Information Systems Department SAP Security Management - Baseline – For HUL Internal Use Only –

SAP Security Management_v1.4


HUL SAP Security Base Line Document

SAP Security Management

Information Systems Department

SAP Security Management - Baseline For HUL Internal Use Only

Not to be photocopied or sent outside

Approval Record

Date        | Version | Document Owner          | Remarks           | Pages
25 June 07  | 1.0     | Vinod P Thomas (CISO)   | Original Document | 16
16th Oct 12 | 1.4     | TISO                    | Updated Document  | 21

Change History

Date            | Team / Owner          | Version | Change History
29 Aug 07       | Vinod P Thomas (CISO) | 1.1     | The recommended value for the parameter rdisp/gui_auto_logout changed from 600 to 1800.
17 Dec 09       | Vinod P Thomas (CISO) | 1.2     | 1st Revision. Enhancements to Profile Parameters and inclusion of Java Stack and Security Baseline requirements for additional SAP Components as listed in Item 2 Summary:
                |                       |         | 6.1 Baseline Security Parameters for SAP R/3 & ABAP: parameter value for login/ticket_expiration_time reworded to 1:00 (one hour)
                |                       |         | 6.5 Use of SAP* and profiles SAP_ALL, SAP_NEW: recommendations added for maintenance of SAP*
                |                       |         | 6.7 Review of access to Maintenance of Profile Parameters RZ10, RZ11
                |                       |         | 7.1 Basic Security Settings for Java Stack
                |                       |         | 7.2 Security Audit Log for Java Stack
                |                       |         | 8.1 Profile Parameters for EP & CE: number of minutes before an EP user ID is unlocked in UME after a series of failed logon attempts changed to 3 minutes; new security parameter superadmin.activated added to secure usage of SAP*
                |                       |         | 8.2 Security requirements for EP Super Administrators
                |                       |         | 9 Security Requirements for TREX
                |                       |         | 10 Security Requirements SAP APO
23 June 2011    |                       | 1.3     | 6.1 The default value 1 for profile parameter login/min_password_diff has been changed to 3 to enforce a stringent password policy.
                |                       |         | 6.1 The value for profile parameter login/update_logon_timestamp has been updated from M to m.
13 October 2012 | TISO                  | 1.4     | Aligned with global baseline. Renamed the SAP applications.

Table of Contents

1 Purpose of this Document ........ 5
2 Summary ........ 5
3 Responsibility ........ 5
4 Review of security parameters ........ 5
5 Changes Required from the Baseline ........ 6
6 Baseline Security Requirements for ABAP Stack ........ 7
6.1 Baseline Security Parameters for ABAP Stack ........ 7
6.2 Client settings ........ 11
6.3 Company Code Settings ........ 12
6.4 SAP System Accounts, Powerful Profiles and Program Access ........ 12
6.5 Table & Program Administration ........ 12
6.6 Use of SAP* and profiles SAP_ALL, SAP_NEW ........ 13
6.7 Role Administration ........ 13
6.8 Info provider Maintenance ........ 14
6.9 List of passwords not to be used ........ 15
6.10 Review of access to Maintenance of Profile Parameters ........ 15
6.11 Batch Processing & Spool Management ........ 16
6.12 Transport Management System ........ 17
7 Security Requirements for Java Stack ........ 18
7.1 Basic Security Settings for Java Stack ........ 18
7.2 Security Audit Log for Java Stack ........ 18
8 Security Requirements for SAP NetWeaver Portal (EP & CE) ........ 19
8.1 Profile Parameters for EP & CE ........ 19
8.2 Security requirements for EP Super Administrators ........ 20
9 Security Requirements for TREX ........ 21
9.1 Data Storage Security ........ 21
10 Security Requirements SAP APO ........ 21
10.1 Trace reads / gateway user ........ 21

1 Purpose of this Document

The purpose of this document is to ensure that a minimum level of security is enabled on SAP systems by defining the baseline security parameters, the procedure to be followed for implementing changes to security parameters, and the rules for the usage of privileged accounts in SAP.

2 Summary

These procedures apply to Hindustan Unilever Limited (HUL) and all of its subsidiaries and affiliates. This document describes the security parameter settings to be configured on the following systems, covering both the ABAP and the Java stack:

ECC
CUA
EP
PI
SRM
SNC
KPRO
APO LC
BW
BI Java
SM
CE
CRM

3 Responsibility

The responsibility for enforcing these baseline parameters and procedures lies with Technical Information Security Officer (TISO) in coordination with the Basis Track Lead and Business Representative.

4 Review of security parameters

The following reviews shall be conducted to ensure SAP application security:

Review of security settings: the actual parameter values set in the systems shall be reviewed and signed off twice a year by the Technical Information Security Officer (TISO) in consultation with the Basis Track Lead. Evidence of the review, in the form of a comparison between the baseline parameters and the actual parameters, the deviations identified (if any) and appropriate remarks, shall be maintained by the TISO to fulfil compliance requirements. If deviations are observed, appropriate action shall be taken by the TISO.

5 Changes Required from the Baseline

Changes required to actual settings resulting in deviations from the baseline shall be reviewed on a case-to-case basis and shall be for a defined period based on business need. The following process shall be followed:

1. The Basis Track Lead shall send a request to the TISO for an exception to the policy, giving the reasons for the deviation required from the standard baseline parameter;
2. the TISO shall evaluate the request and grant approval if deemed necessary; and
3. the Basis Team shall implement the change based on the approved request.
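Section 4 calls for a documented comparison of the baseline against the actual parameter values, and section 5 for approved exceptions that are valid only for a defined period. The script below is an added example, not part of this document and not SAP tooling: it reads a constructed export in the column layout of report RSPARAM (parameter, user-defined value, system default), compares it with a subset of the section 6.1 baseline and classifies every parameter as OK, DEVIATION, EXCEPTION (the deviation is covered by an unexpired approved exception for exactly that value) or MISSING. The export, the exception register and the review dates are assumptions made for the example; the same approach applies unchanged to the UME properties in section 8.1.

```python
"""Baseline compliance check for SAP profile parameters (added example).

Assumptions (not part of the HUL document): actual values come from a
tab-separated export of report RSPARAM with the columns
"parameter<TAB>user-defined value<TAB>system default value", and approved
exceptions are kept in a small register with an expiry date.  The export
and the register below are constructed sample data.
"""
from datetime import date

# Subset of the section 6.1 baseline: parameter -> recommended value.
BASELINE = {
    "login/min_password_lng": "8",
    "login/min_password_digits": "2",
    "login/min_password_specials": "2",
    "login/password_expiration_time": "90",
    "login/fails_to_user_lock": "3",
    "login/failed_user_auto_unlock": "0",
    "login/no_automatic_user_sapstar": "1",
    "login/disable_multi_gui_login": "1",
    "login/multi_login_users": "IBMBASIS, DDIC",
    "login/ticket_expiration_time": "1:00",
    "rdisp/gui_auto_logout": "1800",
    "auth/rfc_authority_check": "1",
}

# Constructed RSPARAM-style export.  An empty user value means the kernel
# default is in effect, and that default is the value that must be compared.
RSPARAM_EXPORT = """\
login/min_password_lng\t8\t6
login/min_password_digits\t\t0
login/min_password_specials\t2\t0
login/password_expiration_time\t180\t0
login/fails_to_user_lock\t5\t5
login/failed_user_auto_unlock\t\t0
login/no_automatic_user_sapstar\t1\t1
login/disable_multi_gui_login\t1\t0
login/multi_login_users\tDDIC,IBMBASIS\t
login/ticket_expiration_time\t1\t8
rdisp/gui_auto_logout\t1800\t0
auth/rfc_authority_check\t1\t1
"""

# Constructed exception register (section 5): parameter -> (approved value, valid until).
EXCEPTIONS = {
    "login/password_expiration_time": ("180", date(2013, 3, 31)),
}


def parse_rsparam(text):
    """Return {parameter (lower case): effective value} from the export."""
    values = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = (line.split("\t") + ["", ""])[:3]
        name, user_value, default = (c.strip() for c in cols)
        values[name.lower()] = user_value if user_value else default
    return values


def normalize(name, value):
    """Canonical form so cosmetic differences do not show up as deviations."""
    name, value = name.lower(), value.strip()
    if name == "login/multi_login_users":
        # Comma-separated user list; order, spacing and case are irrelevant.
        return sorted(u.strip().upper() for u in value.split(",") if u.strip())
    if name == "login/ticket_expiration_time":
        # Accepts hours ("8") or "hh:mm"; compare as minutes.
        hours, _, minutes = value.partition(":")
        return int(hours or 0) * 60 + int(minutes or 0)
    if value.lstrip("-").isdigit():
        return int(value)
    return value.upper()


def review(export_text, baseline=BASELINE, exceptions=EXCEPTIONS, today=None):
    """Compare actual values with the baseline; returns {parameter: status}."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    actual = parse_rsparam(export_text)
    result = {}
    for name, want in baseline.items():
        have = actual.get(name.lower())
        if have is None:
            result[name] = "MISSING"
        elif normalize(name, want) == normalize(name, have):
            result[name] = "OK"
        else:
            approved = exceptions.get(name)
            covered = (approved is not None and approved[1] >= today
                       and normalize(name, approved[0]) == normalize(name, have))
            result[name] = "EXCEPTION" if covered else "DEVIATION"
    return result


def deviations(export_text, **kwargs):
    """Only the parameters that need action by the TISO."""
    return {p: s for p, s in review(export_text, **kwargs).items()
            if s in ("DEVIATION", "MISSING")}


if __name__ == "__main__":
    actual = parse_rsparam(RSPARAM_EXPORT)
    for param, status in review(RSPARAM_EXPORT, today="2013-01-15").items():
        print(f"{status:10} {param:34} baseline={BASELINE[param]!r:18} "
              f"actual={actual.get(param.lower())!r}")
```

The review evidence required by section 4 is the printed report together with the exception register; once an exception passes its expiry date, the same value is reported as a DEVIATION again, which is what forces the renewal described in section 5.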

6 Baseline Security Requirements for ABAP Stack

6.1 Baseline Security Parameters for ABAP Stack

The ABAP stack settings are applicable to:

1. ECC
2. Central User Administration (CUA)
3. SAP NetWeaver Portal (EP)
4. PI
5. SRM
6. SNC
7. APO LC
8. Business Information Warehouse (BIW)
9. Solution Manager
10. CRM

Parameter = Recommended value, followed by the explanation.

login/min_password_lng = 8
  Minimum length of the logon password.

login/min_password_digits = 2
  Minimum number of digits (0-9) the password MUST contain.

login/min_password_letters = 2
  Minimum number of letters (A-Z) the password MUST contain.

login/min_password_specials = 2
  Minimum number of special characters (!@ $%&/()=?`*+~#-_.,;:{[]}\ and space) the password MUST contain.

login/password_charset = 0
  Defines the characters a password may consist of. Value 0: the password can only consist of digits, letters and the 32 (ASCII) special characters, of which !@ $%&/()=?`*+~#-_.,;:{[]}\ are listed here.

login/min_password_diff = 3
  Minimum number of characters in which a new password MUST differ from the old one when a user changes his or her own password.

login/password_expiration_time = 90
  Value 0: users are not forced to change their password. Value > 0: number of days after which the user MUST change the logon password (exception: users of type SERVICE).

login/password_change_for_SSO = 1
  With password-based logon the system checks whether the user's password MUST be changed (initial password, or password expired). With non-password-based logon (SSO: SNC, X.509, PAS, logon ticket) this check was not performed in earlier releases; value 1 enforces the password change for SSO logons as well.

login/disable_password_logon = 0
  Several types of user authentication exist: password (conventional logon), an external security product (SNC), an X.509 browser certificate (intranet/Internet) and a Workplace Single Sign-On (SSO) ticket. Value 0 keeps password-based logon enabled, which is the default; value 1 disables password logon for all users except those in the user group named in login/password_logon_usergroup.

login/password_logon_usergroup = NULL
  Controls the deactivation of password-based logon for user groups: names the user group for which password logon remains possible when login/disable_password_logon = 1. NULL (empty) means no such group is defined.

login/disable_multi_gui_login = 1
  If set to 1, multiple dialog logons in the same client under the same user name are blocked: when the system recognises a multiple logon, it displays a dialog box with the options "Terminate the current sessions" or "Terminate this logon". This applies to SAPgui logons; logons via Remote Function Call (RFC) are controlled by login/disable_multi_rfc_login. Logons with SERVICE user master records are not subject to the multiple logon check.

login/multi_login_users = IBMBASIS, DDIC
  List of user IDs allowed to log on to the system multiple times. Applies only to dialog users.

login/fails_to_session_end = 3
  Number of incorrect logon attempts allowed before the logon procedure is terminated.

login/fails_to_user_lock = 3
  Every incorrect password raises a counter in the user's master record (the attempts can be logged in the Security Audit Log). When the limit set by this parameter is exceeded the user is locked; this is also logged in the SysLog. The lock becomes invalid at the end of the current day unless login/failed_user_auto_unlock is 0 (see below). The counter is reset when the user logs on with the correct password; logons that do not require a password do not change it. Active user locks apply to all logon types.

login/failed_user_auto_unlock = 0
  Controls the unlocking of users locked by incorrect logon attempts. Value 1: locks set on previous days are ignored (automatic unlock at the end of the day). Value 0: the locks remain until an administrator unlocks the user.

login/accept_sso2_ticket = 1
  To allow Single Sign-On (SSO) in the mySAP.com Workplace, SSO tickets can be used; alternatively X.509 client certificates can be used for user authentication. Workplace component systems SHOULD accept logon by SSO ticket (login/accept_sso2_ticket = 1). If only X.509 client certificates are used, or Single Sign-On is not wanted, logon by SSO ticket can be deactivated (login/accept_sso2_ticket = 0).

login/create_sso2_ticket = 2
  To allow Single Sign-On (SSO) in the mySAP.com Workplace, SSO tickets can be used; alternatively X.509 client certificates can be used for user authentication. Note that this requires additional configuration steps for the Workplace engine (ITS). The Workplace server SHOULD permit the generation of SSO tickets: login/create_sso2_ticket = 1: SSO ticket including certificate; login/create_sso2_ticket = 2: SSO ticket without certificate. Ticket generation SHOULD be deactivated on Workplace component systems (login/create_sso2_ticket = 0).

login/ticket_expiration_time = 1:00 (one hour)
  When an SSO ticket is generated, a validity period can be defined. After this period has passed the SSO ticket can no longer be used to log on to a Workplace component system; the user MUST then log on to the Workplace server again to obtain a new SSO ticket.

login/ticket_only_by_https = 0
  Specifies how the logon ticket created on http(s) logon is set in the browser. 1: the browser sends the ticket only over HTTPS connections. 0: the ticket is always sent, i.e. also over plain HTTP, where it is exposed on the network; where all traffic to the system is HTTPS, value 1 is the safer setting.

login/ticket_only_to_host = 0
  Specifies to which hosts the browser sends the logon ticket. 0: the ticket is set for all servers in the domain. 1: the ticket is sent only to the server that created it.

login/disable_cpic = 1
  If set to 1, incoming connections of type CPIC are rejected (message class 00, message number 161). Incoming connections of type RFC are not affected.

login/no_automatic_user_sapstar = 1
  If the user master record of SAP* is deleted, it is otherwise possible to log on as SAP* with the initial password PASS. SAP* then has all authorizations, since authorization checks cannot be executed, and the standard password PASS cannot be changed. Value 1 deactivates these special attributes of SAP*.

login/system_client = 300
  Client proposed on the logon screen; the user can overwrite it. Value 300 for R/3 and 100 for the remaining systems.

login/update_logon_timestamp = m
  A timestamp (date and time) is recorded for every logon; this parameter sets its granularity and therefore the update rate. Permitted values: D (day accuracy), h (hour accuracy), m (minute accuracy, default), s (second accuracy, backwards compatible).

rdisp/gui_auto_logout = 1800
  Inactive users are automatically logged off after the given period, specified in seconds (1800 = 30 minutes). The SAP default is 0, i.e. automatic logoff is deactivated and users remain logged on however long they stay idle.

auth/rfc_authority_check = 1
  Determines whether authorization object S_RFC is checked during Remote Function Calls:
  Value 0: no check against S_RFC
  Value 1: check active, but no check for the function group SRFC
  Value 2: check active, including the function group SRFC
  (S_RFC is checked per function group; FUGR is the RFC_TYPE value denoting a function group.)
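Taken together, the password parameters above and the USR40 list in section 6.9 define what a new password has to satisfy. The function below is an added example, not part of this document and not SAP's own check: it applies the section 6.1 values and a USR40-style pattern list to a candidate password and returns the rules it violates. The wildcard semantics ('*' any character sequence, '?' one character, compared case-insensitively) and the positional interpretation of login/min_password_diff are assumptions made for the example; the candidate passwords are constructed.

```python
"""Password check against the section 6.1 parameters and a USR40-style list
of forbidden patterns (added example, not part of the HUL document).

Assumptions: USR40 patterns use '*' for any character sequence and '?' for a
single character and are compared case-insensitively; login/min_password_diff
is evaluated position by position, and a changed length also counts as a
difference.  Policy values and patterns are taken from the document; the
candidate passwords are constructed.
"""
import re
import string

# Section 6.1 values.
POLICY = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 2,
    "login/min_password_letters": 2,
    "login/min_password_specials": 2,
    "login/min_password_diff": 3,
}
# Special characters permitted with login/password_charset = 0, as listed in section 6.1.
SPECIALS = set("!@ $%&/()=?`*+~#-_.,;:{[]}\\")
# Section 6.9 (illustrative USR40 entries).
USR40 = ["*ABC*", "*BCS*", "*FUSION*", "*HLL*", "*HP*", "*IBM*", "*INFRA*",
         "*INIT*", "*JINI*", "*PASS*", "*SAP*", "*UNILEV*", "123*"]


def usr40_regex(pattern):
    """Translate a USR40 wildcard pattern into an anchored regular expression."""
    parts = []
    for ch in pattern.upper():
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matches_usr40(password, patterns=USR40):
    """True if the password hits any forbidden pattern (case-insensitive)."""
    return any(usr40_regex(p).match(password.upper()) for p in patterns)


def password_diff(old, new):
    """Positions at which old and new differ, plus the length difference."""
    changed = sum(1 for a, b in zip(old, new) if a != b)
    return changed + abs(len(old) - len(new))


def check_password(new, old=None, policy=POLICY, patterns=USR40):
    """Return the violated rules; an empty list means the password is acceptable."""
    violations = []
    if len(new) < policy["login/min_password_lng"]:
        violations.append("login/min_password_lng")
    digits = sum(c.isdigit() for c in new)
    letters = sum(c in string.ascii_letters for c in new)
    specials = sum(c in SPECIALS for c in new)
    if digits < policy["login/min_password_digits"]:
        violations.append("login/min_password_digits")
    if letters < policy["login/min_password_letters"]:
        violations.append("login/min_password_letters")
    if specials < policy["login/min_password_specials"]:
        violations.append("login/min_password_specials")
    if digits + letters + specials != len(new):
        violations.append("login/password_charset")  # character outside charset 0
    if old is not None and password_diff(old, new) < policy["login/min_password_diff"]:
        violations.append("login/min_password_diff")
    if matches_usr40(new, patterns):
        violations.append("USR40")
    return violations


if __name__ == "__main__":
    for candidate, previous in [("Welcome1", None), ("Hul#Sap12", None),
                                ("Mango#tree$21", "Mango#tree$20"),
                                ("Mango#tree$21", "Pineapple-7&x")]:
        print(f"{candidate!r:18} -> {check_password(candidate, previous) or 'OK'}")
```

Note that a pattern such as *SAP* rejects "Hul#Sap12" although the password otherwise looks mixed, and that "123*" forbids only passwords that start with 123, not every password containing it; both are consequences of the wildcard placement and are worth keeping in mind when section 6.9's list is extended.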

6.2 Client settings

All SAP production clients SHOULD have the following settings, which can be set and reviewed using transaction SCC4 after selecting the relevant client in the list of clients displayed:

Client role SHOULD be set to Production.

An appropriate promote-to-production procedure MUST be in place to ensure that all modifications and new development are tested and authorized prior to their transport to the production environment. Changes to SAP standard programs SHOULD be avoided wherever possible. Access to change system settings (transaction SE06) MUST be restricted to SAP BASIS Administrators.

Changes and Transports for Client-Specific Objects SHOULD be set to No Changes Allowed. Any deviation from this MUST be authorized by the BISO and the TISO and approved by the Head of IT.

Cross-Client Object Changes SHOULD be set to No Changes to Repository and Cross-Client Customizing Objects.

Protection: Client Copier and Comparison Tool SHOULD be set to Protection level 1: No Overwriting.

CATT and eCATT Restrictions SHOULD be set to eCATT and CATT Not Allowed.

6.3 Company Code Settings

Company codes in the production client SHOULD be set as Productive.

6.4 SAP System Accounts, Powerful Profiles and Program Access

Password change for default accounts: the default passwords of the SAP standard user accounts SHOULD be changed. The standard user accounts are:

SAP*
DDIC
SAPCPIC
EARLYWATCH

SAP* and DDIC SHOULD be assigned to user group SUPER only.

6.5 Table & Program Administration

Access to table display and maintenance transactions (SE11, SE16, SE17, SM30, SM31 etc) SHOULD be restricted to appropriate support individuals.

Any support users allocated access to table display and maintenance transactions (SE11, SE16, SE17, SM30, SM31 etc) SHOULD NOT be allowed to perform direct table updates in the production system.

Super users and support users with access to table display transactions SHOULD be restricted to only displaying appropriate (system) tables using table authorization groups.

Access to change client independent tables SHOULD be restricted to a very limited group of support users using the S_TABU_CLI authorization object.

Access to execute programs directly via development transactions (SA38, SE38, SE84, etc) SHOULD NOT be allocated to users in the production system.

Authorizations for the S_DEVELOP object SHOULD NOT be present in end-user roles in the production system.

Access to sensitive programs SHOULD be restricted using the S_PROGRAM object.

Maintenance access to DEBUG MUST be restricted using the S_DEVELOP authorization to ensure that users cannot bypass logic and authorization restrictions.

Where DEBUG access has been allowed, it MUST NOT be combined with access to replace values (S_DEVELOP object type DEBUG with activity 02); activity 03 permits display-only debugging.

6.6 Use of SAP* and profiles SAP_ALL, SAP_NEW

All authorizations SHOULD be removed from the SAP* account and the account SHOULD be locked. A separate user ID SHOULD be created with the same authorizations as SAP*, and this user ID SHOULD be invoked only through the Firefighter process.

No user SHOULD be assigned the SAP_ALL or the SAP_NEW profile outside the Firefighter process.

The ALEREMOTE user ID MUST be defined as a background user and hold a limited access profile. The BWREMOTE user ID MUST be defined as a background user and hold a limited access profile. All data transfer user IDs MUST be defined as background users and hold a limited access profile.

The analysis authorization 0BIALL SHOULD NOT be assigned to users in the system.

6.7 Role Administration

Access to administration of Analysis Authorizations via transaction RSECADMIN MUST be restricted to authorized SAP Security Administrators only.

Individuals with access to Analysis Authorization administration activities SHOULD NOT have access to user administration activities.

A list of business approvers MUST be maintained by the System Owner and appropriate approvals MUST always be sought prior to any changes to Analysis Authorizations.

Analysis Authorization maintenance approvals MUST always be documented for audit purposes.

The InfoProviders accessible to each end-user role SHOULD be restricted using the authorization object S_RS_COMP.

The InfoProviders accessible to support users SHOULD be restricted using the authorization object S_RS_COMP1.

The DSO objects available to support users SHOULD be restricted using the authorization object S_RS_ODSO.

The Infocube objects available to support users SHOULD be restricted using the authorization object S_RS_ICUBE.

Publisher roles MUST be appropriately restricted using the S_USER* authorizations.

The authorization object S_RS_AUTH SHOULD NOT be allocated with a * or 0BIALL value in roles.

Authorization relevant characteristics MUST be set to create access restrictions reflecting the level of control in the SAP ECC system.

Access to set the authorization relevance of characteristics MUST be restricted to authorized individuals only using the authorization object S_RSEC and MUST not be available in the production environment.

Access to maintain InfoObjects MUST NOT be available in the production system and MUST be restricted using the authorization object S_RS_IOBJ.

Access to write queries SHOULD be restricted to a limited number of authorized users only.

Queries and query results MUST only be published to users who are authorized and approved to view the data.

6.8 Info provider Maintenance

Access to maintain InfoCube objects MUST NOT be available in the production system and MUST be restricted using the authorization object S_RS_ICUBE.

Access to activate InfoCubes MUST NOT be available in the production system and MUST be restricted to authorised individuals only using the authorization object S_RS_ICUBE.

Access to maintain DSO objects MUST NOT be available in the production system and MUST be restricted using the authorization object S_RS_ODSO.

Access to activate DSO objects MUST NOT be available in the production system and MUST be restricted to authorised individuals only using the authorization object S_RS_ODSO.

Access to maintain MultiProviders MUST NOT be available in the production system and MUST be restricted using the authorization object S_RS_MPRO.

Access to activate MultiProviders MUST NOT be available in the production system and MUST be restricted to authorised individuals only using the authorization object S_RS_MPRO.

Direct access to display data held within InfoProviders MUST NOT be available to end users in the production system.

Direct access to display DSO objects MUST NOT be available to end users in the production system.

6.9 List of passwords not to be used

The table USR40 stores the list of easily guessable passwords. Every time a new password is assigned to a user, SAP checks this table and rejects any password that matches an entry; '*' in an entry stands for any character sequence, so *SAP* forbids every password containing SAP while 123* forbids only passwords starting with 123. This table MUST be kept updated with combinations of easily guessable passwords. The following values are an illustrative list.

*ABC*

*BCS*

*FUSION*

*HLL*

*HP*

*IBM*

*INFRA*

*INIT*

*JINI*

*PASS*

*SAP*

*UNILEV*

123*

6.10 Review of access to Maintenance of Profile Parameters

Transaction codes RZ10 and RZ11 are used to maintain profile parameters; access to them MUST be given only to SAP BASIS Administrators and MUST be closely monitored and controlled. Confidential or Red Status data MUST have the same level of protection as the production environment and requires the agreement of the information owner. Access to system administration transactions (e.g. SCC* & SE*) MUST be strictly controlled and segregated from other incompatible duties.

The authorization object S_ADMI_FCD MUST be restricted appropriately to ensure that users only have access to BASIS functions appropriate to their job.

The authorization object S_LOG_COM MUST be restricted appropriately to ensure that users can only execute logical operating system commands where absolutely necessary.

Access to the operating system command prompt, or the ability to execute operating system commands, MUST be restricted appropriately by limiting access to transactions SM49 (Execute external OS commands) and SM69 (Maintain external OS commands).

Access to the Computer Centre Management System (CCMS) MUST be restricted to the BASIS team using the authorization object S_RZL_ADM.

The SAP user buffer SHOULD be capable of holding the maximum number of authorizations (2000 or greater) unless performance is being adversely affected. The parameter setting "auth/auth_number_in_userbuffer = 2000" (or greater) SHOULD be made (where applicable) in order to achieve this.

Access to the standard user maintenance transactions (SU01/SU10) and other methods of maintaining users (such as OY22, OY27, SAPMSUU0, BAPI_USER_CHANGE etc.) MUST be restricted to the user administration team.

The S_USER authorization objects (S_USER_AUT, S_USER_GRP, S_USER_AGR, S_USER_PRO) SHOULD be used to appropriately restrict and segregate user administration activities and ensure that individuals with access to user administration activities do not have access to role administration activities and vice versa.

Individuals with access to role administration activities SHOULD NOT have access to user administration activities.

Transaction SU24 SHOULD always be maintained where additional authorization checks are identified

Roles SHOULD always specify transaction codes explicitly; a * value (or wide ranges) for the S_TCODE object SHOULD NOT be present in any end-user role.

All roles MUST be fully documented and this documentation MUST be updated when changes are made.

User roles SHOULD be defined to ensure that users have the minimum access required to perform their normal business duties.

Users MUST NOT be allocated access to all function groups: the function group value of authorization object S_RFC (field RFC_NAME with RFC_TYPE = FUGR) MUST NOT be set to '*'.
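The rules above (no '*' or wide ranges in S_TCODE, no '*' function group in S_RFC, no debugging with replace from section 6.5, and separation of user administration from role administration) can be checked mechanically against the role authorization data in table AGR_1251. The script below is an added example, not part of this document; the AGR_1251 rows are constructed, and the definition of a "wide" range, the role-level (rather than user-level) segregation check and the mapping of "replace values" to S_DEVELOP activity 02 are assumptions stated in the code.

```python
"""Role audit for the wildcard and segregation rules of sections 6.5, 6.7
and 6.10 (added example, not part of the HUL document).

Assumptions: role authorization data is read from table AGR_1251 as rows
(AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH); a S_TCODE value is "wide" when
it is '*', a one-letter prefix such as 'S*', or a range crossing the first
letter (A to ZZZZ); segregation of duties is checked per role (user admin =
S_USER_GRP with change activity, role admin = S_USER_AGR with change
activity); debug "with replace" is S_DEVELOP OBJTYPE DEBUG with activity 02.
The rows below are constructed sample data.
"""
from collections import defaultdict

AGR_1251 = [
    # (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH)
    ("Z_FI_CLERK",       "S_TCODE",    "T-0001", "TCD",       "FB01",  ""),
    ("Z_FI_CLERK",       "S_TCODE",    "T-0001", "TCD",       "FB03",  ""),
    ("Z_FI_CLERK",       "S_RFC",      "T-0002", "RFC_TYPE",  "FUGR",  ""),
    ("Z_FI_CLERK",       "S_RFC",      "T-0002", "RFC_NAME",  "ZFI*",  ""),
    ("Z_FI_CLERK",       "S_RFC",      "T-0002", "ACTVT",     "16",    ""),
    ("Z_SUPPORT_ALL",    "S_TCODE",    "T-0003", "TCD",       "*",     ""),
    ("Z_SUPPORT_ALL",    "S_RFC",      "T-0004", "RFC_TYPE",  "FUGR",  ""),
    ("Z_SUPPORT_ALL",    "S_RFC",      "T-0004", "RFC_NAME",  "*",     ""),
    ("Z_SUPPORT_ALL",    "S_RFC",      "T-0004", "ACTVT",     "16",    ""),
    ("Z_SUPPORT_ALL",    "S_DEVELOP",  "T-0005", "OBJTYPE",   "DEBUG", ""),
    ("Z_SUPPORT_ALL",    "S_DEVELOP",  "T-0005", "ACTVT",     "02",    ""),
    ("Z_SUPPORT_ALL",    "S_DEVELOP",  "T-0005", "DEVCLASS",  "*",     ""),
    ("Z_SUPPORT_ALL",    "S_DEVELOP",  "T-0005", "OBJNAME",   "*",     ""),
    ("Z_SUPPORT_ALL",    "S_DEVELOP",  "T-0005", "P_GROUP",   "*",     ""),
    ("Z_READONLY_DEBUG", "S_DEVELOP",  "T-0006", "OBJTYPE",   "DEBUG", ""),
    ("Z_READONLY_DEBUG", "S_DEVELOP",  "T-0006", "ACTVT",     "03",    ""),
    ("Z_USER_ADMIN",     "S_USER_GRP", "T-0007", "ACTVT",     "01",    "02"),
    ("Z_USER_ADMIN",     "S_USER_GRP", "T-0007", "CLASS",     "*",     ""),
    ("Z_USER_ADMIN",     "S_USER_AGR", "T-0008", "ACTVT",     "02",    ""),
    ("Z_USER_ADMIN",     "S_USER_AGR", "T-0008", "ACT_GROUP", "*",     ""),
    ("Z_WIDE_RANGE",     "S_TCODE",    "T-0009", "TCD",       "A",     "ZZZZ"),
]


def authorizations(rows):
    """Group rows into {(role, object, auth): {field: [(low, high), ...]}}."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        auths[(role, obj, auth)][field].append((low, high))
    return auths


def is_wide(low, high):
    """'*', a one-letter prefix wildcard, or a range crossing the first letter."""
    if low == "*" or (low.endswith("*") and len(low) <= 2):
        return True
    return bool(high) and low[:1] != high[:1]


def grants_change(actvts):
    """True if ACTVT includes 02 (change), directly, via '*' or via a range."""
    return any(low in ("02", "*") or (high and low <= "02" <= high)
               for low, high in actvts)


def audit(rows):
    """Return sorted (role, finding) pairs for the rules of 6.5, 6.7 and 6.10."""
    findings = set()
    user_admin, role_admin = set(), set()
    for (role, obj, _auth), fields in authorizations(rows).items():
        if obj == "S_TCODE":
            if any(is_wide(lo, hi) for lo, hi in fields.get("TCD", [])):
                findings.add((role, "S_TCODE_WIDE"))
        elif obj == "S_RFC":
            if any(lo == "*" for lo, _ in fields.get("RFC_NAME", [])):
                findings.add((role, "S_RFC_FUGR_STAR"))
        elif obj == "S_DEVELOP":
            objtypes = {lo for lo, _ in fields.get("OBJTYPE", [])}
            if objtypes & {"DEBUG", "*"} and grants_change(fields.get("ACTVT", [])):
                findings.add((role, "DEBUG_WITH_REPLACE"))
        elif obj == "S_USER_GRP" and grants_change(fields.get("ACTVT", [])):
            user_admin.add(role)
        elif obj == "S_USER_AGR" and grants_change(fields.get("ACTVT", [])):
            role_admin.add(role)
    for role in user_admin & role_admin:
        findings.add((role, "USER_AND_ROLE_ADMIN"))
    return sorted(findings)


if __name__ == "__main__":
    for role, finding in audit(AGR_1251):
        print(f"{role:18} {finding}")
```

Z_READONLY_DEBUG is not reported because activity 03 is display-only debugging; Z_USER_ADMIN is reported although its S_USER_GRP activity is a range, because the range 01 to 02 includes change. A real review would run the same checks over the roles actually assigned to each user (AGR_USERS) rather than per role.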

6.11 Batch Processing & Spool Management

Access to manage any batch job SHOULD be restricted to its owner and selected batch administrators.

Access to administer, schedule and delete the batch jobs of other users MUST be restricted to selected batch administrators and MUST be controlled using the authorization object S_BTCH_ADM.

Access to work on other users' scheduled batches MUST be restricted to batch administrators only and MUST be controlled using the authorization object S_BTCH_JOB.

Access to execute batches in another user's name MUST be restricted to limited circumstances and the allocation of S_BTCH_NAM authorizations MUST be limited.

Access to manage and view any spool output SHOULD be restricted to its owner.

Authorization groups SHOULD be configured on sensitive spool jobs.

Access to sensitive spool jobs SHOULD be restricted using the authorization object S_SPO_ACT.

6.12 Transport Management System

Access to the transport management system transactions (STMS, SE10 etc.) MUST be restricted in the production system to the BASIS administration team. Access to import data into the production system MUST be limited by ensuring that the S_TRANSPRT authorization object is allocated only to the BASIS administration team.

Access to administer the Change and Transport System (CTS) MUST be restricted to the BASIS team using the authorization object S_CTS_ADMI.

7 Security Requirements for Java Stack

The Java stack settings are applicable to:

1. SAP NetWeaver Portal (EP)
2. PI
3. SRM
4. BI Java
5. Solution Manager
6. CE
7. CRM

7.1 Basic Security Settings for Java Stack

The J2EE_GUEST user account SHOULD be locked.

The SDM administrator password SHOULD be provided only to the J2EE administrator group and documented so that it is guarded against unauthorised usage.

The \usr\sap\\SYS\global\security\data\SecStore.properties file (the AS Java secure store) SHOULD be secured and owned by the SAP SID user at the OS level.

7.2 Security Audit Log for JAVA Stack

The security audit log file SHOULD be used for controlling and monitoring.

The files are located in the file system as follows:

Security log: :\usr\sap\\\j2ee\cluster\server\log\system\security..log

Trace files: :\usr\sap\\\j2ee\cluster\server\log\defaultTrace..trc

8 Security Requirements for SAP NetWeaver Portal (EP & CE)

8.1 Profile Parameters for EP & CE

The parameters below are User Management Engine (UME) properties of the AS Java. Except for ume.superadmin.activated they belong to the ume.logon.security_policy namespace (e.g. ume.logon.security_policy.password_min_length) and are maintained in the UME configuration.

Parameter = Recommended value, followed by the explanation.

auto_unlock_time = 3
  Number of minutes before a user ID is unlocked after a series of failed logon attempts.

cert_logon_required = FALSE
  Defines whether certificate logon is required.

lock_after_invalid_attempts = 3
  Number of failed logon attempts before the user is locked.

log_client_hostaddress = TRUE
  The UME logs the user's host IP address.

log_client_hostname = FALSE
  When enabled, the UME (Portal User Management Engine) logs the user's hostname.

oldpass_in_newpass_allowed = FALSE
  Defines whether the old password may be part of the new password.

password_alpha_numeric_required = 2
  Minimum number of alphabetic and numeric characters in passwords.

password_change_allowed = TRUE
  Users can change their passwords. Administrators can reset users' passwords.

password_change_required = TRUE
  A newly created user is required to change his or her initial password at first logon.

password_expire_days = 90
  Number of days before the password expires.

password_history = 10
  Users cannot reuse any of the last 10 passwords.

password_last_change_date_default = 12/31/9999
  If a user has never changed his or her password using the AS Java, this date counts as the last date on which the user changed the password.

password_max_length = 14
  Maximum length of the password.

password_min_length = 8
  Minimum length of the password.

password_mix_case_required = 1
  Minimum number of upper-case and lower-case letters in passwords.

password_special_char_required = 2
  Minimum number of special characters in passwords.

userid_digits = 0
  Minimum number of digits in the user logon ID.
  Value < 0: digits are not allowed
  Value = 0: digits are allowed
  Value > 0: digits are required

userid_in_password_allowed = FALSE
  Defines whether the user ID may be part of the password. With FALSE the user ID cannot be part of the password.

userid_lowercase = 0
  Minimum number of lower-case characters in the user logon ID.
  Value < 0: lower-case characters are forbidden
  Value = 0: lower-case characters are allowed
  Value > 0: lower-case characters are required

userid_special_char_required = -1
  Minimum number of special characters in the user logon ID.
  Value < 0: special characters are forbidden
  Value = 0: special characters are allowed
  Value > 0: special characters are required

useridmaxlength = 20
  Maximum length of the user ID.

useridminlength = 6
  Minimum length of the user ID.

ume.superadmin.activated = false
  Usage of the emergency super administrator SAP* on the AS Java is deactivated if the value is set to false.

8.2 Security requirements for EP Super Administrators

In case of emergency, activation of the super administrator SAP* SHOULD be done with the approval of the Basis track leads. The transaction logs for the duration of the access SHOULD be reviewed and signed off with the CISO. The Super Administration role SHOULD be assigned only to administrator user accounts. Sensitive administrative URLs SHOULD NOT be reachable over the Internet:

For NetWeaver User Administration
  ://:/nwa/identity
  ://:/useradmin

For NetWeaver Administration
  ://:/nwa
  ://:/nwapi

For WSDL
  http://:/NavigationWS/NavigationWSConfig?wsdl

For SLD
  http://:/sld

9 Security Requirements for TREX

9.1 Data Storage Security

Data Storage Location: access to the following TREX data storage locations SHOULD be restricted and owned by the SAP SID user at OS level. On UNIX: /usr/sap//TRX; on Windows: \usr\sap\\TRX

10 Security Requirements SAP APO

10.1 Trace reads / gateway user

The SAP APO Optimizer writes log files to the gateway file system. The log files are located in the following directory, which MUST be protected on the server against unauthorised access and SHOULD be owned by the SAP SID user: \usr\sap\\\log

  = Gateway-ID on the SAP APO optimizer server
  = Gateway number