SAP Audit Guide for Basis
- Gabriel Skinner
- 6 years ago
This audit guide is designed to assist the review of middleware components that support the administration and integration of SAP applications, commonly referred to as SAP Basis. These components are implemented in the NetWeaver Application Server (AS) and enable SAP applications to be interoperable between supported operating system and database platforms. The specific areas examined in this guide are relevant parameters, settings, transactions, authorizations and reports in the following areas of the NetWeaver AS:

- Network Security
- Remote Function Calls (RFC)
- Web Services
- Password Security
- Central User Management (CUA)
- Change and Transport Management
- Table Maintenance and System Administration
- Patch Management
- Security Audit Log
- Monitoring

The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Financial Accounting, Revenue, Expenditure, Inventory, and Human Resources.

Network Security

Network-level security for SAP installations should include surface area reduction. This is applied through network filtering which limits entry points and therefore potential avenues of attack against SAP hosts. TCP/IP ports and protocols should be restricted to the standard assignments and ranges required by SAP, configured for each instance on a host. Therefore, the available services configured for each instance should be reviewed to ensure unused components are disabled. Information related to TCP/IP ports used by SAP applications is available at the SAP Developer Network (SDN).
Standard network ports required for ABAP services include 32NN (Dispatcher), 33NN (Gateway), 36NN (Message Server) and 443NN (HTTPS). NN is a placeholder for the instance number. Common database ports include 1433 (SQL Server), 1527 (Oracle) and 4402 (DB2). Java services typically use the and above port range. 5NN08 is used for the Telnet protocol. Telnet can be used for administration of the J2EE using shell commands and is accessible by users with the telnet_login security role. This role should only be assigned to Administrators. The service is accessible through the local host (localhost) but should be disabled in favor of the more secure SSH protocol. FTP should also be disabled. SSH can be used to support SFTP.

Access to administrative services such as SSH should only be permitted from designated subnets or workstations. This can be applied through properly configured Access Control Lists (ACLs). ACLs are also required to limit connections to Gateway Servers, Message Servers and Management Consoles. This will restrict logons to approved IP addresses and therefore protect RFC and server-to-server communications and functions for system administration. ACL rules should be reviewed for potential errors and omissions.

Network communications should be encrypted within and below the application layer to protect against the disclosure or modification of SAP data during transmission. Secure Network Communication (SNC) should be applied to encrypt DIAG, RFC, CPIC and other communication paths. The snc/enable parameter must be set to 1 to apply encryption. However, SAP application servers can accept insecure connections even if SNC is enabled. Therefore, it is important to review SNC parameters for all connection types to ensure only secure connections are accepted by servers. The protection level should be set to 3. This will apply both authentication and encryption. Level 1 is for authentication only and therefore does not apply encryption.
Application servers should also be configured to reject insecure RFC connections and attempts to start programs without SNC protection. SNC requires the installation of the SAP Cryptographic Library. Access to the directory storing the Library should be restricted, and access to the cryptographic key tables should only be granted to users in an appropriately configured authorization group.

Web-based connections should be secured using HTTPS (HTTP over SSL/TLS). This includes SAP GUI via HTML, Enterprise Portal, Management Console and the Internet Communication Manager (ICM). Unencrypted connections should be disabled through the appropriate configuration of the relevant parameters. Single Sign-On tickets should only be sent through HTTPS. Authentication schemes should be assessed. This includes the default scheme. The use of the Basic scheme should be avoided since it does not encrypt authentication data.

VPN over IPSec or SSL should be used to encrypt data in the network layer when connecting two or more local networks through untrusted networks. This should be supported by two-factor authentication. Encryption mechanisms below the application layer must be transparent to SAP. Transparent Data Encryption for data at rest can be enabled natively within enterprise-level databases provided by IBM, Microsoft and Oracle. Encryption can be applied to specific database columns to minimize any performance impact. Transport layer encryption should be applied through SSL v3 to protect data in transit.

Also, SAP recommends locating database servers in secure network zones protected by packet filters and application gateways such as SAProuter and the Web Dispatcher. For SAProuter, IP addresses with access to SAP systems should be reviewed in the Route Permission Table. SAP Web Dispatchers should be configured at the entry point of HTTP(S) requests. This will filter URL requests to control program execution. URL rules should be reviewed in the table stored in <ptabfile>.
Since URLs are evaluated on a first-match basis, the table should include a deny-all rule at the end, once all the permitted URLs are defined above it. Web Dispatchers should be configured to support end-to-end SSL. This will ensure that HTTPS requests are forwarded to application servers without being decrypted. Requests should be re-encrypted if SSL termination is enabled.

Remote Function Calls (RFC)

RFCs are used to integrate SAP and non-SAP systems. They should be closely reviewed since improperly configured RFCs can lead to the compromise of entire SAP landscapes. RFC server registration at SAP Gateways should be restricted to approved IPs. This is performed through the sec_info and reg_info files and will protect application servers against callback, hijacking, man-in-the-middle and other attacks. The files should also be configured to restrict access to the SAPXPG server.
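The first-match rule for the Web Dispatcher permission table is easy to check mechanically. The following Python script is an added example and not part of this guide. It evaluates a URL permission table in the layout documented for the wdisp/permission_table parameter (one rule per line, P = permit, D = deny, S = permit only over SSL, with '*' as the wildcard); that layout, the sample rules and the sample requests are assumptions constructed for the example. The audit_table function reports a table that lacks a final deny-all rule, or that has a deny-all rule placed where it shadows every rule after it.

```python
"""First-match evaluation of a Web Dispatcher style URL permission table.

Added illustration for the audit guide, not code from the guide itself.
Assumed file layout (per the documented wdisp/permission_table format):
one rule per line, an action letter followed by a URL pattern.
  P  permit            D  deny            S  permit only over SSL
'*' matches any run of characters.  Sample rules and requests are constructed.
"""
import fnmatch

# Constructed sample table.  The guide's point: the last line must be a
# deny-all rule, otherwise any URL not listed above simply falls through.
PERMISSION_TABLE = """\
# permit the public pages and the launchpad (SSL only), deny everything else
P /sap/public/*
S /sap/bc/ui2/flp*
D *
"""


def parse_table(text):
    """Return the table as an ordered list of (action, pattern) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, pattern = line.partition(" ")
        action = action.upper()
        if action not in ("P", "D", "S") or not pattern.strip():
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((action, pattern.strip()))
    return rules


def evaluate(rules, url, ssl):
    """Decide a request the way a first-match table does.

    Returns 'permit', 'deny', or 'no-match' when no rule covers the URL,
    which is exactly the gap a missing trailing 'D *' leaves open.
    """
    for action, pattern in rules:
        if fnmatch.fnmatchcase(url, pattern):
            if action == "P":
                return "permit"
            if action == "S":
                return "permit" if ssl else "deny"
            return "deny"
    return "no-match"


def audit_table(rules):
    """Findings an auditor would raise on the table's structure."""
    findings = []
    if not rules or rules[-1] != ("D", "*"):
        findings.append("table does not end with a deny-all rule (D *)")
    # Because the first match wins, a deny-all anywhere but last makes every
    # later permit rule dead; flag that as a configuration error.
    for i, (action, pattern) in enumerate(rules[:-1]):
        if action == "D" and pattern == "*":
            later = len(rules) - i - 1
            findings.append(f"deny-all rule at position {i + 1} shadows {later} later rule(s)")
    return findings


if __name__ == "__main__":
    table = parse_table(PERMISSION_TABLE)
    for url, ssl in [("/sap/public/ping", False), ("/sap/bc/ui2/flp", False),
                     ("/sap/bc/ui2/flp", True), ("/sap/bc/soap/rfc", True)]:
        print(f"{url:22} ssl={ssl!s:5} -> {evaluate(table, url, ssl)}")
    print("structural findings:", audit_table(table) or "none")
```

Run against a real export, the no-match result is the one to look for: every request that reaches it is one the table never considered, which is what the trailing deny-all rule is there to prevent.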
RFC connections in each system should be examined in the RFCDES table, accessible through transaction SM59. Connections, also known as destinations, should be configured with non-dialog user IDs. Trusted connections or connections with stored logon credentials should not be used from systems with lower security classifications to systems with higher security classifications. An example would be development to production. Trust relationships should only exist between systems sharing the same security classification. Transport Management System (TMS) destinations are exempted from this rule. Authorization object S_RFCACL should be used to secure trusted RFC calls. RFC users should be configured in accordance with the principle of least privilege and should be assigned the minimum privileges required for each connection. Therefore, the SAP_ALL authorization profile should not be assigned to such users. Furthermore, authority checks should be enabled through the proper configuration of the auth/rfc_authority_check parameter. Anonymous RFC calls should be blocked.

Web Services

Web services provide an alternative integration technology to RFC. The NetWeaver AS incorporates a Web Service Framework that includes ABAP and Java runtime environments for SOAP requests, tools that support UDDI registration and an Internet Communication Manager (ICM) to manage Web service calls. Default error messages in the ICM may disclose sensitive system information including hostname, SSID and instance number. Therefore, custom error pages should be configured for the ICM. Web services are created through the ABAP Object Navigator and Java Developer Studio. Access to the SAP_BC_WEBSERVICE_ADMIN role, transaction WSADMIN, and the S_ICF_ADMIN authorization object should be restricted to approved users. Access to transaction SICF should also be controlled. This is used to manage services in the Internet Communication Framework (ICF).
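Returning to the RFC destination rules above (non-dialog users, no trust or stored credentials from lower to higher classification, TMS destinations exempt), the script below applies them to an extract of destinations. It is an added example, not part of this guide. The Destination record and the DEV/QAS/PRD classification map are constructed simplifications of what an auditor would extract from table RFCDES or transaction SM59; the field names and the sample destinations are assumptions made for the example.

```python
"""Review of RFC destinations against the guide's trust-direction rules.

Added example, not code from the audit guide.  The Destination fields are a
constructed, simplified view of an RFCDES/SM59 extract (assumed names).
"""
from dataclasses import dataclass

# Security classification per system; a higher number is more sensitive.
# Constructed for the example.
CLASSIFICATION = {"DEV": 1, "QAS": 2, "PRD": 3}


@dataclass(frozen=True)
class Destination:
    name: str             # destination name as shown in SM59
    source: str           # system in which the destination is defined
    target: str           # system the destination points to
    user: str             # logon user stored in the destination ("" if none)
    user_type: str        # type of that user in the target, e.g. DIALOG, SYSTEM
    trusted: bool         # trusted-system flag (logon without password)
    password_stored: bool # credentials saved in the destination


def review_destination(d):
    """Return the findings for one destination (empty list if compliant)."""
    findings = []
    src, tgt = CLASSIFICATION[d.source], CLASSIFICATION[d.target]
    # TMS destinations are exempt from the classification rules (guide text).
    is_tms = d.name.startswith("TMSADM@") or d.user == "TMSADM"
    if d.user and d.user_type == "DIALOG":
        findings.append(f"{d.name}: dialog user {d.user} used for an RFC destination")
    if d.trusted and src != tgt and not is_tms:
        findings.append(f"{d.name}: trust relationship between systems of different "
                        f"classification ({d.source}->{d.target})")
    if d.password_stored and src < tgt and not is_tms:
        findings.append(f"{d.name}: stored credentials from lower-class {d.source} "
                        f"to higher-class {d.target}")
    return findings


def review_all(destinations):
    return [f for d in destinations for f in review_destination(d)]


# Constructed sample extract.
SAMPLE = [
    Destination("PRD_CLNT100", "DEV", "PRD", "RFC_BATCH", "SYSTEM", False, True),
    Destination("QAS_TRUST", "DEV", "QAS", "", "", True, False),
    Destination("TMSADM@PRD.DOMAIN_DEV", "DEV", "PRD", "TMSADM", "SYSTEM", False, True),
    Destination("DEV_EXTRACT", "PRD", "DEV", "RFC_EXTRACT", "SYSTEM", False, True),
    Destination("BW_LOAD", "PRD", "PRD", "JSMITH", "DIALOG", False, True),
]

if __name__ == "__main__":
    for finding in review_all(SAMPLE):
        print(finding)
```

Of the five constructed destinations, three produce findings: the stored credentials from DEV into PRD, the trust relationship from DEV into QAS, and the dialog user on the PRD-to-PRD destination. The TMS destination and the PRD-to-DEV extract are compliant under the stated rules.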
Similar to RFC, some services do not require authentication and others often contain stored logon data. These services should be identified and reviewed. SAP recommends disabling the services specified in Table 1.1 if they do not serve business requirements. These have known security issues.

Table 1.1 SICF Services
  /sap/bc/soap/rfc
  /sap/bc/echo
  /sap/bc/formtorfc
  /sap/bc/report
  /sap/bc/xrfc
  /sap/bc/xrfc_test
  /sap/bc/error
  /sap/bc/webrfc
  /sap/bc/gui/sap/its/certreq
  /sap/bc/bsp/sap/certreq
  /sap/bc/bsp/sap/certmap
  /sap/bc/gui/sap/its/certmap
  /sap/bc/bsp/sap/bsp_veri
  /sap/bc/bsp/sap/icf
  /sap/bc/idoc_xml
  /sap/bc/srt/idoc

"Trusted RFC connections should not be used between systems with differing security classifications."

Password Security

SAP passwords are stored as one-way hashes in tables USR02, USH02 and USRPWDHISTORY. There are multiple hashing algorithms used by SAP, each identified by a unique code version. Algorithms are vulnerable to brute force and dictionary attacks, particularly code versions such as B and F. The risk of such attacks should be mitigated by implementing the latest password hashing mechanism and disabling downwards compatibility. Logons against downwards compatible hashes should be recorded in the system log if disabling is not possible. Redundant hashes should be removed from the tables. Also, access to transaction SE16 should be restricted to a designated authorization group since this can be used to extract user tables.

"Upgrade to the latest hashing mechanism, disable downwards compatibility and delete redundant hashes."

Strong password policies should also be configured to manage the risk. Parameters can be checked through the RSPARAM report. Recommended settings for specific parameters are provided in Table 1.2. The login/password_compliance_to_current_policy parameter should be set to 1 to enforce policies. UME password policies should be configured to the same standards even when ABAP or LDAP systems are used as data sources. They can be reviewed in ume.logon.security_policy contained in sapum.properties files. Forbidden passwords should be defined in table USR40. This should include common and trivial passwords.

Table 1.2 Password Settings
  PASSWORD PARAMETER                    RECOMMENDED SETTING
  login/min_password_lng                8
  login/min_password_letters            6
  login/min_password_digits             2
  login/min_password_lowercase          1
  login/min_password_uppercase          1
  login/min_password_specials           2
  login/password_max_idle_productive    30
  login/password_max_idle_initial       5
  login/password_history_size           12
  login/password_expiration_time        30

The default password for standard users should be changed in all clients. This includes users such as SAP*, DDIC, EARLYWATCH, SAPCPIC, and TMSADM. Report RSUSR003 will detect if default passwords have not been changed. Logons using the SAP* user should be disabled.
Central User Management (CUA)

CUA is the central instance for profile, user and authorization maintenance in SAP landscapes. It is used to distribute and manage user access across all connected systems, known as child or dependent clients, through RFC connections. Transactions SCUA and SCUM are used to define CUA models and fields and therefore should only be assigned to security administrators. The CUA model should be assessed to ensure that all required systems are administered through the central instance.

Access to the transactions specified in Table 1.3, used for user management in ABAP systems, should be restricted. Relevant authorization objects include S_USER_GRP, S_USER_PRO, S_USER_AUT, S_USER_SYS and S_USER_AGR. For Java systems, access to User Management Engine (UME) actions such as Manage_All, Read_All, Manage_Users, Manage_Groups, and Manage_All_User_Passwords should be controlled. The permission AclSuperUser and Visual Administrator roles used to manage the UME should only be granted to select, authorized administrators. This includes SAP_JAVA_NWADMIN_CENTRAL and SAP_JAVA_NWADMIN_LOCAL. UME permissions and roles should be reviewed in the UMErole.xml file.

Table 1.3 User Management Transactions
  TRANSACTION   DESCRIPTION
  PFCG          Profile Generator
  SU01          Maintain User
  SU02          Profile Maintenance
  SU03          Authorization Maintenance
  SU10          User Mass Maintenance
  SU20          Maintain Authorization Fields
  SU21          Maintain Authorization Objects
  SU22          Authorization Object usage in transactions
  SU12          Mass Changes to User Master Records
  PO13          Role Assignment to Positions

The assignment of roles should be separated from the modification of roles in ECC 5.0 and above through PRGN_CUST settings. This will ensure that an administrator cannot perform both functions. Furthermore, the parameter for authorization object disabling should be monitored to ensure that authorization checks for program execution are enabled.
The SAP Menu should be disabled. This menu provides visibility of all transactions available in a client and therefore increases the risk of unauthorized access. The SAP User Menu is preferred since it provides users with information for only those areas to which they have been assigned access. Menu options are configured in the SSM_CUST table.

Transaction SUIM should be used to identify users assigned the SAP_NEW profile. The results should be investigated and reviewed with security personnel. The assignment of authorizations for newly created objects to users that do not require such access may indicate underlying issues related to role upgrade procedures.

Change and Transport Management

The movement of changes between environments is performed through transports managed by the Transport Management System (TMS). Transports in SAP landscapes should follow a defined path through development, test and production environments. This should be verified through review of transport domains, routes, strategies and workflows in the SAP systems within each landscape that act as transport domain controllers. Transport requests and header information are logged in table E070. A sample of changes should be selected from the table and examined to verify compliance with established release management procedures. Samples can also be selected from transport logs available through transaction SE03.

Transports for changes to IMG settings and parameters may only be logged in development and test systems. Configuration changes should be locked in production systems. This is achieved through restrictions on the use of transaction SPRO in production and the selection of the parameter 'no changes allowed' for client-specific objects, accessible through transaction SCC4. Certain changes are not transportable and are therefore implemented directly in production clients. Such changes should be documented, pre-approved and performed through special-purpose temporary IDs. Repository and client-independent changes should also be disabled in table T000. This will prevent changes to ABAP code in production.
Critical change control transactions should be locked in productive environments. This includes SCC0 (Client Copy) and SCC5 (Client Delete). Locked transactions are maintained through transaction SM31. Access to this transaction with the authorization object S_ADMI_FCD and field TLCK (lock/unlock) should be restricted. Sensitive change control authorizations include S_RZL_ADM, S_TABU_CLI, S_CLNT_IMP, S_IMG_ACTV, S_QUERY, S_PROGRAM and S_TRANSPORT. The development authorization S_DEVELOP should only be granted to developers for sandbox or development environments, not test and production. This includes the DEBUG object type, which can enable users to bypass authority-checks (see below). Developers should not have access to transport functions and the following database utilities: TABT, TABL, INDX, MACO, MCID, VIEW and SQLT. These objects should be assigned only to Database Administrators.

Development procedures should include secure ABAP and Java program development guidelines for the prevention and detection of common vulnerabilities such as SQL injection, missing authorizations, directory traversal and backdoors including hardcoded users. Procedures should be benchmarked against recognized frameworks such as the OWASP Development Guide. Standard SAP functions such as Code Inspector (CDI) should not be exclusively relied upon for code reviews. Such tools are not tuned to detect the wide number of security flaws that could potentially impact custom SAP programs. Note that non-standard objects should be referenced with the customer namespace, usually ranging between Y and Z.

"Custom programs should be subject to security reviews to detect code-level vulnerabilities."

Authority-check statements should be inserted into the source code of ABAP programs to define the authorizations, fields and values required to execute programs. This is performed to provide a more granular level of security than transaction-level checks and to protect transactions or function modules that are called indirectly by other programs. The RSABAPSC program should be used to trace the authority-check commands in custom programs and sub-programs. Alternatively, transaction SE93 can be used to identify programs directly and check for authority-check statements. Users with access to transactions SE38, SA38, SE80 and SE37 should be identified and reviewed. These users may have the authority to run programs not secured by authorization groups.

Table Maintenance and System Administration

Access to the table maintenance transactions SM30 and SM31, and table browsing functions through SE16, should be restricted to authorized users based on role requirements. This includes the authorization objects S_TABU_CLI and S_TABU_DIS. Authorization groups should be used to control access to critical tables.
System administrators should be granted exclusive use of transactions SM49 and SM69 to maintain and perform operating system commands, SM59 to manage RFC destinations, and the following transactions used for batch processing: SM35, SM36, SM37 and SM64. This includes authorization objects S_ADMI_FCD, S_BTCH_ADM, S_BTCH_JOB and S_BDC_MONI.

Patch Management

SAP periodically releases patches for software flaws through Security Notes, available at the Service Market Place. Relevant Notes that have not been applied should be identified through the EarlyWatch report RSECNOTE. Notes with a severity rating of 1 require immediate attention. Notes with a rating of 2, 3 or 4 should be targeted for implementation within 30 days of release. Security Notes may impact interdependencies in SAP environments. Therefore, patches should be applied and tested in non-production environments before they are implemented in production systems.

Security Audit Log

The Security Audit Log should be activated and configured to record specific security events such as changes to user records and successful and unsuccessful logons, including those for the user SAP*. These events are recorded in local files stored on application servers. The default size of log files is 1,000,000 bytes (<1MB). Therefore, file sizes should be adjusted in accordance with the volume of events in each environment. Also, files should be regularly archived since logging is automatically blocked once the maximum file size is reached. Static and dynamic filters should be reviewed for specific clients, users and classes to ensure that critical events are configured and logged. Access to transactions SM19 and SM20 for configuring and maintaining the Security Audit Log should be restricted.

Monitoring

Alerts generated by the Security Audit Log for active filters are sent to the Alert Monitor in the Computing Center Management System (CCMS) and should be reviewed by security administrators.
CCMS is used to control and monitor system performance. User access to CCMS functions should be closely managed, particularly S_RZL_ADM. This authorization object is used to support an array of system administration programs and tasks including SAPSTART and SAPSTOP. In accordance with SAP recommendations, the security configuration of NetWeaver Application Servers and other components should be regularly monitored to ensure systems remain in a secure state.

Layer Seven Security assists customers worldwide to monitor and evaluate SAP platforms. We perform vulnerability assessments for SAP systems using software certified by SAP for integration with NetWeaver Application Servers. The assessments examine over 400 known security vulnerabilities in SAP platforms including many of the areas covered by this guide. According to Gartner Research, vulnerability assessments should be an integral component of integrated security frameworks. They enable organisations to lower the risk of system intrusion, maintain the confidentiality of business information and ensure the authenticity of users. To learn more, please visit or speak to a representative at
Layer Seven Security empowers organisations to realize the potential of SAP systems. We serve customers worldwide to secure systems from cyber threats. We take an integrated approach to build layered controls for defense in depth.

Address: Westbury Corporate Centre, Suite Upper Middle Road, Oakville, Ontario L6H 0C3, Canada
Web:
Telephone:

Copyright Layer Seven Security. All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.
More informationExploiting new default accounts in SAP systems
Exploiting new default accounts in SAP systems Agenda Introduction Something about SAP security Unknown default accounts Impact Exploitation: combination with other vulnerabilities Research Solutions Concluding
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationGoogle Cloud Platform: Customer Responsibility Matrix. December 2018
Google Cloud Platform: Customer Responsibility Matrix December 2018 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect
More informationTrigger-Based Data Replication Using SAP Landscape Transformation Replication Server
Installation Guide SAP Landscape Transformation Replication Server Document Version: 1.6 2017-06-14 CUSTOMER Trigger-Based Data Replication Using SAP Landscape Transformation Replication Server - For SAP
More informationEnterprise Password Assessment Solution. The Future of Password Security is Here
Enterprise Password Assessment Solution The Future of Password Security is Here EPAS Audit The number one risk of any IT security architecture, no matter how thorough and extensive, remains the human factor
More informationR/3 Security Guide : VOLUME III
SAP AG Neurottstr. 16 D-69190 Walldorf R/3 Security R/3 Security Guide : VOLUME III Checklists Version 2.0a : English November 24, 1998 Checklists Copyright Copyright Copyright 1998 SAP AG. All rights
More informationEnterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape
Enterprise SOA Experience Workshop Module 8: Operating an enterprise SOA Landscape Agenda 1. Authentication and Authorization 2. Web Services and Security 3. Web Services and Change Management 4. Summary
More informationSAP EXAM - C_TADM51_731. SAP Certified Technology Associate - System Administration (Oracle DB) with SAP NetWeaver 7.31.
SAP EXAM - C_TADM51_731 SAP Certified Technology Associate - System Administration (Oracle DB) with SAP NetWeaver 7.31 Buy Full Product http://www.examskey.com/c_tadm51_731.html Examskey SAP C_TADM51_731
More informationSecurity Enhancements in Informatica 9.6.x
Security Enhancements in Informatica 9.6.x 1993-2016 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or
More informationRoadmap. How to implement GDPR in SAP?
Roadmap 2 How to implement GDPR in SAP? 1. Introduction to GDPR 2. GDPR security-related requirements 3. SAP security controls for GDPR 4. GDPR security implementation plan 5. Follow-up actions Introduction
More informationSecurity Principles for Stratos. Part no. 667/UE/31701/004
Mobility and Logistics, Traffic Solutions Security Principles for Stratos Part no. THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED
More informationCREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM
CREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM Applies to: SAP Summary The purpose of this document is to provide creation and configuration of web service from function
More informationSDR Guide to Complete the SDR
I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock
More informationEP200. SAP NetWeaver Portal: System Administration COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)
EP200 SAP NetWeaver Portal: System Administration. COURSE OUTLINE Course Version: 10 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2013 SAP AG. All rights reserved. No part of this publication
More informationOracle Hospitality Inventory Management Security Guide Release 9.1 E
Oracle Hospitality Inventory Management Security Guide Release 9.1 E97550-01 June 2018 Copyright 2001, 2018, Oracle and/or its affiliates. All rights reserved. This software and related documentation are
More informationCN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005
85 Grove Street - Peterboro ugh, N H 0345 8 voice 603-924-6 079 fax 60 3-924- 8668 CN!Express CX-6000 Single User Version 3.38.4.4 PCI Compliance Status Version 1.0 28 June 2005 Overview Auric Systems
More informationLocking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
More informationApplication Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )
Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide
More informationUsing the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway
Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest
More informationCreating Application Definitions in Hana Cloud Platform Mobile Services
SAP Hana Cloud Platform Mobile Services How-To Guide Provided by SAP s Technology RIG Creating Application Definitions in Hana Cloud Platform Mobile Services Applicable Releases: Platform Mobile Services
More informationMessage Alerting for SAP NetWeaver PI Advanced Adapter Engine Extended
Message Alerting for SAP NetWeaver PI Advanced Adapter Engine Extended Applies to SAP NetWeaver PI Advanced Adapter Engine Extended 7.30. Summary This article explains how to set up Message Alerting for
More informationAbout the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).
About the company 2 What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle). Agenda 3 Building a business case for SAP Vulnerability Management How to start
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationOracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016
Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E69079-01 June 2016 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided
More informationSAP Security anno Tim Lynen, Manager axl & trax 2017
SAP Security anno 2017 Tim Lynen, Manager axl & trax 2017 Agenda Introduction axl & trax Importance of landscape security Where to start Top items to focus on Security in the organization Q&A Introduction
More informationQuestion: 1 Which of the programming languages listed below are implemented plat for min dependently? Choose the correct answer(s).
Volume: 200 Questions Question: 1 Which of the programming languages listed below are implemented plat for min dependently? A. Fortran B. ABAP C. Java D. C/C++ Answer: B,C Question: 2 Which of the following
More informationOData Service in the SAP Backend System for CRUDQ Operations in Purchase Order Scenario
OData Service in the SAP Backend System for CRUDQ Operations in Purchase Order Scenario Applies to: Duet Enterprise 2.0 SP01 Summary This guide describes in detail how to create and test OData service
More informationADM800 AS Java 7.3 Administration
AS Java 7.3 Administration SAP NetWeaver Course Version: 99 Course Duration: 5 Day(s) Publication Date: 07-05-2013 Publication Time: 1141 Copyright Copyright SAP AG. All rights reserved. No part of this
More informationVeritas NetBackup Appliance Security Guide
Veritas NetBackup Appliance Security Guide Release 2.7.2 NetBackup 52xx and 5330 Veritas NetBackup Appliance Security Guide Documentation version: 2.7.2 Legal Notice Copyright 2016 Veritas Technologies
More informationEAS- SEC: Framework for Securing Enterprise Business Applica;ons
Invest in security to secure investments EAS- SEC: Framework for Securing Enterprise Business Applica;ons Alexander Polyakov CTO ERPScan About ERPScan The only 360- degree SAP Security solu8on - ERPScan
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes June 01 After the turbulence in May, normal business seems to have been resumed at Waldorf. SAP released just 6 Security Notes in June. Furthermore, there
More informationSAP NetWeaver Identity Management Identity Center. Implementation Guide. Version 7.1 Rev 2. - Self-service password reset
SAP NetWeaver Identity Management Identity Center Implementation Guide - Self-service password reset Version 7.1 Rev 2 No part of this publication may be reproduced or transmitted in any form or for any
More informationCertified Secure Web Application Secure Development Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill
More informationHow to Setup Notifications in Fiori 2.0 Step-by-Step
How to Setup Notifications in Fiori 2.0 Step-by-Step SAP S/4HANA 1610 Wilson Wei 2017 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork,
More informationMessage Networking 5.2 Administration print guide
Page 1 of 421 Administration print guide This print guide is a collection of system topics provided in an easy-to-print format for your convenience. Please note that the links shown in this document do
More informationBusiness Intelligence Platform User Guide SAP BusinessObjects Business Intelligence platform 4.0 Support Package 2
Business Intelligence Platform User Guide SAP BusinessObjects Business Intelligence platform 4.0 Support Package 2 Copyright 2011 SAP AG. All rights reserved.sap, R/3, SAP NetWeaver, Duet, PartnerEdge,
More informationSAP BusinessObjects Enterprise Upgrade Guide
SAP BusinessObjects Enterprise Upgrade Guide SAP BusinessObjects Enterprise XI 3.1 Service Pack 3 Copyright 2010 SAP AG. All rights reserved.sap, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business
More informationSecurity Fundamentals for your Privileged Account Security Deployment
Security Fundamentals for your Privileged Account Security Deployment February 2016 Copyright 1999-2016 CyberArk Software Ltd. All rights reserved. CAVSEC-PASSF-0216 Compromising privileged accounts is
More informationClient Copy and Transport
HELP.BCCTSCCO Release 4.6C SAP AG Copyright Copyright 2001 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationVeritas NetBackup Appliance Security Guide
Veritas NetBackup Appliance Security Guide Release 2.7.3 NetBackup 52xx and 5330 Veritas NetBackup Appliance Security Guide Document version: 2.7.3 Legal Notice Copyright 2016 Veritas Technologies LLC.
More informationCreating and Maintaining User Master Records
Introduction Chapter 42: Overviewing User Administration Contents Introduction...42 1 System Users...42 2 External and Internal Users... 42 2 External... 42 2 R/3 or Internal... 42 2 1. Dialog... 42 3
More informationNIST Revision 2: Guide to Industrial Control Systems (ICS) Security
NIST 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security How CyberArk can help meet the unique security requirements of Industrial Control Systems Table of Contents Executive Summary
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationSafeguarding Cardholder Account Data
Safeguarding Cardholder Account Data Attachmate Safeguarding Cardholder Account Data CONTENTS The Twelve PCI Requirements... 1 How Reflection Handles Your Host-Centric Security Issues... 2 The Reflection
More informationUnified Security Platform. Security Center 5.4 Hardening Guide Version: 1.0. Innovative Solutions
Unified Security Platform Security Center 5.4 Hardening Guide Version: 1.0 Innovative Solutions 2016 Genetec Inc. All rights reserved. Genetec Inc. distributes this document with software that includes
More informationSecurity context. Technology. Solution highlights
Code42 CrashPlan Security Code42 CrashPlan provides continuous, automatic desktop and laptop backup. Our layered approach to security exceeds industry best practices and fulfills the enterprise need for
More informationDumpsTests. Freely download the valid and latest test dumps for 100% sure pass
DumpsTests http://www.dumpstests.com Freely download the valid and latest test dumps for 100% sure pass Exam : C_TADM54_75 Title : SAP Certified Technology Associate - System Administration (SAP ASE) with
More informationADM100 AS ABAP - Administration
ADM100 AS ABAP - Administration. COURSE OUTLINE Course Version: 15 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2014 SAP AG. All rights reserved. No part of this publication may be reproduced
More informationBanking services from SAP 8.0 (FSAPPL400, FSAPPL450)
CUSTOMER Security Guide Banking services from SAP 8.0 (FSAPPL400, FSAPPL450) Target Audience System administrators Technology consultants Document version: 8, published on December 19, 2014 History of
More informationControl-M and Payment Card Industry Data Security Standard (PCI DSS)
Control-M and Payment Card Industry Data Security Standard (PCI DSS) White paper PAGE 1 OF 16 Copyright BMC Software, Inc. 2016 Contents Introduction...3 The Need...3 PCI DSS Related to Control-M...4 Control-M
More informationCode42 Security. Tech Specs Data Protection & Recovery
Tech Specs Data Protection & Recovery Code42 Security Code42 provides continuous, automatic desktop and laptop backup. Our layered approach to security exceeds industry best practices and fulfills the
More informationOracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017
Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E87635-01 November 2017 Copyright 2017, Oracle and/or its affiliates. All rights reserved. This software and related documentation
More informationIT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao
IT Service Delivery and Support Week Three IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 Infrastructure Essentials Computer Hardware Operating Systems (OS) & System Software Applications
More informationPreventing vulnerabilities in HANAbased MARCH TROOPERS SECURITY CONFERENCE
Preventing vulnerabilities in HANAbased deployments MARCH 2016 - TROOPERS SECURITY CONFERENCE Disclaimer This presentation contains references to the products of SAP SE. SAP, R/3, xapps, xapp, SAP NetWeaver,
More informationOracle Communications Services Gatekeeper
Oracle Communications Services Gatekeeper Security Guide Release 5.1 E36134-01 June 2013 Oracle Communications Services Gatekeeper Security Guide, Release 5.1 E36134-01 Copyright 2011, 2013, Oracle and/or
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationSECURITY PRACTICES OVERVIEW
SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim
More informationConfiguring SAP Targets and Runtime Users
CHAPTER 4 Before you can create or run processes in your SAP environment, you must create the targets on which the processes will run. Targets are used to define specific environments where activities,
More information