account name is well known: "administrator". It is recommended to disable this account and create a new administrator account [20]. It is also recommended to use a generated administrator user account name that is different on each server. Changing the user account name prevents (or makes very difficult) someone who has discovered the password [21] from logging on.

A simple algorithm should be used to generate a prefix or a suffix on a username. An example is given below with a function that multiplies the last digit in the hostname by the last IP digit:


Hostname   IP address    User name prefix   + Function     = Generated username
trcsap1    10.40.1.15    local-sap-adm      1 X 15 = 15    local-sap-adm-15
trcsap2    10.40.1.16    local-sap-adm      2 X 16 = 32    local-sap-adm-32
trcsap3    10.40.1.17    local-sap-adm      3 X 17 = 51    local-sap-adm-51
trcsap4    10.40.1.18    local-sap-adm      4 X 18 = 72    local-sap-adm-72




[20] The Windows Administrator SID is well known: http://support.microsoft.com/kb/243330

[21] Choose a password carefully after reading http://technet.microsoft.com/en-us/library/cc875839.aspx






Hint: The function should not be too complex for the SAP administrator to calculate!

It is also very important to clear the last logged on user name via the policy as well.

Action: Create a simple function, calculate the usernames for each server and right click to create a new user with local administrator privileges. Right click and disable the default "administrator" account.

In order for an unauthorized user to logon to a Windows server they need at least the following pieces of information: (1) hostname and/or IP address, (2) username, (3) password, (4) RDP port, (5) TCPIP connectivity. Already this security procedure has blocked direct TCPIP access via a VLAN and a Windows Firewall ACL, set a strong password, changed the RDP port to a secret number, and in this step we have made the user name almost impossible to guess unless someone discovers the username function.
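The rename procedure as an added PowerShell example (not part of the original guide): the first function reproduces the rule from the table above (last digit of the hostname times the last octet of the IP address), and the second creates that account in Administrators and disables the built-in Administrator by its well-known RID 500 rather than by name, since footnote 20 points out the SID is fixed. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1) and uses the constructed hosts trcsap1..4 and addresses from the table.

```powershell
# Added example (not from the original guide): compute the per-server local
# administrator name with the function from the table (last digit of the
# hostname x last octet of the IP address), create that account and disable
# the built-in Administrator, which keeps RID 500 whatever it is called
# (footnote 20). Assumes Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts)
# and the constructed hosts trcsap1..4 / 10.40.1.15..18 from the table.

function Get-GeneratedAdminName {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$Prefix = 'local-sap-adm'
    )
    # Last digit of the hostname, e.g. trcsap1 -> 1
    if ($Hostname -notmatch '(\d)$') { throw "Hostname '$Hostname' does not end in a digit" }
    $hostDigit = [int]$Matches[1]
    # Last octet of the IPv4 address, e.g. 10.40.1.15 -> 15
    $octets = $IPAddress -split '\.'
    if ($octets.Count -ne 4) { throw "'$IPAddress' is not a dotted IPv4 address" }
    $lastOctet = [int]$octets[3]
    # Suffix = hostDigit x lastOctet, e.g. 1 x 15 = 15 -> local-sap-adm-15
    return '{0}-{1}' -f $Prefix, ($hostDigit * $lastOctet)
}

function Set-GeneratedLocalAdmin {
    # Creates the generated account in Administrators (if missing) and then
    # disables the built-in Administrator, selected by its well-known RID 500
    # rather than by display name in case it was renamed earlier.
    param(
        [Parameter(Mandatory)][string]$NewName,
        [Parameter(Mandatory)][securestring]$Password
    )
    if (-not (Get-LocalUser -Name $NewName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $NewName -Password $Password `
            -Description 'Generated local administrator (SAP security guide, step 11)' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $NewName
    }
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin -and $builtin.Name -ne $NewName -and $builtin.Enabled) {
        Disable-LocalUser -Name $builtin.Name
    }
}

# Reproduce the table for the sample hosts (expected suffixes: 15, 32, 51, 72).
$sampleHosts = @(
    @{ Hostname = 'trcsap1'; IPAddress = '10.40.1.15' },
    @{ Hostname = 'trcsap2'; IPAddress = '10.40.1.16' },
    @{ Hostname = 'trcsap3'; IPAddress = '10.40.1.17' },
    @{ Hostname = 'trcsap4'; IPAddress = '10.40.1.18' }
)
foreach ($h in $sampleHosts) {
    '{0,-9} {1,-12} {2}' -f $h.Hostname, $h.IPAddress, (Get-GeneratedAdminName @h)
}

# On the server itself: derive the name from this host and its SAP VLAN address
# (sample value), then apply it. The password is prompted, never hard-coded.
$thisName = Get-GeneratedAdminName -Hostname $env:COMPUTERNAME -IPAddress '10.40.1.15'
Set-GeneratedLocalAdmin -NewName $thisName -Password (Read-Host -AsSecureString "Password for $thisName")
```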

3.3.12 Step 12 - Remove Domain Admins and all other user accounts

Action: It is recommended to prevent Backup Administrators, Domain Administrators and other operations staff from logging on interactively to SAP Servers.

Routine operations activities such as monitoring free disk space can be accomplished using SCCM or the built in CCMS monitoring system. There is seldom any legitimate requirement for a Windows administrator to logon interactively to SAP systems.

An untrained or inexperienced Windows administrator who has not received basic training on the operations of an SAP system represents one of the greatest threats to the stability of the system. Windows and SQL Server are designed to run without regular administrator intervention.

3.3.13 Step 13 - MS SQL Server Security

3.3.13.1 SQL Server Security Configuration

Older SAP implementations required DOMAIN\SAPService<SID> to have the sysadmin role in SQL Server. This was required in order to do a "set user" command. Newer SAP releases (specifically the 7.20 kernel) do an EXECUTE AS. It is possible to remove the sysadmin role from DOMAIN\SAPService<SID> if this is required for audit and compliance purposes [22].

Use integrated security for ABAP based systems. Currently Java or ABAP+Java based systems require mixed mode security.

Remove local administrators' access to the SAP database. Remove "Users" group access to SAPDATAx and Transaction log files.

To further enhance security and minimize patching and update requirements it is recommended to install only the SQL Server Engine. Do not install Books Online and Management Studio. The MS DTC is not and has never been required to run SAP. SAP ABAP and Java components only require the SQL Server Engine.





[22] Some features of DBA Cockpit may not fully function without sysadmin, but this will not impact the operation of the SAP application.






Only the SQL Server Engine is required for SAP. On clustered systems replication and full text must be installed.

SQL Server Management Studio is not required and can be run from a central location and configured to manage all SQL Server instances in an SAP Landscape.

3.3.13.2 Use of scripts & direct access to the database

It is strongly recommended not to use any external script or batch file that connects to the SAP database. Direct access to the SAP database is a significant security risk.

It may appear "easy and convenient" to write a script to access some data inside SAP or to monitor the SAP system. Often those customers who use scripts in this way find that they have very large, unsupportable, hard to maintain scripts with different versions and releases on different systems. It is recommended to use ABAP developments to read SAP application data and to use MOM or CCMS to monitor SAP systems. SAP provides templates to allow customers to write custom monitors that plug into CCMS.

3.3.13.3 Security Requirements for SQL Server Service Accounts

SQL 2012 Service Account permissions are detailed in this Books Online article: http://msdn.microsoft.com/en-us/library/ms143504.aspx

In general do not use Administrative accounts for starting Windows services unless there is a specific requirement to do so.

The Service Account that starts SQLBrowser (required for Named Instances [23]) is documented in Books Online [24].

Do not specify Administrative accounts for Services of SQL Server or other applications.

SQL Browser service should be configured as below:

- Deny access to this computer from the network
- Deny logon locally
- Deny Log on as a batch job
- Deny Log On Through Terminal Services
- Log on as a service
- Read and write the SQL Server registry keys related to network communication (ports and pipes)







[23] Static ports can be configured for SQL Server and the Browser stopped if required.

[24] http://msdn.microsoft.com/en-us/library/ms181087.aspx








SQL Server Service / Permissions granted by SQL Server Setup

SQL Server Database Engine (all rights are granted to the per-service SID. Default instance: NT SERVICE\MSSQLSERVER. Named instance: NT SERVICE\MSSQL$InstanceName):
- Log on as a service (SeServiceLogonRight)
- Replace a process-level token (SeAssignPrimaryTokenPrivilege)
- Bypass traverse checking (SeChangeNotifyPrivilege)
- Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
- Permission to start SQL Writer
- Permission to read the Event Log service
- Permission to read the Remote Procedure Call service

SQL Server Agent (all rights are granted to the per-service SID. Default instance: NT Service\SQLSERVERAGENT. Named instance: NT Service\SQLAGENT$InstanceName):
- Log on as a service (SeServiceLogonRight)
- Replace a process-level token (SeAssignPrimaryTokenPrivilege)
- Bypass traverse checking (SeChangeNotifyPrivilege)
- Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

SQL Server Browser (all rights are granted to a local Windows group. Default or named instance: SQLServer2005SQLBrowserUser$ComputerName. SQL Server Browser does not have a separate process for a named instance):
- Log on as a service (SeServiceLogonRight)

3.3.13.4 Admin Connection

The SQL Server Admin connection should be configured.

http://msdn2.microsoft.com/en-us/library/ms178068.aspx
http://msdn2.microsoft.com/en-us/library/ms189595.aspx

3.3.14 Step 14 - Secure SAP Service Accounts

It is highly recommended to follow the procedure at the back of the SAP Installation Guide to "pre-create" all the users and groups prior to starting the SAP Installation. This removes any requirement for the SAP installation to be performed with a Domain Admin account. Please implement the procedure in the Installation Guide "Performing a Domain Installation Without Being a Domain Administrator".






3.3.14.1 Validate & Adjust DOMAIN\<sid>adm & DOMAIN\SAPService<SID> security

Action: Check that the SAP user accounts are secured appropriately [25]. Set the following security attributes on the Global SAP Groups via GPO.

These are the default settings:

- DOMAIN\<SID>adm: Act as part of the operating system; Adjust memory quotas for a process; Replace a process-level token
- DOMAIN\SAPService<SID>: Deny log on locally; Deny log on through remote desktop services; Restore files and directories
- DOMAIN\SAPService<SID> should not have any of the rights: Act as part of the OS; Logon as a batch job; Debug programs

Starting with SAP release 7.0 the DOMAIN\SAPService<SID> user no longer needs to be a local administrator. Therefore the right "Act as part of the operating system" is not necessary.

The permissions "Adjust memory quotas for a process" and "Replace a process-level token" are needed by DOMAIN\<SID>adm to start the SAP system. Also the "Restore files and directories" permission is needed for DOMAIN\SAPService<SID> to load the registry hive.
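Checking these rights on a server rather than reading them off the GPO, as an added PowerShell example that is not part of the original guide: it exports the effective user-rights assignments with secedit, resolves the two principals to SIDs, and reports OK or ADJUST for each right named in 3.3.14.1. CONTOSO and PRD are placeholder values; where the rights are granted to the global SAP groups, pass the group names as the principals (only direct grants are checked, not nested group membership).

```powershell
# Added example (not from the original guide): validate the user-rights
# assignments of DOMAIN\<sid>adm and DOMAIN\SAPService<SID> against section
# 3.3.14.1 by exporting the effective local security policy with secedit.
# Run elevated on the SAP server. 'CONTOSO' and 'PRD' are placeholder values;
# if the rights are granted through the global SAP groups (as the GPO action
# above suggests), pass those group names as the principals instead. Only
# direct grants are checked, not grants inherited via nested group membership.

function Get-PrivilegeRights {
    # Returns a hashtable: privilege constant (e.g. SeDebugPrivilege) -> SIDs holding it.
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Values are comma-separated SIDs prefixed with '*' (sometimes plain names).
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)   # DOMAIN\name
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-SapAccountRights {
    param(
        [Parameter(Mandatory)][string]$AdmPrincipal,       # e.g. CONTOSO\prdadm
        [Parameter(Mandatory)][string]$ServicePrincipal    # e.g. CONTOSO\SAPServicePRD
    )
    $rights = Get-PrivilegeRights
    $adm = Get-AccountSid $AdmPrincipal
    $svc = Get-AccountSid $ServicePrincipal

    # Expected state from 3.3.14.1, keyed by the Windows privilege constant.
    $checks = @(
        @{ Who = $adm; Right = 'SeIncreaseQuotaPrivilege';         Expect = $true;  Label = 'adm: Adjust memory quotas for a process' }
        @{ Who = $adm; Right = 'SeAssignPrimaryTokenPrivilege';     Expect = $true;  Label = 'adm: Replace a process-level token' }
        @{ Who = $svc; Right = 'SeRestorePrivilege';                Expect = $true;  Label = 'SAPService: Restore files and directories' }
        @{ Who = $svc; Right = 'SeDenyInteractiveLogonRight';       Expect = $true;  Label = 'SAPService: Deny log on locally' }
        @{ Who = $svc; Right = 'SeDenyRemoteInteractiveLogonRight'; Expect = $true;  Label = 'SAPService: Deny log on through Remote Desktop' }
        @{ Who = $svc; Right = 'SeTcbPrivilege';                    Expect = $false; Label = 'SAPService: Act as part of the operating system' }
        @{ Who = $svc; Right = 'SeBatchLogonRight';                 Expect = $false; Label = 'SAPService: Log on as a batch job' }
        @{ Who = $svc; Right = 'SeDebugPrivilege';                  Expect = $false; Label = 'SAPService: Debug programs' }
    )
    foreach ($c in $checks) {
        $holds = $rights.ContainsKey($c.Right) -and ($rights[$c.Right] -contains $c.Who)
        [PSCustomObject]@{
            Check  = $c.Label
            Right  = $c.Right
            Holds  = $holds
            Status = if ($holds -eq $c.Expect) { 'OK' } else { 'ADJUST' }
        }
    }
}

# Usage (placeholder domain and SID): anything marked ADJUST needs the GPO changed.
Test-SapAccountRights -AdmPrincipal 'CONTOSO\prdadm' -ServicePrincipal 'CONTOSO\SAPServicePRD' |
    Format-Table -AutoSize
```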

3.3.15 Web Dispatcher & SAP MMC

SAP Webdispatcher is an application level proxy that further isolates the SAP backend servers from the core user LAN. An application level proxy greatly reduces the impact of denial of service attacks. Typically a DoS attack will at worst cause the Webdispatcher to stop functioning. The SAP backend systems will normally not be impacted and the Webdispatcher can simply be restarted.

The SAP Webdispatcher also reduces the complexity of the VLAN and firewall configuration as all traffic will be coming via the Webdispatcher. SAPRouter provides some similar functionality for SAPGUI ABAP only based environments.

The Active Directory Schema can be extended to allow SAP systems to register into the AD and client applications such as SAPGUI and SAPMMC to read this data. SAPMMC can then be run on the Management Station(s) and used to start and stop SAP systems without the need to logon to the operating system.

3.3.16 Physical Data Centre Security

Almost all security protections can be defeated if an intruder has physical access to a system, whether it be a server, a network switch or backup tapes.

Action: Request the data centre team to ensure that the following precautions are taken:

- Secure remote management cards and console devices
- The server room is monitored with video cameras
- The SAP servers are in a locked cage
- Access to the server room is controlled
- Ensure backup media is securely stored

3.3.17 Windows Server Core Deployments

SQL Server 2012 is supported on Windows 2008 R2 Core Edition and will be supported on Windows Server 8 Core: http://technet.microsoft.com/en-us/library/hh231669.aspx

The table below shows the time between reboots for Windows 2008 R2 Core. Customers who have hardened the Windows OS could achieve results in excess of these numbers by mitigating vulnerabilities.




[25] SAP Note 1675282 - Security policies for SIDadm and SapServiceSID on Windows






                                             WS08 Server Core            WS08 R2 Server Core
                                             % Reduction  Critical** Only  % Reduction  Critical Only
                                             in patches   % Reduction      in patches   % Reduction
                                                          in patches                    in patches
All applicable patches
  All roles                                  42%          56%              37%          49%
    Months without reboots                   13           19               10           13
  Without AD, DNS, Print, Media Services,
  Telnet, .Net, Clustering, Hyper-V, IIS,
  or WINS                                    53%          63%              51%          62%
    Months without reboots                   15           21               10           13
Necessary patches only*
  All roles                                  48%          67%              40%          55%
    Months without reboots                   16           26               10           13
  Without AD, DNS, Print, Media Services,
  Telnet, .Net, Clustering, Hyper-V, or IIS  60%          71%              54%          65%
    Months without reboots                   19           28               10           13

* Necessary patches are: Where binary is in Server Core, but vulnerability is not exploitable
** Critical patches are those with a Critical rating on http://www.microsoft.com/technet/security/current.aspx





4 A Scientific Comparison of AIX, HPUX, Solaris, Linux & Windows Server Security Vulnerabilities

The information and content in the following section applies to the Windows releases in this document, specifically Windows 2008 R2 SP1 or higher. The comments in this section do not apply to older Windows releases such as Windows 2003 or earlier. Windows 2003 does not meet the security and patching requirements for large highly critical Line of Business applications. Windows 2003 is not recommended for modern SAP releases. SQL Server 2012 is not supported on Windows 2003.

4.1 Windows Platform in Comparison to UNIX Security - Reality

This whitepaper is focused on hardening the Windows operating system to improve the operations and maintenance cycles of SAP on SQL Server systems. Due to repeated requests from customers the author is including a detailed comparison between UNIX, Linux & Windows patching requirements.

This chapter has been included due to the requests from customers for greater transparency around the Windows Security topic. The chapter is also included due to significant misinformation in circulation about the Security & Patching requirements for SAP on Windows and SQL Server systems relative to UNIX based systems. This chapter also briefly discusses the broader topic of security threats, their origin and their risk profile.

In summary the number of security patches for Windows Server is equal to or less than the number of security patches for UNIX and considerably less than Linux. When appropriate hardening and security policies are implemented the patching requirement for Windows Server running SAP on SQL Server should be the same or less than UNIX platforms [26].

When appropriate hardening is done on Windows, UNIX or Linux it is possible to create a very secure SAP Platform. Microsoft's Active Directory is the IT industry's leading identity management security layer. It is considerably easier to secure Windows servers because Active Directory can be used to centrally control and enforce policies and configuration for both SAP and all access management requirements throughout a company's IT assets.




4.1.1 Security Threats

Internal versus External

CIOs, IT Managers and Security Administrators are sometimes unaware of the relative risk profiles of external threats versus internal sources [27]. There are three main security threats to most companies [28][29]. Customers are highly recommended to ensure that appropriate resources are deployed in addressing security threats from internal as well as external sources.




[26] Windows Server 2008 R2 Core already delivers 13 months without security patches requiring reboot. SQL 2012 is supported on this OS deployment. With additional hardening the reboot requirement can reach 18 months or more.

[27] http://newsroom.cisco.com/dlls/2008/ts_102808.html

[28] http://www.networkworld.com/news/2008/111208-cisco-study-internal-security.html






4.1.1.1 External Threats

An external threat originates outside an organization, its employees or its agents. Typical examples are worms, botnets, social engineering attacks, rootkits [30] and other malware. The intent behind the vast majority of external threats is to cause malicious disruption.

Sometimes the motivation is to steal data from a specific organization. Customers report that it is more common for external threats to take the form of “mass” attacks. Attacking a well-defended organization is a relatively poor risk vs. reward ratio for the hacker. If an organization were to detect an attempt, alert law enforcement [31] and thereby collect enough evidence to trace and prosecute an individual, the legal consequences usually far outweigh the possible gain.

Very occasionally external threats are politically motivated and directed at specific organizations.

External threats tend to be much more prominent in the media. Phishing, identity theft and fraud from external sources are topics that are not relevant to Line of Business applications such as SAP. It is important that client computers used by administrators are protected from external threats; however, this security whitepaper mandates the use of Management Stations, and no actual system administration tools or tasks should be performed from client computers.

4.1.1.2 Internal Threats

An internal threat originates within an organization, its employees and/or contractors. These threats are dangerous in terms of data theft, fraud and other risks. Employees have the most important element in unauthorized data access available to them: time. Due to corporate policies and the negative publicity that legal action brings in such cases, unauthorized data access by employees is thought to be under-reported. Unauthorized data access by internal employees is sometimes financially motivated, such as selling IP or sales data to competitors.

What little information is available about internal threats can be summarized as:

1. The motivation generally falls into three categories: Disgruntled employees