
Prerequisites for an AI-driven SAP Security – Part 2: System Hardening


We started talking about the potential of AI to improve your SAP Security posture some months ago and identified the need for reducing the attack surface of an SAP system so AI can unleash its full benefits when creating a security shield around your SAP environment. In the previous article, part 1 of our series about “Prerequisites for an AI-driven SAP Security”, we touched upon the critical topic of Patch Management, which is key for reducing the attack surface.  

How system configurations and settings impact your attack surface

While Patch Management helps you implement code fixes for known vulnerabilities in the system code, your SAP system still has a huge number of parameters and settings that influence the behavior of the application. Quite a few of them are security-related and have a significant impact on your attack surface.

It is key for the security of your business-critical SAP systems that you harden them. This involves changing the (sometimes insecure) default settings and parameters to more secure values and configuring system logging to ensure proper forensics and capture all necessary records. It also includes securing communication between the different systems and technical components via various APIs, like HTTP or RFC, and activating only those Internet Communication Framework (ICF) services you need. It is beneficial to harden these typical technical components responsible for communications like your SAP Router, Message Server, Web Dispatcher, and Internet Communication Manager (ICM) based on best-practice security recommendations. Do not forget to extend this security focus to other systems and components that all play an integral part in your SAP landscape like JAVA systems, SAP Business Objects, connected cloud-based systems, printers and scanners, etc. 

Managing access to your SAP systems is crucial for further reducing the attack surface. Make sure you follow the principle of least privilege within user authorizations and keep the group of users with elevated privileges (especially SAP_ALL) small. Also, check the settings of the RFC destinations in your SAP landscape. Prevent someone from accessing a critical system from a less critical one through an unsecured RFC call. This safeguards against directory traversal attacks, which are very dangerous in SAP environments.

These are pivotal topics to consider. Without them, no AI-based security monitoring system can protect your SAP application from being hacked. It would be a walk in the park for cybercriminals because your systems would have too many open backdoors.

Follow security recommendations and automate compliance checks

You don’t need to reinvent the wheel when configuring your SAP system. There are many configuration guidelines and baselines available, like the SAP Security Baseline or checklists from various SAP user groups such as the German-speaking user group, DSAG. Moreover, they all have one thing in common: they are highly comprehensive. Following these guidelines also ensures the compliance of your SAP system with common security frameworks or regulations, like SOX, NIST or KRITIS.  

SAP Security experts know how cumbersome it is to get the SAP system “clean” and how tedious it is to “stay clean” as there are always changes happening in an SAP environment. Therefore, automating these Security & Compliance checks is a key success factor for SAP system hardening.  
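As an added example (not SecurityBridge's or SAP's code), the following Python script shows the kind of automated check described above: it parses a profile file and reports every parameter that deviates from a hardening baseline. The parameter names are real SAP profile parameters, but the target values and the sample profile are assumptions constructed for illustration.

```python
import operator

# Illustrative hardening targets (assumed values, not quoted from the SAP
# Security Baseline or the DSAG guideline); replace with your chosen baseline.
BASELINE = {
    "login/min_password_lng": (">=", 8),
    "login/no_automatic_user_sapstar": ("==", 1),
    "login/password_downwards_compatibility": ("==", 0),
    "rfc/reject_expired_passwd": ("==", 1),
    "gw/acl_mode": ("==", 1),
}
OPS = {">=": operator.ge, "==": operator.eq}

# Constructed sample in the "name = value" layout of a profile file.
SAMPLE_PROFILE = """\
# constructed sample profile
login/min_password_lng = 6
login/no_automatic_user_sapstar = 1
gw/acl_mode = 0
rfc/reject_expired_passwd = yes
"""

def parse_profile(text):
    """Return {parameter: raw value}; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def check_profile(text, baseline=BASELINE):
    """Return (parameter, status, actual, expected) for every deviation."""
    params = parse_profile(text)
    findings = []
    for name, (op, target) in sorted(baseline.items()):
        raw, expected = params.get(name), f"{op} {target}"
        if raw is None:
            # Not in the profile: the kernel default applies, verify it live.
            findings.append((name, "NOT_SET", None, expected))
        elif not raw.isdecimal():
            findings.append((name, "UNPARSEABLE", raw, expected))
        elif not OPS[op](int(raw), target):
            findings.append((name, "FAIL", raw, expected))
    return findings

if __name__ == "__main__":
    print(*check_profile(SAMPLE_PROFILE), sep="\n")
```

Running a check like this on a schedule and comparing the findings with the previous run also surfaces configuration drift, which is the "stay clean" part of the problem.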

The SecurityBridge Platform helps you automate all SAP system checks needed to ensure security and compliance with all relevant security frameworks or regulations. It uses multiple baselines in parallel, including the SAP Security Baseline and the DSAG Security Guideline to ensure secure parameters across all SAP stacks, technical components and layers. In addition, it validates user authorizations, interface configurations and other application controls for providing administrative recommendations to further reduce the attack surface.  

These recommendations are presented as a daily updated Security Roadmap for SAP with ranked findings based on a balance between exploitation risk and resolution complexity. Starting with the “low-hanging fruit” that has a high risk but can be mitigated easily, the roadmap also provides all necessary details for decision making and the recommended parameter values. With these, you are on the best track to harden your SAP systems and ensure their maintenance on that level moving forward. Finally, the SecurityBridge Platform provides compliance reports based on various regulations, like SOX or NIST, making the next SAP Security audit a walk in the park for you.

Are you interested in learning how we can help you adopt Security & Compliance and establish an SAP Security Hardening Roadmap? Contact us and we will be happy to tell you more about our guided approach to SAP Security excellence. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!

Posted by Holger Huegel
