Palisade Magazine

October 2008

SAP Baseline Security Audit

by Rajesh Gopinath, GCIH

A SAP Baseline Security Audit tells enterprises how their SAP security posture stacks up against industry best practices. The Baseline Security Audit is the first step in a comprehensive security audit program and is ideal for generating a quick win early. This article outlines the areas covered under the SAP Baseline Security Audit we perform. The audit covers two high-level areas:

  1. Essential Technical Controls
  2. Essential Process Controls

Essential Technical Controls

The key components of the SAP infrastructure are checked for technical vulnerabilities. These components include:

  • SAP web servers
  • SAP ECC servers
  • SAP database servers
  • Firewalls

The technical controls we examine are categorized as:

  • Authentication and Access controls
  • Server controls
  • Network controls

Next, we drill down into a few specific checks to illustrate the type of checks that are performed in practice:

Authentication and Access Controls

  • Has a minimum password length been enforced? (login/min_password_lng)
  • Have the default passwords for default users (“SAP*”, “DDIC”, etc.) been changed?
  • Has an expiration time been set for passwords? (login/password_expiration_time)
  • Is the maximum number of failed logins before an account is locked set? (login/fails_to_user_lock)
  • Are multiple user sessions suppressed?
  • Have the passwords of the default database accounts been changed?
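The first four checks above can be automated against an exported instance profile. The following script is an added example, not part of the original article or of any SAP tooling: it parses profile lines of the form `name = value`, compares the login/* parameters against a baseline, and reports PASS, FAIL or MISSING. The threshold values in BASELINE (length at least 8, expiry between 1 and 90 days, lock after at most 5 failures, login/disable_multi_gui_login set to 1 for the multiple-session check) are assumed audit targets, not values stated in the article; adjust them to the enterprise policy being audited. The sample profile is constructed.

```python
import re

# Constructed sample of an SAP instance profile excerpt (not from a real system).
SAMPLE_PROFILE = """\
# Instance profile excerpt (constructed sample)
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/disable_multi_gui_login = 0
"""

# Assumed baseline thresholds (audit targets chosen for this example, not from the article).
# ("min", n)        -> value must be >= n
# ("range", (a, b)) -> value must satisfy a <= value <= b
BASELINE = {
    "login/min_password_lng": ("min", 8, "minimum password length"),
    "login/password_expiration_time": ("range", (1, 90), "password expiry in days"),
    "login/fails_to_user_lock": ("range", (1, 5), "failed logins before lock"),
    "login/disable_multi_gui_login": ("min", 1, "suppress multiple GUI sessions"),
}

# A profile parameter line: name = value; lines starting with '#' are comments.
PARAM_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: raw string value} for every 'name = value' line."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_profile(params):
    """Compare parsed parameters to BASELINE; return (name, status, detail) tuples."""
    findings = []
    for name, (kind, bound, desc) in BASELINE.items():
        raw = params.get(name)
        if raw is None:
            # Not set in the profile: the kernel default applies, which must be reviewed.
            findings.append((name, "MISSING", f"{desc}: not set, kernel default applies"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, "FAIL", f"{desc}: non-numeric value {raw!r}"))
            continue
        if kind == "min":
            ok, expected = value >= bound, f">= {bound}"
        else:
            lo, hi = bound
            ok, expected = lo <= value <= hi, f"between {lo} and {hi}"
        findings.append((name, "PASS" if ok else "FAIL", f"{desc}: {value} (expected {expected})"))
    return findings


if __name__ == "__main__":
    for name, status, detail in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{status:8} {name:36} {detail}")
```

Run it against a profile copied from the SAP instance's profile directory, or against a parameter export from RZ11, and every login/* finding that is not PASS becomes an audit item; MISSING is reported separately because the effective value is then the kernel default rather than an explicit administrative choice.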

Network Controls

  • Has RFC communication in the SAP gateway been secured with the secinfo file?
  • Is SSL or SNC in place to encrypt traffic for DIAG or RFC connections?
  • Has the network been segmented with adequate isolation for various SAP elements?
  • Does the firewall rulebase have insecure rules?
  • Are blocked connections logged?
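The secinfo check above is one an auditor can script: the gateway evaluates secinfo entries top to bottom and applies the first match, so a permit entry built from wildcards, or the absence of a closing deny-all entry, is what to look for. The following script is an added example written for this article, not SAP code: it parses a version-2 secinfo file (`#VERSION=2` header, then `P`/`D` lines with TP=, HOST=, USER= and USER-HOST= fields), flags permit rules that wildcard TP and HOST as HIGH, any other wildcarded permit as MEDIUM, and a missing final explicit deny as LOW. Two assumptions are made for the audit: a field omitted from a rule is treated as unrestricted (`*`), and only the version-2 syntax is handled. The sample file is constructed.

```python
import re

# Constructed sample secinfo in version-2 format (not taken from any real system).
SAMPLE_SECINFO = """\
#VERSION=2
# Allow the application server's own OS user to start one specific program
P TP=sapxpg HOST=appsrv01.example.internal USER=sapadm USER-HOST=appsrv01.example.internal
# Overly broad rule: any caller, from any host, may start any program
P TP=* HOST=* USER=*
"""

FIELDS = ("TP", "HOST", "USER", "USER-HOST")
ACTION_RE = re.compile(r"^([PDpd])\s+(.*)$")   # leading P (permit) or D (deny)
TOKEN_RE = re.compile(r"([A-Z-]+)=(\S+)")       # KEY=value tokens separated by whitespace


def parse_secinfo(text):
    """Return (version, rules); each rule is a dict with line, action and the four fields."""
    version, rules = 1, []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.upper().startswith("#VERSION="):
            version = int(s.split("=", 1)[1])
            continue
        if not s or s.startswith("#"):
            continue
        action = "P"                       # an entry without P/D is a permit entry
        m = ACTION_RE.match(s)
        if m:
            action, s = m.group(1).upper(), m.group(2)
        fields = dict(TOKEN_RE.findall(s))
        # Audit assumption: an omitted field is treated as unrestricted ('*').
        rule = {"line": lineno, "action": action}
        rule.update({k: fields.get(k, "*") for k in FIELDS})
        rules.append(rule)
    return version, rules


def audit_secinfo(rules):
    """Return (line, severity, message) findings for permissive or incomplete rule sets."""
    findings = []
    for r in rules:
        if r["action"] != "P":
            continue
        wild = [k for k in ("TP", "HOST", "USER") if r[k] == "*"]
        if {"TP", "HOST"} <= set(wild):
            sev = "HIGH"      # any program, from any host: effectively no restriction
        elif wild:
            sev = "MEDIUM"    # partially wildcarded permit: needs justification
        else:
            continue
        findings.append((r["line"], sev, "permit rule with wildcard " + ", ".join(wild)))
    last_is_deny_all = bool(rules) and rules[-1]["action"] == "D" and all(
        rules[-1][k] == "*" for k in ("TP", "HOST", "USER")
    )
    if not last_is_deny_all:
        findings.append((None, "LOW", "no explicit final deny-all rule (D TP=* HOST=* USER=* USER-HOST=*)"))
    return findings


if __name__ == "__main__":
    version, rules = parse_secinfo(SAMPLE_SECINFO)
    print(f"secinfo version {version}, {len(rules)} rules")
    for line, sev, msg in audit_secinfo(rules):
        where = f"line {line}" if line else "file"
        print(f"{sev:6} {where:8} {msg}")
```

The same parser can be pointed at the reginfo file, which shares the version-2 syntax, to review which external programs may register at the gateway; the severity rules would then need to reflect the TP and HOST semantics of registration rather than of program start.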

Server Controls

  • Have the latest patches been applied on the server?
  • Are unnecessary and unsecured Internet services running?
  • Are the OS file permissions adequately restrictive?
  • Has the execution of OS commands from SAP via SM49 been prevented?

Essential Process Controls

Key processes for administering the SAP environment are checked for compliance with the enterprise policy and industry best practices in this phase of the audit.

The areas covered under this phase are:

  • Backup and Recovery Processes
  • Change Management Processes
  • Identity Management Processes
  • Incident Management Processes

Next, we drill down into a few specific checks to illustrate the type of checks that are performed in practice:

Key Roles and Responsibilities

  • Have responsibilities been defined for key roles?
  • Are key administrative roles separated? (e.g., user creation and approval)

Backup and Recovery Processes

  • Does the backup schedule adhere to policy?
  • Are backups encrypted?
  • Are backup tapes labeled?
  • Are offsite copies of backups maintained?
  • Is recovery tested periodically in line with policy?

Change Management Processes

  • Are well-defined processes adhered to for change management?
  • Does a change management committee review and approve all changes to production?
  • Are changes to production tested in staging before being migrated to production?

Identity Management Processes

  • Is the administrative process for communicating passwords to new users secure?

Incident Management Processes

  • Are incident management procedures defined and communicated to all key personnel?

The above are sample checks performed as part of the baseline audit.

What a Baseline Security Audit Does Not Cover

The Baseline Security Audit focuses on quick wins; it does not cover the following audits, which require a greater investment of time and effort:

  • Authorizations audit, to check whether authorizations have been assigned correctly
  • Business process audit, to check whether the business processes implemented in SAP permit fraud