
Overview

  1. Security
  2. JAVA Stack of <SID>
  3. System Recommendations
  4. Default Passwords of Standard Users
  5. Control of the Automatic Login User SAP*
  6. Protection of Passwords in Database Connections
  7. ABAP Password Policy
  8. Users with Critical Authorizations
  9. Gateway and Message Server Security
  10. FAQ

Security

This chapter checks selected security aspects of the system, such as whether the relevant security-related SAP HotNews and Notes have been applied. It also tests the extent to which critical authorizations have been assigned in the system and whether standard users still use their default passwords.

For a complete explanation of the ratings, review SAP Note 863362 - Security checks in SAP EarlyWatch Alert, EarlyWatch and GoingLive sessions.

JAVA Stack of <SID>

The source data for the Java stack entries comes from CCDB, so any recommendation that is shown incorrectly here can usually be attributed to an outdated store in CCDB. It is therefore recommended to ensure that all lights are GREEN in Managed System Configuration for the Java stack of the specified system. A YELLOW or GREY light in one of the steps means the EWA cannot access up-to-date information if CCDB does not hold recent data.

Example:

The Invoker Servlet parameter EnableInvokerServletGlobally is shown as true even though it has already been set to false in the Netweaver Admin Console.

In EWA: the parameter is shown as true.

In Netweaver Admin Console: the parameter is shown correctly set to false.

In CCDB: the source for the EWA report holds outdated information and shows the parameter as true, the same information as the EWA report.

Resolution:

Ensure that the managed system configuration is done completely for the Java stack of the system. Ensure all the lights are GREEN and not YELLOW or GREY. Steps such as 'Create Users' or 'Maintain Users' of the managed system configuration for the Java stack can cause an issue.

If there is an issue with regard to CTS+ (YELLOW rating in the EWA), follow the steps outlined in the wiki https://wiki.scn.sap.com/wiki/x/XDO7Gg.

System Recommendations

Purpose

This section was introduced with Support Package 25 (software component ST-STER) and checks the usage of the application "System Recommendations". This application should be used to enable a successful security patch process. This tool provides recommendations for your system concerning SAP Security Notes or HotNews (for ABAP, JAVA and other technical systems) that should be implemented. For this, the current status of the software in your system is taken into account.

For more information, please go to https://support.sap.com/sysrec on the SAP Service Marketplace. The SAP component for questions relating to System Recommendation is SV-SMG-SR.

Rating 

GREEN: The System Recommendations tool is used and shows results that are up to 31 days old.

YELLOW:

  • The System Recommendations tool is used but the results are older than 31 days.
  • The System Recommendations tool is not used for this system.
  • The System Recommendations tool is not used at all.

Additional Information:

2041071 - How to download latest Java patches using System Recommendation

Default Passwords of Standard Users

Purpose

Determines whether the provided passwords of the standard users SAP*, DDIC, SAPCPIC, EARLYWATCH, and TMSADM have been changed in all clients and whether the user SAP* is missing in any of the clients.

You can use the report RSUSR003 to display the results of this check in detail.

You can find more information in the unit "Protecting Standard Users" (http://help.sap.com/saphelp_nw70/helpdata/EN/3e/cdaccbedc411d3a6510000e835363f/frameset.htm).

Rating 

GREEN: Passwords of all standard users have been changed, or password authentication is disabled for these users.

YELLOW:

  • User SAP* does not exist in at least one client and the profile parameter login/no_automatic_user_sapstar is set to 1 on at least one application server (refer also to the "Control of the Automatic Login User SAP*" check).
  • At least one of the users SAPCPIC, EARLYWATCH, or TMSADM still has the initial password provided in at least one client.
  • User TMSADM exists in at least one client, except client 000.

RED:

  • User SAP* does not exist in at least one client and the profile parameter login/no_automatic_user_sapstar is set to 0 on at least one application server (refer also to the "Control of the Automatic Login User SAP*" check).
  • At least one of the users SAP* or DDIC still has the initial password provided in at least one client.

For a complete explanation of the ratings, review SAP Note 863362 - Security checks in SAP EarlyWatch Alert, EarlyWatch and GoingLive sessions.

Additional Details
For further clarification, refer to SAP Note 1610103 - EWA : Default Password of Standard Users - Detailed overview for T/S

Control of the Automatic Login User SAP*

Purpose

To validate whether the profile parameter login/no_automatic_user_sapstar is set to 1.

If the user master record belonging to user SAP* is deleted, it is possible to log on again with SAP* and the initial password. SAP* then has the following attributes:

  • The user has all authorizations, as authorization checks cannot be executed.
  • You cannot change the standard password.

You can deactivate the special attributes of SAP* using profile parameter login/no_automatic_user_sapstar.

Rating

YELLOW:

  • Current value of the parameter is set to 0 on one or more instances.

For a complete explanation of the ratings, review SAP Note 863362 - Security checks in SAP EarlyWatch Alert, EarlyWatch and GoingLive sessions.

Additional Details
For further information, see SAP Note 68048.

Protection of Passwords in Database Connections

Purpose

The system checks whether the table DBCON contains passwords for the database connections. The passwords are encrypted, but they can be decrypted easily.

If this recommendation is displayed, there are DB connections with passwords on the analyzed system. Although transaction DBCO (which you use to maintain such DB connections) does not show the passwords, you can find the obfuscated passwords using transaction SE16 for table DBCON with the field value PASSWORD <> space.

Recommendation

Apply SAP Security Note 1823566 and make sure that you execute the valid manual postprocessing step if you apply the Note correction or the corresponding support package. 

This Note is valid for all ABAP installations that use database connections, even though its text focuses on SAP Solution Manager. The Note refers to SAP Solution Manager because typically many DB connections are maintained there.

See SAP Note 863362 and search for 'Protection of passwords in database connections'.

Additional Details
For further information, see SAP Note 68048 - Deactivating the automatic SAP* user.

ABAP Password Policy

Purpose

To check whether the current system settings allow a password length of fewer than 8 characters, whether a complex password policy is enforced, and whether the validity of initial passwords is restricted. The sub-checks Password Complexity and Validity of Initial Passwords are shown in the EWA report.

Recommendation

  • Assign a minimum value of 8 to the profile parameter login/min_password_lng.
  • Enforce a minimum of 3 independent character categories using the corresponding profile parameters. For more information, see SAP Note 862989 and the section Profile Parameters for Logon and Password (Login Parameters).
  • Follow the recommendation to restrict password validity. Refer to SAP Note 862989 and the section Profile Parameters for Logon and Password (Login Parameters).

Additional Details
Refer to SAP Note 863362 - Security checks in SAP EarlyWatch Alert, EarlyWatch and GoingLive sessions
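The two profile-parameter checks described above (Control of the Automatic Login User SAP* and the length and complexity part of the ABAP Password Policy), as an added example that is not part of this wiki or of the EWA itself: it parses instance profiles in the usual "parameter = value" syntax and reports each deviation per instance. The profile contents are constructed, and the kernel default of 1 assumed for a missing login/no_automatic_user_sapstar and the set of character-category parameters are assumptions of the example.

```python
# Constructed sample instance profiles (not taken from any real system),
# in the "parameter = value" syntax of SAP instance profiles.
INSTANCE_PROFILES = {
    "app01": """login/no_automatic_user_sapstar = 1
login/min_password_lng = 8
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_specials = 1
""",
    "app02": """login/no_automatic_user_sapstar = 0
login/min_password_lng = 6
login/min_password_digits = 1
""",
}

# Kernel parameters that each enforce one character category; counting a
# value >= 1 as one enforced category is an assumption of this example.
CATEGORY_PARAMS = ("login/min_password_digits", "login/min_password_letters",
                   "login/min_password_specials", "login/min_password_lowercase",
                   "login/min_password_uppercase")

def parse_profile(text: str) -> dict:
    """Return parameter -> value, skipping comment and blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def rate_instance(params: dict) -> list:
    """Findings for one instance; an empty list means no deviation."""
    findings = []
    # Missing login/no_automatic_user_sapstar is treated as kernel default 1 (assumption);
    # a missing password parameter is treated as 0, i.e. not meeting the recommendation.
    if params.get("login/no_automatic_user_sapstar", "1") == "0":
        findings.append("login/no_automatic_user_sapstar = 0: automatic SAP* logon possible")
    if int(params.get("login/min_password_lng", "0")) < 8:
        findings.append("login/min_password_lng below the recommended minimum of 8")
    categories = sum(1 for p in CATEGORY_PARAMS if int(params.get(p, "0")) >= 1)
    if categories < 3:
        findings.append(f"only {categories} character categories enforced, 3 recommended")
    return findings

def rate_system(profiles: dict) -> dict:
    """Findings per instance; any finding on any instance rates the check YELLOW."""
    return {name: rate_instance(parse_profile(text)) for name, text in profiles.items()}
```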

Users with Critical Authorizations

Purpose

The checks in this section analyze how extensively critical authorizations are assigned in the system. Examples of critical authorizations from the areas "System administration", "User management" and "Access to sensitive data" are checked.

However, a complete security analysis of the system is not carried out. If you want to carry out an extensive and configurable analysis, use the Security Optimization self-service. You can find more information at https://support.sap.com/support-programs-services/services/security-optimization-services.html.

The check is broken down into a number of sub-checks. For a complete explanation of the ratings, refer to SAP Note 863362 - Security checks in SAP EarlyWatch Alert, EarlyWatch and GoingLive sessions.

Subchecks include:

  • Super User Accounts
  • Users Authorized to Change or Display all Tables
  • Users Authorized to Start all Reports
  • Users Authorized to Debug / Replace
  • Users Authorized to Display Other Users Spool Request
  • Users Authorized to Administer RFC Connections
  • Users Authorized to Reset/Change User Password

Rating

The check is rated critical if several users in one client have the checked authorization.

Critical applies if:

  • More than 75 users of a client have the same authorization
  • More than 10% of the users (but at least 11) of a client have the checked authorization

Refer to SAP Note 863362 for a complete explanation of the ratings.

Additional Details
1859691 - EWA check "Users with critical authorizations"-how to match the numbers.
1966744 - EWA report: Firefighter accounts have been identified on your system.

Gateway and Message Server Security

Purpose

To check selected security aspects with respect to the kernel patch level, SAP gateway, and SAP message server.

Sub-checks include:

  • Kernel Patch Level
    This check specifies the minimum version and recommends the usage of the most current kernel. In this case, the maximum possible rating is YELLOW. Source: SAP Note 863362.

  • Gateway Security
    The profile parameter gw/reg_no_conn is checked according to SAP Notes 1298433 and 1444282. The highest possible rating of this section is YELLOW.

    This check processes the profile parameter gw/acl_mode as described in SAP Note 1480644. The highest possible rating of this section is YELLOW.

    Gateway access control lists: Here, the profile parameters gw/sec_info and gw/reg_info are checked according to SAP Note 1425765. If at least one of these parameters is not set, the rating is YELLOW. The contents of the access control lists (ACLs) sec_info and reg_info are also checked. If these files do not exist, are empty, or contain trivial expressions (in which case the gateway accepts all connections), the rating is YELLOW. The rating is RED if the access control list sec_info is deemed insufficient and can be exploited, that is, when:

    ♦ sec_info does not exist, is empty or contains trivial expressions and, at the same time, the parameter gw/acl_mode is not set.
    ♦ sec_info contains trivial expressions and, at the same time, the parameter gw/acl_mode is set (see check "Enabling an Initial Security Environment").

    You can find more information in the unit "Configuring Connections between SAP Gateway and External Programs Securely" in the SAP Help Portal. Source: SAP Note 863362.

    Example: Gateway access control list (reg_info/sec_info) containing trivial entries (screenshot in the original page, not reproduced here).

    Recommendation: Follow the steps outlined in SAP Note 1425765. This Note is mentioned in the wiki link that is provided in the EWA report.

    Additional Details
    1887929 - EWA alert: "Gateway and Message Server Security" - GW/REG_NO_CONN_INFO

  • Message Server Security
    In this section, the profile parameters rdisp/msserv, rdisp/msserv_internal, ms/monitor, and ms/admin_port are checked. The highest possible rating of this section is YELLOW. For more information, refer to SAP Note 863362 and search for 'Message Server Security'.
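The sec_info part of the gateway ACL rating described above, as an added example that is not part of this wiki or of the EWA itself: it parses an ACL in the "#VERSION=2" syntax, detects trivial (all-wildcard) permit lines, and derives the RED/YELLOW/GREEN outcome from the two RED conditions listed. The ACL contents are constructed, and the example assumes that gw/sec_info and gw/reg_info themselves are set, so only the file content is rated.

```python
# Constructed sample ACL files (not from any real system) in the
# "#VERSION=2" syntax of the file that gw/sec_info points to.
SEC_INFO_TRIVIAL = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
"""
SEC_INFO_RESTRICTIVE = """#VERSION=2
P TP=* USER=* HOST=local USER-HOST=local
P TP=sapxpg USER=* HOST=internal USER-HOST=internal
D TP=* USER=* HOST=* USER-HOST=*
"""

def parse_acl(text: str) -> list:
    """Parse permit (P) / deny (D) lines into dicts: {'action': ..., 'TP': ..., ...}."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        rule = {"action": action.upper()}
        for field in fields:
            key, _, value = field.partition("=")
            rule[key.upper()] = value
        rules.append(rule)
    return rules

def has_trivial_permit(rules: list) -> bool:
    """A permit rule with every field set to '*' makes the gateway accept all connections."""
    return any(r["action"] == "P" and all(v == "*" for k, v in r.items() if k != "action")
               for r in rules)

def rate_sec_info(sec_info, acl_mode_set: bool) -> str:
    """Rating of the sec_info content as described above: RED when the ACL is missing,
    empty or trivial while gw/acl_mode is not set, or trivial while gw/acl_mode is set;
    YELLOW when it is missing or empty but gw/acl_mode is set; GREEN otherwise.
    sec_info is the file content, or None if the file does not exist."""
    rules = parse_acl(sec_info) if sec_info else []
    missing_or_empty = not rules
    if has_trivial_permit(rules) or (missing_or_empty and not acl_mode_set):
        return "RED"
    if missing_or_empty:
        return "YELLOW"
    return "GREEN"
```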

FAQ

Symptom: The EWA does not show all Security sub-sections in the report. For example, Super User Accounts is shown in the EWA report, but other sections such as 'Users Authorized to Change or Display all Tables' are missing.

Explanation: The Security chapter of the EWA does not show a sub-section if that sub-section is rated GREEN. If you open the same EWA session number in the Session Workbench (transaction DSA), it will confirm that the sub-sections are indeed rated GREEN. For the threshold of the critical rating, refer to SAP Note 863362.

The screenshot referenced here (not reproduced) shows an EWA report in which only Super User Accounts appears, as expected in this situation.

Additional Details
2719225 - Validate EWA Security Checks data source for 'Users Authorized to Change or Display all Tables' & 'Users Authorized to Start all Reports'
