
SERVICE REPORT
SAP Security Optimization Self-Service

SAP System ID: PRD
SAP Product: SAP ERP
Release: 6.0
DB System: ORACLE 1x.x.x.x
Customer: AAA Sample Co., Ltd

Processed on: SAP Solution Manager SSM
Release: EHP 1 for Solution Manager 7.0
Service Tool: 701_2010_1 SP8
Service Center:
Telephone:
Fax:

Date of Session:
Session No.: 450xxxxxxxxxx
Date of Report:
Installation No.: 0010xxxxxx
Author: LEONY
Customer No.: xxxx

1 PREFACE
GENERAL INFORMATION ABOUT THE SAP SECURITY OPTIMIZATION SERVICE
DETECTED ISSUES
SPECIAL FOCUS CHECKS
COMPARE CLIENTS FROM DOWNLOAD TO QUESTIONNAIRE DATA
ADDITIONAL SUPER USER ACCOUNTS FOUND (0022)

AUTHENTICATION
PASSWORDS
Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)
Interval for Logon with Initial Password Is Too Long (0123)
Interval for Logon with Productive Password Is Too Long
Users with Initial Passwords Who Have Never Logged On (0009)
Users with Reset Password Who Have Not Logged On (0140)
Number of Characters in Which Passwords Have to Differ is Too Low (0128)
Required Number of Letters in Passwords Is Too Low (0130)

GENERAL AUTHENTICATION
Security Critical Events for End Users Are Not Logged in the Security Audit Log (0136)
Interval After Which Inactive Users Are Logged Off Is Too Long (0137)
Users - Other Than the User Administrators - Are Authorized to Lock/Unlock Users (0135)

PASSWORD BASED AUTHENTICATION ADMITS PASSWORD ATTACKS (0591)

BASIS AUTHORIZATION
COUNT OF USERS IN PRD
BASIS ADMINISTRATION
Users - Other Than the System Administrators - Are Authorized to Maintain System Profiles (0152)
Users - Other Than the System Administrators - Are Authorized to Start/Stop Application Servers (0154)
Users - Other Than the System Administrators - Are Authorized to Start/Stop Workprocesses (0156)
Users - Other Than the System Administrators - Are Authorized to Lock/Unlock Transactions (0157)
Users - Other Than the System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)
Users - Other Than the System Administrators - Are Authorized to Maintain Own Lock Entries (0166)
Users - Other Than the System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161)
Users - Other Than the System Administrators - Are Authorized to Activate a Trace (0163)
No Timely Accurate Resolution of Erroneous Locks (0160)
No Timely Accurate Resolution of Broken Updates (0162)
SAP Security Notes: ABAP and Kernel Software Corrections

BATCH INPUT
No Timely Accurate Resolution of Failed Batch Input Sessions (0223)
Users - Other Than the Batch Input Administrators - Are Authorized to Run Batch Input Sessions in Dialog (0221)
Users - Other Than the Batch Input Administrators - Are Authorized to Administer Batch Input Sessions (0222)
Users - Other Than the Spool Admins - Are Authorized to Display Other Users Spool Requests (0192)
Users - Other Than the Spool Admins - Are Authorized to Display Protected Spool Requests of Other Users (0198)
Users - Other Than the Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194)
Users - Other Than the Spool Admins - Are Authorized to Redirect a Print Request to Another Printer (0195)
Users - Other Than the Spool Administrators - Are Authorized to Export a Print Request (0196)
Users - Other Than the Spool Administrators - Are Authorized to Print on all Devices (0197)

BACKGROUND

SAP Security Optimization Self-Service, 18 Jan

Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM' (0211)
Background Users That Are Not Used in Any Periodic Batch Job (0215)
Users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212)
Users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in External Commands (0213)
Users - Other Than the Background Admins - Are Authorized to Schedule Jobs Under Another User Id (0214)

OS ACCESS
Users - Other Than the System Administrators - Are Authorized to Define External OS Commands (0171)

OUTGOING RFC
Unexpected RFC Connections with Complete Logon Data Found (0254)
Users - Other Than the System Administrators - Are Authorized to Administer RFC Connections (0255)
Users - Other Than the System Administrators - Are Authorized to Access RFC Logon Information (0256)

INCOMING RFC
Users - Other Than the Communication Users - Are Authorized to Run any RFC Function (0241)
Users - Other Than the Key Users - Are Authorized to Visualize all Tables via RFC (0245)
Incoming RFC with Expired Password Is Allowed (0234)
Users Authorized for Trusted RFC (Object S_RFCACL) (0239)
Users - Other Than the System Administrators - Are Authorized to Maintain Trusted Systems (0240)
RFC Security in the Service Marketplace (0247)

APPLICATION LINK ENABLING (ALE)
Users - Other Than the System Administrators - Allowed to Maintain the ALE Distribution Model (0723)
Users - Other Than the System Administrators - Allowed to Maintain the Partner Profile (0724)

CHANGE MANAGEMENT
DATA & PROGRAM ACCESS
Users - Other Than Key Users - Are Authorized to Start All Reports (0512)
Users - Other Than Key Users - Are Authorized to Display All Tables (0513)
Users Are Authorized to Maintain All Tables (0514)
Users - Other Than the System Admins - Are Authorized to Change the Authorization Group of Tables (0515)
Users - Other Than the Query Administrators - Are Authorized to Administer Queries (0517)
Users Are Authorized to Execute All Function Modules (0520)

CHANGE CONTROL
Users - Other Than the System Administrators - Are Authorized to Change the System Change Option (0303)
Users - Other Than the System Administrators - Are Authorized to Change the Client Change Option (0304)
Users - Other Than the System Administrators - Are Authorized to Create New Clients (0305)
Users - Other Than the System Administrators - Are Authorized to Delete Clients (0306)
Users Are Authorized to Development in the Production System (0307)
Users Are Authorized to Debug and Replace Field Values in the Production System (0308)
Users Are Authorized to Perform Customizing in the Production System (0309)
Users Are Authorized to Develop Queries in the Production System (0310)
Execution of Catts and ecatts is Not Prevented by Client Settings (0311)
Users Are Authorized to Execute Catts in the Production System (0312)
Users Are Authorized to Execute ecatts in the Production System (0313)
SAPgui User Scripting Is Enabled (0314)
Users Are Authorized to Use the Legacy Migration Workbench (0315)
Table Logging Is Not Enabled for Import (0317)
Users Are Authorized to Modify the Table Logging Flag for Tables (0318)

DEVELOPMENT
Development Sources Are Not Scanned for Critical Statements (0335)

TRANSPORT CONTROL

Users - Other Than the System and Transport Admins - Are Authorized to Change the TMS Configuration (0341)
Users - Other Than the System and Transport Admins - Are Authorized to Start Imports to Production (0342)
Users - Other Than the System and Transport Admins - are Authorized to Create and Release Transports (0343)
Users are Authorized to Approve Transports (0346)
Transports Are Not Scanned for Viruses (0348)
Program Versioning During Import is Not Enabled (0349)

USER AUTHORIZATION
USER MANAGEMENT
Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002)
User Administrators Are Authorized to Change Their Own User Master Record (0003)
User Administrators Are Allowed to Maintain Users of Any Group (0004)
User Master Data Is Not Regularly Synchronized with a Corporate LDAP Directory (0007)
Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008)
Users - Other Than the User Administrators - Are Authorized to Access Tables with User Data (0013)
Users - Other Than the User Administrators - Are Authorized to Call Function Modules for User Admin (0019)

SUPER USERS
Unexpected Users Are Authorized to Change a Super User Accounts (0026)
Users with the most Full Access Authorizations (* Field Values) (0027)
Users with the most Roles (0028)
% or max 30 of All Users That Have for the most Profiles (0029)
Users with Profile SAP_NEW (0031)

STANDARD USERS
User SAP*'s activities are not logged in the Security Audit Log (0047)
User DDIC's activities are not logged in the Security Audit Log (0050)
User SAPCPIC's activities are not logged in the Security Audit Log (0055)
User EARLYWATCH's activities are not logged in the Security Audit Log (0060)

ROLE & AUTHORIZATION MANAGEMENT
Users Are Authorized to Maintain Roles Directly in the Production System (0072)
Users Are Authorized to Maintain Profiles Directly in the Production System (0073)
Users Are Authorized to Maintain Authorizations Directly in the Production System (0074)
Users Are Authorized to Call Function Modules for Authorization, Role and Profile Management (0087)
SAP Standard Roles Are Assigned to Users (0082)
SAP Standard Profiles Are Assigned to Users (0083)
Profiles on Long Time Locked Users (0089)

AUTHORIZATIONS
Users Are Authorized to Disable Authorization Checks Within Transactions (0102)
Users Are Authorized to Call Any Transaction (0110)
Users Are Authorized to Delete an Authorization Check Before Transaction Start (0111)
Users Comparison After Role Change Is Not Run in a Timely Accurate Manner (0112)

WEB APPLICATION SERVER
INTERNET COMMUNICATION FRAMEWORK (ICF)
Users - Other Than the Sysadmin - Authorized to Activate ICF Services (0655)
Users - Other Than the Sysadmins - Are Authorized to Access Tables of ICF Services (0663)

HTTP CLIENT
Additional http Client Connections Found (0682)
No Proxy Used to Connect to http Servers (0683)
No Authorization for S_ICF Required for http Client Access (0684)
Client Proxy Does Not Require Client Authentication (0685)
No Encryption of Outgoing http Communication (0688)

INTERNET COMMUNICATION MANAGER (ICM)

Users - Other Than the System Administrators - Are Authorized to Administrate the ICM (0701)
Users - Other Than the Sysadmins - Are Authorized to Display the http Server Cache (0705)
Users - Other Than the Sysadmins - Are Authorized to Configure the ICM Monitor (0706)
ICM (Internet Communication Manager) Is Active Although Not Used (0704)

PSE MANAGEMENT
Users - Other Than the System Administrators - Are Authorized to Maintain the System PSE's (0711)

10 HUMAN RESOURCES
HUMAN RESOURCES GENERAL CHECKS
Users - Other Than the HR Admins - Are Authorized to Maintain Table T77S0 (0922)
Users - Other Than the HR Admins - Are Authorized to Maintain Tables for Organizational Data (0923)
Users - Other Than the HR Admins - Are Authorized to Read the Infotype Change Log (0924)
Users - Other Than the HR Admins - Are Authorized to Read HR Tables with Person Related Data (0925)
Users - Other Than the HR Admins - Are Authorized to Change HR Tables with Person Related Data (0926)
Users - Other Than the HR Admins - Are Authorized to Maintain Client Dependant HR Customizing (0927)
Users - Other Than the HR Admins - Have Broad Authorization on HR Reports (0929)

PERSONAL ADMINISTRATION
Users - Other Than the HR Admins - Are Authorized to Read HR Master Data (0936)
Users - Other Than the HR Admins - Are Authorized to Change Master Data without Double Verification (0937)
Users - Other Than the HR Admins - Are Authorized to Change their Own Master Data (0939)

PAYROLL
Users - Other Than the HR Admins - Are Authorized to Read Payroll Results (0946)
Users - Other Than the HR Admins - Are Authorized to Maintain Personell Calculation Schemas (0947)
Users - Other Than the HR Admins - Are Authorized to Release a Payroll Run (0950)
Users - Other Than the HR Admins - Are Authorized to Delete Payroll Results (0951)

USERS AUTHORIZED TO THE CRITICAL AUTHORIZATION APPENDIX CUSTOMIZING OF REPORT OUTPUT TABLES EVALUATED ST14 ANALYSIS

Preface

The SAP Security Optimization service is a comprehensive support service that identifies security risks for your SAP system and helps you to determine the appropriate measures to protect it from these risks. This report documents the results of the SAP Security Optimization service in the following sections:
- General information about the SAP Security Optimization service
- Action list in which the results are summarized and prioritized
- Detailed explanation of the findings

2 General information about the SAP Security Optimization Service

The following contains general information about SAP Security Optimization that will help you to understand and apply the report.

Objective of the SAP Security Optimization Service

The objectives of SAP Security Optimization are:
- To analyze the technical configuration of your SAP system for security risks
- To provide recommendations for implementing measures to mitigate security risks

- To provide a compressed overview of the implemented security level
- To enable you to protect your business systems from typical security risks

The security checks of SAP Security Optimization are performed for the following security aspects:
- Availability: ensuring that a system is operational and functional at any given moment
- Integrity: ensuring that data is valid and cannot be compromised
- Authenticity: ensuring that users are the persons they claim to be
- Confidentiality: ensuring that information is not accessed by unauthorized persons
- Compliance: ensuring that the system security set-up is in accordance with established guidelines

Scope of SAP Security Optimization

SAP Security Optimization includes a collection of several hundred checks. These checks identify security vulnerabilities in the current set-up and configuration of mySAP Technology. The checks are performed on the SAP software layer. For a security analysis of the underlying operating system and database, consult your vendor; for a security analysis of the network, contact your preferred network security provider.

The Security Optimization Service is a highly automated, remote support service. For this reason, the service cannot cover customer-specific aspects that require a detailed on-site analysis, such as the following checks:
- Segregation of duties for business-critical processes
- Security organization (organizational security)
- Security administration processes (operational security)

For a complete overview of existing security risks to your business system, the topics listed above have to be taken into consideration. SAP's Security Consulting Team can assist you with individual on-site consulting services to obtain guidance on the security aspects.

How to read this report

The objective of this report is to document the vulnerabilities that have been detected by the SAP Security Optimization service. Since we perform several hundred checks in this support service, only the actual weaknesses are listed in the report so that it is concise; checks whose results were positive are not mentioned.

In some checks, unexpected users with critical authorizations are determined. If you have indicated in the questionnaire that you want the user ID and the names of the users to be printed, they are listed in the findings of these checks. Note that no more than 30 users are listed, even if more users have been found, to keep the report concise. If you want to determine all users who have this authorization, you can do so in transaction ST14. For more information about using this transaction, see SAP Note

For each productive client analyzed, the maximum number of users printed is 20. For other clients (for example 000 or 066), the maximum number of users printed for each client is 20 divided by the number of checked clients. This ensures that examples of all clients are printed. The number of counted users that we print is reduced by the number of superusers that we found in the system (check 0022). Since superusers (users with the SAP_ALL profile) have all authorizations, they are printed only once at the beginning of the report.

The user types in the report have the following meanings:
- A = Dialog
- C = Communication
- B = System
- S = Service
- L = Reference

To enable you to identify major security weaknesses and to prioritize the measures to be implemented, an evaluated risk is determined for each check. The evaluated risk is calculated from the severity and the probability of a security violation. The meaning of the evaluated risk is as follows:
- High: the severity is high and the probability is high, or the severity is high and the probability is medium, or the severity is medium and the probability is high
- Medium: the severity is high and the probability is low, or the severity is medium and the probability is medium, or the severity is low and the probability is high
- Low: the severity is medium and the probability is low, or the severity is low and the probability is medium, or the severity is low and the probability is low

How to implement the recommended security measures

To protect your SAP system from security violations, we recommend that you implement the measures proposed in this report. To do so, proceed as follows:
1. Read this report carefully.
2. Double-check that the identified risks actually apply to your system. (Note that incomplete data in the questionnaire can result in the report indicating more vulnerabilities than are actually in your system.)
3. Prioritize the risks and determine those that are acceptable for you.
4. Determine the effort to implement appropriate measures.
5. If required, perform a cost-benefit analysis before applying the measures.
6. Plan and implement the measures.

Do not implement the recommended measures without considering them first. Double-check the impact of the recommended measures before applying them to your system. For example, implementing a new password policy might be confusing to end users if they have not been notified about the new policy.

How to obtain support for the implementation

In some cases, you may not have the required resources to implement the recommended security measures. If you need support when analyzing the results of the Security Optimization, as well as when determining and implementing the appropriate measures, contact SAP's Security Consulting Team for on-site consulting via SecurityCheck@sap.com.

How to review the effectiveness of the implemented measures

To prove the effectiveness of the implemented measures, you can request an additional complete SAP Security Optimization check. If you are supported by SAP Consulting during the implementation, our security consultants can perform individual checks to prove the effectiveness on-site.

How to obtain additional security-related information

Recommendations and guidelines concerning the security of SAP systems are included in the SAP Security Guide. This guide consists of three separate volumes, each with different levels of detail. Volume I provides an overview of SAP's security services. Volume II describes the services in detail. Volume III contains security checklists.
For more information about these guides, see the SAP Service Marketplace at
For additional security-related information, see the SAP Service Marketplace at

Concluding remark

SAP Security Optimization provides only a snapshot of the effectiveness of the implemented security measures. Over time, however, every system faces changes that might impact your overall system security. We therefore recommend that you run SAP Security Optimization at regular intervals.

3 Detected Issues

The following list gives you an overview of all checks in the SAP Security Optimization service that are rated with a high risk:

Action Items

*** Special Focus Checks ***
x users - Other Than the System Administrators - Are Allowed to Call ST14? (0168)
x Additional Super User Accounts Found (0022)

*** Authentication ***
*** Passwords ***
x users - Other Than User Administrators - Are Authorized to Change Passwords (0121)
Users with Initial Passwords Who Have Never Logged On (0009)
Users with Reset Password Who Have Not Logged On (0140)

*** General Authentication ***
x users - Other Than the User Administrators - Are Authorized to Lock/Unlock Users (0135)
x Unspecified Acception of SSO Tickets (0603)

x users - Other Than the System Adminis - Are Authorized to Maintain Trusted SSO Ticket Issuing Systems (0605)

*** User Authorization ***
*** User Management ***
x users - Other Than the User Administrators - Are Authorized to Maintain Users (0002)
x user Administrators Are Authorized to Change Their Own User Master Record (0003)
x user Administrators Are Allowed to Maintain Users of Any Group (0004)
x users with Authorizations for User and Role/Profile/Authorization Maintenance (0008)
x users - Other Than the User Administrators - Are Authorized to Access Tables with User Data (0013)
x users - Other Than the User Administrators - Are Authorized to Call Function Modules for User Admin (0019)

*** Super Users ***
Unexpected Users Are Authorized to Change a Super User Accounts (0026)

*** Role & Authorization Management ***
x users Are Authorized to Maintain Roles Directly in the Production System (0072)
x users Are Authorized to Maintain Profiles Directly in the Production System (0073)
x users Are Authorized to Maintain Authorizations Directly in the Production System (0074)
x users Are Authorized to Call Function Modules for Authorization, Role and Profile Management (0087)
SAP Standard Roles Are Assigned to Users (0082)

*** Authorizations ***
Users Are Authorized to Disable Authorization Checks Within Transactions (0102)
Users Are Authorized to Call Any Transaction (0110)
x users Are Authorized to Delete an Authorization Check Before Transaction Start (0111)

*** Basis Authorization ***
*** Basis Administration ***
x users - Other Than the System Administrators - Are Authorized to Maintain System Profiles (0152)
x users - Other Than the System Administrators - Are Authorized to Start/Stop Application Servers (0154)
x users - Other Than the System Administrators - Are Authorized to Start/Stop Workprocesses (0156)
x users - Other Than the System Administrators - Are Authorized to Lock/Unlock Transactions (0157)
x users - Other Than the System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)
x users - Other Than the System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161)
x users - Other Than the System Administrators - Are Authorized to Activate a Trace (0163)

*** Spool & Printer ***
x users - Other Than the Spool Admins - Are Authorized to Display Other Users Spool Requests (0192)
x users - Other Than the Spool Admins - Are Authorized to Display Protected Spool Requests of Other Users (0198)
x users - Other Than the Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194)
x users - Other Than the Spool Admins - Are Authorized to Redirect a Print Request to Another Printer (0195)
x users - Other Than the Spool Administrators - Are Authorized to Export a Print Request (0196)

*** Background ***
Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM' (0211)
x users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212)
x users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in External Commands (0213)
x users - Other Than the Background Admins - Are Authorized to Schedule Jobs Under Another User Id (0214)

*** OS Access ***
x users - Other Than the System Administrators - Are Authorized to Define External OS Commands (0171)
x users - Other Than the System Administrators - Are Authorized to View Content of OS Files with AL11 (0173)

*** Outgoing RFC ***
Unexpected RFC Connections with Complete Logon Data Found (0254)
x users - Other Than the System Administrators - Are Authorized to Administer RFC Connections (0255)
x users - Other Than the System Administrators - Are Authorized to Access RFC Logon Information (0256)

*** Incoming RFC ***
x users - Other Than the Communication Users - Are Authorized to Run any RFC Function (0241)
x users - Other Than the Key Users - Are Authorized to Visualize all Tables via RFC (0245)
x users - Other Than the System Administrators - Are Authorized to Maintain Trusted Systems (0240)

*** Application Link Enabling (ALE) ***
x users - Other Than the System Administrators - Allowed to Maintain the ALE Distribution Model (0723)
x users - Other Than the System Administrators - Allowed to Maintain the Partner Profile (0724)

*** Change Management ***
*** Data & Program Access ***
x users - Other Than Key Users - Are Authorized to Start All Reports (0512)
Users - Other Than Key Users - Are Authorized to Display All Tables (0513)
x users Are Authorized to Maintain All Tables (0514)
x users - Other Than the System Admins - Are Authorized to Change the Authorization Group of Tables (0515)
x users - Other Than the Query Administrators - Are Authorized to Administer Queries (0517)
x users Are Authorized to Execute All Function Modules (0520)

*** Change Control ***
x users - Other Than the System Administrators - Are Authorized to Change the System Change Option (0303)
x users - Other Than the System Administrators - Are Authorized to Change the Client Change Option (0304)
x users - Other Than the System Administrators - Are Authorized to Create New Clients (0305)
x users - Other Than the System Administrators - Are Authorized to Delete Clients (0306)
x users Are Authorized to Development in the Production System (0307)
x users Are Authorized to Debug and Replace Field Values in the Production System (0308)
x users Are Authorized to Perform Customizing in the Production System (0309)
Users Are Authorized to Develop Queries in the Production System (0310)

*** Transport Control ***
Users - Other Than the System and Transport Admins - Are Authorized to Change the TMS Configuration (0341)
x users - Other Than the System and Transport Admins - Are Authorized to Start Imports to Production (0342)
x users - Other Than the System and Transport Admins - are Authorized to Create and Release Transports (0343)

*** Web Application Server ***
*** Internet Communication Framework (ICF) ***
x users - Other Than the Sysadmin - Authorized to Activate ICF Services (0655)
x users - Other Than the Sysadmins - Are Authorized to Access Tables of ICF Services (0663)

*** http Client ***
Additional http Client Connections Found (0682)
No Encryption of Outgoing http Communication (0688)

*** Internet Communication Manager (ICM) ***
x users - Other Than the System Administrators - Are Authorized to Administrate the ICM (0701)
x users - Other Than the Sysadmins - Are Authorized to Display the http Server Cache (0705)
x users - Other Than the Sysadmins - Are Authorized to Configure the ICM Monitor (0706)

*** PSE Management ***
x users - Other Than the System Administrators - Are Authorized to Maintain the System PSE's (0711)

*** Human Resources ***
*** Human Resources General Checks ***
x users - Other Than the HR Admins - Are Authorized to Maintain Table T77S0 (0922)
x users - Other Than the HR Admins - Are Authorized to Maintain Tables for Organizational Data (0923)
x users - Other Than the HR Admins - Are Authorized to Read the Infotype Change Log (0924)
x users - Other Than the HR Admins - Are Authorized to Read HR Tables with Person Related Data (0925)
x users - Other Than the HR Admins - Are Authorized to Change HR Tables with Person Related Data (0926)
x users - Other Than the HR Admins - Are Authorized to Maintain Client Dependant HR Customizing (0927)
x users - Other Than the HR Admins - Have Broad Authorization on HR Reports (0929)

*** Personal Administration ***
x users - Other Than the HR Admins - Are Authorized to Read HR Master Data (0936)
x users - Other Than the HR Admins - Are Authorized to Change Master Data without Double Verification (0937)
x users - Other Than the HR Admins - Are Authorized to Change their Own Master Data (0939)

*** Payroll ***
x users - Other Than the HR Admins - Are Authorized to Read Payroll Results (0946)
x users - Other Than the HR Admins - Are Authorized to Maintain Personell Calculation Schemas (0947)
x users - Other Than the HR Admins - Are Authorized to Release a Payroll Run (0950)
x users - Other Than the HR Admins - Are Authorized to Delete Payroll Results (0951)

Look at the list of the action items above very carefully and decide if anything on this list needs to be adjusted in your environment. First, read the complete report, and then decide for each check whether it is advisable for you to change the current situation. Sometimes you will find out that your current situation is sufficient, even if checks are rated with a medium or even high risk. Since every SAP implementation is different, you have to adjust this general report to your particular situation.

4 Special Focus Checks

4.1 Compare Clients From Download to Questionnaire Data

The following clients in your system have not been checked.

4.2 Additional Super User Accounts Found (0022)

In this system, the following superuser accounts were found that were not mentioned in the questionnaire. (These are the users having the profile SAP_ALL).

All superuser accounts that were found in your system are REMOVED from all the following checks. This means that checks that report 5 authorized users, for example, actually have x users and ALL superuser accounts authorized for your system. Keep this in mind when you look at all other checks below.

Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

5 Authentication

5.1 Passwords

Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)

The following users are allowed to change and reset passwords. This is very risky because all these users could change the password of any user and then log on as that user. The only consequence is that the "real user" would no longer be able to log on, because the password has been changed. This results in the password being reset because there is a chance that the "real user" might think they have forgotten the correct password.

401 ALLxxx A CONSULTANTS
401 Count : 0017

Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
Object 1: S_TCODE with TCD=SU01 or TCD=OIBB or TCD=OOUS or TCD=OPF0 or TCD=OPJ0 or TCD=OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=

Interval for Logon with Initial Password Is Too Long (0123)

PARAMETER: LOGIN/PASSWORD_MAX_IDLE_INITIAL
Rating   Instance        Current Value   Recommended Value
         All instances   0               7

As of SAP NetWeaver 6.40, SAP supports this parameter to encourage your users to create more secure passwords. Activate profile parameter "login/password_max_idle_initial" and set it to a value between 1 and 7. This parameter specifies the maximum period for which an initial password (chosen by the administrator) remains valid if it is not used. After this period has expired, the password can no longer be used for authentication.

Interval for Logon with Productive Password Is Too Long

PARAMETER: LOGIN/PASSWORD_MAX_IDLE_PRODUCTIVE
Rating   Instance        Current Value   Recommended Value
         All instances   0               > 0

As of SAP NetWeaver 6.40, SAP supports this parameter to encourage your users to create more secure passwords. Activate profile parameter "login/password_max_idle_productive". This parameter specifies the maximum period for which a productive password (chosen by the user) remains valid if it is not used. After this period has expired, the password can no longer be used for authentication.

Users with Initial Passwords Who Have Never Logged On (0009)

Client   Initial Passwords [%]

Check why so many users have initial passwords. Ask these users to change their passwords with, for example, the profile parameter login/password_change_for_sso, or delete these users if they do not need access to the SAP system. You can detect the users with initial passwords in report RSUSR

Users with Reset Password Who Have Not Logged On (0140)

Client   Resetted Passwords [%]

Check why so many users have passwords that have been reset. Ask them to change their passwords with, for example, profile parameter login/password_change_for_sso, or delete these users if they do not need access to the SAP system. You can detect those users in report RSUSR

Number of Characters in Which Passwords Have to Differ is Too Low (0128)

PARAMETER: LOGIN/MIN_PASSWORD_DIFF
Rating   Instance        Current Value   Recommended Value
         All instances   1               3

As of SAP Web AS 6.10, SAP supports this new parameter to encourage your users to create more secure passwords. Activate the new profile parameter login/min_password_diff, and set its value to

Required Number of Letters in Passwords Is Too Low (0130)

PARAMETER: LOGIN/MIN_PASSWORD_LETTERS
Rating   Instance        Current Value   Recommended Value
         All instances   0               1

As of SAP Web AS 6.10, SAP supports this new parameter to encourage your users to create more secure passwords. Activate the new profile parameter login/min_password_letters, and set its value to 1 or higher.

5.2 General Authentication

Security Critical Events for End Users Are Not Logged in the Security Audit Log (0136)

Client   Logging
401      Deactivated

Use transaction SM19 to activate logging of failed logon attempts for all your users in all clients. It is then possible to find out who performed which action, and how to detect an unauthorized logon attempt.

Interval After Which Inactive Users Are Logged Off Is Too Long (0137)

PARAMETER: RDISP/GUI_AUTO_LOGOUT
Rating   Instance        Current Value   Recommended Value
         NINJ_PRD_
         NINJapp0_PRD_

If you deactivate this parameter by setting it to '0' or if you use a value higher than 1 hour, it is likely that users who are no longer in the office remain logged on. If you do not use screen savers at all workstations, this could result in other users accessing these workstations to get to unauthorized information. Set this value to 1800 or 3600, for example, to reduce this risk as far as possible. Also, do not automatically log off users who have been idle for only a few minutes.

Users - Other Than the User Administrators - Are Authorized to Lock/Unlock Users (0135)

Unauthorized system access because it is possible to unlock any user. In addition, interfaces may malfunction which results in the connected user being locked.

401 ALLEND A CONSULTANTS
401 Count : 0017

Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
Object 1: S_TCODE with TCD=SU01 or TCD=OIBB or TCD=OOUS or TCD=OPF0 or TCD=OPJ0 or TCD=OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=

Password Based Authentication Admits Password Attacks (0591)

You have deactivated SNC (snc/enable=0) or at least do not use it for the authentication of SAP GUI users since there are no SNC entries in the table USRACL. SNC enables external authentication and therefore allows a higher security level for your system (by using smart cards with user credentials, for example). Since your system allows password authentication, a password attack is still possible (although you can minimize this risk by enforcing a password policy).

6 Basis Authorization

6.1 Count of users in PRD

USERS
Client   Users   Valid users   Locked users   Outdated users

The table shows the count of active and inactive users.

6.2 Basis Administration

Users - Other Than the System Administrators - Are Authorized to Maintain System Profiles (0152)

This authorization allows security-critical system profile parameters to be disabled, or the system might not be able to restart due to incorrect configuration.

401 Count : 0002

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=RZ10 [as well as all relevant parameter transactions]
Object2: S_RZL_ADM with ACTVT=

Users - Other Than the System Administrators - Are Authorized to Start/Stop Application Servers (0154)

The system might be unavailable due to unauthorized starting and stopping of servers.

401 Count : 0015

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=RZ03 [as well as all relevant parameter transactions]
Object2: S_RZL_ADM with ACTVT=01

Users - Other Than the System Administrators - Are Authorized to Start/Stop Workprocesses (0156)

Unauthorized process administration can result in inconsistencies in processing.

401 Count : 0021

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM04 or TCD=SM50 or TCD=SM51 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = PADM

Users - Other Than the System Administrators - Are Authorized to Lock/Unlock Transactions (0157)

Risk of unavailability of transactions due to incorrect configuration, or access to locked transactions might be possible.

401 Count : 0019

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM01 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = TLCK

Users - Other Than the System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)

Inconsistencies due to incorrect deletion of locks are possible.

401 Count : 0021

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM12 [as well as all relevant parameter transactions]
Object2: S_ENQUE with S_ENQ_ACT = * or S_ENQ_ACT=ALL or S_ENQ_ACT = DLFU

Users - Other Than the System Administrators - Are Authorized to Maintain Own Lock Entries (0166)

Inconsistencies due to incorrect deletion of locks are possible.

401 Count : 0021

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM12 [as well as all relevant parameter transactions]
Object2: S_ENQUE with S_ENQ_ACT = * or S_ENQ_ACT=ALL or S_ENQ_ACT = DLOU

Users - Other Than the System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161)

Inconsistencies due to incorrect deletion or reprocessing of updates are possible.

401 Count : 0057

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM13 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = UADM

Users - Other Than the System Administrators - Are Authorized to Activate a Trace (0163)

Low system performance due to activated SQL trace (ST01).

401 Count : 0023

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=ST01 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = ST0M

No Timely Accurate Resolution of Erroneous Locks (0160)

Client   Unremoved Locks Older Than 2 Days

Locks may stay in the database after users terminate their sessions incorrectly. This may result in inconsistencies and other lock issues if nobody maintains old locks and perhaps removes them if an error occurs. Always look for old locks in your system. You can do this by using transaction SM12. If you find locks that are older than 1 day or from yesterday, ask the users what might have caused these locks so that you can prevent them in future. Finally, if you discover that the locks no longer need to be in the system, delete them.

No Timely Accurate Resolution of Broken Updates (0162)

Client   Broken Updates Older Than 2 Days

Always look for old terminated updates in your system. You can do this by using transaction SM13. If you find terminated updates, ask the users what might have caused them so that you can prevent them in the future. As these updates have not been written to the database by now, but the application would normally expect this, you have to discuss how to proceed with the person responsible for this application. If you delete the updates, this may make the SAP database inconsistent.

SAP Security Notes: ABAP and Kernel Software Corrections

Software corrections from SAP Security HotNews are missing on this system. Your system is probably exposed to security threats. Apply SAP Security Notes which are relevant to your system. A complete list of SAP Security Notes, including Security HotNews, is available on the SAP Service Marketplace at

The tool RSECNOTE in transaction ST13 lists the SAP Security Notes missing in this EWA check. RSECNOTE covers SAP Security HotNews with software-related corrections for ABAP or Kernel, and an additional selection of SAP Security Notes. For more information, refer to SAP Note

In the Security Notes list on the SAP Service Marketplace referenced above, the flag Automatic check in EWA (last column) identifies those SAP Security Notes for which the implementation is completely checked in the EWA.

6.3 Batch Input

No Timely Accurate Resolution of Failed Batch Input Sessions (0223)

Client   Failed BI Sessions Older Than 2 Days

Batch input is a frequently used technique for importing data into the SAP system. This is done on a regular basis. As productive data is imported into the SAP system, it is necessary to check all failed batch input sessions so that no data is lost. Always check whether failed batch input sessions exist by using transaction SM35 on a regular basis and correct them.

Users - Other Than the Batch Input Administrators - Are Authorized to Run Batch Input Sessions in Dialog (0221)

This authorization allows batch input data to be manipulated during online processing.

401 Count : 0233

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object 1: S_TCODE with TCD=SM35 [as well as all relevant parameter transactions]
Object 2: S_BDC_MONI with BDCAKTI=AONL

Users - Other Than the Batch Input Administrators - Are Authorized to Administer Batch Input Sessions (0222)

This authorization allows batch input maps to be deleted or locked with the risk of system inconsistency.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object 1: S_TCODE with TCD=SM35 [as well as all relevant parameter transactions]
Object 2: S_BDC_MONI with BDCAKTI=DELE or BDCAKTI=LOCK

Users - Other Than the Spool Admins - Are Authorized to Display Other Users Spool Requests (0192)

This authorization allows unauthorized access to sensitive data contained in spool requests.

401 Count : 0917

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object 1: S_TCODE with TCD = SP01 or SP01O [as well as all relevant parameter transactions]


More information

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 DFARS 252.204-7012 Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 As with most government documents, one often leads to another. And that s the case with DFARS 252.204-7012.

More information

MANAGING LOCAL AUTHENTICATION IN WINDOWS

MANAGING LOCAL AUTHENTICATION IN WINDOWS MANAGING LOCAL AUTHENTICATION IN WINDOWS Credentials Manager Windows OS has a set of tools that help remedy some of the authentication challenges. For example, the Credential Manager in Windows 7 and newer

More information

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND October 2005 Table of Contents Introduction... 1 Purpose Of This Policy... 1 Responsibility... 1 General Policy... 2 Data Classification Policy...

More information

Dell One Identity Manager Administration Guide for Connecting to SharePoint

Dell One Identity Manager Administration Guide for Connecting to SharePoint Dell One Identity Manager 7.1.3 Administration Guide for Connecting to SharePoint 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property

More information
