Securing SAP in 5 steps - SAP Cyber Security Solutions


  • Invest in security to secure investments

    Securing SAP in 5 steps

    Alexander Polyakov CTO ERPScan

  • About ERPScan

    The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP

    Leader by the number of acknowledgements from SAP (150+)
    60+ presentations at key security conferences worldwide
    25 awards and nominations
    Research team: 20 experts with experience in different areas of security
    Headquarters in Palo Alto (US) and Amsterdam (EU)


  • Securing SAP

    Have a budget: find people and tools (later)

    Don't have a budget: try to show the business how critical it is


  • Ask 3rd parties for

    Whitepapers
    Webinars from experts
    SaaS scanning of external-facing systems
    Pentest
    Full SAP security assessment


  • SAP Security

    1. Pentesting and Audit

  • Pentest - anonymous scanning for SAP vulnerabilities

    Analysis of exposed services (more than 20 possible)
    Black-box analysis of installed applications and vulnerabilities
    Exploitation of found vulnerabilities
    Presentation of the report for management



  • Scan the external company network for SAP
    Scan internal SAP systems from the user or guest network
    Scan internal SAP systems from the admin network

    We have scanned external systems and collected the data since 2011


    Analysis of running services

    [Charts: remotely exposed SAP services, 2011 vs 2013. Services shown: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server, httpd, SAP Router]

    Remotely exposed services

  • Only these services should be open for local (internal network) access:
    Dispatcher, Message Server, HTTP (ICM)

    Internal access
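The two slides above give the rule (only Dispatcher, Message Server and ICM HTTP reachable from the user network) but not a way to apply it to a scan result. The following is an added example, not code from the deck or from ERPScan: it derives the default TCP ports of a NetWeaver ABAP instance from its instance number (SAP's documented port formulas; systems may be reconfigured) and classifies which open ports are acceptable from the user network. The host name and the scan result in the main block are constructed.

```python
"""Enumerate SAP NetWeaver ABAP instance ports and classify a user-network scan."""
import socket
from typing import Dict, Iterable, List, Set, Tuple

# Default port templates per two-digit instance number NN (SAP's documented
# defaults, see the "TCP/IP Ports Used by SAP Applications" document). A system
# can be reconfigured to other ports, so treat this as a starting map.
INSTANCE_PORT_TEMPLATES = {
    "SAP Dispatcher (DIAG, SAP GUI)": "32{nn}",
    "SAP Gateway (RFC)": "33{nn}",
    "SAP Gateway (RFC over SNC)": "48{nn}",
    "SAP Message Server": "36{nn}",
    "SAP Message Server HTTP": "81{nn}",
    "ICM HTTP": "80{nn}",
    "ICM HTTPS": "443{nn}",
    "SAPControl (sapstartsrv) HTTP": "5{nn}13",
    "SAPControl (sapstartsrv) HTTPS": "5{nn}14",
}
FIXED_PORTS = {
    1128: "SAP Host Control HTTP",
    1129: "SAP Host Control HTTPS",
    3299: "SAP Router",
}
# Per the slide: the only services that may be reachable from the user network.
USER_NETWORK_OK = {
    "SAP Dispatcher (DIAG, SAP GUI)",
    "SAP Message Server",
    "ICM HTTP",
    "ICM HTTPS",
}


def instance_ports(instance: int) -> Dict[int, str]:
    """Map port -> service name for one instance number (00..99)."""
    if not 0 <= instance <= 99:
        raise ValueError("instance number must be 00..99")
    nn = f"{instance:02d}"
    return {int(t.format(nn=nn)): name for name, t in INSTANCE_PORT_TEMPLATES.items()}


def expected_ports(instances: Iterable[int]) -> Dict[int, str]:
    """Port map for all given instances plus the fixed-port services."""
    ports = dict(FIXED_PORTS)
    for instance in instances:
        ports.update(instance_ports(instance))
    return ports


def classify_exposure(open_ports: Iterable[int], instances: Iterable[int]) -> List[Tuple[int, str, str]]:
    """Return (port, service, verdict) for each open port seen from the user network.

    ok       - allowed by the slide's rule (Dispatcher, Message Server, ICM HTTP/S)
    restrict - an SAP management or RFC interface that should not be reachable here
    review   - not a known SAP port; find out what listens there
    """
    known = expected_ports(instances)
    findings = []
    for port in sorted(set(open_ports)):
        service = known.get(port)
        if service is None:
            findings.append((port, "unknown / non-SAP", "review"))
        elif service in USER_NETWORK_OK:
            findings.append((port, service, "ok"))
        else:
            findings.append((port, service, "restrict"))
    return findings


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Set[int]:
    """Plain TCP connect scan; run only against systems you are authorised to test."""
    open_ports = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.add(port)
        except OSError:
            pass
    return open_ports


if __name__ == "__main__":
    # Constructed scan result for an instance-00 host as seen from the user LAN.
    observed = {22, 1128, 3200, 3300, 3600, 8000, 50013}
    for port, service, verdict in classify_exposure(observed, [0]):
        print(f"{port:>6}  {verdict:<8}  {service}")
    # Live use: tcp_connect_scan("sap-host.example", expected_ports([0]))
```

Running the constructed example flags 3300 (Gateway), 50013 (SAPControl) and 1128 (Host Control) as interfaces to firewall off from the user network, while 3200, 3600 and 8000 pass. The port classification covers the ABAP stack only; Java-stack and database ports need their own map.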

  • Next step after black-box analysis. Can be used as a starting point for an SAP security project, and also as a final test after implementation.



  • Examples of vulnerabili@es

    Auth bypass in CTC Anonymous user crea?on Anonymous file read Informa?on disclosure Unauthorized access to KM documents


    Pentest JAVA

  • Examples of vulnerabili@es:

    Buffer overflows Informa?on disclosure about files in MMC Unauthorized access to log files Injec?on of OS commands in SAPHostControl Dangerous web servies Informa?on disclosure about parameters in Message Server



    Pentest ABAP

  • Full SAP security assessment

    Configuration analysis
    Access control checks
    Vulnerability scanning


  • Configuration analysis

    Authentication (password policies, SSO, users selected by different criteria)
    Access control (access to different web services, tables, transactions; insecure test services; unnecessary transactions and web applications)
    Encryption (SSL and SNC encryption)
    Monitoring (security audit log, system log and others)
    Insecure configuration (all other security checks for particular services: Gateway, Message Server, ITS, SAP GUI, Web Dispatcher, MMC, Host Control, Portal)


  • Access control

    Users with critical profiles
    Users with critical roles
    Users with access to critical tables
    Users with access to transport
    Users with access to development
    Users with access to user administration
    Users with access to system administration
    Users with access to HR functions
    Users with access to CRM functions
    ...


  • Vulnerability scan

    Check for the latest component versions
    Check for missing SAP Notes
    Exploit vulnerabilities to confirm they really exist


  • SAP Security

    2. Compliance

  • First of all, choose the one you want

    EAS-SEC
    SAP NetWeaver ABAP Security Configuration (SAP)
    ISACA (ITAF)
    DSAG



  • Enterprise Application Systems Application Implementation: NetWeaver ABAP

    Developed by ERPScan
    First standard of the EAS-SEC series
    Will be published in September
    Rapid assessment of SAP security in 9 areas
    Contains the 33 most critical checks
    Ideal as a first step
    Also contains information for the next steps
    Categorized by priority and criticality

    EAS-SEC for NetWeaver (EASAI-NA)

  • EASAI-NA-2013

    Area                                         Access needed  Criticality  Easy to exploit  % of vulnerable systems
    1. Lack of patch management                  Anonymous      High         High             99%
    2. Default passwords for application access  Anonymous      High         High             95%
    3. Unnecessary enabled functionality         Anonymous      High         High             90%
    4. Open remote management interfaces         Anonymous      High         Medium           90%
    5. Insecure configuration                    Anonymous      Medium       Medium           90%
    6. Unencrypted communication                 Anonymous      Medium       Medium           80%
    7. Access control and SOD                    User           High         Medium           99%
    8. Insecure trust relations                  User           High         Medium           80%
    9. Logging and monitoring                    Administrator  High         Medium           98%

  • [EASAI-NA-01] Component updates
    [EASAI-NA-02] Kernel updated

    What next: other components should be updated separately: SAP Router, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects, and also the OS and the database.

    Lack of patch management

  • [EASAI-NA-03] Default password check for user SAP*
    [EASAI-NA-04] Default password check for user DDIC
    [EASAI-NA-05] Default password check for user SAPCPIC
    [EASAI-NA-06] Default password check for user TMSADM
    [EASAI-NA-07] Default password check for user EARLYWATCH

    What next: a couple of additional SAP components also use their own default passwords. For example, old versions of the SAP SDM and SAP ITS services have default passwords. After you have checked all default passwords, you can start brute-forcing for simple passwords.

    Default passwords

  • [EASAI-NA-08] Access to RFC functions using the SOAP interface
    [EASAI-NA-09] Access to RFC functions using the FORM interface
    [EASAI-NA-10] Access to the XI service using the SOAP interface

    What next: you should analyze the roughly 1500 other remotely enabled services to decide whether they are really needed, and also disable unused transactions, programs and reports.

    Unnecessary enabled functionality

  • [EASAI-NA-11] Unauthorized access to the SAPControl service
    [EASAI-NA-12] Unauthorized access to the SAPHostControl service
    [EASAI-NA-13] Unauthorized access to the Message Server service
    [EASAI-NA-14] Unauthorized access to the Oracle database

    What next: the full list of SAP services is in the document "TCP/IP Ports Used by SAP Applications". You should also take care of 3rd-party services that may be enabled on the same server.

    Open remote management interfaces

  • [EASAI-NA-15] Minimum password length
    [EASAI-NA-16] User locking policy
    [EASAI-NA-17] Password compliance with current standards
    [EASAI-NA-18] Access control to RFC (reginfo.dat)
    [EASAI-NA-19] Access control to RFC (secinfo.dat)

    What next: first of all, look at the document "Secure Configuration of SAP NetWeaver Application Server Using ABAP" for detailed configuration checks. Afterwards you can go through the detailed documents for each SAP service and module: http://

    Insecure configuration
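For EASAI-NA-18 and EASAI-NA-19 the question is not whether reginfo and secinfo exist but what their rules actually permit. The following is an added example, not code from the deck or from ERPScan: a parser for the `#VERSION=2` rule syntax of the Gateway ACL files (one `P` or `D` rule per line, keyword=value pairs, evaluated top-down with the first match winning), an evaluator that answers "would this request pass?", and an audit that flags wildcard permits and a missing explicit final deny. Keywords omitted from a rule are treated as `*` by this checker, which is the conservative reading for an audit. Both secinfo texts, the program path, the user and the hosts are constructed.

```python
"""Parse, evaluate and audit SAP Gateway ACL files (secinfo / reginfo)."""
import fnmatch
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, Dict[str, str]]  # ("P" or "D", {"TP": ..., "HOST": ..., ...})

# Constructed: the wide-open file that makes EASAI-NA-19 fail.
WEAK_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

# Constructed hardened counterpart: local programs for local users, one
# named external program from one subnet, then an explicit catch-all deny.
HARDENED_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=/usr/sap/tax/bin/taxcalc USER=TAXRFC USER-HOST=10.1.2.* HOST=apphost01
D TP=* USER=* USER-HOST=* HOST=*
"""


def parse_acl(text: str) -> List[Rule]:
    """Turn the file text into an ordered list of (action, attributes)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and the #VERSION=2 header
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"unexpected rule action in {line!r}")
        attrs = {}
        for pair in pairs:
            key, _, value = pair.partition("=")
            attrs[key.upper()] = value
        rules.append((action, attrs))
    return rules


def _matches(pattern: str, value: Optional[str]) -> bool:
    """'*' matches anything; comma-separated lists match if any entry matches."""
    if pattern == "*":
        return True
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value, entry) for entry in pattern.split(","))


def evaluate(rules: List[Rule], request: Dict[str, str]) -> str:
    """Return 'P', 'D' or 'NOMATCH' for a request like {"TP": ..., "HOST": ...}."""
    for action, attrs in rules:
        if all(_matches(pattern, request.get(key)) for key, pattern in attrs.items()):
            return action
    return "NOMATCH"


def audit(rules: List[Rule], kind: str = "secinfo") -> List[str]:
    """Flag permits that are open to any host and a missing explicit final deny."""
    host_keys = ("HOST", "USER-HOST") if kind == "secinfo" else ("HOST",)
    findings = []
    for number, (action, attrs) in enumerate(rules, 1):
        if action != "P":
            continue
        any_tp = attrs.get("TP", "*") == "*"
        any_host = all(attrs.get(k, "*") == "*" for k in host_keys)
        if any_tp and any_host:
            findings.append(f"rule {number}: permits any program from any host")
        elif any_host:
            findings.append(f"rule {number}: TP={attrs.get('TP')} permitted from any host")
    last = rules[-1] if rules else None
    if last is None or last[0] != "D" or last[1].get("TP", "*") != "*":
        findings.append("no explicit final 'D TP=*' rule; unmatched requests fall "
                        "through to the gateway default")
    return findings


if __name__ == "__main__":
    # Constructed attacker request: unknown program from an unknown client host.
    attacker = {"TP": "/tmp/evil", "USER": "X", "USER-HOST": "10.9.9.9", "HOST": "apphost01"}
    for label, text in (("weak", WEAK_SECINFO), ("hardened", HARDENED_SECINFO)):
        rules = parse_acl(text)
        print(label, "->", evaluate(rules, attacker), audit(rules))
```

The same parser and audit apply to reginfo with `kind="reginfo"` (its rules carry `HOST`, `ACCESS` and `CANCEL` instead of `USER` and `USER-HOST`). The evaluator is there so that you can prove to the Basis team, before a change goes live, which existing integrations the hardened file still admits.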

  • [EASAI-NA-20] Users with the SAP_ALL profile
    [EASAI-NA-21] Users who can run any program
    [EASAI-NA-22] Users who can modify the critical table USR02
    [EASAI-NA-23] Users who can execute any OS command
    [EASAI-NA-24] Disabled authorization checks

    What next: there are at least about 100 critical transactions in BASIS alone and approximately the same number in each other module. Detailed information can be found in the ISACA guidelines. After that you can start with Segregation of Duties.

    Access control and SOD conflicts
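The "Default passwords" slide (EASAI-NA-03..07) and the first check on the slide above (EASAI-NA-20) both come down to the same user-master review: which default accounts are still live, and which live accounts carry SAP_ALL or SAP_NEW. The following is an added example, not code from the deck or from ERPScan. It works over rows in the shape of USR02 (user master: client MANDT, user BNAME, type USTYP, lock flag UFLAG) and UST04 (user-to-profile assignment) exports; the field semantics are SAP's, the rows themselves are constructed. It does not test passwords; it tells you which default accounts you still have to test.

```python
"""Audit SAP user master rows for live default users and SAP_ALL / SAP_NEW holders."""
from typing import Dict, Iterable, List, Tuple

DEFAULT_USERS = {"SAP*", "DDIC", "SAPCPIC", "TMSADM", "EARLYWATCH"}
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}
USER_TYPES = {"A": "dialog", "B": "system", "C": "communication", "L": "reference", "S": "service"}
# USR02-UFLAG is a bit mask; 0 means the account is not locked.
LOCK_BITS = {32: "locked by administrator", 64: "locked after failed logons", 128: "locked globally"}

Finding = Tuple[str, str, str]  # (client, user, description)

# Constructed USR02 export. Note: no SAP* record exists in client 100.
USR02_ROWS = [
    {"MANDT": "000", "BNAME": "SAP*", "USTYP": "A", "UFLAG": "0"},
    {"MANDT": "000", "BNAME": "DDIC", "USTYP": "A", "UFLAG": "0"},
    {"MANDT": "100", "BNAME": "DDIC", "USTYP": "A", "UFLAG": "32"},
    {"MANDT": "100", "BNAME": "EARLYWATCH", "USTYP": "A", "UFLAG": "64"},
    {"MANDT": "100", "BNAME": "J.DOE", "USTYP": "A", "UFLAG": "0"},
    {"MANDT": "100", "BNAME": "RFC_BATCH", "USTYP": "B", "UFLAG": "0"},
]
# Constructed UST04 export (profile assignments).
UST04_ROWS = [
    {"MANDT": "000", "BNAME": "SAP*", "PROFILE": "SAP_ALL"},
    {"MANDT": "000", "BNAME": "DDIC", "PROFILE": "SAP_ALL"},
    {"MANDT": "100", "BNAME": "DDIC", "PROFILE": "SAP_ALL"},
    {"MANDT": "100", "BNAME": "J.DOE", "PROFILE": "SAP_ALL"},
    {"MANDT": "100", "BNAME": "J.DOE", "PROFILE": "S_A.SYSTEM"},
    {"MANDT": "100", "BNAME": "RFC_BATCH", "PROFILE": "SAP_NEW"},
]


def lock_reasons(uflag: int) -> List[str]:
    """Decode the UFLAG bit mask into human-readable lock reasons."""
    return [text for bit, text in LOCK_BITS.items() if uflag & bit]


def audit_users(usr02: Iterable[Dict[str, str]], ust04: Iterable[Dict[str, str]]) -> List[Finding]:
    profiles: Dict[Tuple[str, str], set] = {}
    for row in ust04:
        profiles.setdefault((row["MANDT"], row["BNAME"]), set()).add(row["PROFILE"])

    findings: List[Finding] = []
    clients, sapstar_clients = set(), set()
    for row in usr02:
        client, user = row["MANDT"], row["BNAME"]
        clients.add(client)
        if user == "SAP*":
            sapstar_clients.add(client)
        if lock_reasons(int(row["UFLAG"])):
            continue  # a locked account is not a live risk (still worth reviewing)
        utype = USER_TYPES.get(row["USTYP"], row["USTYP"])
        if user in DEFAULT_USERS:
            findings.append((client, user,
                             f"default {utype} user is not locked; verify its password is not the default"))
        for profile in sorted(CRITICAL_PROFILES & profiles.get((client, user), set())):
            findings.append((client, user, f"active {utype} user holds profile {profile}"))
    # A client without a SAP* master record allows the hard-coded SAP* logon
    # unless login/no_automatic_user_sapstar = 1.
    for client in sorted(clients - sapstar_clients):
        findings.append((client, "SAP*",
                         "no user master record; hard-coded SAP* logon possible unless "
                         "login/no_automatic_user_sapstar=1"))
    return sorted(findings)


if __name__ == "__main__":
    for client, user, text in audit_users(USR02_ROWS, UST04_ROWS):
        print(f"{client} {user:<12} {text}")
```

On the constructed data the locked DDIC and EARLYWATCH in client 100 produce no findings, while SAP* and DDIC in client 000, J.DOE's SAP_ALL, the SAP_NEW system user and the missing SAP* record in client 100 do. In a real review pull the rows per client and add AGR_USERS (role assignments) the same way, since SAP_ALL-equivalent access is often granted through roles rather than the profile itself.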

  • [EASAI-NA-25] Use of SSL to secure HTTP connections
    [EASAI-NA-26] Use of SNC to secure SAP GUI connections
    [EASAI-NA-27] Use of SNC to secure RFC connections

    What next: even if you use encryption, check how it is configured for every type of encryption and for every service, because each encryption type has its own complex configuration. For example, the latest attacks on SSL such as BEAST and CRIME require companies to use a more careful SSL configuration.

    Unencrypted connections

  • [EASAI-NA-28] RFC connections with stored authentication data
    [EASAI-NA-29] Trusted systems with lower security

    What next: check other ways to get access to trusted systems, such as database links, use of the same OS user, or simply use of the same passwords on different systems.

    Insecure trusted connections

  • [EASAI-NA-30] Logging of security events
    [EASAI-NA-31] Logging of HTTP requests
    [EASAI-NA-32] Logging of table changes
    [EASAI-NA-33] Logging of access to the Gateway

    What next: there are about 30 different types of log files in SAP. After properly enabling the main ones, the next step is to configure the detailed options: exactly which tables to monitor for changes, which events to analyse in the security audit log, which types of Gateway attacks to collect, and so on. Then enable centralized collection and storage, and add the other log events.

    Logging and Monitoring
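Three of the slides above (Insecure configuration, items 15 to 17; Unencrypted connections, 25 to 27; Logging and Monitoring, 30 to 33) are all answered by profile parameters that an administrator can dump with RSPARAM or RZ11. The following is an added example, not code from the deck or from ERPScan, that parses such a dump and reports which EASAI-NA items fail. The parameter names are SAP's profile parameters; the thresholds (minimum length 8, lock after at most 5 failures, HTTPS required) are this script's own hardening assumptions rather than values prescribed by the standard, and the defaults assumed for unset parameters follow the kernel defaults as I understand them. Both profile texts are constructed.

```python
"""Audit SAP profile parameters against EASAI-NA password, encryption and logging checks."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (EASAI-NA id, parameter, detail)

# Constructed: a profile that fails every check below.
WEAK_PROFILE = """\
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_compliance_to_current_policy = 0
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=30,PROCTIMEOUT=600
snc/enable = 0
rsau/enable = 0
rec/client = OFF
"""

# Constructed hardened counterpart.
HARDENED_PROFILE = """\
login/min_password_lng = 12
login/fails_to_user_lock = 5
login/password_compliance_to_current_policy = 1
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=30,PROCTIMEOUT=600
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=http_%y_%m.log,MAXSIZEKB=10240,SWITCHTF=month,LOGFORMAT=SAP
snc/enable = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
rsau/enable = 1
rec/client = ALL
gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
"""


def parse_params(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; only the first '=' separates name from value."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def _as_int(params: Dict[str, str], name: str, default: int) -> int:
    try:
        return int(params.get(name, default))
    except ValueError:
        return default


def audit_params(params: Dict[str, str]) -> List[Finding]:
    """One finding per failed check; an empty list means every check passed."""
    f: List[Finding] = []
    get = params.get
    length = _as_int(params, "login/min_password_lng", 6)
    if length < 8:
        f.append(("EASAI-NA-15", "login/min_password_lng", f"{length} < 8"))
    lock = _as_int(params, "login/fails_to_user_lock", 5)
    if not 1 <= lock <= 5:
        f.append(("EASAI-NA-16", "login/fails_to_user_lock", f"{lock} not in 1..5"))
    if get("login/password_compliance_to_current_policy", "0") != "1":
        f.append(("EASAI-NA-17", "login/password_compliance_to_current_policy",
                  "existing passwords are not forced to meet the current policy"))
    # ICM listeners: icm/server_port_N = PROT=...,PORT=...,...
    https_seen = False
    for name in sorted(params):
        if name.startswith("icm/server_port_"):
            opts = dict(kv.split("=", 1) for kv in params[name].split(",") if "=" in kv)
            prot = opts.get("PROT", "").upper()
            if prot == "HTTPS":
                https_seen = True
            elif prot == "HTTP":
                f.append(("EASAI-NA-25", name, f"plaintext HTTP on port {opts.get('PORT', '?')}"))
    if not https_seen:
        f.append(("EASAI-NA-25", "icm/server_port_N", "no HTTPS listener configured"))
    if get("snc/enable", "0") != "1":
        f.append(("EASAI-NA-26/27", "snc/enable", "SNC disabled: SAP GUI and RFC traffic unencrypted"))
    else:
        if get("snc/accept_insecure_gui", "0") != "0":
            f.append(("EASAI-NA-26", "snc/accept_insecure_gui", "SAP GUI logons without SNC still accepted"))
        if get("snc/accept_insecure_rfc", "0") != "0":
            f.append(("EASAI-NA-27", "snc/accept_insecure_rfc", "RFC connections without SNC still accepted"))
    if get("rsau/enable", "0") != "1":
        f.append(("EASAI-NA-30", "rsau/enable", "security audit log disabled"))
    if not get("icm/HTTP/logging_0"):
        f.append(("EASAI-NA-31", "icm/HTTP/logging_0", "HTTP request logging not configured"))
    if get("rec/client", "OFF").upper() == "OFF":
        f.append(("EASAI-NA-32", "rec/client", "table change logging off"))
    if not get("gw/logging"):
        f.append(("EASAI-NA-33", "gw/logging", "gateway logging not configured"))
    return f


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, "->", audit_params(parse_params(text)) or "all checks passed")
```

Passing a parameter check is necessary, not sufficient: `rsau/enable = 1` says nothing about which audit classes are switched on in SM19, `rec/client = ALL` is often narrowed to a client list in production, and the TLS listener still needs its cipher and protocol settings reviewed, which is the point the "Unencrypted connections" slide makes about BEAST and CRIME.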

  • Guidelines made by SAP: the first official SAP guide for technical security of the ABAP stack,
    "Secure Configuration of SAP NetWeaver Application Server Using ABAP". First version 2010; current version 1.2.