SAP Hardening and Patch Management Guide for Windows Server

Transcription

1 SAP Hardening and Patch Management Guide for Windows Server Microsoft Corporation November 15, 2005 Summary This whitepaper introduces security measures for SAP systems running on Windows Server. Two security measures are described: hardening and patch management. These security measures can help enhance security within your Windows Server-based SAP environment.

2 The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This Whitepaper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may own patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not assign any license to these patents, trademarks, copyrights, or other intellectual property Microsoft Corporation. All rights reserved. Microsoft, SQL Server, Windows, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

3 Table of Contents 1 Introduction Hardening What Is Hardening? Multi-layered Hardening Harding Implementation Steps Implementation of Hardening... 7 Network Hardening... 7 Server Hardening Implement Other Hardening Other Hardening Information Operation Checks Final Security Check Other Methods for Checking Hardening Implementation Patch Management What Is Patch Management? Collecting Information Collecting Information about Security Vulnerability Assessing Risks Assessing the Consequences and Urgency of the Vulnerability What is a Vulnerability Assessment Matrix? Organizing the Information about Security Vulnerability Assessing the Pros and Cons of the Risk Determining the Degree of Urgency Devising a Plan for Responding to the Vulnerability Applying Security Update Program Points to Consider When Applying Security Patches Testing the Security Update Program before Application Testing the Application in a Test Environment Updating via Management Tools Monitoring the Results Verifying Behavior in the Test Environment... 63

4 Confirming the Steps for Roll-Back in the Test Environment Confirming that the Necessary Programs have been Applied Appendix: Report on Hardening Verification Verification Scenarios Contents of Verifications Verification Results Network Hardening Settings Network Hardening in SAP R/3 Enterprise Network Hardening in SAP ITS Network Hardening in SAP Enterprise Portal Service and Other Hardening Settings Service Hardening Using Templates Reconfigurations Made After the Application of Security Templates SAP Hardening and Patch Management Guide for Windows Server 4

5 1 Introduction Recently, there has been an increase in reports by newspapers and TV programs about computer virus damage and information leakages. Computer virus damage and information leakages may cause suspension of business and consume large amounts of company resources in taking countermeasures. In serious cases, it may pose a threat to the status and reputation of the company. SAP systems typically handle mission-critical operations, such as finance and sensitive company information. For this reason, if information leakage or virus problems occur in an SAP system, the company may suffer enormous damage. To reduce the risk of unplanned system shutdowns, effective security measures must be taken. This whitepaper presents hardening and patch management as security measures against such risks to Windows Server-based SAP systems. The purpose of hardening is to achieve a system environment that is less vulnerable to unauthorized access and virus attacks. In the Hardening chapter, we describe how to define and implement hardening, as well as verify the implementation. The purpose of patch management is to assess the specific risks to a company and to apply appropriately timed security update programs. With patch management, the minimum required security update programs can be applied to that helps to minimize the risks and costs of system changes. In the Patch Management chapter, defining patch management and operation is explained in five steps: "Collecting Information", "Assessing Risks", "Applying the Security Update Programs", and "Monitoring the Result." Throughout the chapter, risk assessment is emphasized. Note: Hardening and patch management are complementary procedures and implementation of one without the other will be insufficient. Hardening helps to reduce a system from possible attacks (such as from computer viruses), but may not be able to handle unfamiliar attack methods. To minimize this possibility, risk assessment (as a part of patch management) should be implemented. Purpose of This Whitepaper Secure system environments can be maintained by applying security update programs as soon as they are released. However, it may be difficult to apply them immediately after release because of issues such as the costs associated with verifying the effect of a security update program, the interruption of services when the programs are applied to the operating environment, and the risk of altering the operating environment. This whitepaper aims at helping to alleviate these problems and attempts to help you build a more secure SAP system. By applying what is described in this whitepaper to a Windows Server-based SAP system, help with securing an SAP system (and thus addressing an aspect of high system availability) is achieved and TCO may be reduced. Note that most of the configuration-specific guidance in this paper is applicable to Windows Server Similar procedures may be found in Windows Server 2000 documentation dependent on the particular topic covered. SAP Hardening and Patch Management Guide for Windows Server 1

6 Scope of Security Measures Covered in This Whitepaper Common security measures are further classified into "technical measures" (such as installation or configuration of hardware and software) and "institutional measures" (such as creation of policies, or determination and analyses of vulnerabilities). Figure 1 Security Measures Among the security measures illustrated in Figure 1, "Building a Secure System (Multi-layer Defense)" and "Patch Management" can be effective technical measures if implemented properly. SAP Hardening and Patch Management Guide for Windows Server 2

7 Multi-layer Defense Using a multi-layer approach Increases risk for attackers to be detected Reduces the possibility of successful attacks The idea is to protect the system from unexpected attacks. It enhances protection by setting multiple defense lines. Data Application Host Internal Network Boundaries Equipment Security Policies, Regulations and Awareness ACL, Encryption Enhancing Applications, Virus Protection Enhancing operation systems, Security Update Management, Authentication, HIDS Network Segment, IPSec, NIDS Firewall, VPN isolation Security Guard, Lock and Tracking Device User Education Figure 2 Multi-layer Defense SAP Hardening and Patch Management Guide for Windows Server 3

8 This whitepaper covers the security measures indicated under the Category column of Table 1: Common Security Measures. For security issues not listed here, appropriate measures will need to be implemented as necessary. Table 1: Common Security Measures Category Measures Coverage Technical measures Security breach inspection Building a secure system (multi-layer defense) Data Application Host Internal network Boundaries Yes Yes Equipment security Institutional measures Patch Management Policies, regulations, and awareness Monitoring viruses and unauthorized access Risk analysis Operation guidelines Risk management procedures Policy implementation Yes Yes It is also important to note that such security measures must be considered on every SAP system in your environment (regardless of the type of operating system or database used) as no platform is completely secure. SAP Hardening and Patch Management Guide for Windows Server 4

9 2 Hardening This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP system. Contents of this Chapter This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP system. 1. What is Hardening? 2. Multi-layered Hardening 3. Implementation of Hardening 4. Final Security Check 5. Summary 2.1 What Is Hardening? Hardening an SAP system is configuring your SAP system with only the minimum platform functions that are necessary for operating the system. In this way, security, availability and reduction of the operating cost of the system is addressed. Hardening Defined Definition: Configuring SAP systems with only the minimum platform functions that are necessary for operating the system. Effect: Effect: Effect: Enhances security Prevent the SAP system from exposure to unnecessary vulnerability risks and block computer virus attacks to a maximum extent. Ensures availability Minimize the frequency of applying security update programs that often require systems to be shutdown. Reduces operational cost Minimize the frequency of applying security update programs that may involve userside testing. SAP Hardening and Patch Management Guide for Windows Server 5

10 2.2 Multi-layered Hardening This whitepaper covers three types of hardening which are especially effective on SAP systems. Effective hardening methods for SAP systems This whitepaper covers three types of hardening can be effective on SAP systems, if implemented properly. 1. Network hardening (internal network layer) 2. Service hardening (host layer) 3. Other hardening (host layer) 2.3 Harding Implementation Steps Hardening should be implemented in stages. For example, take one item (such as network or service) at a time, check the behavior, then move on to the next item. Assure there is a means for rollback or backup the system configuration (*1) Implement network hardening Implement server hardening Implement other hardening Step-by-step implementation of hardening Repeat the procedure for each server and hardening (rollback when a problem arises) Operation checks Final security check (*2) Figure 3 - Hardening Implementation Steps *1 Use ASR backup of Windows Server 2003 or a third party image backup tool. *2 Use Microsoft Baseline Security Analyzer or other tools. SAP Hardening and Patch Management Guide for Windows Server 6

11 2.4 Implementation of Hardening Before implementing high-quality hardening, some preparation is required. Some important preparation tasks are: clarifying the required security level, checking the specifications of your system, determining what might need hardening, estimating the cost and the effect of the hardening, and determining what to harden. Preparations before implementing hardening Before implementing high-quality hardening, some preparation is required. 1. Clarifying the required security level Determine how far security should be enhanced. 2. Checking the system specifications Check the specifications of not only the SAP system but also systems other than SAP. This includes checking required communication paths, ports, and services. 3. Determining what might need hardening Determine what should be subjected to network, service, and other hardenings. 4. Estimating the cost and the effect of the hardening Estimate the effect and the associated cost beforehand to ensure maximum effect with minimum cost. 5. Determining what to harden Decide which items should be subjected to hardening and how extensively it should be done. Network Hardening Hardening networks on an SAP system is implementing packet filtering to block unnecessary communications. With this, the goal is to make stacks more difficult by blocking unnecessary communication. Network Hardening Defined Definition: Implementing packet filtering on SAP systems to block unnecessary communications. Effect: Blocks attacks that use unnecessary communications Making attacks against vulnerability more difficult by closing unnecessary communications to SAP systems. SAP Hardening and Patch Management Guide for Windows Server 7

12 Network hardening is important on SAP systems for the following reasons: 1) SAP systems only use specific ports that can be easily identified, 2) the ports used on SAP systems are typically less apt to be attacked by computer viruses, and 3) hardening networks to the maximum extent makes attacks more difficult for hackers. Importance of Network Hardening Reasons why network hardening is important on all SAP systems in your environment. Reason: SAP systems only use specific ports that can be easily identified. The ports are further limited when the functions of the SAP J2EE engine are suspended. Reason: The ports used on SAP systems are that are typically less apt to be attacked by computer viruses. The ports are also customizable. Reason: Therefore, hardening networks to the maximum extent makes attacks more difficult. As a first step, determine which servers are critical to deliver SAP services (which servers might be a single point of failure from a network hardening perspective?). SAP Central Instance SAP Database Instance Other non-redundant servers Such a determination will decrease the time necessary to install the applicable security patches which could lead to downtime for these servers from a standpoint of availability. Therefore, there would be implementation of port and services limits of these specific SAP application and database servers (also effective with SAP Router) while other servers may not have such strict limitations. Overall, separate SAP servers which potentially have a single point of failure (CI, DB, etc.) from others; thus creating a SAP server segment via firewall, router, etc. So that security patches can be done one by one, other SAP-related servers that are redundant are separate (e.g. SAP dialog instance, ITS AGate/WGate, etc.). SAP Hardening and Patch Management Guide for Windows Server 8

13 Figure 4 An Example of Network Hardening for a Corporate Network Ports and Packet Filtering Packet filtering should be taken into consideration to block all unnecessary network traffic on ports to SAP systems (as well as any 3 rd party tools) and IPSec script policy should be leveraged. Execute IPSec policy scripts on each Windows Server and hardware-based packet filtering to lock down specific ports can be done via a firewall, router, and layer 3 switch among network subnets. (See SAP Note #66687 ( Use of Network Security Products ) concerning SAP certification requirements for some 3 rd party network security tools.) Note that Microsoft ISA Server 2004 can provide advanced firewall protection and includes the following: One machine can act as both Firewall and SAP Router Application layer filtering Can decrypt HTTPS, inspect content and redeliver it internally Pre-authentication, form based Attachment control SAP Hardening and Patch Management Guide for Windows Server 9

14 Interface blocking Intrusion detection By applying the IPSec script policy to your server, you can confine the communication pathway and restrict the TCP and UDP ports used for the communication. For how to use IPSec, refer to: The following is includes an example of the IPSec script policy: :IPSec Policy Definition netsh ipsec static add policy name="packet Filters - R3" description="server Hardening Policy" assign=no :IPSec Filter List Definitions netsh ipsec static add filterlist name="all" description="server Hardening" netsh ipsec static add filterlist name="dialog" description="server Hardening" netsh ipsec static add filterlist name="mssql" description="server Hardening" :IPSec Filter Action Definitions netsh ipsec static add filteraction name=secpermit description="allows Traffic to Pass" action=permit netsh ipsec static add filteraction name=block description="blocks Traffic" action=block :IPSec Filter Definitions netsh ipsec static add filter filterlist="all" srcaddr=any dstaddr=me description="all" protocol=any srcport=0 dstport=0 netsh ipsec static add filter filterlist="dialog" srcaddr=any dstaddr=me description="dialog" protocol=tcp srcport=0 dstport=3200 netsh ipsec static add filter filterlist="mssql" srcaddr=me dstaddr= description="mssql" protocol=tcp srcport=0 dstport=1433 :IPSec Rule Definitions netsh ipsec static add rule name="all" policy="packet Filters - R3" filterlist="all" kerberos=yes filteraction=block netsh ipsec static add rule name="dialog" policy="packet Filters - R3" filterlist="dialog" kerberos=yes filteraction=secpermit netsh ipsec static add rule name="mssql" policy="packet Filters - R3" filterlist="mssql" kerberos=yes filteraction=secpermit netsh ipsec static set policy name="packet Filters - R3" assign=y Example: Create the sample code as a batch file and execute it on SAP R/3 Enterprise server. 1 Default communication blocked. 2 Permit dialog process access from clients (between clients and SAP R/3 Enterprise via destination port TCP 3200). 3 Permit access from SAP R/3 Enterprise to DB instances (between SAP R/3 Enterprise and SQL server via destination port TCP 1433). SAP Hardening and Patch Management Guide for Windows Server 10

15 Necessary Ports for Operating SAP Systems A list of ports used by: SAP systems (along with other security-related documentation): Security Detail Infrastructure Security. Windows Server System: Service Overview and Network Port Requirements for the Windows Server System SQL Server: over TCP: 1433, UDP: 1434 IIS (World Wide Web Publishing Service): 80, 443 Terminal Services and Remote Desktop: 3389 (default; can be configured): How to Change the Listening Port in the Windows Terminal Server Web Client Active Directory (dependent on design): How to Configure a Firewall for Domains and Trusts Restricting Active Directory Replication Traffic to a Specific Port SAP Hardening and Patch Management Guide for Windows Server 11

16 Table 2 Necessary (Destination) Ports for Operating SAP Systems Application Service Name Protocol Destination Port SAP R/3 Enterprise sapdpnn TCP 32NN sapgwnn TCP 33NN SAPlpd TCP 515 HTTP/HTTPS TCP 81NN/444NN sapmssid TCP 36NN HTTP/HTTPS TCP 80NN/443NN SMTP TCP 25 HTTP/HTTPS TCP 5NN00/5NN01 IIOP Initial context /IIOP over SSL TCP 5NN02/5NN03 P4/P4 over HTTP tunneling /P4 over SSL TCP 5NN04/5NN05/5NN06 IIOP TCP 5NN07 JMS TCP 5NN10 Telnet TCP 5NN08 Multiplexer TCP 4NN00 Portwatcher TCP 4NN01-79 HTTP TCP 4NN80-99 TCP 5NN17/5NN18/5NN19 MessageServer TCP 36NN HTTP/HTTPS TCP 81NN/444NN Engue Server TCP 32NN Eng. Replication TCP 33NN SAP ITS Wgate sapvw00_<sid> TCP 39NM sapvwmm_<sid> TCP 39N9 sapvw00_adm TCP 39NM sapvwmm_adm TCP 39N9 SAP ITS Agate HTTP/HTTPS TCP 80/443 sapdpnn TCP 32NN sapgwnn TCP 33NN sapmssid TCP 36NN SAP Enterprise Portal 6.0 HTTP/HTTPS TCP 5NN00/5NN01 IIOP Initial context /IIOP over SSL TCP 5NN02/5NN03 P4/P4 over HTTP tunneling /P4 over SSL TCP 5NN04/5NN05/5NN06 IIOP TCP 5NN07 JMS TCP 5NN10 Telnet TCP 5NN08 TCP 5NN17/5NN18/5NN19 SAP Enterprise Portal IIS Proxy HTTP/HTTPS TCP 80/443 HTTP/HTTPS TCP 5NN00/5NN01 Note: The port numbers are customizable. <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00). SAP Hardening and Patch Management Guide for Windows Server 12

17 Table 3 Necessary (Destination) Ports for Operating SAP Systems (cont d) Application Service Name Protocol Destination Port SAP Router SAProuter TCP 3299 sapdpnn TCP 32NN sapgwnn TCP 33NN sapmssid TCP 36NN SAP Web Dispatcher HTTP/HTTPS TCP 80/443 HTTP/HTTPS TCP 80NN/443NN Active Directory See Microsoft Knowledge Base Article # How to Configure a Firewall for Domains and Trusts" and # ) at support.microsoft.com SQL Server SQL over TCP TCP 1433 Oracle TCP 1527 DB2/UDB TCP Customize SAPDB TCP 7200/7210 Informix TCP 3800 IIS HTTP TCP 80 HTTPS TCP 443 Terminal Services TCP 3389 Windows Server NetMeeting Remote Desktop Sharing (Used TCP 3389 by SAP Support) File Sharing (Used in the sharing of SAP TCP 445 migration files and in the shipping of UDP 445 SQL server logs) TCP 137 UDP 137 UDP 138 TCP 139 Clustering (Central instance and DB TCP 135 instance multiplexing) UDP 3343 For details, see Microsoft Knowledge Base Article # Port Requirements for the Microsoft Windows Server System". Note: The port numbers are customizable. <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00). SAP Hardening and Patch Management Guide for Windows Server 13

18 Figure 5 Ports Used by SAP R/3 Enterprise Figure 6 Ports Used by SAP ITS (Wgate and Agate) SAP Hardening and Patch Management Guide for Windows Server 14

19 Figure 7 Ports Used by SAP Enterprise Portal 6.0 Figure 8 Ports Used by SAP Enterprise IIS Portal Proxy SAP Hardening and Patch Management Guide for Windows Server 15

20 Figure 9 Ports Used by SAP Router Figure 10 Ports Used by SAP Web Dispatcher SAP Hardening and Patch Management Guide for Windows Server 16

21 Configuration of Ports For configuration of ports and other steps for network hardening, use the "Microsoft Management Console (MMC)": Click Start, and then click Run. 1. Type "mmc" in the Name field of the Select File To Run dialog box, and then click OK. 2. The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar. 3. From the pull-down menu, select Add/Remove Snap-in. 4. The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab. 5. In the Standalone tab, click Add. 6. The Add Standalone Snap-in dialog box is displayed. Select IP Security Policy Management in the Available Standalone Snap-ins dialog box, and then click Add. 7. The Select Computer or Domain dialog box is displayed. Select Local Computer. Click Finish. 8. Click Close on the Add Standalone Snap-in dialog box. 9. Click OK on the Add/Remove Snap-in dialog box. 10. IP Security Policies on Local Machine is added under the Console Root on the Microsoft Management Console. 11. Click the added IP Security Policies on Local Machine to display the registered IP security policy in the right pane. Figure 11 IP Security Policy SAP Hardening and Patch Management Guide for Windows Server 17

22 12. Double-click the registered Packet Filters - R3. Figure 12 Packet Filter IP Security Policy 13. The Packet Filters - R3 Properties dialog box is displayed (see Figure 10). Click the Rules tab. 14. Select an IP filter that you want to verify from the IP Security Rules section on the Rules tab, and then click Edit. Figure 13 Edit Rule SAP Hardening and Patch Management Guide for Windows Server 18

23 15. Select the IP Filter List tab on the dialog box that is displayed. 16. Select an IP filter that you want to verify from the IP Filter List section in the IP Filter List tab, and then click Edit. 17. The IP Filter List dialog box is displayed and you can verify the configuration of the IP filter. Figure 14 IP Filter List 18. When you finish verifying the IP filter, click Cancel to close the dialog box. 19. To verify the configuration of the filter action, select the Filter Action tab in the Edit Rule Properties dialog box. Figure 15 Filter Actions SAP Hardening and Patch Management Guide for Windows Server 19

24 To un-assign network hardening, select then right-click on Packet Filters - R3 in the Microsoft Management Console. Then select Un-assign from the pop-up menu. To remove the network hardening, select Delete from the same pop-up menu. Figure 16 Un-assign IP Security Policy SAP Hardening and Patch Management Guide for Windows Server 20

25 Network Communication Paths Figure 17 Communication Paths for an SAP R/3 Enterprise Environment Figure 18 Communication Paths for an SAP ITS Environment SAP Hardening and Patch Management Guide for Windows Server 21

26 Figure 19 Communication Paths for an SAP Enterprise Portal Environment Figure 20 - Communication Paths for an SAP Enterprise Portal + Active Directory Environment SAP Hardening and Patch Management Guide for Windows Server 22

27 Active Directory Considerations As per SAP s Web AS installation guide, SAP application and database servers should be implemented in either of the following ways: Extra domain: SAP systems are embedded in their own SAP -specific domain and a separate domain is used for user accounts. Both domains must be incorporated in a domain tree with the user account domain as the root domain and the SAP domain as the child. Single domain: SAP servers and user accounts are in the same domain. Reference SAP Note # ( Domain Installation using Delegation of Administration in AD ) for information regarding the situation when installation of SAP cannot be performed by a domain administrator as specified in SAP s installation guides. Also, for SAP Enterprise Portal, situations may arise where it may be desired to prevent local users from another domain from logging into SAP EP. See SAP Note # ( Restrict Windows Authentication to Domains ) for specific configuration information to meet this need. Server Hardening An SAP system is under unnecessary security risks when there are services not applicable to SAP or have ineffective settings. Therefore, administrators should disable unnecessary services and strengthen security settings for others to the extent that SAP services can run without any issues. Such actions can be efficiently performed to some extent by utilizing security templates provided by Microsoft. Hardening Using Templates You can use the Windows Server 2003 Security Guide and the associated templates as a step towards implementation of hardening. There are three types of security templates that are differentiated according to the security environment and nine types of templates that are differentiated according to the server role. You will need to implement a hardening for each server role. For more information on the Windows Server 2003 Security Guide, visit the Microsoft Download Center. Three types of templates differentiated according to security environment Legacy client (security level: low) Enterprise client (security level: medium) High security (security level: high) SAP Hardening and Patch Management Guide for Windows Server 23

28 Nine types of templates differentiated according to server role Domain controller Member server Web server Infrastructure server (DHCP, WINS) File server Print server IAS server Certificate service server Bastion host Additional Information: After applying Windows Server 2003 templates, you can make your SAP system more secure by checking and changing the following configurations in accordance with the documents in Table 3. - Confirm that every partition of the disk is formatted in NTFS. - Confirm that an invulnerable password is set for the Administrator account. - Disable or delete unnecessary accounts. - Make sure that the old security configurations are not changed when you upgrade your system from previous versions. - Configure the Administrator account. - Delete all unnecessary file sharing. - Specify an appropriate ACL for every necessary file sharing. - Protect your Telnet server. - Enable IIS logging. - Unbind NetBIOS from TCP/IP. - Remove OS/2 and POSIX subsystems. - Disable the automatic generation of short file names (8.3 format). - Disable the creation of LM hashes. - Configure NTLMSSP security. - Disable automatic execution. Use Microsoft Management Console to apply security templates. Before you apply a security template, you need to backup the role security policies using an administrative tool called "Local Security Policy." SAP Hardening and Patch Management Guide for Windows Server 24

29 Backup Local Security Policy 1. Click Start, and then select All Programs. 2. Select Administrative Tools in the All Programs menu, and then click Local Security Policy. 3. The Local Security Policy dialog box is displayed. Select then right-click Security Settings in the dialog box. 4. Select Export Policy from the pop-up menu. Figure 21 Backup Local Security Policy 5. The Export Policy To dialog box is displayed. In the File Name field, type the name of the file that you want to export the policy to. 6. Click Save to export the local security policy to the file. SAP Hardening and Patch Management Guide for Windows Server 25

30 Applying the Security Template 1. Click Start, and then click Run. 2. Type "mmc" in the Name field of the Select File To Run dialog box and click OK. 3. The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar. 4. From the pull-down menu, select Add/Remove Snap-in. 5. The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab. 6. In the Standalone tab, click Add. 7. The Add Standalone Snap-in dialog box is displayed. Select Security Configuration and Analysis in the Available Standalone Snap-ins dialog box, and then click Add. 8. Click Close on the Add Standalone Snap-in dialog box. 9. Click OK on the Add/Remove Snap-in dialog box. 10. Security Configuration and Analysis is added under the Console Root on the Microsoft Management Console. 11. Select then right-click the added Security Configuration and Analysis. 12. Select Open Database from the pop-up menu. Figure 22 Security Configuration and Analysis SAP Hardening and Patch Management Guide for Windows Server 26

31 13. The Open Database dialog box is displayed. In the File Name field, type the name of the database that you want to open, and then click Open. 14. The Import Template dialog box is displayed. In the File Name field, select the security template file (INF file) downloaded from Internet, and then click Open. You should select a security template file appropriate for your server configuration. Figure 23 Importing Templates 15. On the Microsoft Management Console, select then right-click Security Configuration and Analysis. 16. Select Analyze Computer Now from the pop-up menu. Figure 24 Security Configuration and Analysis SAP Hardening and Patch Management Guide for Windows Server 27

32 17. When you execute analysis of the computer, red X marks appear to indicate the parts where the current settings should be changed. 18. If you want to change the template, double-click the entry. Figure 25 Analysis of Computer 19. If you want to change the template, change the entry. Figure 26 Property for Password Length SAP Hardening and Patch Management Guide for Windows Server 28

33 20. On the Microsoft Management Console, select then right-click Security Configuration and Analysis. 21. Select Configure Computer Now from the pop-up menu. Figure 27 Configuration of Computer Note: We recommend that the procedure be carried out step by step. If you want to provide against the worst case, it is recommended that you perform a system backup using Automatic System Recovery (ASR) or an image backup tool before applying a template. SAP Hardening and Patch Management Guide for Windows Server 29

34 Service Hardening Service hardening is the process of disabling the services that are unnecessary for operating your SAP system. In this way you can block attacks that use unnecessary services and improve the performance of the system. Service Hardening Defined Definition: Disabling services that are unnecessary for operating SAP systems. Effect: Effect: Blocking attacks that use unnecessary services Makes attacks against vulnerability more difficult by disabling services unnecessary for SAP systems. Improving performance Reduces the load on the server and improves performance by disabling services unnecessary for SAP systems. Service hardening investigates Windows services that are unnecessary for the operation of the SAP system and disables their Startup options in order to prevent any attacks through usage of these unnecessary services. There are three settings for Startup options: "Auto", "Manual", and "Disable." Set the option in accordance with the criteria described in the table below. Table 3: Setting the Startup Option Type of Service Services that are obviously unnecessary for operating the system Services that are obviously necessary for operating the system Other services Startup Option Disable Auto Manual Importance of Service Hardening Reasons why service hardening is important on all SAP systems in your environment. Reason: SAP systems only use specific Windows services that can be easily identified. Reason: As long as you are willing to give up some functionality, many of the services can be disabled and the SAP system will still function adequately. SAP Hardening and Patch Management Guide for Windows Server 30

35 Table 4: Services Necessary for SAP Systems Minimum required services for Windows Server Additionally required services for SAP R/3 Enterprise Additionally required services for SAP ITS Agate Additionally required services for SAP Enterprise Portal Event Log Logical Disk Manager Network Connections Plug and Play Protected Storage Remote Procedure Call Security Account Manager Windows Management Instrumentation Windows Management Instrumentation Extensions SAPOSCOL SAP<SID>_<NN> SAP<SID>_<NN> SAP ITS Manager - <SID> SAP ITS Manager - ADM ITS Watchdog SAP IACOR Manager SAP J2EE Engine Dispatcher Additionally required services for SQL Server Additionally required services for clusters Additionally required services for IIS Additionally required services for SAP ITS Wgate Additionally required services for SAP Enterprise Portal IIS Proxy Workstation Server MSSQLSERVER SQL Server Agent Remote Registry Cluster Service Removal Storage World Wide Web Publishing Service IIS Admin Service SAP IACOR Manager none Note: This table shows Windows services installed during a standard installation. Clustering environments may have different services. <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00). For SAP R/3 Enterprise, there are two "SAP<SID>_<NN>" services - one is for central instances and the other is for central service instances. SAP J2EE Engine (Dispatcher and Server), SDM, and IGS of SAP R/3 Enterprise are started by central instance services. SAP J2EE Engine Server of SAP Enterprise Portal 6.0 is started by "SAP J2EE Engine Dispatcher" service. When you disable services not listed in this table, you should check the intended purpose of the services and test it in the appropriate system environment. SAP Hardening and Patch Management Guide for Windows Server 31

36 The tables below show the services that are not required for operating SAP various systems. Table 5: Unnecessary Services for SAP Systems Services not required by Domain Controller Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client DHCP Server Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration SAP Hardening and Patch Management Guide for Windows Server 32

37 Table 6: Unnecessary Services for SAP Systems Services not required for SAP R/3 Enterprise Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration SAP Hardening and Patch Management Guide for Windows Server 33

38 Table 7: Unnecessary Services for SAP Systems Services not required for SQL Server (for SAP R/3 Enterprise) Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging Kerberos Key Distribution Center License Logging Messenger Microsoft Search MSSQLServerADHelper NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration SAP Hardening and Patch Management Guide for Windows Server 34

39 Table 8: Unnecessary Services for SAP Systems Services not required for SAP ITS Agate Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration SAP Hardening and Patch Management Guide for Windows Server 35

40 Table 9: Unnecessary Services for SAP Systems Services not required for SAP ITS Wgate Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration SAP Hardening and Patch Management Guide for Windows Server 36

41 Table 10: Unnecessary Services for SAP Systems Services not required for SAP Enterprise Portal Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration SAP Hardening and Patch Management Guide for Windows Server 37

42 Table 11: Unnecessary Services for SAP Systems Services not required for SQL Server (SAP Enterprise Portal) Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging Kerberos Key Distribution Center License Logging Messenger Microsoft Search MSSQLServerADHelper NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration SAP Hardening and Patch Management Guide for Windows Server 38

43 Table 12: Unnecessary Services for SAP Systems Services not required for SAP Enterprise Portal IIS Proxy Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration SAP Hardening and Patch Management Guide for Windows Server 39

44 Implementing Service Hardening Use the administrative tool called "Services" to implement service hardening. 1. Click Start, and then select All Programs. 2. Select Administrative Tools in the All Programs menu, and then click Services. 3. The Services dialog box is displayed. Select then right-click on the service that you want to harden. 4. Select Properties from the pop-up menu. Figure 28 Service Hardening SAP Hardening and Patch Management Guide for Windows Server 40

45 5. The Properties dialog box is displayed. Set the Startup Type to Disable, and then click OK. 6. Repeat the above procedure for all services that you want to harden. Implement Other Hardening Figure 29 Disabling Services Internet Information Server (IIS) Hardening If using IIS 4.0 (NT 4.0) or 5.0 (Windows 2000) for SAP ITS or SAP Enterprise Portal, use the IIS Lockdown Tool to lock down services. The tool is available for download at The lockdown tool provides an wizard to change security settings and various templates for various scenarios are available. URLscan integration is also provided which decreases the possibility of attack by computer viruses as it analyzes HTTP requests and keeps IIS from accepting unordinary requests. When using IIS 6.0 however, such toolkit functionality is included with Windows Server Note that usage of IIS 6.0 is only available for ITS starting with SAP ITS version 6.20 patch level 3 and IIS 6.0 on Windows Server 2003 is not installed or setup by default. See SAP Note # for information on running SAP ITS on IIS 6.0. For reference, other security-related tools are available at SAP Hardening and Patch Management Guide for Windows Server 41

46 SQL Server Hardening If SQL Server 2000 is used as the database for SAP on Windows Server, refer to for information on steps to secure SQL Server Information for SAP running on Windows Server 2003 will be added to this whitepaper when available. Install most recent SQL Server Service Pack Assess your server security with MBSA Use Windows Authentication Mode Isolate your server and backup it up regularly Assign a strong SA password Limit privilege of SQL Server Service o One account per service o Simple Domain User right Disable SQL Server port on Firewall Use the most secure file system NTFS Delete or secure old setup files Audit connection to SQL Server Specific SAP Hardening For specific considerations for SAP applications (Basis level 4.6B and higher), refer to SAP Note # ( R/3 Security under Windows NT ). In addition: On servers without transport directory, you can restrict the directories \usr and \usr\sap to the local administrators: Administrators(Full Control). On the transport server, generate a further local group "SAP_LocalAdmin". Insert the SAP_<SID>_GlobalAdmin groups of all SIDs involved in the transport into this group. Assign the following authorizations to the directories \usr, \usr\sap and \usr\sap\trans: Administrators(Full Control) SAP_LocalAdmin(Full Control). The shares "SAPLOC" and "SAPMNT" can also be provided with this authorization list. Change password on default Users SAP*, DDIC Client 000 and 066 SAP Hardening and Patch Management Guide for Windows Server 42