SAP S/4 HANA Security Guide: Introduction

This article is the first and introductory part of a new series of guidelines describing the main security areas of SAP S/4 HANA and SAP HANA systems.

It is well-known that ERP systems such as SAP ECC and SAP S/4 HANA in particular may dramatically enhance the quality and speed of the management of all the information and resources involved in a company’s operations.

Needless to say, the ERP system forms the basis of any large company. It handles all business-critical processes (e.g., purchases, payments, logistics, HR, product management, financial planning, etc.). All the data stored in ERP systems is confidential, and any unauthorized access to it can result in significant losses and serious ramifications, up to and including business interruption. Therefore, we should not forget the importance of securing enterprise applications and ERP systems against cyberattacks.

SAP S/4 HANA is a new generation of ERP systems developed by SAP and based on the SAP HANA database, which is why it makes sense to cover both SAP S/4 HANA and the SAP HANA database. The DBMS is an integral part of the ERP system. If we only take care of the security of the system itself while the DBMS remains vulnerable, a successful attack on the DBMS might disrupt key business processes and expose business-critical information, seriously damaging the business.

This series of articles contains a detailed analysis of the new business application platform: SAP S/4 HANA and SAP HANA. We took the same approach as we had for SAP NetWeaver while developing the EAS-SEC SAP NetWeaver ABAP Security guide. During this analysis, 40 key security settings were identified and distributed among 9 critical security areas. You will learn how to assess the security of SAP S/4 HANA applications and then protect the applications from the most widespread vulnerabilities in this field, and you will see further steps on securing all 9 areas.

The top-9 critical areas for business applications

The list of the top-9 critical areas for the vulnerability assessment of business applications is provided in a table. They are ranked from 1 to 9 according to their severity and impact on the ERP system, business applications, and related security. 3 main parameters were considered:

  1. The initial access to exploit a vulnerability
  2. The severity of a vulnerability (a potential impact if exploited)
  3. The complexity of a vulnerability exploitation

| Critical area | Access |
|---|---|
| 1. Patch management flaws | Anonymous |
| 2. Default passwords for access to the application | Anonymous |
| 3. Unnecessary functionality | Anonymous |
| 4. Open remote management interfaces | Anonymous |
| 5. Insecure settings | Anonymous |
| 6. Unencrypted connections | Anonymous |
| 7. Access control and SOD conflicts | User |
| 8. Insecure trusted connections | User |
| 9. Security events logging | Administrator |

The Guide description

Our approach contains 40 steps to securely configure SAP S/4 HANA and SAP HANA platforms, distributed among the 9 areas listed above.

Checks directly related to SAP HANA apply not only to SAP S/4 HANA, but also to SAP HANA when it is used separately.

The authors of this Guide intended to cover the most critical threats for each area while keeping the list as brief as possible. Best practices from SAP, ISACA, and DSAG already exist, so our objective was not to create just another list of issues with no explanation of why a particular issue was included in the final list, but to prepare a document whose use would extend beyond SAP security experts. The report should also provide comprehensive coverage of all critical SAP security areas.

Meanwhile, the development of the most complete guide is an eternal question. As of now, there are thousands of checks of security configuration settings for the SAP platform, not counting those for specific role-based access and in-house applications.

Ultimately, each of these 9 areas contains checks (applicable to any system regardless of its settings and custom parameters) that must be implemented first and foremost. Moreover, these checks apply equally to production systems and to test and development systems.

In terms of quality, the present Guide differs from the previous SAP best practices, which also include few items but do not embrace the overall picture. The situation is the same with the best practices by ISACA and DSAG that have a lot of items, but the priorities are blurred and too complex for the initial step (though indeed these papers are necessary and highly valuable).

40 steps to SAP S/4 HANA security

Find our list of the most critical checks for SAP S/4 HANA and SAP HANA systems below:

  1. Patch management flaws
    [1] Component updates
    [2] Kernel updates
    [3] SAP HANA Database updates

  2. Default passwords for access to the application
    [4] Default password check for default users

  3. Unnecessary functionality
    [5] Access to the RFC function via the SOAP interface
    [6] Access to the SAP HANA User Self-Service
    [7] Access to the SAP HANA Sinopia

  4. Open remote management interfaces
    [8] Unauthorized access to the SAPControl (SAP MMC) service functions
    [9] Unauthorized access to the SAPHostControl service functions
    [10] Unauthorized access to the Message Server service functions
    [11] Unauthorized access to the SAP HANA XS service functions
    [12] Unauthorized access to the internal SAP HANA TREXNet services

  5. Insecure settings
    [13] Minimal password length
    [14] Number of invalid logon attempts before the user account lock out
    [15] Minimal validity period of passwords
    [16] Password compliance with the security policies in place
    [17] Access control settings for RFC service (reginfo.dat)
    [18] Access control settings for RFC service (secinfo.dat)
    [19] Encryption of data volumes
    [20] Default key for data encryption

  6. Unencrypted connections
    [21] The SSL encryption to protect HTTP connections
    [22] The SNC encryption to protect the SAP GUI client connections
    [23] The SNC encryption to protect RFC connections between systems
    [24] The SSL encryption to protect SQL connections

  7. Access control and SOD conflicts
    [25] Accounts with SAP_ALL profile
    [26] Accounts with rights to start any programs
    [27] Accounts with rights to modify critical tables
    [28] Accounts with rights to execute OS commands
    [29] Accounts with critical SAP Fiori authorizations
    [30] Accounts with rights to assign the privileges
    [31] Accounts with role CONTENT_ADMIN

  8. Insecure trusted connections
    [32] RFC connections that store user authentication data
    [33] Trusted systems with low security level
    [34] SAP HANA connections to other systems

  9. Logging of security events
    [35] Logging of security events
    [36] Logging of HTTP requests
    [37] Logging of tables changes
    [38] Logging of SAP Gateway activities
    [39] Logging of SAP HANA assign the privileges
    [40] Logging of SAP HANA System user’s activities

The Guide is not as enormous as it could have been, since we tried to make it as clear as possible for you.

*** This is a Security Bloggers Network syndicated blog from Blog – ERPScan authored by Research Team. Read the original post at: https://erpscan.com/press-center/blog/sap-s4-hana-security-guide-introduction/