This article is the first and introductory part of a new series of guidelines describing the main security areas of SAP S/4 HANA and SAP HANA systems.
It is well-known that ERP systems such as SAP ECC and SAP S/4 HANA in particular may dramatically enhance the quality and speed of the management of all the information and resources involved in a company’s operations.
Needless to say, the ERP system forms the backbone of any large company. It handles all business-critical processes (e.g., purchases, payments, logistics, HR, product management, financial planning, etc.). All the data stored in ERP systems is confidential, and any unauthorized access to it can result in significant losses and serious ramifications, up to and including business interruption. Therefore, we should not forget the importance of securing enterprise applications and the various ERP systems against cyberattacks.
SAP S/4 HANA is a new generation of ERP system developed by SAP on top of the SAP HANA database, which is why it makes sense to cover both SAP S/4 HANA and the SAP HANA database. The DBMS is an integral part of the ERP system. So, if we only take care of the security of the application itself while the DBMS remains vulnerable, a successful attack on the DBMS might lead to the disruption of key business processes and to access to business-critical information, leaving the business seriously damaged.
This series of articles contains a detailed analysis of the new business application platform, SAP S/4 HANA and SAP HANA. We took the same approach as for SAP NetWeaver when developing the EAS-SEC SAP NetWeaver ABAP Security guide. During this analysis, 40 key security settings were identified and distributed among 9 critical security areas. You will learn how to assess the security of SAP S/4 HANA applications and then protect them from the most widespread vulnerabilities in this field, and you will see further steps for securing all 9 areas.
The top-9 critical areas for business applications
The list of the top-9 critical areas for the vulnerability assessment of business applications is provided in the table below. They are ranked from 1 to 9 according to their severity and impact on the ERP system, business applications, and related security. Three main parameters were considered:
- The initial access to exploit a vulnerability
- The severity of a vulnerability (a potential impact if exploited)
- The complexity of a vulnerability exploitation
| # | Critical area | Initial access required |
|---|---|---|
| 1 | Patch management flaws | Anonymous |
| 2 | Default passwords for access to the application | Anonymous |
| 3 | Unnecessary functionality | Anonymous |
| 4 | Open remote management interfaces | Anonymous |
| 5 | Insecure settings | Anonymous |
| 6 | Unencrypted connections | Anonymous |
| 7 | Access control and SOD conflicts | User |
| 8 | Insecure trusted connections | User |
| 9 | Security events logging | Administrator |
The Guide description
Our approach consists of 40 steps to securely configure the SAP S/4 HANA and SAP HANA platforms, distributed among the 9 areas mentioned above.
Checks that relate directly to SAP HANA apply not only to SAP S/4 HANA but also to SAP HANA when it is used on its own.
The authors of this Guide intended to cover the most critical threats in each area while keeping the list as brief as possible. Although best practices from SAP, ISACA, and DSAG already exist, our objective was not to create just another list of issues with no explanation of why a particular issue made the final list, but to prepare a document whose use would extend beyond SAP security experts. The Guide should also provide comprehensive coverage of all critical areas of SAP security.
At the same time, producing the most complete guide possible is an open-ended task. As of now, there are thousands of security configuration checks for the SAP platform, without even counting those for specific role-based access and in-house applications.
Ultimately, each of these 9 areas contains checks (applicable to any system regardless of its settings and custom parameters) that must be implemented first and foremost. Moreover, these checks apply equally to production systems and to test and development systems.
In terms of quality, the present Guide differs from the previous SAP best practices, which also contain only a few items but do not embrace the overall picture. The situation is similar with the best practices by ISACA and DSAG, which have a lot of items, but their priorities are blurred and too complex for an initial step (though these papers are certainly necessary and highly valuable).
40 steps to SAP S/4 HANA security
Find our list of the most critical checks for SAP S/4 HANA and SAP HANA systems below:
- Patch management flaws
  - Component updates
  - Kernel updates
  - SAP HANA Database updates
- Default passwords for access to the application
  - Default password check for default users
- Unnecessary functionality
  - Access to the RFC function via the SOAP interface
  - Access to the SAP HANA User Self-Service
  - Access to the SAP HANA Sinopia
- Open remote management interfaces
  - Unauthorized access to the SAPControl (SAP MMC) service functions
  - Unauthorized access to the SAPHostControl service functions
  - Unauthorized access to the Message Server service functions
  - Unauthorized access to the SAP HANA XS service functions
  - Unauthorized access to the internal SAP HANA TREXNet services
- Insecure settings
  - Minimal password length
  - Number of invalid logon attempts before the user account is locked out
  - Minimal validity period of passwords
  - Password compliance with the security policies in place
  - Access control settings for the RFC service (reginfo.dat)
  - Access control settings for the RFC service (secinfo.dat)
  - Encryption of data volumes
  - Default key for data encryption
- Unencrypted connections
  - SNC encryption to protect SAP GUI client connections
  - SNC encryption to protect RFC connections between systems
  - SSL encryption to protect HTTP connections
  - SSL encryption to protect SQL connections
- Access control and SOD conflicts
  - Accounts with rights to assign privileges
  - Accounts with the SAP_ALL profile
  - Accounts with rights to start any program
  - Accounts with rights to modify critical tables
  - Accounts with rights to execute OS commands
  - Accounts with critical SAP Fiori authorizations
  - Accounts with the CONTENT_ADMIN role
- Insecure trusted connections
  - RFC connections that store user authentication data
  - Trusted systems with a low security level
  - SAP HANA connections to other systems
- Logging of security events
  - Logging of security events
  - Logging of HTTP requests
  - Logging of table changes
  - Logging of SAP Gateway activities
  - Logging of SAP HANA privilege assignments
  - Logging of the SAP HANA System user's activities
The Guide is not as long as it could have been, because we focused on explaining each item as clearly as possible.
This is a Security Bloggers Network syndicated blog post authored by Research Team. Read the original post at: Blog – ERPScan