Processed on SAP Solution Manager Service Center Release EHP 1 for Solution Manager 7.0 Telephone Service Tool 701_2011_1 SP0 Fax


SERVICE REPORT
SAP Security Optimization Self-Service

SAP System ID
SAP Product
Release
DB System
Customer
Processed on SAP Solution Manager
Service Center
Release EHP 1 for Solution Manager 7.0
Telephone
Service Tool 701_2011_1 SP0
Fax
Date of Session <Date of Session>
Session No
Date of Report <Date of Report>
Installation No
Author <Author>
Customer No

1 EVALUATED ST14 ANALYSIS
PREFACE
GENERAL INFORMATION ABOUT THE SAP SECURITY OPTIMIZATION SERVICE
DETECTED ISSUES

SPECIAL FOCUS CHECKS
- ADDITIONAL SUPER USER ACCOUNTS FOUND (0022)
- USERS - OTHER THAN THE SYSTEM ADMINISTRATORS - ARE ALLOWED TO CALL ST14? (0168)

AUTHENTICATION

PASSWORDS
- Password Logon Is at Least Partly Allowed (0139)
- Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)
- Interval for Logon with Initial Password Is Too Long (0123)
- Interval for Logon with Productive Password Is Too Long
- Interval for Logon with Reset Password Is Too Long (0124)
- Trivial Passwords Are Not Sufficiently Prohibited (0125)
- Minimum Password Length Is Too Short (0126)
- Interval for Password Change Is Too Long (0127)
- Number of Characters in Which Passwords Have to Differ is Too Low (0128)
- Required Number of Digits in Passwords Is Too Low (0129)
- Required Number of Letters in Passwords Is Too Low (0130)
- Required Number of Special Characters in Passwords Is Too Low (0131)

GENERAL AUTHENTICATION
- Security Critical Events for End Users Are Not Logged in the Security Audit Log (0136)
- Interval After Which Inactive Users Are Logged Off Is Too Long (0137)
- Multiple Logons Using the Same User Id Is Not Prevented (0138)
- Users - Other Than the User Administrators - Are Authorized to Lock/Unlock Users (0135)

PASSWORD BASED AUTHENTICATION ADMITS PASSWORD ATTACKS (0591)

BASIS AUTHORIZATION

BASIS ADMINISTRATION
- Users - Other Than the System Administrators - Are Authorized to Maintain System Profiles (0152)
- Users - Other Than the System Administrators - Are Authorized to Start/Stop Application Servers (0154)
- Users - Other Than the System Administrators - Are Authorized to Start/Stop Workprocesses (0156)
- Users - Other Than the System Administrators - Are Authorized to Lock/Unlock Transactions (0157)
- Users - Other Than the System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)
- Users - Other Than the System Administrators - Are Authorized to Maintain Own Lock Entries (0166)
- Users - Other Than the System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161)
- Users - Other Than the System Administrators - Are Authorized to Activate a Trace (0163)
- No Critical Transactions Are Locked (0158)
- Security-related SAP Notes Sending Trace Data to Remote Client (0169)

BATCH INPUT
- Users - Other Than the Batch Input Administrators - Are Authorized to Run Batch Input Sessions in Dialog (0221)
- Users - Other Than the Batch Input Administrators - Are Authorized to Administer Batch Input Sessions (0222)

SPOOL & PRINTER
- Users - Other Than the Spool Admins - Are Authorized to Display Other Users Spool Requests (0192)
- Users - Other Than the Spool Admins - Are Authorized to Display Protected Spool Requests of Other Users (0198)
- Users - Other Than the Spool Administrators - Are Authorized to Display the TemSe Content (0193)

- 7.3.4 Users - Other Than the Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194)
- Users - Other Than the Spool Admins - Are Authorized to Redirect a Print Request to Another Printer (0195)
- Users - Other Than the Spool Administrators - Are Authorized to Export a Print Request (0196)

BACKGROUND
- Background Users That Are Not Used in Any Periodic Batch Job (0215)
- Users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212)
- Users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in External Commands (0213)
- Users - Other Than the Background Admins - Are Authorized to Schedule Jobs Under Another User Id (0214)

OS ACCESS
- Users - Other Than the System Administrators - Are Authorized to Define External OS Commands (0171)
- Users - Other Than the System Administrators - Are Authorized to Execute External OS Commands (0172)
- Users - Other Than the System Administrators - Are Authorized to View Content of OS Files with AL11 (0173)

OUTGOING RFC
- Users - Other Than the System Administrators - Are Authorized to Administer RFC Connections (0255)
- Users - Other Than the System Administrators - Are Authorized to Access RFC Logon Information (0256)
- Users - Other Than the System Administrators - Are Authorized to Maintain Trusting Systems (0268)

INCOMING RFC
- Users - Other Than the Communication Users - Are Authorized to Run any RFC Function (0241)
- Users - Other Than the Key Users - Are Authorized to Visualize all Tables via RFC (0245)
- Incoming RFC with Expired Password Is Allowed (0234)
- Users - Other Than the System Administrators - Are Authorized to Maintain Trusted Systems (0240)
- RFC Security in the Service Marketplace (0247)

APPLICATION LINK ENABLING (ALE)
- Users - Other Than the System Administrators - Allowed to Maintain the ALE Distribution Model (0723)
- Users - Other Than the System Administrators - Allowed to Maintain the Partner Profile (0724)

CHANGE MANAGEMENT

DATA & PROGRAM ACCESS
- Users - Other Than Key Users - Are Authorized to Start All Reports (0512)
- Users - Other Than Key Users - Are Authorized to Display All Tables (0513)
- Users Are Authorized to Maintain All Tables (0514)
- Users - Other Than the System Admins - Are Authorized to Change the Authorization Group of Tables (0515)
- Users - Other Than the Query Administrators - Are Authorized to Administer Queries (0517)
- Users - Other Than the Query Users - Are Authorized to Run Queries (0519)
- Users Are Authorized to Execute All Function Modules (0520)

CHANGE CONTROL
- System Change Option Not Appropriately Configured in the Production System (0301)
- Client Change Option Not Appropriately Configured (0302)
- Users - Other Than the System Administrators - Are Authorized to Change the System Change Option (0303)
- Users - Other Than the System Administrators - Are Authorized to Change the Client Change Option (0304)
- Users - Other Than the System Administrators - Are Authorized to Create New Clients (0305)
- Users - Other Than the System Administrators - Are Authorized to Delete Clients (0306)
- Users Are Authorized to Development in the Production System (0307)
- Users Are Authorized to Debug and Replace Field Values in the Production System (0308)
- Users Are Authorized to Perform Customizing in the Production System (0309)
- Users Are Authorized to Develop Queries in the Production System (0310)

- Users Are Authorized to Execute CATTs in the Production System (0312)
- Users Are Authorized to Execute eCATTs in the Production System (0313)
- Users Are Authorized to Use the Legacy Migration Workbench (0315)
- Users Are Authorized to Modify the Table Logging Flag for Tables (0318)

DEVELOPMENT
- Development Sources Are Not Scanned for Critical Statements (0335)
- Development Keys Exist in the Productive System (0338)

TRANSPORT CONTROL
- Users - Other Than the System and Transport Admins - Are Authorized to Change the TMS Configuration (0341)
- Users - Other Than the System and Transport Admins - Are Authorized to Start Imports to Production (0342)
- Users - Other Than the System and Transport Admins - are Authorized to Create and Release Transports (0343)
- Users are Authorized to Approve Transports (0346)
- Transports Are Not Scanned for Viruses (0348)
- Program Versioning During Import is Not Enabled (0349)

USER AUTHORIZATION

USER MANAGEMENT
- Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002)
- User Administrators Are Authorized to Change Their Own User Master Record (0003)
- Users Are Not Assigned to User Groups (0005)
- User Master Data Is Not Regularly Synchronized with a Corporate LDAP Directory (0007)
- Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008)
- Users - Other Than the User Administrators - Are Authorized to Access Tables with User Data (0013)
- Users - Other Than the User Administrators - Are Authorized to Call Function Modules for User Admin (0019)

SUPER USERS
- Users Have Nearly All Authorizations (0023)
- Unexpected Users Are Authorized to Change a Super User Accounts (0026)
- Users with the most Full Access Authorizations (* Field Values) (0027)
- Users with the most Roles (0028)
- % or max 30 of All Users That Have for the most Profiles (0029)
- Users with Profile SAP_NEW (0031)

STANDARD USERS
- Not All Profiles Are Removed from User SAP* (0042)
- User SAP* Is Neither Locked nor Expired (0043)
- User SAP*'s Activities Are Not Logged in the Security Audit Log (0047)
- User DDIC's Activities Are Not Logged in the Security Audit Log (0050)
- User SAPCPIC Has Default Password in Some Clients (0051)
- User SAPCPIC Is Neither Locked nor Expired (0052)
- User SAPCPIC Not Assigned to the Group SUPER (0053)
- User SAPCPIC's Activities Are Not Logged in the Security Audit Log (0055)
- User EARLYWATCH's Activities Are Not Logged in the Security Audit Log (0060)

ROLE & AUTHORIZATION MANAGEMENT
- Users Are Authorized to Maintain Roles Directly in the Production System (0072)
- Users Are Authorized to Maintain Profiles Directly in the Production System (0073)
- Users Are Authorized to Maintain Authorizations Directly in the Production System (0074)
- Users Are Authorized to Call Function Modules for Authorization, Role and Profile Management (0087)

AUTHORIZATIONS
- Users Are Authorized to Disable Authorization Checks Within Transactions (0102)
- Users Are Authorized to Disable Authorization Checks Globally (0105)
- Users Are Authorized to Call Any Transaction (0110)
- Global Disabling of Authority Checks Is Not Prevented (0104)

10 WEB APPLICATION SERVER

INTERNET COMMUNICATION FRAMEWORK (ICF)
- Users - Other Than the Sysadmin - Authorized to Activate ICF Services (0655)
- Users - Other Than the Sysadmins - Are Authorized to Access Tables of ICF Services (0663)

HTTP CLIENT
- Additional http Client Connections Found (0682)
- No Proxy Used to Connect to http Servers (0683)
- No Authorization for S_SICF Required for http Client Access (0684)
- Client Proxy Does Not Require Client Authentication (0685)
- No Encryption of Outgoing http Communication (0688)

INTERNET COMMUNICATION MANAGER (ICM)
- Users - Other Than the System Administrators - Are Authorized to Administrate the ICM (0701)
- Users - Other Than the Sysadmins - Are Authorized to Display the http Server Cache (0705)
- Users - Other Than the Sysadmins - Are Authorized to Configure the ICM Monitor (0706)
- ICM (Internet Communication Manager) Is Active Although Not Used (0704)

PSE MANAGEMENT
- Users - Other Than the System Administrators - Are Authorized to Maintain the System PSE's (0711)

11 CUSTOMER SPECIFIC AUTHORIZATION CHECKS
USERS AUTHORIZED TO THE CRITICAL AUTHORIZATION
APPENDIX
EVALUATED SDCCN DATA
EVALUATED ST14 ANALYSIS

Evaluated ST14 Analysis

Analysis GUID  SystemID  Analysis Date  Sequence Number  Title
D7WZ2UIHCKVY5U6BRHE2ESDMC  NSP  Security Optimization Service

Preface

The SAP Security Optimization service is a comprehensive support service that identifies security risks for your SAP system and helps you to determine the appropriate measures to protect it from these risks.

This report documents the results of the SAP Security Optimization service in the following sections:
- General information about the SAP Security Optimization service
- Action list in which the results are summarized and prioritized
- Detailed explanation of the findings

3 General information about the SAP Security Optimization Service

The following contains general information about SAP Security Optimization that will help you to understand and apply the report.

Objective of the SAP Security Optimization Service

The objectives of SAP Security Optimization are:
- To analyze the technical configuration of your SAP system for security risks
- To provide recommendations for implementing measures to mitigate security risks
- To provide a compressed overview of the implemented security level
- To enable you to protect your business systems from typical security risks

The security checks of SAP Security Optimization are performed for the following security aspects:
- Availability: ensuring that a system is operational and functional at any given moment
- Integrity: ensuring that data is valid and cannot be compromised
- Authenticity: ensuring that users are the persons they claim to be
- Confidentiality: ensuring that information is not accessed by unauthorized persons
- Compliance: ensuring that the system security set-up is in accordance with established guidelines

Scope of SAP Security Optimization

SAP Security Optimization includes a collection of several hundred checks. These checks identify security vulnerabilities in the current set-up and configuration of mySAP Technology. The checks are performed on the SAP software layer. For a security analysis of the underlying operating system and database, consult your vendor; for a security analysis of the network, contact your preferred network security provider.

The Security Optimization Service is a highly automated, remote support service. For this reason, the service cannot cover customer-specific aspects that require a detailed on-site analysis, such as the following checks:
- Segregation of duties for business-critical processes
- Security organization (organizational security)
- Security administration processes (operational security)

For a complete overview of existing security risks to your business system, the topics listed above have to be taken into consideration. SAP's Security Consulting Team can assist you with individual on-site consulting services to obtain guidance on the security aspects.

How to read this report

The objective of this report is to document the vulnerabilities that have been detected by the SAP Security Optimization service. Since we perform several hundred checks in this support service, only the actual weaknesses are listed in the report so that it is concise; checks whose results were positive are not mentioned.

In some checks, unexpected users with critical authorizations are determined. If you have indicated in the questionnaire that you want the user ID and the names of the users to be printed, they are listed in the findings of these checks. Note that no more than 30 users are listed, even if more users have been found, to keep the report concise. If you want to determine all users who have this authorization, you can do so in transaction ST14. For more information about using this transaction, see SAP Note

For each productive client analyzed, the maximum number of users printed is 20. For other clients (for example 000 or 066), the maximum number of users printed for each client is 20 divided by the number of checked clients. This ensures that examples of all clients are printed. The number of counted users that we print is reduced by the number of superusers that we found in the system (check 0022). Since superusers (users with the SAP_ALL profile) have all authorizations, they are printed only once at the beginning of the report.

The user types in the report have the following meanings:
- A = Dialog
- C = Communication
- B = System
- S = Service
- L = Reference

To enable you to identify major security weaknesses and to prioritize the measures to be implemented, an evaluated risk is determined for each check. The evaluated risk is calculated from the severity and the probability of a security violation.

The meaning of the evaluated risk is as follows:
- High: The severity is high and the probability is high, or the severity is high and the probability is medium, or the severity is medium and the probability is high
- Medium: The severity is high and the probability is low, or the severity is medium and the probability is medium, or the severity is low and the probability is high
- Low: The severity is medium and the probability is low, or the severity is low and the probability is medium, or the severity is low and the probability is low

How to implement the recommended security measures

To protect your SAP system from security violations, we recommend that you implement the measures proposed in this report. To do so, proceed as follows:

1. Read this report carefully.
2. Double-check that the identified risks actually apply to your system. (Note that incomplete data in the questionnaire can result in the report indicating more vulnerabilities than are actually in your system.)
3. Prioritize the risks and determine those that are acceptable for you.
4. Determine the effort to implement appropriate measures.
5. If required, perform a cost-benefit analysis before applying the measures.
6. Plan and implement the measures.

Do not implement the recommended measures without considering them first. Double-check the impact of the recommended measures before applying them to your system. For example, implementing a new password policy might be confusing to end users if they have not been notified about the new policy.

How to obtain support for the implementation

In some cases, you may not have the required resources to implement the recommended security measures. If you need support when analyzing the results of the Security Optimization, as well as when determining and implementing the appropriate measures, contact SAP's Security Consulting Team for on-site consulting via SecurityCheck@sap.com.

How to review the effectiveness of the implemented measures

To prove the effectiveness of the implemented measures, you can request an additional complete SAP Security Optimization check. If you are supported by SAP Consulting during the implementation, our security consultants can perform individual checks to prove the effectiveness on-site.

How to obtain additional security-related information

Recommendations and guidelines concerning the security of SAP systems are included in the SAP Security Guide. This guide consists of three separate volumes, each with different levels of detail. Volume I provides an overview of SAP's security services. Volume II describes the services in detail. Volume III contains security checklists.
For more information about these guides, see the SAP Service Marketplace at
For additional security-related information, see the SAP Service Marketplace at

Concluding remark

SAP Security Optimization provides only a snapshot of the effectiveness of the implemented security measures. Over time, however, every system faces changes that might impact your overall system security. We therefore recommend that you run SAP Security Optimization at regular intervals.

4 Detected Issues

The following list gives you an overview of all checks in the SAP Security Optimization service that are rated with a high risk:

Action Items

*** Special Focus Checks ***
- 5 Users - Other Than the System Administrators - Are Allowed to Call ST14? (0168)
- 4 Additional Super User Accounts Found (0022)

*** Authentication ***

*** Passwords ***
- 5 Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)
- Interval for Logon with Reset Password Is Too Long (0124)
- Interval for Password Change Is Too Long (0127)

*** General Authentication ***
- 5 Users - Other Than the User Administrators - Are Authorized to Lock/Unlock Users (0135)

*** User Authorization ***

*** User Management ***
- 5 Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002)
- 5 User Administrators Are Authorized to Change Their Own User Master Record (0003)
- Users Are Not Assigned to User Groups (0005)
- 5 Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008)
- 5 Users - Other Than the User Administrators - Are Authorized to Access Tables with User Data (0013)
- 5 Users - Other Than the User Administrators - Are Authorized to Call Function Modules for User Admin (0019)

*** Super Users ***
- 5 Unexpected Users Are Authorized to Change a Super User Accounts (0026)

*** Standard Users ***
- User SAPCPIC Has Default Password in Some Clients (0051)

*** Role & Authorization Management ***
- 5 Users Are Authorized to Maintain Roles Directly in the Production System (0072)
- 5 Users Are Authorized to Maintain Profiles Directly in the Production System (0073)
- 5 Users Are Authorized to Maintain Authorizations Directly in the Production System (0074)
- 5 Users Are Authorized to Call Function Modules for Authorization, Role and Profile Management (0087)

*** Authorizations ***
- 5 Users Are Authorized to Disable Authorization Checks Within Transactions (0102)
- 5 Users Are Authorized to Disable Authorization Checks Globally (0105)
- 5 Users Are Authorized to Call Any Transaction (0110)

*** Basis Authorization ***

*** Basis Administration ***
- 5 Users - Other Than the System Administrators - Are Authorized to Maintain System Profiles (0152)
- 5 Users - Other Than the System Administrators - Are Authorized to Start/Stop Application Servers (0154)
- 5 Users - Other Than the System Administrators - Are Authorized to Start/Stop Workprocesses (0156)
- 5 Users - Other Than the System Administrators - Are Authorized to Lock/Unlock Transactions (0157)
- 5 Users - Other Than the System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)
- 5 Users - Other Than the System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161)
- 5 Users - Other Than the System Administrators - Are Authorized to Activate a Trace (0163)

*** Spool & Printer ***
- 5 Users - Other Than the Spool Admins - Are Authorized to Display Other Users Spool Requests (0192)
- 5 Users - Other Than the Spool Admins - Are Authorized to Display Protected Spool Requests of Other Users (0198)
- 5 Users - Other Than the Spool Administrators - Are Authorized to Display the TemSe Content (0193)
- 5 Users - Other Than the Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194)
- 5 Users - Other Than the Spool Admins - Are Authorized to Redirect a Print Request to Another Printer (0195)
- 5 Users - Other Than the Spool Administrators - Are Authorized to Export a Print Request (0196)

*** Background ***
- 5 Users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212)
- 5 Users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in External Commands (0213)
- 5 Users - Other Than the Background Admins - Are Authorized to Schedule Jobs Under Another User Id (0214)

*** OS Access ***

- 5 Users - Other Than the System Administrators - Are Authorized to Define External OS Commands (0171)
- 5 Users - Other Than the System Administrators - Are Authorized to View Content of OS Files with AL11 (0173)

*** Outgoing RFC ***
- 5 Users - Other Than the System Administrators - Are Authorized to Administer RFC Connections (0255)
- 5 Users - Other Than the System Administrators - Are Authorized to Access RFC Logon Information (0256)
- 5 Users - Other Than the System Administrators - Are Authorized to Maintain Trusting Systems (0268)

*** Incoming RFC ***
- 5 Users - Other Than the Communication Users - Are Authorized to Run any RFC Function (0241)
- 5 Users - Other Than the Key Users - Are Authorized to Visualize all Tables via RFC (0245)
- 5 Users - Other Than the System Administrators - Are Authorized to Maintain Trusted Systems (0240)

*** Application Link Enabling (ALE) ***
- 5 Users - Other Than the System Administrators - Allowed to Maintain the ALE Distribution Model (0723)
- 5 Users - Other Than the System Administrators - Allowed to Maintain the Partner Profile (0724)

*** Change Management ***

*** Data & Program Access ***
- 5 Users - Other Than Key Users - Are Authorized to Start All Reports (0512)
- 5 Users - Other Than Key Users - Are Authorized to Display All Tables (0513)
- 5 Users Are Authorized to Maintain All Tables (0514)
- 5 Users - Other Than the System Admins - Are Authorized to Change the Authorization Group of Tables (0515)
- 5 Users - Other Than the Query Administrators - Are Authorized to Administer Queries (0517)
- 5 Users Are Authorized to Execute All Function Modules (0520)

*** Change Control ***
- System Change Option Not Appropriately Configured in the Production System (0301)
- 5 Users - Other Than the System Administrators - Are Authorized to Change the System Change Option (0303)
- 5 Users - Other Than the System Administrators - Are Authorized to Change the Client Change Option (0304)
- 5 Users - Other Than the System Administrators - Are Authorized to Create New Clients (0305)
- 5 Users - Other Than the System Administrators - Are Authorized to Delete Clients (0306)
- 5 Users Are Authorized to Development in the Production System (0307)
- 5 Users Are Authorized to Debug and Replace Field Values in the Production System (0308)
- 5 Users Are Authorized to Perform Customizing in the Production System (0309)
- 5 Users Are Authorized to Develop Queries in the Production System (0310)

*** Transport Control ***
- 5 Users - Other Than the System and Transport Admins - Are Authorized to Change the TMS Configuration (0341)
- 5 Users - Other Than the System and Transport Admins - Are Authorized to Start Imports to Production (0342)
- 5 Users - Other Than the System and Transport Admins - are Authorized to Create and Release Transports (0343)

*** Web Application Server ***

*** Internet Communication Framework (ICF) ***
- 5 Users - Other Than the Sysadmin - Authorized to Activate ICF Services (0655)
- 5 Users - Other Than the Sysadmins - Are Authorized to Access Tables of ICF Services (0663)

*** http Client ***
- Additional http Client Connections Found (0682)
- No Encryption of Outgoing http Communication (0688)

*** Internet Communication Manager (ICM) ***
- 5 Users - Other Than the System Administrators - Are Authorized to Administrate the ICM (0701)
- 5 Users - Other Than the Sysadmins - Are Authorized to Display the http Server Cache (0705)
- 5 Users - Other Than the Sysadmins - Are Authorized to Configure the ICM Monitor (0706)

*** PSE Management ***
- 5 Users - Other Than the System Administrators - Are Authorized to Maintain the System PSE's (0711)

Look at the list of the action items above very carefully and decide if anything on this list needs to be adjusted in your environment. First, read the complete report, and then decide for each check whether it is advisable for you to change the current situation. Sometimes you will find out that your current situation is sufficient, even if checks are rated with a medium or even high risk. Since every SAP implementation is different, you have to adjust this general report to your particular situation.

5 Special Focus Checks

5.1 Additional Super User Accounts Found (0022)

In this system, the following superuser accounts were found that were not mentioned in the questionnaire. (These are the users having the profile SAP_ALL.) All superuser accounts that were found in your system are REMOVED from all the following checks. This means that checks that report 5 authorized users, for example, actually have 5 users and ALL superuser accounts authorized for your system. Keep this in mind when you look at all other checks below.

000 DDIC A SUPER
000 SAP* A SUPER
000 Count :
DDIC A DDIC ddic SUPER
001 SAP* A SUPER
001 Count : 0002

Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

5.2 Users - Other Than the System Administrators - Are Allowed to Call ST14? (0168)

The download for the SAP Security Optimization can be viewed by any user who has authorization for transaction ST14. For this reason, this authorization is very critical and should only be given to a very limited number of users. The SAP Security Optimization data is sensitive: it contains the current security situation for your SAP system. If this information falls into the wrong hands, there is a potential for major security issues.

Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Object 1: S_TCODE with TCD=ST14 [and all relevant parameter transactions]

6 Authentication

6.1 Passwords

Password Logon Is at Least Partly Allowed (0139)

Logging on with passwords is at least partially allowed. Allow all users to log on with their password (login/disable_password_logon = 0), or at least special groups that are described in the parameter login/password_logon_usergroup. If you are not using Single Sign-On (SSO), at least think about implementing an SSO solution. To further increase the security of your systems, prevent users from logging on with their passwords.

Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)

The following users are allowed to change and reset passwords. This is very risky because all these users could change the password and log on themselves with any user. The only consequence is that the "real user" would no longer be able to log on, because the password has been changed. This results in the password being reset because there is a chance that the "real user" might think they have forgotten the correct password.

Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
Object 1: S_TCODE with TCD=SU01 or TCD=OIBB or TCD=OOUS or TCD=OPF0 or TCD=OPJ0 or TCD=OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=

Interval for Logon with Initial Password Is Too Long (0123)

PARAMETER: LOGIN/PASSWORD_MAX_IDLE_INITIAL
Rating:
Instance: All instances
Current Value: 0
Recommended Value: 7

As of SAP NetWeaver 6.40, SAP supports this parameter to encourage your users to create more secure passwords. Activate profile parameter login/password_max_idle_initial, and set it to a value between 1 and 7. This parameter specifies the maximum period for which an initial password (a password chosen by the administrator) remains valid if it is not used. After this period has expired, the password can no longer be used for authentication.

6.1.4 Interval for Logon with Productive Password Is Too Long

PARAMETER: LOGIN/PASSWORD_MAX_IDLE_PRODUCTIVE
Rating:
Instance: All instances
Current Value: 0
Recommended Value: > 0

As of SAP NetWeaver 6.40, SAP supports this parameter to encourage your users to create more secure passwords. Activate profile parameter login/password_max_idle_productive. This parameter specifies the maximum period for which a productive password (a password chosen by the user) remains valid if it is not used. After this period has expired, the password can no longer be used for authentication.

Interval for Logon with Reset Password Is Too Long (0124)

PARAMETER: LOGIN/PASSWORD_MAX_RESET_VALID
Rating  Instance  Current Value  Recommended Value
All instances  7

As of SAP Web AS 6.40, SAP supports this new parameter to encourage your users to create more secure passwords. Activate the new profile parameter login/password_max_reset_valid, and set it to a value between 1 and

Trivial Passwords Are Not Sufficiently Prohibited (0125)

Parameters: USR40 Entries
Description: Number of entries in USR
Current value:
Default Value:

You already use entries in table USR40. They can be used on a generic level as well. Maintain at least 100 values in table USR40 to prevent passwords from being guessed easily.

Minimum Password Length Is Too Short (0126)

PARAMETER: LOGIN/MIN_PASSWORD_LNG
Rating:
Instance: All instances
Current Value: 6
Recommended Value: 8

You are currently using a password length of 6 or 7 characters. Use the maximum of 8 characters for the profile parameter login/min_password_lng to make the passwords more secure.

Interval for Password Change Is Too Long (0127)

PARAMETER: LOGIN/PASSWORD_EXPIRATION_TIME
Rating:
Instance: All instances
Current Value: 0
Recommended Value: 30

You are currently using a password change interval of more than 120, or you have deactivated this option completely. Change the profile parameter login/password_expiration_time to 30 (or at least not higher than 60, and definitely not to 0 (disabled)).

6.1.9 Number of Characters in Which Passwords Have to Differ is Too Low (0128)

PARAMETER: LOGIN/MIN_PASSWORD_DIFF
Rating  Instance  Current Value  Recommended Value
All instances  1  3

As of SAP Web AS 6.10, SAP supports this new parameter to encourage your users to create more secure passwords. Activate the new profile parameter login/min_password_diff, and set its value to

Required Number of Digits in Passwords Is Too Low (0129)

PARAMETER: LOGIN/MIN_PASSWORD_DIGITS
Rating  Instance  Current Value  Recommended Value
All instances  0  1

As of SAP Web AS 6.10, SAP supports this new parameter to encourage your users to create more secure passwords. Activate the new profile parameter login/min_password_digits, and set its value to 1 or higher.

Required Number of Letters in Passwords Is Too Low (0130)

PARAMETER: LOGIN/MIN_PASSWORD_LETTERS
Rating  Instance  Current Value  Recommended Value
All instances  0  1

As of SAP Web AS 6.10, SAP supports this new parameter to encourage your users to create more secure passwords. Activate the new profile parameter login/min_password_letters, and set its value to 1 or higher.

Required Number of Special Characters in Passwords Is Too Low (0131)

PARAMETER: LOGIN/MIN_PASSWORD_SPECIALS
Rating  Instance  Current Value  Recommended Value
All instances  0  1

As of SAP Web AS 6.10, SAP supports this new parameter to encourage your users to create more secure passwords. Activate the new profile parameter login/min_password_specials and set its value to at least '1'.

6.2 General Authentication

Security Critical Events for End Users Are Not Logged in the Security Audit Log (0136)

Client  Logging
000  Deactivated
001  Deactivated

Use transaction SM19 to activate logging of failed logon attempts for all your users in all clients. It is then possible to find out who performed which action, and how to detect an unauthorized logon attempt.

Interval After Which Inactive Users Are Logged Off Is Too Long (0137)

PARAMETER: RDISP/GUI_AUTO_LOGOUT
Rating  Instance  Current Value  Recommended Value
All instances

If you deactivate this parameter by setting it to '0' or if you use a value higher than 1 hour, it is likely that users who are no longer in the office remain logged on. If you do not use screen savers at all workstations, this could result in other users accessing these workstations to get to unauthorized information. Set this value to 1800 or 3600, for example, to reduce this risk as far as possible. Also, do not automatically log off users who have been idle for only a few minutes.

Multiple Logons Using the Same User Id Is Not Prevented (0138)

PARAMETER: LOGIN/DISABLE_MULTI_GUI_LOGIN
Rating  Instance  Current Value  Recommended Value
All instances  0  1

Sharing user accounts does not allow you to trace security violations and may result in users having too many authorizations. Set this value to '1' so that each user has to log on with a different account.

Users - Other Than the User Administrators - Are Authorized to Lock/Unlock Users (0135)

Unauthorized system access because it is possible to unlock any user. In addition, interfaces may malfunction which results in the connected user being locked.

Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
Object 1: S_TCODE with TCD=SU01 or TCD=OIBB or TCD=OOUS or TCD=OPF0 or TCD=OPJ0 or TCD=OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=

Password Based Authentication Admits Password Attacks (0591)

You have deactivated SNC (snc/enable=0) or at least do not use it for the authentication of SAP GUI users since there are no SNC entries in the table USRACL. SNC enables external authentication and therefore allows a higher security level for your system (by using smart cards with user credentials, for example).

Since your system allows password authentication, a password attack is still possible (although you can minimize this risk by enforcing a password policy).

7 Basis Authorization

7.1 Basis Administration

Users - Other Than the System Administrators - Are Authorized to Maintain System Profiles (0152)

This authorization allows security-critical system profile parameters to be disabled, or the system might not be restartable due to incorrect configuration.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=RZ10 [as well as all relevant parameter transactions]
Object2: S_RZL_ADM with ACTVT=

Users - Other Than the System Administrators - Are Authorized to Start/Stop Application Servers (0154)

The system might be unavailable due to unauthorized starting and stopping of servers.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=RZ03 [as well as all relevant parameter transactions]
Object2: S_RZL_ADM with ACTVT=

Users - Other Than the System Administrators - Are Authorized to Start/Stop Workprocesses (0156)

Unauthorized process administration can result in inconsistencies in processing.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM04 or TCD=SM50 or TCD=SM51 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = PADM

Users - Other Than the System Administrators - Are Authorized to Lock/Unlock Transactions (0157)

Risk of unavailability of transactions due to incorrect configuration, or access to locked transactions might be possible.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM01 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = TLCK

Users - Other Than the System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)

Inconsistencies due to incorrect deletion of locks are possible.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM12 [as well as all relevant parameter transactions]
Object2: S_ENQUE with S_ENQ_ACT = * or S_ENQ_ACT=ALL or S_ENQ_ACT = DLFU

Users - Other Than the System Administrators - Are Authorized to Maintain Own Lock Entries (0166)

Inconsistencies due to incorrect deletion of locks are possible.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM12 [as well as all relevant parameter transactions]
Object2: S_ENQUE with S_ENQ_ACT = * or S_ENQ_ACT=ALL or S_ENQ_ACT = DLOU

Users - Other Than the System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161)

Inconsistencies due to incorrect deletion or reprocessing of updates are possible.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=SM13 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = UADM

7.1.8 Users - Other Than the System Administrators - Are Authorized to Activate a Trace (0163)

Low system performance due to activated SQL trace (ST01).

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object1: S_TCODE with TCD=ST01 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = ST0M

No Critical Transactions Are Locked (0158)

Every SAP system has many transactions that are not used in a specific customer environment. As some of these can cause problems if they are used "incorrectly", we recommend that you lock these transactions. Currently, either none or a maximum of one transaction has been locked by means of transaction SM01. Find out which additional transactions must be locked in your specific environment. You can maintain these transactions by using transaction SM

Security-related SAP Notes

Vulnerabilities exist in this system that can be closed easily. We found relevant security-related SAP Notes that have not been applied. Apply relevant security-related SAP HotNews and Notes. An overview of such notes is published on Service Marketplace at /securitynotes. To obtain a list of relevant security-related SAP Notes that can be applied easily, run the tool RSECNOTE in transaction ST13. It will provide a detailed list of the vulnerabilities discovered and the corresponding SAP Notes for correction. More security issues may exist. For more information, refer to SAP Note

Sending Trace Data to Remote Client (0169)

PARAMETER: RDISP/ACCEPT_REMOTE_TRACE_LEVEL
Rating  Instance  Current Value  Recommended Value
All instances  1  0

The parameter rdisp/accept_remote_trace_level allows the system to provide trace data to a remote client. Deactivate the profile parameter if you do not need trace data at a remote client.

7.2 Batch Input

Users - Other Than the Batch Input Administrators - Are Authorized to Run Batch Input Sessions in Dialog (0221)

This authorization allows batch input data to be manipulated during online processing.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object 1: S_TCODE with TCD=SM35 [as well as all relevant parameter transactions]
Object 2: S_BDC_MONI with BDCAKTI=AONL

Users - Other Than the Batch Input Administrators - Are Authorized to Administer Batch Input Sessions (0222)

This authorization allows batch input maps to be deleted or locked with the risk of system inconsistency.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object 1: S_TCODE with TCD=SM35 [as well as all relevant parameter transactions]
Object 2: S_BDC_MONI with BDCAKTI=DELE or BDCAKTI=LOCK

7.3 Spool & Printer

Users - Other Than the Spool Admins - Are Authorized to Display Other Users Spool Requests (0192)

This authorization allows unauthorized access to sensitive data contained in spool requests.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object 1: S_TCODE with TCD = SP01 or SP01O [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = BASE and DISP and SPOAUTH = * or USER

Users - Other Than the Spool Admins - Are Authorized to Display Protected Spool Requests of Other Users (0198)

This authorization allows unauthorized access to sensitive data contained in protected spool requests.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Object 1: S_TCODE with TCD = SP01 or SP01O [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = BASE and DISP and SPOAUTH = * or USER

Users - Other Than the Spool Administrators - Are Authorized to Display the TemSe Content (0193)

This authorization allows unauthorized access to sensitive data contained in spool requests.

Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You


Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

RSA Authentication Manager 8.1 Help Desk Administrator s Guide

RSA Authentication Manager 8.1 Help Desk Administrator s Guide RSA Authentication Manager 8.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard

More information

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features

More information

Kentico CMS security facts

Kentico CMS security facts Kentico CMS security facts ELSE 1 www.kentico.com Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the

More information

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD) USING MYWEBSQL MyWebSQL is a database web administration tool that will be used during LIS 458 & CS 333. This document will provide the basic steps for you to become familiar with the application. 1. To

More information

ManageEngine ADSelfService Plus. Evaluator s Guide

ManageEngine ADSelfService Plus. Evaluator s Guide ManageEngine ADSelfService Plus Evaluator s Guide Table of Contents Document Summary:...3 ADSelfService Plus Overview:...3 Core Features & Benefits:...4 ADSelfService Plus Architecture:...5 Admin Portal:...

More information

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007 Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007 SIEMENS AG Industry Sector Industry Automation D-76181 Karlsruhe, Federal Republic of Germany E-mail: pharma.aud@siemens.com Fax: +49

More information

Walton Centre. Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure

Walton Centre. Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure Page 1 Walton Centre Access and Authentication (network) Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure Page 2 Table of Contents Section

More information

11 NETWORK SECURITY PROJECTS. Project 11.1. Understanding Key Concepts. Project 11.2. Using Auditing and Event Logs. Project 11.3

11 NETWORK SECURITY PROJECTS. Project 11.1. Understanding Key Concepts. Project 11.2. Using Auditing and Event Logs. Project 11.3 11 NETWORK SECURITY PROJECTS Project 11.1 Project 11.2 Project 11.3 Project 11.4 Project 11.5 Understanding Key Concepts Using Auditing and Event Logs Managing Account Lockout Policies Managing Password

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Records Management

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Records Management U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Records Management Disclaimer These materials are subject to change without notice. SAP AG s compliance analysis with respect to SAP software

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

SAP Web Application Server Security

SAP Web Application Server Security SAP Web Application Server Security HELP.BCSECSWAPPS Release 6.10 Document Version 1.4 01/15/02 Copyright Copyright 2001 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted

More information

SAP Secure Support. Key SAP Solution Manager Functions in a High Security Infrastructure with Separate Network. SAP AG, Walldorf/Rot, December 2013

SAP Secure Support. Key SAP Solution Manager Functions in a High Security Infrastructure with Separate Network. SAP AG, Walldorf/Rot, December 2013 SAP Secure Support Key SAP Solution Manager Functions in a High Security Infrastructure with Separate Network SAP AG, Walldorf/Rot, December 2013 SAP AG 2013 Page 1 of 23 Contents 1 Introduction... 3 2

More information

Minimum Requirements for Integrating Services with Central Authentication Version 1.0 December 2008

Minimum Requirements for Integrating Services with Central Authentication Version 1.0 December 2008 Minimum Requirements for Integrating Services with Central Authentication Version 1.0 December 2008 To better safeguard the University s data and resources, the IT Security Office requires the following

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

Full Disk Encryption Pre-Boot Authentication Reference

Full Disk Encryption Pre-Boot Authentication Reference www.novell.com/documentation Full Disk Encryption Pre-Boot Authentication Reference ZENworks 11 Support Pack 4 Beta April 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect

More information

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused. DRAFT 6.1 Information Systems Passwords OVERVIEW Passwords are an important aspect of information security. They are the front line of protection for user accounts. A poorly chosen password may result

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT

SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT Foreword by Prof. Wolfgang Lassmann... 15 Foreword by Dr. Sachar Paulus... 17 1 Introduction...

More information

Centralized Self-service Password Reset: From the Web and Windows Desktop

Centralized Self-service Password Reset: From the Web and Windows Desktop Centralized Self-service Password Reset: From the Web and Windows Desktop Self-service Password Reset Layer v.3.2-007 PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200

More information

πωχ Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers

πωχ Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers Lotus Domino is inherently secure...a Misconception!!! Security is Not Automatic!!!! Slide #2 Security Requires Planning Design

More information

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them. This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and

More information

Copyright. Copyright. Arbutus Software Inc. 270-6450 Roberts Street Burnaby, British Columbia Canada V5G 4E1

Copyright. Copyright. Arbutus Software Inc. 270-6450 Roberts Street Burnaby, British Columbia Canada V5G 4E1 i Copyright Copyright 2015 Arbutus Software Inc. All rights reserved. This manual may contain dated information. Use of these materials is based on the understanding that this manual may not contain all

More information

WatchDox Administrator's Guide. Application Version 3.7.5

WatchDox Administrator's Guide. Application Version 3.7.5 Application Version 3.7.5 Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to any unauthorized individuals

More information

AVG Business SSO Connecting to Active Directory

AVG Business SSO Connecting to Active Directory AVG Business SSO Connecting to Active Directory Contents AVG Business SSO Connecting to Active Directory... 1 Selecting an identity repository and using Active Directory... 3 Installing Business SSO cloud

More information

Password Reset Server User Guide

Password Reset Server User Guide Table of Contents Getting Started... 3 Product Overview... 3 Installation... 3 Accessing Password Reset Server... 3 Terminology... 4 Password Sources... 5 Creating a new Password Source... 5 Security Policies...

More information

McAfee Endpoint Encryption for PC 7.0

McAfee Endpoint Encryption for PC 7.0 Migration Guide McAfee Endpoint Encryption for PC 7.0 For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee,

More information

SAP. Penetration Testing. with Onapsis Bizploit. Mariano Nuñez. Di Croce. HITB Security Conference, Dubai. April 22, 2010. mnunez@onapsis.

SAP. Penetration Testing. with Onapsis Bizploit. Mariano Nuñez. Di Croce. HITB Security Conference, Dubai. April 22, 2010. mnunez@onapsis. SAP Penetration Testing with Onapsis Bizploit Mariano Nuñez Di Croce mnunez@onapsis.com April 22, 2010 HITB Security Conference, Dubai Disclaimer This publication is copyright Onapsis SRL 2010 All rights

More information

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams. Exam : P_ADM_SEC_70 Title : SAP Certified Technology Professional - Security with SAP NetWeaver 7.0 Version : Demo 1 / 5 1.Which of the following statements regarding SSO and SAP Logon Tickets are true?

More information

SAP NetWeaver AS Java

SAP NetWeaver AS Java Chapter 75 Configuring SAP NetWeaver AS Java SAP NetWeaver Application Server ("AS") Java (Stack) is one of the two installation options of SAP NetWeaver AS. The other option is the ABAP Stack, which is

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Enterprise Single Sign-On City Hospital Cures Password Pain. Stephen Furstenau Operations and Support Director Imprivata, Inc. www.imprivata.

Enterprise Single Sign-On City Hospital Cures Password Pain. Stephen Furstenau Operations and Support Director Imprivata, Inc. www.imprivata. Enterprise Single Sign-On City Hospital Cures Password Pain Stephen Furstenau Operations and Support Director Imprivata, Inc. www.imprivata.com Application Security Most organizations could completely

More information

Novell Sentinel Log Manager 1.2 Release Notes. 1 What s New. 1.1 Enhancements to Licenses. Novell. February 2011

Novell Sentinel Log Manager 1.2 Release Notes. 1 What s New. 1.1 Enhancements to Licenses. Novell. February 2011 Novell Sentinel Log Manager 1.2 Release Notes February 2011 Novell Novell Sentinel Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls,

More information

SAP NetWeaver 04 Security Guide. Security Guide for SAP Mobile Infrastructure

SAP NetWeaver 04 Security Guide. Security Guide for SAP Mobile Infrastructure SAP NetWeaver 04 Security Guide Security Guide for SAP Mobile Infrastructure Document Version 1.00 April 29, 2004 SAP AG Neurottstraße 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20

More information

Implementing Security Update Management

Implementing Security Update Management Implementing Security Update Management Wayne Harris MCSE Senior Consultant Certified Security Solutions Business Case for Update Management When determining the potential financial impact of poor update

More information

Columbia University Web Application Security Standards and Practices. Objective and Scope

Columbia University Web Application Security Standards and Practices. Objective and Scope Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline

More information

Hang Seng HSBCnet Security. May 2016

Hang Seng HSBCnet Security. May 2016 Hang Seng HSBCnet Security May 2016 1 Security The Bank aims to provide you with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of

More information

Sophos Mobile Control Installation guide. Product version: 3

Sophos Mobile Control Installation guide. Product version: 3 Sophos Mobile Control Installation guide Product version: 3 Document date: January 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...16 4 External

More information

Choosing an SSO Solution Ten Smart Questions

Choosing an SSO Solution Ten Smart Questions Choosing an SSO Solution Ten Smart Questions Looking for the best SSO solution? Asking these ten questions first can give your users the simple, secure access they need, save time and money, and improve

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

Customer Release Notes for Xerox Integrated Fiery Color Server for the Xerox Color C75 Press, version 1.0

Customer Release Notes for Xerox Integrated Fiery Color Server for the Xerox Color C75 Press, version 1.0 Customer Release Notes for Xerox Integrated Fiery Color Server for the Xerox Color C75 Press, version 1.0 This document contains important information about this release. Be sure to provide this information

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information