Table of Contents

Preface ... 19
Target Audience ... 19
System Administration: A Vast Field of Options ... 20
What Is Basis? ... 21
Structure of This Book ... 23
1 Introduction ... 25
1.1 Potential Threats ... 26
1.1.1 Data Breach ... 27
1.1.2 Privacy Violations ... 27
1.1.3 Phishing ... 27
1.1.4 Theft ... 28
1.1.5 Fraud ... 28
1.1.6 Brute Force Attacks ... 29
1.1.7 Disruption ... 29
1.1.8 Who Represents a Threat? ... 30
1.1.9 Understanding Modern-Day Vulnerabilities ... 31
1.2 The Onion Concept ... 34
1.2.1 Perimeter ... 35
1.2.2 Operations ... 35
1.2.3 Patching ... 35
1.2.4 Human Factor ... 36
1.2.5 Physical Security ... 36
1.2.6 Security Awareness ... 36
1.3 Risk and True Cost of Security ... 37
1.4 The Administrator's Role in Security ... 40
1.4.1 Planning ... 40
1.4.2 Execution ... 41
1.4.3 Segregation of Duties ... 42
1.4.4 Audit Support ... 42
1.4.5 Basis versus Security ... 43
1.5 Summary ... 43
2 Configuring Profiles and Parameters ... 45
2.1 Understanding System Parameters ... 46
2.2 System Profiles ... 47
2.2.1 Instance Profile ... 47
2.2.2 Default Profile ... 48
2.2.3 Other Profiles ... 49
2.3 Profile and Parameter Structure ... 49
2.3.1 Profiles on the Operating System Level ... 51
2.3.2 Profiles on the Database Level ... 52
2.4 Static and Dynamic Parameters ... 53
2.5 Viewing and Setting Parameters ... 55
2.5.1 Viewing Parameters with ABAP Report RSPARAM ... 56
2.5.2 Viewing the Documentation with Transaction RZ11 ... 58
2.5.3 Changing Parameters with Transaction RZ10 ... 59
2.6 Key Security-Related Parameters ... 64
2.7 Controlling Access to Change Parameters ... 66
2.8 Summary ... 67
3 Restricting Transactional Access ... 69
3.1 Clients ... 71
3.2 Who Should Be Able to Lock and Unlock Transactions? ... 71
3.3 Which Transactions to Lock ... 71
3.4 Locking Transactions ... 73
3.5 Viewing Locked Transactions ... 76
3.6 Summary ... 78
4 Securing Clients ... 79
4.1 Client Settings ... 81
4.1.1 Client Setting Fields ... 83
4.1.2 Suggested Client Settings ... 85
4.1.3 Changing Client Settings ... 87
4.2 Client Logon Locking ... 89
4.3 Summary ... 92
5 Securing the Kernel ... 93
5.1 Understanding the Kernel ... 94
5.1.1 Kernel Patching ... 96
5.1.2 Kernel Versioning ... 97
5.1.3 Checking the Kernel Version ... 100
5.1.4 Checking the Kernel Version from the Operating System Level ... 101
5.2 Common Cryptographic Library ... 102
5.2.1 Checking the CommonCryptoLib in SAP GUI ... 102
5.2.2 Checking the CommonCryptoLib on the OS Level ... 103
5.3 Kernel Update ... 104
5.3.1 Overall Kernel Update Process ... 105
5.3.2 Downloading the Kernel ... 107
5.3.3 Installing the Kernel ... 110
5.4 Summary ... 114
6 Managing Users ... 115
6.1 What Is a User ID in SAP? ... 115
6.2 Different User Types ... 115
6.2.1 Dialog User: Type A ... 116
6.2.2 System User: Type B ... 116
6.2.3 Service User: Type S ... 117
6.2.4 Communication User: Type C ... 117
6.2.5 Reference User: Type L ... 117
6.3 The User Buffer ... 117
6.4 Creating and Maintaining a User ... 118
6.4.1 Documentation ... 119
6.4.2 Address ... 120
6.4.3 Logon Data ... 121
6.4.4 Secure Network Communication ... 122
6.4.5 Defaults ... 123
6.4.6 Parameters ... 124
6.4.7 Roles ... 125
6.4.8 Profiles ... 125
6.4.9 Groups ... 126
6.4.10 Personalization ... 126
6.4.11 License Data ... 127
6.4.12 DBMS ... 127
6.5 Copy a User ... 128
6.6 Change Documents for Users ... 129
6.7 Mass User Changes with Transaction SU10 ... 131
6.8 User Naming Convention ... 139
6.9 Security Policies ... 140
6.10 Maintain User Groups ... 145
6.11 Central User Administration ... 147
6.11.1 Distribution Parameters for Fields (Transaction SCUM) ... 149
6.11.2 Background Jobs ... 150
6.11.3 CUA-Related Tables ... 151
6.12 User Lock Status ... 151
6.13 User Classification ... 152
6.14 User-Related Tables ... 153
6.15 Securing Default Accounts ... 154
6.16 User Access Reviews ... 156
6.17 Inactive Users ... 157
6.18 Password and Logon Security ... 158
6.18.1 Where Does SAP Store Passwords? ... 158
6.18.2 What Is the Code Version? ... 159
6.18.3 Why Do I Have to Protect These Tables? ... 159
6.18.4 Logon Procedure ... 160
6.18.5 Password Change Policy ... 161
6.19 Segregation of Duties ... 163
6.20 Summary ... 165
7 Configuring Authorizations ... 167
7.1 Authorization Fundamentals ... 168
7.1.1 What Is a Role? ... 168
7.1.2 What Is a Profile? ... 168
7.1.3 Authorization Objects ... 169
7.1.4 The Profile Generator ... 169
7.1.5 Authorization Checks ... 169
7.1.6 Display Authorization Data ... 171
7.1.7 The User Buffer ... 173
7.1.8 Maintain Check Indicators: Transaction SU24 ... 173
7.1.9 System Trace ... 175
7.2 SAP Role Design Concepts ... 180
7.2.1 Single Roles ... 181
7.2.2 Derived Roles ... 181
7.2.3 Composite Roles ... 182
7.2.4 Enabler Roles ... 182
7.2.5 Comparison of the Role Design Concepts ... 183
7.2.6 Why Not Use Enabler Roles? ... 184
7.2.7 What Impact Does a System Upgrade Have on Roles and Authorizations? ... 188
7.2.8 Role-Naming Conventions ... 188
7.3 The Profile Generator ... 192
7.3.1 Create a Single Role ... 192
7.3.2 Create a Composite Role ... 204
7.3.3 Create a Master and Derived Role ... 207
7.3.4 Overview Status ... 213
7.3.5 Mass Generation of Profiles ... 214
7.3.6 Mass Comparison ... 215
7.3.7 Role Menu Comparison ... 216
7.3.8 Role Versioning ... 217
7.4 Assign and Remove Roles ... 219
7.5 Lock and Unlock Transactions ... 221
7.6 Transaction SUIM: User Information System ... 221
7.6.1 User ... 222
7.6.2 Roles ... 223
7.6.3 Profiles ... 223
7.6.4 Authorizations ... 223
7.6.5 Authorization Objects ... 224
7.6.6 Transactions ... 224
7.6.7 Comparisons ... 224
7.6.8 Where-Used Lists ... 225
7.6.9 Change Documents ... 225
7.7 Role Transport ... 226
7.8 Common Standard Profiles ... 228
7.9 Types of Transactions ... 229
7.9.1 Dialog Transactions ... 230
7.9.2 Report Transactions ... 230
7.9.3 Object-Oriented Transactions ... 231
7.9.4 Variant Transactions ... 231
7.9.5 Parameter Transaction ... 234
7.9.6 Call Transaction in Transaction SE97 ... 237
7.10 Table Authorizations ... 239
7.10.1 Table Group Authorizations via S_TABU_DIS ... 240
7.10.2 Table Authorizations via S_TABU_NAM ... 241
7.10.3 Cross-Client Table Authorizations via S_TABU_CLI ... 241
7.10.4 Line-Oriented Table Authorizations via S_TABU_LIN ... 241
7.10.5 Table Authorizations and Auditors ... 245
7.10.6 Table Views for Database Tables ... 245
7.11 Printer Authorizations ... 249
7.12 Other Important Authorization Objects ... 249
7.12.1 Upload and Download Authorizations ... 249
7.12.2 Report Authorizations ... 250
7.12.3 Background Jobs ... 251
7.12.4 ABAP Workbench ... 251
7.12.5 Batch Sessions ... 251
7.12.6 Query Authorizations ... 251
7.12.7 Remote Function Call Authorizations ... 252
7.13 Transaction SACF: Switchable Authorizations ... 253
7.14 Customizing Entries in Tables PRGN_CUST and SSM_CUST ... 255
7.15 Mass Maintenance of Values within Roles ... 257
7.16 Upgrading to a New Release ... 260
7.17 ABAP Debugger ... 267
7.18 Authorization Redesign and Cleanup ... 269
7.18.1 Business Impact of Security Redesign ... 270
7.18.2 Reducing the Business Impact of a Role Redesign Project ... 270
7.18.3 Gathering Authorization Data ... 271
7.18.4 Testing Role Changes in Production ... 272
7.18.5 Automate Role Creation and Testing ... 273
7.19 Introduction to SAP GRC Access Control ... 273
7.19.1 Access Risk Analysis ... 273
7.19.2 Access Request Management ... 274
7.19.3 Business Role Management ... 274
7.19.4 Emergency Access Management ... 275
7.19.5 Segregation of Duties Management Process ... 275
7.20 Summary ... 277
8 Authentication ... 279
8.1 What Is Single Sign-On? ... 279
8.1.1 Common Components of SSO ... 281
8.1.2 Establishing a Plan for SSO Adoption ... 283
8.2 Single Sign-On Technologies ... 284
8.2.1 X.509 Digital Certificates ... 284
8.2.2 Kerberos ... 285
8.2.3 SPNEGO ... 285
8.2.4 SAP Logon Tickets ... 285
8.2.5 SAML ... 286
8.3 SAP GUI Single Sign-On Setup ... 286
8.3.1 Setting Up Secure Network Communications in Transaction SCNWIZARD ... 287
8.3.2 Setting Up Kerberos Single Sign-On with SAP GUI ... 296
8.4 SAML ... 309
8.4.1 Principals ... 310
8.4.2 Identity Providers ... 310
8.4.3 Service Providers ... 310
8.4.4 SAML Assertions ... 311
8.4.5 Overall SAML Process ... 311
8.4.6 SAP NetWeaver AS ABAP Service Provider Setup ... 312
8.4.7 ICF Service Authentication and SAP Fiori ... 338
8.5 Summary ... 339
9 Patching ... 341
9.1 Patching Concepts: SAP’s Approach to Patching ... 341
9.1.1 SAP Notes ... 342
9.1.2 SAP Note Severity ... 343
9.1.3 Other Patching ... 344
9.1.4 SAP Security Patch Day ... 344
9.2 Application of Security SAP Notes ... 347
9.3 Implications of Upgrades and Support Packages ... 354
9.4 Evaluating Security with SAP Solution Manager ... 354
9.4.1 SAP EarlyWatch Alert Reporting ... 355
9.4.2 System Recommendations ... 356
9.4.3 Other Functionality ... 357
9.5 Summary ... 358
10 Securing Transports ... 359
10.1 Transport System Concepts ... 360
10.1.1 Operating System-Level Components ... 361
10.1.2 Controlling System Changes: Setting System/Client Change Options ... 363
10.1.3 Transport Management System Users ... 367
10.1.4 TMS RFC Connections ... 370
10.2 Transport Authorizations ... 373
10.3 Operating System-Level Considerations ... 376
10.4 Landscape Considerations ... 377
10.5 Summary ... 378
11 Auditing and Logging ... 379
11.1 External Audits ... 380
11.2 Internal Audits ... 381
11.3 Auditing Tools ... 382
11.3.1 Security Audit Log ... 382
11.3.2 System Log ... 396
11.3.3 Table Logging ... 398
11.3.4 Workload Monitor ... 403
11.3.5 Read Access Logging ... 404
11.3.6 User Information System ... 406
11.4 Summary ... 409
12 Securing Network Communications ... 411
12.1 Choosing a Network Security Strategy ... 411
12.2 Securing Using Access Controls ... 412
12.2.1 Firewalls ... 412
12.2.2 Application-Level Gateways ... 414
12.2.3 Business Secure Cell ... 415
12.2.4 Securing Common Ports ... 416
12.2.5 Securing Services ... 417
12.2.6 Access Control Lists ... 418
12.2.7 Tuning Network Access Control ... 422
12.3 Securing the Transport Layer ... 422
12.4 Connecting to the Internet and Other Networks ... 424
12.5 Summary ... 431
13 Configuring Encryption ... 433
13.1 Introduction to Cryptography ... 433
13.1.1 Encryption in Depth ... 434
13.1.2 Secure Communication in SAP NetWeaver ... 448
13.2 Enabling SSL/TLS ... 451
13.2.1 Setting System Parameters ... 451
13.2.2 Creating the TLS/SSL PSE ... 454
13.2.3 Testing TLS/SSL ... 460
13.2.4 Requesting and Installing Certificates ... 464
13.3 The Internet Connection Manager ... 468
13.3.1 ICM Concepts ... 468
13.3.2 Important ICM Security Parameters ... 469
13.3.3 Controlling Access Using Access Control List ... 469
13.3.4 Security Log ... 473
13.3.5 Controlling Access Using a Permission File ... 475
13.4 SAP Web Dispatcher ... 481
13.4.1 Initial Configuration of SAP Web Dispatcher ... 483
13.4.2 SSL with SAP Web Dispatcher ... 486
13.5 Summary ... 487
14 Database Security ... 489
14.1 Platform-Independent Database Considerations ... 490
14.1.1 Database Patching ... 490
14.1.2 Networking ... 491
14.1.3 User Accounts ... 492
14.1.4 Database Backups ... 493
14.1.5 Additional DB Functionality ... 494
14.2 Securing the Database Connection ... 495
14.2.1 Understanding the Database Connect Sequence ... 495
14.2.2 SAP HANA Database: HDB User Store ... 498
14.2.3 Oracle Database: Secure Storage in File System ... 500
14.2.4 Microsoft SQL Server: Authentication ... 504
14.3 Logging and Encrypting Your Database ... 507
14.3.1 SAP HANA Data Volume Encryption ... 508
14.3.2 Oracle Transparent Data Encryption ... 511
14.3.3 MSSQL Server ... 511
14.4 Summary ... 511
15 Infrastructure Security ... 513
15.1 Business Secure Cell Concept ... 514
15.2 Secure Landscape ... 515
15.3 Policy ... 519
15.3.1 Establishing Security Policy ... 521
15.3.2 Starting Points for Your Policy ... 523
15.3.3 Further Policies ... 525
15.3.4 Adopting Policy ... 525
15.3.5 Auditing and Reviewing Policy ... 526
15.4 Operating System Considerations ... 527
15.4.1 General Linux Recommendations ... 528
15.4.2 Microsoft Windows ... 530
15.4.3 Operating System Users ... 531
15.4.4 Viruses and Malware ... 531
15.4.5 Application Server File System ... 539
15.5 Monitoring ... 540
15.5.1 OS Logs ... 540
15.5.2 Application Logs ... 540
15.5.3 Certificate Revocation Lists ... 541
15.6 Virtualization Security Considerations ... 553
15.7 Network Security Considerations ... 555
15.7.1 Auditing Using Vulnerability Scanners ... 556
15.7.2 Network Intrusion Detection ... 558
15.7.3 Firewall ... 559
15.7.4 Load Balancing ... 559
15.8 Physical Security ... 560
15.9 Summary ... 561
The Authors ... 563
Index ... 565