SAP Security Baseline 2.5 – Key Points

Information disclosure – HANA 

Data should be protected by enabling encryption for data volumes, logs and backups. Further, the corresponding encryption keys must be stored externally in case of a recovery situation. 

 

Information disclosure – Web Dispatcher 

Requirements have been adjusted for particular kernel versions (> kernel 7.81) and filtering of certain URL paths /sap/public/icman/* and /sap/public/icf_info/*. 

 

Directory Traversal Protection – ABAP 

Requirements for secure file handling from the ABAP stack have been updated by:  

• Profile parameter: abap/path_norm_Windows. 
• Parameter settings for transaction SFILE: REJECT_EMPTY_PATH and REJECT_EMPTY_PATH. 

 

Message Server Security – ABAP and JAVA 

General access to the message server should be restricted by making proper use of an Access Control List (ACL). This recommendation has been updated. 

 

No Testing Functionality in Production – ABAP 

Requirements have been added for testing authorizations in productions for functions S_DEVELOP FUGR and S_DEVELOP CLASS. As well as deactivation of testing services. 

 

User Control of Action – ABAP 

Some minor adjustments for parameter settings have been made.  

 

User types and allowed character sets for usernames 

Requirements have been added to make proper distinction in user type for personal and technical users in general. For ABAP systems, restrictions have been added on characters that can be used to create usernames. This prevents usernames that appear the same but are actually different or create confusion. For example: without proper settings, it is possible separate users as shown below (notice the ‘white spaces’ in front and in between the username): 

 

Password Policy – HANA 

The requirements for password policy have been enhanced with the following parameters to enforce a tighter security policy: 

• maximum_invalid_connect_attempts (Number of Allowed Failed Logon Attempts). 
• password_lock_for_system_user (Exempt SYSTEM User from Locking) 
• password_lock_time (User Lock Time) 
• minimum_password_lifetime (Minimum Password Lifetime) 
• password_expire_warning_time (Notification of Password Expiration) 

 

Trusting relations and trusted destinations – ABAP  

As stated in the baseline’s changelog, the requirements for trusting and trusted destinations have been added to only configure trusted relations. In summary, the controls entail: 

• Removal of any trusting/trusted relationships. 
• Migration of old relationships to new security methods. 
• Usage of SNC or TLS. 
• Control of authorizations with objects S_RFCACL, S_RFC_ADM_TT and S_ICF. 
• Configuration of parameters rfc/selftrust and rfc/allowoldticket4tt. 

 

Authorizations for ABAP 

Requirements have been added or enhanced for ABAP authorizations: 

• Authorization objects S_DBG, S_USER_GRP, S_TABU_DIS. 
• Customizing settings on US_ASGM_TRANSPORT and USER_REL_IMPORT 

 

Audit settings – HANA 

Requirement has been added to define audit policies according to the SAP best practices. 

 

Secure default settings in S/4 HANA 2023 and BW/4HANA 2023 

The new default settings for these products are mentioned. These partly concern settings that are mentioned above (Restricted character sets for usernames, customizing settings US_ASGM_TRANSPORT and USER_REL_IMPORT and parameter settings for rfc/allowoldticket4tt and HANA encryption).