Further. Forward. Faster.
Security Guide for SAP on SQL
Server 2012
Authors
Cameron Gardiner, Microsoft Senior Program Manager – SAP
Technical Reviewers
John Knie, Eddie Teng
Published
May 2012
Applies To
SAP NetWeaver 7.0 (SR3) and above
Summary
This white paper discusses how to secure SAP on SQL Server. It proposes techniques to secure SAP on SQL Server in a step-by-step guide, and compares UNIX patching requirements to Windows patching.
DISCLAIMER
This document may discuss sample coding or other information that does not include SAP official interfaces and
therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten
during an upgrade.
SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in
this document, and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this
technical article or code sample, including any liability resulting from incompatibility between the content within this
document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP
responsible or liable with respect to the content of this document.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed
as of the date of publication. Because Microsoft must respond to changing market conditions, the information presented
herein should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR
STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright,
no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form
or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious, and no association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft, the Microsoft logo, Hyper-V, SQL Server, Windows, Windows Server, and other product names are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Security Guide for SAP on SQL Server
Table of Contents
Table of Contents 3
1 Executive Summary 5
2 Microsoft and SAP Partnership 7
3 SAP Solution Security Implementation 9
3.1 Security Layers 9
3.2 Minimum Windows Release Prerequisites 9
3.3 Security Implementation 10
3.3.1 Step 1 – Create Dedicated SAP Management Station(s) 10
3.3.2 Step 2 – Isolate SAP backend systems in a dedicated VLAN 12
3.3.3 Step 3 – Close all inbound non-SAP ports 12
3.3.4 Step 4 – Close Web outbound ports 14
3.3.5 Step 5 – Change Windows Terminal Services Port 15
3.3.6 Step 6 – Use Terminal Services Client 6.0 15
3.3.7 Step 7 – Create dedicated SAP Active Directory Container 15
3.3.7.1 Create Development, management station, QAS and production sub-containers 15
3.3.7.2 Enable Policy block on SAP container 16
3.3.8 Step 8 – Create a policy for the SAP servers using SCW 17
3.3.8.1 Windows firewall and network settings 21
3.3.8.2 Uninstall Internet Explorer 24
3.3.8.3 Check system auditing configuration 24
3.3.9 Step 9 – Move Management Station & SAP Servers to AD Containers 25
3.3.10 Step 10 – Apply Policies to Management Station & SAP Containers 25
3.3.11 Step 11 – Rename local administrator account using a function 25
3.3.12 Step 12 – Remove Domain Admins and all other user accounts 26
3.3.13 Step 13 – MS SQL Server Security 26
3.3.13.1 SQL Server Security Configuration 26
3.3.13.2 Use of scripts & direct access to the database 27
3.3.13.3 Security Requirements for SQL Server Service Accounts 27
3.3.13.4 Admin Connection 28
3.3.14 Step 14 – Secure SAP Service Accounts 28
3.3.14.1 Validate & Adjust DOMAIN\<sid>adm & DOMAIN\SAPService<SID> security 29
3.3.15 Web Dispatcher & SAP MMC 29
3.3.16 Step – Physical Data Centre Security 29
3.3.17 Windows Server Core Deployments 29
4 A Scientific Comparison of AIX, HPUX, Solaris, Linux & Windows Server Security Vulnerabilities 31
4.1 Windows Platform in Comparison to UNIX Security – Reality 31
4.1.1 Security Threats – Internal versus External 31
4.1.1.1 External Threats 32
4.1.1.2 Internal Threats 32
4.1.1.3 3rd Party Threats 33
4.1.2 Desktop versus Server – Server Patching versus Desktop Patching 33
Security Guide for SAP on SQL Server 2012
Page 3 of 57
Created: 28.05.2012
4.1.3 National Institute for Standards & Technology – CVE Database Comparisons 33
4.1.4 How to Assess the Impact of a Security Vulnerability? 36
4.1.4.1 Example: Integer overflow in cdd.dll in the Canonical Display Driver (CDD) 37
4.1.5 UNIX Patching vs. Windows Patching: Reboot Requirement 38
5 Patch Management 41
5.1 Microsoft Windows Security Patches 41
5.1.1 Security Patch Evaluation 41
5.1.1.1 Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026) 42
5.1.1.2 Cumulative Security Update for Internet Explorer (2675157) 42
5.1.1.3 Vulnerability in Active Directory Could Allow Remote Code Execution (2640045) 43
5.1.1.4 Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694) 43
5.2 SAP Patching Strategy 46
5.2.1 Rolling Upgrades/Patching Reduces Downtime 46
6 Auditing, Encryption & Additional Security Topics 47
6.1 Secure Socket Layer 47
6.2 Transparent Data Encryption 47
6.2.1 Key Storage Devices 47
6.3 Advanced SQL Server Auditing 47
6.3.1 New Features in SQL Server 2012 47
6.4 Anti-Virus Options 47
6.5 BitLocker to Protect Boot Disks 48
6.6 Windows Single Sign On 48
6.7 IPSec 48
6.8 Windows Auditing 48
6.9 Windows Attack Surface Area Analyser 48
7 Security Checklist 49
8 Appendix I 51
9 Appendix II 53
9.1 Windows 2008 R2 Vulnerabilities 3 Months to 17th April 2012 53
9.2 AIX Vulnerabilities 3 Months to April 17th 2012 54
9.3 HP-UX Vulnerabilities 3 Months to April 17th 55
10 Security Links and Online Resources 57
10.1 Microsoft Links 57
10.2 SAP Links 57
10.3 General Security Links 57
1 Executive Summary
ERP business executives and IT professionals are convinced that Windows and SQL Server offer a scalable, high-performance, low total cost of ownership solution for SAP systems. One question that remains unanswered for some is "How secure is SAP on Windows and SQL Server?"
This whitepaper demonstrates that the Microsoft Trustworthy Computing Initiative has created a platform that is equal to or more secure than almost all UNIX based alternatives. Security tools and utilities are integrated into the Microsoft platform, whereas the tools available for UNIX platforms are expensive and lack the ease of use of the Windows tools.
This whitepaper is for Microsoft customers & partners who wish to secure their business critical
SAP applications. The document is designed to empower the reader with the knowledge to secure
an SAP on Windows SQL system. The procedures in this document can be adapted to each
customer’s unique landscape, requirements and environment.
Securing SAP on Windows & SQL Server has become much more important since the UNIX market
has decreased significantly and more large multi-national companies run their core business on
Windows and SQL Server on commodity Intel platforms. In 2011 less than 2% [1] of worldwide server
sales were on UNIX platforms as customers terminate investments into proprietary platforms.
Leading Industry Analyst Gartner reports that proprietary UNIX is losing share dramatically and
predicts a mass movement to commodity hardware. [2] IDC shows a sharp decline in worldwide
shipments of proprietary UNIX servers across the last decade (Figure 1). [3]
Figure 1: Worldwide server shipments: Solaris, AIX, HPUX server units shipped per year (series: Sun/Oracle, IBM, Hewlett-Packard; units shipped, 0 to 600,000, for the years 2004 to 2011; source: IDC Server Shipment data)
[1] http://www.theregister.co.uk/2011/11/29/gartner_q3_2011_server_numbers/
[2] http://www.intel.com/content/dam/doc/white-paper/performance-xeon-7500-next-gen-x86-paper.pdf
[3] IDC, IDC Server Tracker, March 2011 & Gartner sources
Commodity hardware improvements: SAPS is a sizing unit for SAP deployments. Figure 2 shows the
growth in SAPS numbers achieved for four-socket servers over the last 12 years. The SAPS per
server is based on a SAP SD standard benchmark. For detailed benchmark results and benchmark
history please see: http://www.sap.com/benchmark
Figure 2: Exponential improvement in performance of SAP on commodity hardware
2 Microsoft and SAP Partnership
Microsoft and SAP have been partners since 1993. The partnership was formed around
implementing SAP R/3 on Windows, and it expanded to include SQL Server and various integration
areas across the software portfolios on both sides. The partnership has grown to include Duet
Enterprise as a joint product offering.
For operating systems and DBMS platforms, a collaborative Microsoft-SAP team helps to ensure
that the adaptation of SAP software to new platform releases happens early in the development
cycle. As a result, new releases of Windows Server and SQL Server are supported very early and
without long delays. Further, the team rigorously tests new releases in development to verify that
Windows Server and SQL Server are ready at release to run the most challenging SAP systems. As a
final step of testing for upcoming releases of Windows Server and SQL Server, the team relies on
the help of Microsoft IT, as Microsoft itself runs a large SAP landscape of various SAP products. The
centre of the Microsoft SAP landscape is the SAP ERP system that runs business-critical processes.
Before new versions of Windows Server or SQL Server are released to the public, they must run
Microsoft’s SAP ERP system successfully.
In the case of SQL Server 2012, Microsoft moved a pre-release version into the production SAP ERP
system in November 2011; since that time, the system is running successfully.
Key highlights of the Microsoft and SAP partnership include:
• Reduced TCO: SQL Server and SAP offer reduced total cost of ownership (TCO) for database platforms through lower pricing, dramatically decreased administrative overhead, built-in high availability, and superior quality and scalability.
• Virtualization: Microsoft and SAP are aligned to support new industry developments, including virtualization. The virtualization environments of different vendors support virtualization for SQL Server 2012, 2008 R2, and 2008. For more information on Windows virtualization, see SAP note 1409608.
• Continuous improvement: Microsoft and SAP steadily work to implement and extend functionalities that can increase the efficiency, scalability, and quality of Windows Server and SQL Server. The partnership also focuses on more seamlessly adapting software to these platforms.
• Security and scalability: Ongoing investments in the Windows platform running SAP workloads can help to reduce security risks and increase scalability. With such investments, Windows is well positioned to lead security and scalability on industry-standard servers, placing it ahead of LINUX options in this space.
The Microsoft and SAP partnership continues to yield productive work and actionable results. For
example, Table 1 illustrates some major features and functionalities implemented in SQL Server for
SAP customers in recent years.
Table 1: Highlights of the Microsoft-SAP partnership across SQL Server releases (columns: SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012)
• Online index maintenance
• Data and index compression
• Database mirroring
• Backup compression
• AlwaysOn: multiple secondaries and backup from secondary
• Supportability features for SAP x64 release
• Minimal logging
• UCS2 compression, reducing space requirements for SAP Unicode implementations
• Table partitioning for SAP BW
• Missing index recommendations
• Single page restore
• In-place upgrade for high availability and disaster recovery scenarios
• Improved hashkey algorithm for SAP migrations
• Transparent data encryption
• No data movement during partition merge operation
• Automatic repair
• 256 CPU support
• Auditing for non-SAP database access
• Column store for SAP BW
• Extended online table maintenance
• 15,000 partitions per table
• Support for OS maximum number of CPU (Windows 2012 = 640 CPU)
3 SAP Solution Security Implementation
A well secured SAP system has multiple filters, protections and validations at all layers of the SAP
application and infrastructure. A modern SAP NetWeaver™ solution is composed of many
interconnected application and infrastructure layers such as a database, operating system and
presentation layer. A security solution is in many cases as strong as its weakest layer. It is
therefore essential that all layers in the solution are identified and each layer secured.
The scope of this document is limited to the layers that are specific to Microsoft Windows® and
Microsoft SQL Server® based SAP systems. Topics such as securing RFC communication between
SAP systems are not covered as there is nothing specific to one operating system and/or database.
SAP application level security is critical to the overall security implementation. An SAP application
security specialist should be engaged to secure the non-operating system and database specific
aspects of SAP security such as preventing access to some basis transactions.
Direct Internet facing SAP systems such as e-Recruiting require specialist design and security
solutions and are not covered in this document.
3.1 Security Layers
SAP is a portable application that can run on Windows, various UNIX platforms, Linux and even
mainframes. Today SAP supports five different database systems – Microsoft SQL Server, Sybase,
Oracle, DB2 and MaxDB. Previously SAP also supported Informix. In order to reduce the
resources required to port SAP to different operating systems and databases, SAP limits the use of
features specific to one database. Exceptions to this are SQL Server compression, partitioning and
several other features. Some functionalities of an RDBMS are handled inside the SAP application.
An example of this is the database locking mechanism, which is largely unused because SAP implemented
its own lock management system.
The vast majority of the features of Microsoft Windows are not used or required by SAP. SAP users
never access Windows or SQL Server resources directly. The approach in this security guide is to
reduce the surface area of Windows and SQL Server to a minimum while permitting the SAP
administrators to access the backend systems as required.
It is emphasized that changing security configuration should be handled in the same way as any
other change to a SAP system. Change management and strict change control are essential for a
successful security implementation and operation. Always deploy changes to a Sandbox or
Development system and test thoroughly before implementing in production. It is also important
to ensure that the test systems resemble the production systems – for example if the production
systems use MSCS (Microsoft Cluster Services) then at least one test system must use MSCS.
3.2 Minimum Windows Release Prerequisites
Windows 2003 and earlier Windows releases, now in excess of 10 years old, do not meet the
minimum level of security requirements. The content of this security guide does not apply to these
outdated Windows releases. This guide assumes that SAP is installed on Windows 2008 R2 SP1 or
higher and SQL 2008 R2 SP1 or higher. In addition, the Active Directory Domain Controllers should
be Windows 2008 R2 SP1 or higher.
The document assumes that the downwards compatible kernel 7.20 [4] is used.
3.3 Security Implementation
The following procedure shows the steps and screenshots for an SAP System Administrator securing
an SAP system at a fictional company. The company is called TRC Limited and has 16 SAP
NetWeaver systems in one data centre and operates a Windows single domain, single forest Active
Directory. The company uses a private IP network 10.x.x.x internally and has four subnets. TRC's
network is shown below [5]:
TRC network diagram:
• TRC User LAN, 10.10.x.x: user computers
• TRC Server Backbone, 10.20.x.x: SAP Management Station, TRC Domain Controllers
• SAP PROD VLAN, 10.30.x.x: SAP DB Server, SAP Web Server
• SAP TEST VLAN, 10.40.x.x: SAP DB Server, SAP Web Server
• All ports are open between the Test VLAN and the Production VLAN
• Inbound ACL on each SAP VLAN: 32xx 33xx 36xx 80xx 443xx 5xx00 5xx01 48xx 5xx04 81xx 4xx80 from the TRC network
• Ports 1024 – 65336 need to be opened to the two AD servers
• Port 65000 is open for Management Station(s) only
3.3.1 Step 1 – Create Dedicated SAP Management Station(s)
A dedicated SAP Management Station is required to administer the secured SAP system. The
Management Station is a server outside the SAP VLANs with special permission to Terminal Service
to the SAP systems. The Management Station acts as a “gateway” or proxy to allow access to the
SAP systems. The Management Station must therefore have some special security policy settings
to secure this system.
Read and review the “Windows Server® 2008 R2 SP1 Security Guide” which is delivered with the
Windows Security Compliance Manager (Security Compliance Management Toolkit Series).
[4] http://blogs.msdn.com/b/saponsqlserver/archive/2011/11/13/sap-7-20-downwardscompatible-kernel-is-finally-released.aspx
[5] Many of the screenshots, configuration files and utilities used can be downloaded via the links page at the back of this document
It is recommended that the SAP Administrator familiarize themselves with the use of these tools on the Management Server
prior to securing the SAP server. The process to secure the Management Station is similar to the process to secure the SAP
servers.
Action:
a. Request Windows Server administrators to install a Windows domain member server with a static IP address located in the server backbone VLAN
b. Run Windows Update and install all patches required
c. Run the Windows Security Configuration Wizard and build a Policy. To create the Management Station policy:
1. Log on to the Management Station with an administrative account.
2. Install and configure antivirus and antispyware utilities on the Management Station.
3. Launch the Security Configuration Wizard GUI, select Create new policy, and point it to the Management Station.
4. Remove all server roles.
5. Remove all client features other than DNS Registration Client, Domain Member & Microsoft Networking Client to reduce the server's attack surface.
6. For maximum protection, remove all administrative options except for Windows Firewall, Remote Desktop Administration and IPSec (if IPSec services are used).
7. Ensure that any additional services that are required by your baseline, such as backup agents or antivirus software, are detected.
8. Decide how to handle unspecified services in your environment. For extra security, you may wish to configure this policy setting to Disable.
9. Ensure the Skip this section checkbox is deselected in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Uncheck all ports except the default Terminal Services port.
10. In the "Registry Settings" section configure as per Appendix.
11. In the "Audit Policy" section configure the required level of auditing.
12. Select Save security policy as zSAP-MgmtStat.xml.
d. Upload Policy to AD using the SCW transform command
The SCW XML file can be converted to an Active Directory Policy. This allows the configuration to be applied to individual servers or groups of servers.
Action: Ask the AD administrator to run the following command from a command prompt – domain admin permissions are required as this command will upload a policy to the AD. [6]
scwcmd transform /p:"C:\WINDOWS\security\msscw\Policies\zSAP-MgmtStat.xml" /g:zSAP-MgmtStat
e. Install the Group Policy Editor Tool
The Group Policy Management Tool is a utility for customizing a policy.
Action: Install the Group Policy Management tool on the Management Station by adding the feature through Server Manager.
[6] AD Domain controllers should be the same Windows release as the SAP servers for the policy to work correctly
f. Edit Group Policy Object
It is recommended to add the following AD policy settings to the Management Station
Action: Right click on the SAP Management Station Policy and select Edit as needed. By default Domain
Admin security is required to edit policies.
3.3.2 Step 2 – Isolate SAP backend systems in a dedicated VLAN
The SAP backend servers must be isolated from the general server network and the user LAN. This
step greatly increases the strength of the security solution by blocking almost all access to the SAP
servers. This technique reduces the surface area of the SAP infrastructure exposed to external
threats.
Most modern network switches support adding Access Control Lists (ACLs) onto a VLAN. It is
recommended that almost all ports are blocked using this feature.
Action: Confirm with the data center network team that their network infrastructure supports ACLs.
Create at least two VLANs – one for Sandbox, Development and Test systems and another VLAN
for Productive systems.
Note : If the SAP servers are not in a separate VLAN it may be necessary to change the IP address of these systems to place
them in a new VLAN. This can be done but requires careful testing. RFC destinations, hosts file and SAP hostname buffer
need to be updated.
3.3.3 Step 3 – Close all inbound non-SAP ports
Almost all non-SAP ports can be closed thereby blocking access to Windows and SQL Server
services. The only ports that should be opened are the SAP specific ports such as 32xx, 33xx and
36xx for ABAP based systems and 5xx00 for Java based systems.
SAP published a document TCPIP Ports used by SAP Applications that specifies all of the ports
required for SAP applications. This document and the SAP system number can be used to calculate
all of the SAP ports required for each SAP component.
Note : The document provided by SAP also includes information regarding database ports. The VLAN should block all DB
and operating system ports – only SAP specific ports should be permitted.
Security Guide for SAP on SQL Server 2012
Page 12 of 57
Created: 28.05.2012
Security Guide for SAP on SQL Server
There are some ports that must remain open between the SAP servers and the domain controllers for Active Directory to function correctly. The domain controllers[7] must be able to communicate with the LSASS service to process domain logon requests and other tasks. Domain controllers communicate using random ports in the range 1024 to 65536.[8]
Care must be taken to ensure that backup servers also have the required access to the SAP servers.
Most backup software uses agents running on SAP servers that connect on their own dedicated
ports. The backup server will not normally need to have direct access to the file system or
database.
Ports used by backup software or 3rd party software can be identified with the commands:
netstat -ano
tasklist /svc
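The two commands above have to be correlated by hand (the PID column of netstat against the PID column of tasklist). The following PowerShell script is an added example, not part of this guide, that does the correlation for you and produces the listener inventory that goes into the ACL spreadsheet. It assumes Windows Server 2012 R2 or later (Get-NetTCPConnection and Get-NetUDPEndpoint with the OwningProcess property); on Windows 2008 R2 use the two commands above. The list of "known" SAP and SQL Server process names is an assumption and should be adjusted to the landscape.

```powershell
# Added example (not from the Microsoft/SAP guide): list every TCP listener and UDP endpoint
# with its owning process and, where the process hosts Windows services, the service names.
# This is the same information "netstat -ano" and "tasklist /svc" print, joined on the PID.
# Assumes Windows Server 2012 R2 or later.

function Get-ListeningPortInventory {
    # PID -> service names, the mapping "tasklist /svc" shows.
    $servicesByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        if (-not $servicesByPid.ContainsKey($_.ProcessId)) { $servicesByPid[$_.ProcessId] = @() }
        $servicesByPid[$_.ProcessId] += $_.Name
    }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Protocol = 'TCP'; LocalAddr = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Protocol = 'UDP'; LocalAddr = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
    }

    (@($tcp) + @($udp)) | ForEach-Object {
        $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol  = $_.Protocol
            LocalAddr = $_.LocalAddr
            Port      = $_.Port
            PID       = $_.PID
            Process   = $(if ($proc) { $proc.ProcessName } else { '<exited>' })
            Services  = ($servicesByPid[[uint32]$_.PID] -join ',')
        }
    } | Sort-Object Protocol, Port -Unique
}

# Assumed list of SAP and SQL Server executables; anything else is a candidate for the
# "close on the VLAN ACL" column of the spreadsheet (backup agents, AV, monitoring).
$known = 'disp+work', 'sapstartsrv', 'gwrd', 'msg_server', 'icman', 'enserver', 'jstart',
         'sqlservr', 'sqlbrowser', 'sqlagent'

Get-ListeningPortInventory |
    Select-Object Protocol, Port, LocalAddr, PID, Process, Services,
        @{ Name = 'NonSap'; Expression = { $_.Process -notin $known } } |
    Format-Table -AutoSize
```

Run it on the SAP reference system with every SAP instance, backup agent and monitoring agent started, otherwise their listeners are missing from the inventory; pipe the result to Export-Csv to seed the Excel spreadsheet used in the Action below.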
Monitoring applications such as System Center 2012 (SCCM) will also need to have specific ports opened to MOM servers. It is recommended not to use SNMP based monitoring agents on SAP servers.[9]
Some other utility systems such as archiving, printing, fax and interfaces[10] may require additional ports. It is recommended to restrict these ports to specific target IP addresses. Windows Print servers can usually be located outside the SAP VLAN in the general server VLAN, reducing the complexity of the SAP VLAN ACL.
The Management Station(s) require the Terminal Services port to be opened. Before creating the ACL please select a new port number as described in section 3.3.5.
[7] Example: Only the domain controllers need access to the SAP VLAN on ports 1024 to 65536. No other servers require this ACL.
[8] http://support.microsoft.com/kb/154596 describes how to specify a port range for RPC callback.
[9] It is strongly recommended not to enable SNMP. The following link provides information on how to secure SNMP: http://support.microsoft.com/kb/324261
[10] SAP systems such as XI will frequently interface SAP systems to legacy Unix applications. Unix system administrators may sometimes request that FTP be enabled on an SAP server. It is strongly recommended never to use any "first generation" protocols (Telnet, FTP, SNMP etc.) on SAP systems. These protocols are not secure. It is recommended to use https connections or to use a "gateway" file server running only FTP and virus scanning software.
Action: Build an ACL spreadsheet in Excel and discuss with the data center network team. Implement on the Test VLAN first, then test for several days. When the ACL is verified, implement the ACL on the Production VLAN.
3.3.4 Step 4 – Close Web outbound ports
It is recommended to permit all outbound traffic from the SAP servers to the general server network and user LAN. There are three recommended ports to block: http, https and smtp.[11]
Action: Build an ACL spreadsheet in Excel and discuss with the data center network team. Implement on the Test VLAN first, then test for several days. When the ACL is verified, implement the ACL on the Production VLAN.[12]
It is also recommended to block outbound Netbios (137, 139, 445) except for specified servers (management server). All printing and file serving should be done via servers outside the SAP VLAN.
[11] If smtp mail is used it is recommended to permit outbound connections to specific Exchange/smtp hosts only.
[12] For advanced customers we block outbound Netbios ports to all systems except the Management Station(s).
3.3.5 Step 5 – Change Windows Terminal Services Port
The default Windows Terminal Services (RDP) port is 3389. By changing the RDP port on each server to a secret port the SAP administrator can make unauthorized access to an SAP server much more difficult or impossible, even if someone knows a valid username and password.
Action: Change the terminal services port to a secret port as described in this KB article:
http://support.microsoft.com/kb/187623/
In the example below the terminal services port has been changed to 65000.
3.3.6 Step 6 – Use Terminal Services Client 6.0
The latest version of the Terminal Services Client contains improved encryption and should always be used.
Action: Download and install the latest Terminal Services Client update on the SAP administrator's PC and the Management Station(s).
http://support.microsoft.com/?kbid=925876
3.3.7 Step 7 –Create dedicated SAP Active Directory Container
Placing the SAP systems into a dedicated Active Directory container allows the SAP administrator
to implement specific SAP security settings on the SAP servers in a controlled manner.
3.3.7.1 Create Development, management station, QAS and production sub-containers
Action: Request the Active Directory Administrator to create an SAP Organizational Unit with the following structure.
It is no longer needed or desirable to create a separate Active Directory Domain specifically for SAP. Many thousands of
customers run SAP with Mirror or Cluster configurations with all SAP servers members of the main corporate directory. Our
general recommendation to all SAP on SQL customers is to join all SAP servers to the main corporate directory in a separate
container with Policy Block enabled.
SAP Servers should always be joined to an Active Directory and be member servers. Standalone (non-domain) servers are
not recommended.
Configuration of Security Policies and SSO is considerably easier on Domain Members.
If the SAP administrator is familiar with Active Directory, the Active Directory team may delegate[13] authority to reset passwords or create new accounts to the SAP administrator. Note: The SAP administrator will only have permissions to change accounts inside the SAP Organizational Unit.
3.3.7.2 Enable Policy block on SAP container
To prevent other policies from "undoing" the SAP specific policies it is recommended to activate the policy block setting on the SAP container.
Action: Start the Group Policy Management tool and right click on the SAP container. Select Block Inheritance. This is required to prevent domain level policies overriding the settings for the SAP servers.
[13] The Active Directory Administrator can delegate limited control of the SAP OU. This also allows the SAP Administrator to create the <SID>adm and SAPService<SID> accounts prior to running the SAP installation program. This avoids the need to install SAP using a domain administrator account or to install SAP using local service accounts (not recommended). http://technet.microsoft.com/en-us/library/cc732524.aspx
The SAP container should now look like the following:
It is recommended to use one single policy for Sandbox, Test and Production containers. This ensures consistent behavior on
all SAP systems. When changing policy settings it is recommended to copy the Policy to a new name, block Inheritance on
the Sandbox container and apply the policy to Sandbox to perform testing. This process can be repeated on the Test
container.
3.3.8 Step 8 - Create a policy for the SAP servers using SCW
In this step a policy is built on an SAP reference system – usually a Sandbox or Development system. This system should be a superset of the SAP usage types. If the SAP landscape has only ABAP systems the policy can be safely created on an ABAP only system. If some ABAP+Java systems are present in the landscape, it is recommended to run SCW on an ABAP+Java system. Solution Manager is an ABAP+Java system and can be used to develop the SAP server policy.
Action:
Read and review the "Windows Server® 2008 R2 SP1 Security Guide" which is delivered with the Windows Security Compliance Manager (Security Compliance Management Toolkit Series).
Use the Windows Security Configuration Wizard to build a Policy
To create the SAP server policy:
1. Logon to the SAP reference system with an administrative account.
2. Ensure the SAP system services and instance are started. Ensure SAPOSCOL (or the monitoring agent) and any other SAP services are started (such as SAPCCMSR or CCMSPING).
3. Launch the SCW GUI, select Create new policy, and point it to the Management Station.
4. Remove all server roles except File Server and Cluster Server (for MSCS systems).
5. Remove all client features other than DNS Registration Client, Domain Member & Microsoft Networking Client to reduce the server's attack surface.
6. For maximum protection, remove all administrative options except for Windows Firewall, Remote Desktop Administration, Local Application Installation Service, Application Installation from Group Policy, Time Synchronization and IPSec (if IPSec services are used).
7. Ensure that the SAP services have been identified. Check that any additional services that are required, such as backup agents or antivirus software, are detected.
8. Decide how to handle unspecified services in your environment. It is recommended to set "Do not change startup mode".
9. Ensure the Skip this section checkbox is deselected in the "Network Security" section, and then click Next. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Add all ports defined in the Excel spreadsheet created in section 3.3.3. It is also important to enable the file sharing ports on the host that holds the SAP Transport System. Cluster Service ports are needed for MSCS systems.
10. In the "Registry Settings" section click Next. Configure as per Appendix.
11. In the "Audit Policy" section, click the Skip this section checkbox and then click Next. Configure appropriate values.
12. Select Save security policy as zSAP-System-1.0.xml.
Upload Policy to AD using the SCW transform command
The SCW XML file can be converted to an Active Directory Policy. This allows the configuration to be applied to individual servers or groups of servers.
Action: Ask the AD administrator to run the following command from a command prompt – domain admin permissions are required as this command will upload a policy to the AD.
scwcmd transform /p:"C:\WINDOWS\security\msscw\Policies\zSAP-System-1.0.xml" /g:zSAP-System-1.0
It is recommended to retain the last three versions of the SAP Policy. When updating a policy, copy the original policy to a new name such as zSAP-System-1.1.
Edit Group Policy Object
It is recommended to add the following AD policy settings to the SAP Server Policy.
Action: Open the Group Policy Management Tool on the Management Station[14] and right click on the SAP Server Policy and select Edit.
[14] There is no need to install the Group Policy Editor on the SAP servers. The SAP Server Policy can be edited on the Management Station.
Use the Group Policy Editor to set the following attributes:
Set the "Network Security: LAN Manager Authentication level" as below.
Do not display last user name.
Specify users allowed to Logon Locally and via Terminal Services.
Create a group that contains all the SQL Server Service Accounts. Grant "Lock Pages in Memory" permission to this group.
Grant "Perform Volume Maintenance Tasks" to the SQL Server Service Account group.[15]
[15] http://blogs.msdn.com/b/sql_pfe_blog/archive/2009/12/23/how-and-why-to-enable-instant-file-initialization.aspx
3.3.8.1 Windows firewall and network settings
Action: Use the Group Policy Editor to add all of the ports from the VLAN ACL to the Windows Firewall. MSCS and File and Printer Sharing ports should be opened as SAP servers within the VLAN need to communicate with each other and access the SAPMNT share.
Right click on Inbound Rules and select "New Rule".
Specify "Port".
Enter these ports and/or port ranges[16]: 3200-3299, 3300-3399, 3600-3699, 3900-3999, 4800-4899, 5443, 8000-8099, 8100-8199, 50013-59913, 50014-59914, 50016-59916, 50000-59900, 50001-59901, 44400-44499[17]
[16] Security Configuration Wizard does not allow port ranges. The GPO Editor does allow port ranges.
[17] Review TCPIP Ports used by SAP Applications. Add LiveCache ports if SAP SCM LiveCache is used.
Document the Ports
On SQL Server database servers with a default SQL Server instance specify “Port”.
Review the rules
To increase the security of this firewall rule further a “scope” can be set for the rule. The scope
restricts the IP Addresses or subnet(s) that can use a rule. Most commonly customers will set the
scope to the SAP VLAN subnet. This prevents any IP address that is not on the SAP VLAN from
connecting to SQL Server.
For additional security the scope for the SQL Server Firewall policy can be set to the IP addresses of
the SAP application servers. No other host will be able to connect to SQL Server.
On named instances specify Port = 1434 UDP for SQL Browser. On SQL Server named instances the port that the SQL Server Engine uses is randomly assigned, therefore it may be easier to specify "Program" and then specify the SQL Server executable.
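The rules described in 3.3.8.1 (the SAP port ranges, the scope restricted to the SAP VLAN or to the application servers, and a program-based rule for a named SQL Server instance plus UDP 1434 for SQL Browser) can be created on a reference server with PowerShell before they are reproduced in the GPO. The script below is an added example and is not part of this guide; it assumes the NetSecurity module of Windows Server 2012 or later, and the subnet, application server addresses, instance name, executable path and rule group name are placeholders to be replaced.

```powershell
# Added example (not from the guide): inbound Windows Firewall rules for an SAP server,
# scoped the way section 3.3.8.1 recommends. Assumes Windows Server 2012+ (NetSecurity module).

$SapVlan      = '10.40.1.0/24'               # placeholder: SAP VLAN subnet used as rule scope
$AppServers   = '10.40.1.15', '10.40.1.16'   # placeholder: SAP application server addresses
$RuleGroup    = 'zSAP Server Ports'          # placeholder: group name, lets you enable/disable all rules at once
$InstanceName = 'SID'                        # placeholder: SQL Server named instance
$SqlServrPath = "C:\Program Files\Microsoft SQL Server\MSSQL11.$InstanceName\MSSQL\Binn\sqlservr.exe"  # placeholder path

# Port ranges exactly as listed in 3.3.8.1 (the GPO editor and PowerShell accept ranges, SCW does not).
$SapPorts = '3200-3299', '3300-3399', '3600-3699', '3900-3999', '4800-4899', '5443',
            '8000-8099', '8100-8199', '50013-59913', '50014-59914', '50016-59916',
            '50000-59900', '50001-59901', '44400-44499'

function New-SapInboundRule {
    param(
        [string]$DisplayName,
        [string[]]$LocalPort,
        [string]$Protocol = 'TCP',
        [string]$Program,
        [string[]]$RemoteAddress
    )
    # Idempotent: drop a rule of the same name before re-creating it.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $params = @{
        DisplayName   = $DisplayName
        Group         = $RuleGroup
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = 'Domain'        # SAP servers are domain members; no exception on Private/Public
        RemoteAddress = $RemoteAddress  # the "scope" of the rule
        Protocol      = $Protocol
    }
    if ($LocalPort) { $params.LocalPort = $LocalPort }
    if ($Program)   { $params.Program   = $Program }
    New-NetFirewallRule @params
}

# SAP application ports: reachable from any host on the SAP VLAN.
New-SapInboundRule -DisplayName 'SAP ABAP/Java ports' -LocalPort $SapPorts -RemoteAddress $SapVlan

# SQL Server named instance: match the engine executable (its TCP port is dynamic) and narrow
# the scope to the SAP application servers, so no other host can connect to SQL Server.
New-SapInboundRule -DisplayName "SQL Server engine ($InstanceName)" -Program $SqlServrPath -RemoteAddress $AppServers

# SQL Browser resolves the instance name to the dynamic port over UDP 1434 (named instances only).
New-SapInboundRule -DisplayName 'SQL Browser' -Protocol 'UDP' -LocalPort '1434' -RemoteAddress $AppServers

# Review the rules, including their scope, before transferring them into the GPO.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

The program-based rule avoids having to track the dynamic port of a named instance; if the instance is configured with a static port instead (footnote 23 in 3.3.13.3), a plain port rule with the same application-server scope is equivalent and SQL Browser can be stopped.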
3.3.8.2 Uninstall Internet Explorer
Internet Explorer must be uninstalled from Windows 2008 R2 in all cases. There is no valid reason to have IE on any production SAP server. Critical and Important security patches[18] are sometimes issued for Internet Explorer and this software is sometimes the delivery mechanism for security vulnerabilities.[19]
In the past, security vulnerabilities have been found in Internet Explorer, which made it necessary to install Critical and Important security patches addressing the issues. Such patches can be safely ignored if there is no Internet Explorer present on the server.
Many security vulnerabilities require Internet Explorer (or another browser) to be installed on a server in order to run malicious code/scripts hosted on a web server.
Internet Explorer can be removed completely from Windows 2008 R2. Windows Server 2012 does not install Internet Explorer by default.
To remove Internet Explorer follow the steps in this KB article:
http://support.microsoft.com/kb/957700#stepsforwin2008r2
3.3.8.3 Check system auditing configuration
Action: Using the Group Policy Editor Tool check the system audit policy and adjust as required.
[18] Microsoft issues a security bulletin each month – see http://www.microsoft.com/technet/security/current.aspx
[19] A security vulnerability will often require the user to browse to an infected website, or an email message will automatically redirect to an infected website.
3.3.9 Step 9 – Move Management Station & SAP Servers to AD Containers
Action: The Active Directory administrator should now move the Management Station(s) and SAP Servers to the appropriate container that was created in step 3.3.7.
To move a server to a new container, right click on the server and select Move.
3.3.10 Step 10 – Apply Policies to Management Station & SAP Containers
Action: Using the Group Policy Editor Tool right click on the SAP Active Directory container and
select Link an Existing GPO.
Apply the SAP Policy to the Sandbox container and perform testing. After the configuration has
been tested and adjusted apply the SAP policy to the top level SAP container. This will apply the
policy on all SAP systems including Production. Apply the Management Station Policy to the
Management Station container. If necessary a policy inheritance block can be used on the
Management Station container.
To immediately apply a group policy on a server run the command line utility gpupdate.exe /force – otherwise the policy
will be applied within 10 to 20 minutes.
3.3.11 Step 11 – Rename local administrator account using a function
The local Windows server administrator account name is well known: "administrator". It is recommended to disable this account and create a new administrator account.[20] It is also recommended to use a generated administrator user account name that is different on each server. Changing the user account name prevents (or makes very difficult) someone who has discovered the password[21] from logging on.
A simple algorithm should be used to generate a prefix or a suffix on a username. An example is given below with a function that multiplies the last digit in the hostname by the last IP digit:

Hostname   IP address    User name prefix   Function      Generated username
trcsap1    10.40.1.15    local-sap-adm      1 x 15 = 15   local-sap-adm-15
trcsap2    10.40.1.16    local-sap-adm      2 x 16 = 32   local-sap-adm-32
trcsap3    10.40.1.17    local-sap-adm      3 x 17 = 51   local-sap-adm-51
trcsap4    10.40.1.18    local-sap-adm      4 x 18 = 72   local-sap-adm-72

[20] The Windows Administrator SID is well known: http://support.microsoft.com/kb/243330
[21] Choose a password carefully after reading http://technet.microsoft.com/en-us/library/cc875839.aspx
Hint: The function should not be too complex for the SAP administrator to calculate! It is also very important to clear the last logged on user name via the policy as well.
Action: Create a simple function, calculate the usernames for each server and right click, create new user with local administrator privileges. Right click and disable the default "administrator" account.
In order for an unauthorized user to logon to a Windows server they need at least the following pieces of information: (1) hostname and/or IP address, (2) username, (3) password, (4) RDP port, (5) TCPIP connectivity. Already this security procedure has blocked direct TCPIP access via a VLAN and a Windows Firewall ACL, set a strong password, changed the RDP port to a secret number, and in this step we have made the user name almost impossible to guess unless someone discovers the username function.
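The username function from the table above, implemented in PowerShell as an added example (not code from this guide), together with the account creation and disabling steps of the Action. The host list is constructed sample data that reproduces the four rows of the table; the prefix "local-sap-adm" is the one the guide uses, and the account-creation helper is an assumption built on the classic net commands so that it also works on Windows 2008 R2.

```powershell
# Added example (not from the guide): generate the per-server local administrator name with the
# function from section 3.3.11 (last digit of the hostname x last octet of the IP address).

function Get-LocalAdminName {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$Prefix = 'local-sap-adm'
    )
    if ($Hostname -notmatch '(\d)$') { throw "Hostname '$Hostname' does not end in a digit" }
    $hostDigit = [int]$Matches[1]
    $lastOctet = [int](($IPAddress -split '\.')[-1])
    '{0}-{1}' -f $Prefix, ($hostDigit * $lastOctet)
}

# Constructed sample landscape (the same hosts and addresses as the table in 3.3.11).
$servers = @(
    @{ Hostname = 'trcsap1'; IP = '10.40.1.15' },
    @{ Hostname = 'trcsap2'; IP = '10.40.1.16' },
    @{ Hostname = 'trcsap3'; IP = '10.40.1.17' },
    @{ Hostname = 'trcsap4'; IP = '10.40.1.18' }
)
foreach ($s in $servers) {
    [pscustomobject]@{
        Hostname     = $s.Hostname
        IP           = $s.IP
        AdminAccount = (Get-LocalAdminName -Hostname $s.Hostname -IPAddress $s.IP)
    }
}

# On the server itself (run elevated): create the generated account, make it a local
# administrator and disable the built-in "administrator". The password is prompted for so it
# is never stored in the script. Assumed helper, not part of the guide.
function New-SapLocalAdmin {
    param([Parameter(Mandatory)][string]$Name)
    $secure = Read-Host -Prompt "Password for $Name" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    net user $Name $plain /add /passwordchg:no /expires:never
    net localgroup Administrators $Name /add
    # Disable the well-known account only after a logon with the new account has been verified.
    net user Administrator /active:no
}
# Example call on a server: New-SapLocalAdmin -Name (Get-LocalAdminName -Hostname $env:COMPUTERNAME -IPAddress '10.40.1.15')
```

The loop reproduces the "Generated username" column of the table (local-sap-adm-15 through local-sap-adm-72). Keep the function in the SAP team's run book rather than on the servers, since the whole point of the step is that the name cannot be derived without it.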
3.3.12 Step 12 – Remove Domain Admins and all other user accounts
Action: It is recommended to prevent Backup Administrators, Domain Administrators and other
operations staff from logging on interactively to SAP Servers.
Routine operations activities such as monitoring free disk space can be accomplished using SCCM
or the built in CCMS monitoring system. There is seldom any legitimate requirement for a
Windows administrator to logon interactively to SAP systems.
An untrained or inexperienced Windows administrator who has not received basic training on the operation of an SAP system represents one of the greatest threats to the stability of the system. Windows and SQL Server are designed to run without regular administrator intervention.
3.3.13 Step 13 – MS SQL Server Security
3.3.13.1 SQL Server Security Configuration
Older SAP implementations required DOMAIN\SAPService<SID> to have the sysadmin role in SQL Server. This was required in order to do a "set user" command. Newer SAP releases (specifically the 7.20 kernel) do an EXECUTE AS instead. It is possible to remove the sysadmin role from DOMAIN\SAPService<SID> if this is required for audit and compliance purposes.[22]
Use integrated security for ABAP based systems.
Currently Java or ABAP+Java based systems require mixed mode security.
Remove local administrators access to the SAP database. Remove "Users" group access to the SAPDATAx and transaction log files.
To further enhance security and minimize patching and update requirements it is recommended to install only the SQL Server Engine. Do not install Books Online and Management Studio. The MS DTC is not and has never been required to run SAP. SAP ABAP and Java components only require the SQL Server Engine.
[22] Some features of DBA Cockpit may not fully function without sysadmin, but this will not impact the operation of the SAP application.
Only SQL Server Engine is required for SAP. On clustered systems replication and full text must be
installed.
SQL Server Management Studio is not required and can be run from a central location and
configured to manage all SQL Server instances in a SAP Landscape.
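A one-off audit of the points in 3.3.13.1, run by the DBA from the Management Station (where the guide places the central Management Studio) rather than as a script on an SAP server, is shown below as an added example that is not part of this guide. It assumes Invoke-Sqlcmd from the SqlServer/SQLPS module is available on the Management Station and that the DBA's Windows account can connect; the instance, domain and SID values are placeholders.

```powershell
# Added example (not from the guide): report the sysadmin members of an SAP system's SQL Server
# instance and its authentication mode, and flag the two findings 3.3.13.1 asks for.
# Assumes the SqlServer or SQLPS module (Invoke-Sqlcmd) on the Management Station.

$Instance = 'sapdbhost\PRD'   # placeholder: SQL Server instance of the SAP system
$Domain   = 'DOMAIN'          # placeholder
$SID      = 'PRD'             # placeholder SAP system ID

function Get-SapSqlSecurityReport {
    param([string]$ServerInstance, [string]$ServiceAccount)

    $sysadmins = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @"
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
"@
    # 1 = Windows authentication only (what ABAP systems should use); 0 = mixed mode (Java / ABAP+Java).
    $mode = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS windows_only;"

    [pscustomobject]@{
        Instance               = $ServerInstance
        WindowsAuthOnly        = ($mode.windows_only -eq 1)
        SysadminMembers        = @($sysadmins | ForEach-Object { $_.member_name })
        ServiceAccountSysadmin = [bool]($sysadmins | Where-Object { $_.member_name -ieq $ServiceAccount })
        LocalAdminsSysadmin    = [bool]($sysadmins | Where-Object { $_.member_name -ieq 'BUILTIN\Administrators' })
    }
}

$report = Get-SapSqlSecurityReport -ServerInstance $Instance -ServiceAccount "$Domain\SAPService$SID"
$report | Format-List

if ($report.ServiceAccountSysadmin) {
    Write-Warning "SAPService$SID still holds sysadmin; with a 7.20 or newer kernel it can be removed if audit requires it (3.3.13.1)."
}
if ($report.LocalAdminsSysadmin) {
    Write-Warning 'BUILTIN\Administrators holds sysadmin; remove local administrators access to the SAP database (3.3.13.1).'
}
```

Any principal other than the SAP service and administration accounts that appears in SysadminMembers should be explained and documented, since every sysadmin login is a direct path into the SAP database outside the ABAP authorization concept.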
3.3.13.2 Use of scripts & direct access to the database
It is strongly recommended not to use any external script or batch file that connects to the SAP
database. Direct access to the SAP database is a significant security risk.
It may appear “easy and convenient” to write a script to access some data inside SAP or to monitor
the SAP system. Often those customers who use scripts in this way find that they have very large,
unsupportable, hard to maintain scripts with different versions and releases on different systems. It
is recommended to use ABAP developments to read SAP application data and to use MOM or
CCMS to monitor SAP systems. SAP provides templates to allow customers to write custom
monitors that plug into CCMS.
3.3.13.3 Security Requirements for SQL Server Service Accounts
SQL 2012 Service Account permissions are detailed in this Books Online article:
http://msdn.microsoft.com/en-us/library/ms143504.aspx
In general do not use administrative accounts for starting Windows services unless there is a specific requirement to do so.
The Service Account that starts SQLBrowser (required for Named Instances[23]) is documented in Books Online.[24] Do not specify administrative accounts for services of SQL Server or other applications.
The SQL Browser service should be configured as below:
- Deny access to this computer from the network
- Deny logon locally
- Deny log on as a batch job
- Deny log on through Terminal Services
- Log on as a service
- Read and write the SQL Server registry keys related to network communication (ports and pipes)
[23] Static ports can be configured for SQL Server and the Browser service stopped if required.
[24] http://msdn.microsoft.com/en-us/library/ms181087.aspx
SQL Server Service – Permissions granted by SQL Server Setup

SQL Server Database Engine (all rights are granted to the per-service SID; default instance: NT SERVICE\MSSQLSERVER, named instance: NT SERVICE\MSSQL$InstanceName):
- Log on as a service (SeServiceLogonRight)
- Replace a process-level token (SeAssignPrimaryTokenPrivilege)
- Bypass traverse checking (SeChangeNotifyPrivilege)
- Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
- Permission to start SQL Writer
- Permission to read the Event Log service
- Permission to read the Remote Procedure Call service

SQL Server Agent (all rights are granted to the per-service SID; default instance: NT Service\SQLSERVERAGENT, named instance: NT Service\SQLAGENT$InstanceName):
- Log on as a service (SeServiceLogonRight)
- Replace a process-level token (SeAssignPrimaryTokenPrivilege)
- Bypass traverse checking (SeChangeNotifyPrivilege)
- Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

SQL Server Browser (all rights are granted to a local Windows group; default or named instance: SQLServer2005SQLBrowserUser$ComputerName; SQL Server Browser does not have a separate process for a named instance):
- Log on as a service (SeServiceLogonRight)
3.3.13.4 Admin Connection
SQL Server Admin connection should be configured.
http://msdn2.microsoft.com/en-us/library/ms178068.aspx
http://msdn2.microsoft.com/en-us/library/ms189595.aspx
3.3.14 Step 14 – Secure SAP Service Accounts
It is highly recommended to follow the procedure at the back of the SAP Installation Guide to "pre-create" all the users and groups prior to starting the SAP installation. This removes any requirement for the SAP installation to be performed with a Domain Admin account. Please implement the procedure in the Installation Guide "Performing a Domain Installation Without Being a Domain Administrator".
3.3.14.1 Validate & Adjust DOMAIN\<sid>adm & DOMAIN\SAPService<SID> security
Action: Check that the SAP user accounts are secured appropriately.[25] Set the following security attributes on the Global SAP Groups via GPO:
- These are the default settings for DOMAIN\<SID>adm: Act as part of the operating system; Adjust memory quotas for a process; Replace a process-level token
- DOMAIN\SAPService<SID>: Deny log on locally; Deny log on through remote desktop services; Restore files and directories
- DOMAIN\SAPService<SID> should not have any of the rights: Act as part of the OS; Log on as a batch job; Debug programs
- Starting with SAP release 7.0 the DOMAIN\SAPService<SID> user no longer needs to be a local administrator. Therefore the right "Act as part of the operating system" is not necessary.
- The permissions "Adjust memory quotas for a process" and "Replace a process-level token" are needed by DOMAIN\<SID>adm to start the SAP system. Also the "Restore files and directories" permission is needed for DOMAIN\SAPService<SID> to load the registry hive.
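Whether the GPO actually produced the user rights listed above can be verified on each SAP server by exporting the effective policy with secedit and checking the [Privilege Rights] section. The script below is an added example, not part of this guide or of SAP Note 1675282. It assumes the rights are assigned to the two accounts directly; if, as the Action says, they are assigned to the global SAP groups, put the group names in the $Expected table instead. DOMAIN and the system ID are placeholders, and the privilege constants are the standard Windows names that secedit writes.

```powershell
# Added example (not from the guide): verify the user rights of <SID>adm and SAPService<SID>
# from section 3.3.14.1 against the effective local security policy. Run elevated on the SAP
# server after "gpupdate /force".

$Domain = 'DOMAIN'   # placeholder
$SID    = 'PRD'      # placeholder SAP system ID
$SidAdm = "$Domain\${SID}adm".ToLower()
$SvcAcc = "$Domain\SAPService$SID".ToLower()

# Expected rights per principal (secedit constant names). Replace the keys with the global
# SAP group names if the GPO grants the rights to groups rather than to the accounts.
$Expected = @{
    $SidAdm = @{
        Required  = 'SeIncreaseQuotaPrivilege', 'SeAssignPrimaryTokenPrivilege'   # needed to start SAP
        Forbidden = @()
    }
    $SvcAcc = @{
        Required  = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeRestorePrivilege'
        Forbidden = 'SeTcbPrivilege', 'SeBatchLogonRight', 'SeDebugPrivilege'
    }
}

function Get-UserRightsAssignment {
    # Returns hashtable: privilege constant -> array of principal names in lower case.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $priv = $Matches[1]
        $accounts = foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if ($entry -like '*S-1-*') {
                # secedit writes SIDs as *S-1-...; translate to DOMAIN\name where the SID resolves.
                try {
                    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                    $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }
            } else { $entry }
        }
        $rights[$priv] = @($accounts | ForEach-Object { $_.ToLower() })
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-SapAccountRights {
    param([hashtable]$Rights, [hashtable]$Expected)
    $findings = foreach ($principal in $Expected.Keys) {
        foreach ($priv in $Expected[$principal].Required) {
            if ($Rights[$priv] -notcontains $principal) {
                [pscustomobject]@{ Principal = $principal; Privilege = $priv; Finding = 'MISSING (required)' }
            }
        }
        foreach ($priv in $Expected[$principal].Forbidden) {
            if ($Rights[$priv] -contains $principal) {
                [pscustomobject]@{ Principal = $principal; Privilege = $priv; Finding = 'PRESENT (must be removed)' }
            }
        }
    }
    return $findings
}

$findings = Test-SapAccountRights -Rights (Get-UserRightsAssignment) -Expected $Expected
if ($findings) { $findings | Format-Table -AutoSize }
else { "User rights of ${SID}adm and SAPService$SID match section 3.3.14.1" }
```

Because secedit exports the effective policy, a finding here means the GPO either did not apply (check the policy block and link order from steps 3.3.7.2 and 3.3.10) or a local setting still grants the right.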
3.3.15 Web Dispatcher & SAP MMC
SAP Webdispatcher is an application level proxy that further isolates the SAP backend servers from
the core user LAN. An application level proxy greatly reduces the impact of denial of service
attacks. Typically a DoS attack will at worst cause the Webdispatcher to stop functioning. The SAP
backend systems will normally not be impacted and the Webdispatcher can simply be restarted.
The SAP Webdispatcher also reduces the complexity of the VLAN and firewall configuration as all
traffic will be coming via the Webdispatcher. SAPRouter provides some similar functionality for
SAPGUI ABAP only based environments. The Active Directory Schema can be extended to allow
SAP systems to register into the AD and client applications such as SAPGUI and SAPMMC to read
this data. SAPMMC can then be run on the Management Station(s) and used to start and stop SAP
systems without the need to logon to the operating system.
3.3.16 Step – Physical Data Centre Security
Almost all security protections can be defeated if an intruder has physical access to a system, whether it be a server, a network switch or backup tapes.
Action: Request the data centre team to ensure that the following precautions are taken:
- Secure remote management cards and console devices
- The server room is monitored with video cameras
- The SAP servers are in a locked cage
- Access to the server room is controlled
- Ensure backup media is securely stored
3.3.17 Windows Server Core Deployments
SQL Server 2012 is supported on Windows 2008 R2 Core Edition and will be supported on Windows Server 8 Core.
http://technet.microsoft.com/en-us/library/hh231669.aspx
The table below shows the time between reboots for Windows 2008 R2 Core. Customers who have hardened the Windows OS could achieve results in excess of these numbers by mitigating vulnerabilities.
[25] SAP Note 1675282 - Security policies for SIDadm and SapServiceSID on Windows
                                                    WS08 Server Core              WS08 R2 Server Core
                                                    % Reduction  Critical** Only  % Reduction  Critical Only
                                                    in patches   % Reduction      in patches   % Reduction
                                                                 in patches                    in patches
All applicable patches
  All roles                                         42%          56%              37%          49%
  Months without reboots                            13           19               10           13
  Without AD, DNS, Print, Media Services, Telnet,
  .Net, Clustering, Hyper-V, IIS, or WINS           53%          63%              51%          62%
  Months without reboots                            15           21               10           13
Necessary patches only*
  All roles                                         48%          67%              40%          55%
  Months without reboots                            16           26               10           13
  Without AD, DNS, Print, Media Services, Telnet,
  .Net, Clustering, Hyper-V, or IIS                 60%          71%              54%          65%
  Months without reboots                            19           28               10           13

*Necessary patches are: where the binary is in Server Core, but the vulnerability is not exploitable.
**Critical patches are those with a Critical rating on http://www.microsoft.com/technet/security/current.aspx
4 A Scientific Comparison of AIX, HPUX, Solaris, Linux & Windows Server Security Vulnerabilities
The information and content in the following section applies to the Windows releases in this
document, specifically Windows 2008 R2 SP1 or higher. The comments in this section do not apply
to older Windows releases such as Windows 2003 or earlier. Windows 2003 does not meet the
security and patching requirements for large highly critical Line of Business applications. Windows
2003 is not recommended for modern SAP releases. SQL Server 2012 is not supported on
Windows 2003.
4.1 Windows Platform in Comparison to UNIX Security - Reality
This whitepaper is focused on hardening the Windows operating system to improve the operations
and maintenance cycles of SAP on SQL Server systems. Due to repeated requests from customers
the author is including a detailed comparison between UNIX, Linux & Windows patching
requirements.
This chapter has been included due to the requests from customers for greater transparency
around the Windows Security topic. The chapter is also included due to significant misinformation
in circulation about the Security & Patching requirements for SAP on Windows and SQL Server
systems relative to UNIX based systems.
This chapter also briefly discusses the broader topic of security threats, their origin and their risk
profile.
In summary the number of security patches for Windows Server is equal to or less than the number of security patches for UNIX and considerably less than Linux. When appropriate hardening and security policies are implemented the patching requirement for Windows Server running SAP on SQL Server should be the same or less than UNIX platforms.[26] When appropriate hardening is done on Windows, UNIX or Linux it is possible to create a very secure SAP Platform. Microsoft's Active Directory is the IT industry's leading identity management security layer. It is considerably easier to secure Windows servers because Active Directory can be used to centrally control and enforce policies and configuration for both SAP and all access management requirements throughout a company's IT assets.
4.1.1 Security Threats – Internal versus External
CIOs, IT Managers and Security Administrators are sometimes unaware of the relative risk profiles from external threats versus internal sources.[27] There are three main security threats to most companies.[28][29] Customers are highly recommended to ensure appropriate resources are deployed in addressing security threats from internal vs. external sources.
[26] Windows Server 2008 R2 Core already delivers 13 months without security patches requiring reboot. SQL 2012 is supported on this OS deployment. With additional hardening the reboot requirement can reach 18 months or more.
[27] http://newsroom.cisco.com/dlls/2008/ts_102808.html
[28] http://www.networkworld.com/news/2008/111208-cisco-study-internal-security.html
4.1.1.1 External Threats
An external threat originates outside an organization, its employees or its agents. Typical examples are worms, botnets, social engineering attacks, rootkits[30] and other malware. The intent behind the vast majority of external threats is to cause malicious disruption.
Sometimes the motivation is to steal data from a specific organization. Customers report that it is more common for external threats to be in the form of "mass" attacks. Attacking a well-defended organization is a relatively poor risk vs. reward ratio for the hacker. If an organization were to detect an attempt, alert law enforcement[31] and thereby collect enough evidence to trace and prosecute an individual, the legal consequences usually far outweigh the possible gain.
Very occasionally external threats are politically motivated and directed at specific organizations.
External threats tend to be much more prominent in the media. Phishing, identity theft and fraud
from external sources are topics that are not relevant to Line of Business applications such as SAP.
It is important that client computers used by administrators are protected from external threats;
however, this security whitepaper mandates the use of Management Stations, and no system
administration tools or tasks should be run from client computers.
4.1.1.2
Internal Threats
An internal threat originates within an organization, its employees and/or contractors. These
threats are dangerous in terms of data theft, fraud and other risks. Employees have the most
important element in unauthorized data access available to them: Time. Due to corporate policies
and the negative publicity legal action brings in such cases, unauthorized data access by
employees is thought to be under-reported. Unauthorized data access by internal employees is
sometimes financially motivated, such as selling IP or sales data to competitors.
What little information is available about Internal Threats can be summarized as:
1. The motivation generally falls into three categories: Disgruntled employees (malicious
damage), Industrial Espionage (theft of IP) and Criminal Theft (defrauding money or other
liquid assets)
2. Many perpetrators are aware that in a significant proportion of the time companies will not
prosecute due to the fear of adverse publicity
3. Employees have network access and time. In addition they may have internal knowledge of
systems and procedures that make gaining unauthorized access easier and make covering
up unauthorized access easier
4. Perpetrators are very rarely DBA or other System Administrators (who are the group of
people who often have unrestricted access to data)
5. “Accidental”32 33 34 data access is an increasingly troublesome topic in some industries where
employees unintentionally breach compliance and regulatory standards. Example: breach
of privacy caused by an employee losing a laptop containing confidential data
29 http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11506224.html
30 http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
31 http://www.theregister.co.uk/2012/02/06/marriott_hacker_jailed/
32 http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5057/lippis_report.pdf
4.1.1.3 3rd Party Threats
3rd Party Threats originate from unauthorized access to data by data centre outsourcers, backup
tape vault providers and other 3rd parties entrusted with an organization's data. This risk can be
mitigated through the use of data encryption, a standard feature in SQL Server.
4.1.2 Desktop versus Server – Server Patching versus Desktop Patching
There are a number of security studies (including some funded by UNIX vendors35) that compare
the number of vulnerabilities disclosed for “Windows” compared to a UNIX release. Some
“independent” reports contain a number of specious claims highlighting the number of Security
Patches for Windows Desktops (including Windows Desktop software from 1990s) and concluding
that this would mean modern Windows Server releases are not suitable for mission critical
applications. These studies and their conclusions often contain one or more fundamental flaws:
1. “Windows” vulnerabilities are classified as any vulnerability impacting a Desktop or a Server.
The studies do not distinguish between a vulnerability that affects a Desktop directly
connected to the Internet (running a large number of third party software applications,
many of which directly access Internet based sites without any firewall, filtering or
protection) and one that affects a Server. The studies fail to consider that a very high
percentage of “Windows” security vulnerabilities do not apply to Windows 2008 R2 with
Internet Explorer removed.
2. “Windows” is also categorized as nearly every Windows release since the 1990s. The
security profile of Microsoft Windows Server products in particular has greatly improved as
of Windows 2008 R2 (due to the ability to remove Internet Explorer and the availability of
Windows Server Core)
3. Windows Desktop and Server products are vastly more common than UNIX platforms and
therefore have vastly more 3rd party applications such as Adobe Flash etc. Very often
vulnerabilities in 3rd party applications that run on “Windows” are included as threats to
“Windows” platforms. Clearly Browser Plug-ins and other 3rd party software have no
relevance to appropriately secured Windows Server systems (Example: no browser is
installed and there is no web access from the SAP VLAN).
4.1.3 National Institute for Standards & Technology – CVE Database Comparisons
The most widely accepted and used security vulnerability database is run by the US Government
National Institute for Standards & Technology http://csrc.nist.gov/
The Vulnerability Database can be found here: http://web.nvd.nist.gov/view/vuln/search
33 http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11499060.html
34 http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11503131.html
35 http://www-01.ibm.com/common/ssi/cgibin/ssialias?infotype=SA&subtype=WH&htmlfid=POL03099USEN
As at 10th April 2012 the following search strings produce the following results (search parameter =
ALL):

Search String                   Number of Hits Containing this String
Apple                           2,710
Windows                         2,982 (footnote 36)
Windows 2008 R2                 183
Windows 2003                    554
Windows XP                      957
Windows 2000                    517
AIX                             302
HP-UX                           249
Solaris                         798
Linux                           3,662
Adobe                           730
VMWare                          601
IBM                             1,406
Novell                          1,769
Oracle                          1,480
Redhat                          4,937
Symantec                        345
SAP                             276
Grand Total Vulnerabilities     50,216
An uninformed interpretation of the statistics would be that “Windows is not secure” or “Linux is not
secure”. Those who review the facts and details of the NIST vulnerabilities in more detail will
observe that the vast majority of the vulnerabilities apply to Windows Desktops and not to modern
releases of Windows Server products.
A rigorous review of the security vulnerabilities for UNIX, Windows and Linux would reveal the
following:
1. Generic search terms such as “Windows” and “Linux” are not accurate ways to assess
the security of a vendor or their technology
2. Newer versions of Windows Server contain dramatically fewer vulnerabilities
3. A very high percentage of vulnerabilities applicable to Windows 2008 R2 require the
presence of an Email client, a Web Browser or an Instant Messaging client to be installed on
the server. In many cases the vulnerability cannot be exploited unless someone logs onto
the Server with Administrator privileges and opens a website hosted by an attacker via an
email or Instant Message. Appropriately hardened versions of Windows (such as with web
browsers removed) make such vulnerabilities very difficult if not impossible to exploit.
36 Much less for Windows 2008 R2 with Service Pack 1 (approximately 51).
4. A very high percentage of vulnerabilities that are not web hosted and delivered via SPAM or
IM links require an authenticated user to be logged on to exploit the vulnerability. Without
valid logon credentials, and sometimes without Administrative logon credentials, the
vulnerability cannot be exploited.
5. A small percentage of vulnerabilities are “network” level and can be exploited without logon
credentials. Windows Firewall or network level ACLs would normally mitigate these risks
6. Apple, “Windows”, Linux and Redhat have Desktop variants and therefore contain
vulnerabilities for 3rd party software running on their operating system. Examples of this are
vulnerabilities in Adobe Flash. The vulnerability can be completely independent of the
operating system; therefore these vulnerabilities are only relevant if the impacted 3rd party
software is installed.
7. UNIX platforms have dramatically lost market share37 over the last 10 years and now
account for a tiny fraction of servers, and a number so small as to be an insignificant
percentage of “computers” (Servers, PCs and smartphones/tablets). 3rd party software
vendors have to a large extent stopped porting their applications to UNIX38. This has led to
a decrease in 3rd party software vulnerabilities for UNIX platforms.
Conclusion: Modern Windows Server releases with basic hardening steps such as switching on
Windows Firewall and removing Internet Explorer are very secure and would not need to be
patched & restarted on a monthly basis. If all steps in this guide are deployed to harden the
Operating System (Windows Server 2008 R2 SP1 or higher) customers report they have been able
to run for in excess of 12-18 months39 without the need to reboot to apply a security patch.
Regardless of the Operating System (UNIX, Linux or Windows) basic hardening should always be
performed. When basic common sense hardening is deployed on modern versions of Windows
Server the patching & reboot requirements for Windows and UNIX are very similar.
37 UNIX server sales account for ~2% of all servers sold. Total UNIX Server shipments per year are
now less than 190,000 units. There were ~10 million Intel servers and >350 million PCs sold in
2011. More than 90% of PCs run Windows. Total smartphone and tablet sales will be in the
hundreds of millions. http://www.theregister.co.uk/2011/11/29/gartner_q3_2011_server_numbers/
& http://www.gartner.com/it/page.jsp?id=1786014&source=email_rt_mc
38 Example: Adobe Reader used to be available for Solaris. Adobe have stopped releasing new
versions of Adobe on UNIX platforms.
39 Windows Core deployments already show 10-12 months is achievable. With additional
hardening and mitigations 18 months can be achieved.
4.1.4 How to Assess the Impact of a Security Vulnerability?
The diagram below depicts the typical process flow for implementing security patches on Windows
and UNIX platforms. For SAP on SQL Server systems that meet the hardening requirements
documented in this whitepaper it is recommended to follow the same process when patching
UNIX or Windows.
It is strongly recommended to follow the same change control processes when applying any
change to a SAP system. It is not recommended to “blindly” apply security patches without first
reviewing whether they are applicable to a specific system.
[Flowchart: patch assessment process, identical for SAP on UNIX and for SAP on Win/SQL.
Assess Patch -> Does Patch Apply to SAP on UNIX? / Does Patch Apply to SAP on Win/SQL? (Yes / No)
Yes -> Can Patch be mitigated? (Yes / No)
Yes -> Apply Patch at Next Scheduled Downtime
No -> Arrange Emergency Outage & Apply Patch]
Do not “blindly” apply any change to SAP on SQL Server systems without assessing the impact and
priority of such a change. All changes must be deployed to non-productive environments and
tested before being deployed to production. Security patches are no exception to the fundamental
concept of change management.
A blanket policy of “Always apply all security patches to all Windows servers” is a primitive and
unsophisticated approach to security and is not suitable for running Line of Business applications
such as SAP. Security administrators can mitigate the need to unnecessarily patch and restart
Windows servers by following the steps in this whitepaper.
4.1.4.1 Example: Integer overflow in cdd.dll in the Canonical Display Driver (CDD)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3678
Vulnerability is rated very high at 9.3 out of a possible score of 10.
Open the Link to the Microsoft Technet Article
http://technet.microsoft.com/en-us/security/bulletin/MS10-043
Vulnerability only applies to Windows Server with a full GUI. Core is not impacted.
Vulnerability only applies to Windows Servers that are running “Windows Aero”. This theme should
never be deployed and activated on SAP servers. In addition this vulnerability would be almost
impossible to exploit on a hardened server as there is no email, browser or IM software.
In addition experienced SAP administrators would be trained not to check their email and open
SPAM type emails on SAP servers.
The Security Update Deployment states a Restart is required
Conclusion: there is absolutely no reason to apply this patch immediately on a SAP on SQL system.
4.1.5 UNIX Patching vs. Windows Patching: Reboot Requirement
Many UNIX patches require a complete restart of the operating system or at least shutting down
into single user run level (which is going to result in a restart of SAP and the RDBMS).
There does not appear to be any significant difference in the reboot requirements for
security patches between Windows 2008 R2 or higher and UNIX distributions. In general Windows
and UNIX40 will need a complete restart of the OS to apply any patch that is in the kernel layers of
the operating system.41
Specific Examples:
Sun Solaris : Patch-ID# 147440-13
Keywords: security kernel lofi nfs ftpusers zfs mpt uucp looping
uucico race zoneadm aggr ld.so.1 fgetgrent_r dtrace panic ptc ptsl
sequenced code ldterm acl_fromtext n2cp gssd
Synopsis: SunOS 5.10: Solaris kernel patch
Date: Mar/12/2012
40 Solaris Live Upgrade still requires one reboot http://docs.oracle.com/cd/E19253-01/8175505/
41 Linux Ksplice has recently been acquired by Oracle. Ksplice has some capability for online
kernel changes. http://www.ksplice.com/uptrack/supported-kernels Ksplice cannot update 3rd
party device drivers without a reboot. SAP do not support KSplice.
Install Requirements: After installing this patch on an active boot environment, the system will be
in a potentially inconsistent state until a reboot is performed. Unless otherwise specified in the
Special Install Instructions below, it is normally safe to apply further patches prior to initiating the
reboot due to the relatively small footprint of the patch utilities. Normal operations must not be
resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An
alternative may be specified in the Special Install Instructions.
Solaris Release: 10
SunOS Release: 5.10
Sun Solaris : Patch-ID# 147707-03 (The BEAST) 42
Keywords: security libcrypto crypto
Synopsis: SunOS 5.10: ssl patch
Date: Mar/22/2012
Install Requirements: After installing this patch on an active boot environment, the system will be
in a potentially inconsistent state until a reboot is performed. Unless otherwise specified in the
Special Install Instructions below, it is normally safe to apply further patches prior to initiating the
reboot due to the relatively small footprint of the patch utilities. Normal operations must not be
resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An
alternative may be specified in the Special Install Instructions.
Solaris Release: 10
SunOS Release: 5.10
42 http://vnhacker.blogspot.jp/2011/09/beast.html
IBM AIX: IBM AIX 5.3, 6.1, and 7.1, and VIOS 2.1.x and 2.2.x, allows remote attackers to cause
a denial of service (system crash) via an ICMP Echo Reply packet that contains 1 in the
Identifier field
http://aix.software.ibm.com/aix/efixes/security/icmp_advisory.asc
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1385
5 Patch Management
5.1 Microsoft Windows Security Patches
Microsoft release security patches on the second Tuesday of each month. As previously discussed
in this whitepaper SAP does not use or require the vast majority of the functions of the underlying
operating system. Tools and utilities such as Internet Explorer, Windows Media Player and SNMP
should be disabled, not installed or blocked. The fact that these unused components are disabled
or blocked eliminates the immediate43 requirement to patch these components. Therefore an SAP
system administrator can consider not applying or delaying a security patch after carefully assessing
each patch. This condition is only true if the SAP servers have been adequately protected and the
SAP administrator and Security administrator have analysed the patch in detail.
As of April 2012 there were 51 “Critical”, “Important” or “Moderate” security bulletins for Windows
2008 R2 SP1 and two patches for SQL 2008 R2 SP144. Below we analyse several examples of security
patches and evaluate whether they are relevant for SAP systems.
5.1.1 Security Patch Evaluation
In the examples below it is assumed that the SAP infrastructure is running on Windows 2008 R2
SP1 Enterprise Edition for x64 systems with SP2 and SQL Server 2008 R2 SP1. These systems have
been secured as described in this document.
To review all current Security Bulletin information open the following website:
http://www.microsoft.com/technet/security/current.aspx
In the screen below select the product, service pack and severity level. Press Go to search.
43 The system administrator may decide to patch Internet Explorer during the next planned
outage some months after the security bulletin is released. Often the system administrator
patches unused or disabled functionality for consistency reasons rather than security reasons.
Some customers have requirements that all Windows servers should be patched to a
consistent level, even if the functionality is completely disabled. In such cases the security
solution may alleviate the need for immediate emergency outages on adequately secured SAP
servers.
44 Security patches for SQL Server are very rare in comparison to other RDBMS.
The Security Bulletin website will retrieve a list of patches based on your selection criteria. Spend
some time navigating through the different sections of a security bulletin and become familiar with
the structure of the security bulletins. Pay special attention to the technical details of each
vulnerability and mitigating factors.
5.1.1.1 Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code
Execution (2651026)
Link : http://technet.microsoft.com/en-us/security/bulletin/MS12-016
Q.1 – Does this security bulletin apply to this Windows release and service pack?
A.1 – Yes – the security bulletin will always clearly identify the impacted products and releases
Q.2 – Does this security bulletin apply to an SAP server?
A.2 – No. SAP systems do not need .NET. SQL Server installer requires .NET, but Internet Explorer
is not installed. Therefore this vulnerability cannot be exploited on systems that have been
adequately secured
Q.3 – Do I need to immediately apply this patch and reboot the SAP server?
A.3 – No, there is no logical reason to immediately apply this patch to an SAP server and restart the
operating system. A system administrator could choose to apply this during a scheduled
downtime
5.1.1.2 Cumulative Security Update for Internet Explorer (2675157)
Link : http://technet.microsoft.com/en-us/security/bulletin/MS12-023
Q.1 – Does this security bulletin apply to this Windows release and service pack?
A.1 – Yes, almost every Windows release and IE release is impacted.
Q.2 – Does this security bulletin apply to an SAP server?
A.2 – No. Internet Explorer is removed.
Q.3 – Do I need to immediately apply this patch and reboot the SAP server?
A.3 – No. SAP servers should not be used for browsing websites and Internet Explorer should be
removed.
5.1.1.3 Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)
Link : http://technet.microsoft.com/en-us/security/bulletin/MS11-095
Q.1 – Does this security bulletin apply to this Windows release and service pack?
A.1 – Yes
Q.2 – Does this security bulletin apply to an SAP server?
A.2 – No. SAP on Windows/SQL may use a variety of LDAP functionalities however SAP Servers are
LDAP clients. This bulletin applies to Windows 2008 R2 SP1 servers running AD Services.
Q.3 – Do I need to immediately apply this patch and reboot the SAP server?
A.3 – No. SAP systems should not be installed on servers running AD Services and the Windows
Firewall and VLAN are blocking port 389
5.1.1.4 Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
(2525694)
Link : http://technet.microsoft.com/en-us/security/bulletin/MS11-041
Q.1 – Does this security bulletin apply to this Windows release and service pack?
A.1 – Yes
Q.2 – Does this security bulletin apply to an SAP server?
A.2 – Maybe. Expand each fix and review the details of each fix.
Reviewing the details of the vulnerability identifies two attack methods. The first is via Internet
Explorer – this can be discounted since Internet Explorer is uninstalled and the VLAN blocks all
outbound web ports. In section 3.3.11 and via the AD Policy several safeguards have been
implemented making this vulnerability almost impossible to exploit. In the second case the
attacker would need to store a specially modified Font file on a network share and somehow force
the administrator to preview the Font file.
This whitepaper protects against this vulnerability in the following ways:
1. SAP Servers are behind a VLAN blocking almost all Windows ports, thus preventing logon to
these servers
2. SAP Servers are running Windows Firewall blocking almost all Windows ports
3. The terminal services Port has been changed to a secret port. The VLAN and Windows Firewall
block Terminal Services connections from all hosts other than the Management Station(s).
4. Domain Admins and all users other than the SAP Administrators have had their privilege to
logon locally removed.
5. The local Administrator user has been renamed, using a function, to a different name on each
server. A strong password has been set
Q.3 – Do I need to immediately apply this patch and reboot the SAP server?
A.3 – Any of the 5 steps above will stop an attacker from exploiting this vulnerability. Ultimately
whether or not to immediately apply a patch is the decision of the system administrator after
carefully reviewing the data released by Microsoft. In this particular case it would seem
extraordinarily unlikely that an attacker would be able to modify the ACL on the VLAN, stop the
Windows Firewall, discover the terminal services port and obtain a user name and password that
had sufficient privileges to logon locally45.
This document does not state that Windows or any other operating system is completely
invulnerable to any conceivable security threat. The key point is that by deploying a few
security strategies and using tools provided by Microsoft customers can create a platform for
SAP systems that is as secure or possibly more secure than other operating systems such as
Linux or UNIX. Customers that have deployed the security hardening detailed in this
document have reported that they achieve 12-18 months between operating system restarts
and achieve all the security and compliance requirements for their organization
A SAP administrator with several years' experience and a basic general knowledge of networking
and security concepts should be able to assess Microsoft Security bulletins in the specific context of
their SAP servers secured as described in this document.
A general policy enforcing all security patches to all servers immediately is not a sophisticated
security policy for many reasons, chiefly that many security patches are issued reactively after
vulnerabilities have been discovered by third parties.
In some cases security administrators may rely too heavily on patching as a means to secure a
system, potentially under-investing in technologies such as firewalls, dedicated VLANs and Active
Directory policies. A security administrator may mistakenly believe that if all Windows servers are
patched then the entire Windows infrastructure is “secure”. Clearly this is not the case.
Microsoft Security patches are only one part of a security solution46 and there are many more
aspects to building a well secured system. Therefore it is the recommendation of this document to
secure SAP servers by isolating them from the general network, reducing their attack surface area
and reviewing each patch issued each month. If a patch is relevant for an SAP system it should be
implemented in production after adequate testing; this document has shown that in most cases
these patches are not relevant if the SAP systems have been adequately secured.
If patches are clearly not relevant for an SAP system they can be delayed until the next planned
downtime. Alternatively the patch can be delayed until Microsoft releases the next Windows
Service Pack, which will include a “rollup” of all previous security patches.
46 Recommended reading: “Formulate A Database Security Strategy To Ensure Investments Will
Actually Prevent Data Breaches And Satisfy Regulatory Requirements” – Forrester, January 2012
http://www.oracle.com/us/corporate/analystreports/infrastructure/forrester-thlp-db-security1445564.pdf
5.2 SAP Patching Strategy
5.2.1 Rolling Upgrades/Patching Reduces Downtime
Security Patches and Service Packs can be applied to inactive servers first, then fail over the services
(ASCS or SQL) to the already patched node. Application servers can be removed from logon load
balancing47 and restarted without impacting users.
47 Users will take some time to log off. Batch Work Processes can be changed to Class A.
6 Auditing, Encryption & Additional Security Topics
In addition to providing a highly scalable, secure and low cost platform, SAP on
Windows & SQL Server offers additional security features bundled into the Windows and SQL
Server products.
6.1 Secure Socket Layer
SAP and Microsoft support encrypting the communication between the SAP application server and
SQL Server.
For more information review: http://blogs.msdn.com/b/saponsqlserver/archive/2011/03/09/sqlserver-network-encryption-with-sap.aspx
6.2 Transparent Data Encryption
SQL Server fully supports encryption of datafiles and backups.
For more information review: http://blogs.technet.com/b/lobapps/archive/2011/12/01/sql-servertde-with-sap-applications-part-1-enabling-tde.aspx
6.2.1 Key Storage Devices
It is highly recommended to store the TDE keys in a hardware based device. Loss of keys will result
in the complete loss of the database.
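The following T-SQL is an added worked example for sections 6.2 and 6.2.1; it is not code from this white paper or from the blog post linked above. It enables TDE on an SAP database and, before encryption is switched on, backs up the certificate together with its private key, which is the step that decides whether a backup of the database can ever be restored elsewhere. The database name [PRD], the certificate name, the file paths and the password strings are placeholders to be replaced in a real deployment.

```sql
-- Added example (not the white paper's or the blog post's own script).
-- Placeholders: [PRD] = SAP database, TDE_PRD_Cert = certificate name,
-- E:\tde_backup\ = backup folder, '<...Placeholder...>' = strong passwords.
USE master;
GO
-- 1. Database master key in master (protected by the service master key).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongPassword-Placeholder-1>';
GO
-- 2. Certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TDE_PRD_Cert
    WITH SUBJECT = 'TDE certificate for SAP database PRD';
GO
-- 3. Back up the certificate AND its private key before encrypting anything.
--    A database backup encrypted under this certificate cannot be restored on
--    another instance without this file pair: loss of the key is loss of the DB.
BACKUP CERTIFICATE TDE_PRD_Cert
    TO FILE = 'E:\tde_backup\TDE_PRD_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'E:\tde_backup\TDE_PRD_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<StrongPassword-Placeholder-2>');
GO
-- 4. Create the DEK inside the SAP database and switch encryption on.
USE [PRD];
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_PRD_Cert;
GO
ALTER DATABASE [PRD] SET ENCRYPTION ON;
GO
-- 5. Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
--    Note that tempdb is encrypted automatically once any user database is.
SELECT DB_NAME(database_id) AS database_name, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
```

Keep the .cer/.pvk pair and its password off the database server itself (for example in the backup vault the organization already uses for restore media), since a copy stored next to the data files protects nothing. Where the key is held in a hardware device as section 6.2.1 recommends, step 2 is replaced by an asymmetric key created FROM PROVIDER through SQL Server's Extensible Key Management interface and the DEK is encrypted BY SERVER ASYMMETRIC KEY instead of by the certificate.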
6.3 Advanced SQL Server Auditing
SQL Server can audit all access to the SAP Database that did not originate from the SAP application.
The audit profile in this blog tracks direct access to the database
For more information review:
http://blogs.msdn.com/b/saponsqlserver/archive/2012/01/02/auditing-audit-all-except-thesapservice.aspx
6.3.1 New Features in SQL Server 2012
SQL Server 2012 introduces a new audit behaviour if SQL Server is unable to write to the audit log.
http://msdn.microsoft.com/en-us/library/cc280525(v=sql.110).aspx
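As an added worked example for sections 6.3 and 6.3.1 (not the script from the linked blog post and not the white paper's own code), the following T-SQL records every data access against the SAP database except the access performed by the SAP application login, and uses the SQL Server 2012 ON_FAILURE = FAIL_OPERATION option so that audited actions fail, rather than run unrecorded, if the audit file cannot be written. The login name 'sapprd', the database name [PRD], the audit names and the file path are placeholders; a real SAP installation uses its own login naming.

```sql
-- Added example (not the white paper's or the blog post's own script).
-- Placeholders: 'sapprd' = SAP application login, [PRD] = SAP database,
-- E:\audit\ = audit file folder.
USE master;
GO
CREATE SERVER AUDIT SAP_DirectAccess_Audit
    TO FILE (FILEPATH = 'E:\audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (
        -- 0 = synchronous delivery, so a write failure is seen immediately
        QUEUE_DELAY = 0,
        -- SQL Server 2012: audited actions fail when the log cannot be written;
        -- CONTINUE would silently drop events, SHUTDOWN would stop the instance
        ON_FAILURE = FAIL_OPERATION)
    -- SQL Server 2012 audit filter: the SAP work processes are excluded,
    -- everything else (DBAs, tools, ad hoc connections) is recorded
    WHERE server_principal_name <> 'sapprd';
GO
ALTER SERVER AUDIT SAP_DirectAccess_Audit WITH (STATE = ON);
GO
USE [PRD];
GO
-- Database-level specification: all DML/EXECUTE by anyone, plus schema changes
CREATE DATABASE AUDIT SPECIFICATION SAP_DirectAccess_Spec
    FOR SERVER AUDIT SAP_DirectAccess_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE, EXECUTE ON DATABASE::[PRD] BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Reading the captured events back from the audit files
SELECT event_time, server_principal_name, database_name, action_id, statement
FROM sys.fn_get_audit_file('E:\audit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Because the filter is evaluated on the server audit, the exclusion applies to every specification attached to it; keep the excluded principal to the SAP application login only, so that a DBA connecting under their own account is always recorded. Test the FAIL_OPERATION behaviour on a non-productive system first: a full or unavailable audit volume will block audited statements for everyone except the filtered SAP login, which is the intended trade-off but must be understood by the operations team.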
6.4 Anti-virus Options
Customers that have followed the security deployment guidance in this whitepaper report that they
deactivate “real time” scanning functionality and configure daily or weekly file scans only. It is
strongly recommended to exclude database files from AV scanners. Due to the restrictions in this
security deployment AV definitions may need to be updated manually as internet access is
completely blocked.
6.5 BitLocker to Protect Boot Disks
Windows Server boot disks can be protected against tampering with BitLocker. BitLocker has
advanced key recovery and centralized management.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1339.pdf
Remote console features such as HP iLO are highly recommended if BitLocker is used to secure the
boot disk; otherwise a server cannot be remotely restarted.
6.6 Windows Single Sign On
SAP ship Kerberos wrappers for Windows. It is simple and easy to setup single sign on for SAPGUI
and other applications:
Note 352295 - Microsoft Windows Single Sign-On options
Note 121178 - NT: Installation note for SSO Single Sign On
6.7 IPSEC
Windows includes comprehensive IPSEC functionality. Additional information can be found here:
http://technet.microsoft.com/en-us/library/bb742429.aspx
6.8 Windows Auditing
The Security Configuration Wizard can be used to specify a Windows Audit Policy. This Policy can
be enforced on all SAP servers via a Group Policy Object.
Customers who wish to record all screen activity and audit all interaction with a Windows server
can do so with http://www.observeit-sys.com/products/Features/Windows
This software would typically be installed on the management station.
6.9 Windows Attack Surface Area Analyser
The Windows Attack Surface Area Analyser is still in Beta as of April 2012.
http://www.microsoft.com/en-us/download/details.aspx?id=19537
7 Security Checklist
Tasks                             Description                                             Status
1. Download Documents             Security Compliance Manager, TCPIP ports used by SAP
2. Build Management Server
3. Create AD Container for SAP
4. Build XLS of Ports
5. Create VLAN & set ACL
6. Run SCW and build policy
7. Upload Policy to AD
8. Test policy on non-Prod
9. Adjust Policy as needed
10. Deploy Policy on PRD
Security is commonly understood as a sum of different functions. In simple words, systems, data or
applications are compromised if someone installs a virus or if an intruder breaks into systems. An
intruder may break into a system because they know about vulnerabilities or because they are a
former employee who still has a valid user id. In order to maximize security, typically we need to
recognize the possible threats, implement technology to avoid vulnerabilities and organize
operations accordingly. Just a short list of tasks:
1. Nobody can illegally intrude.
a) Harden the environment, close all possible entry points which are not in use
b) Enforce appropriate perimeter security (for example by using firewalls)
c) Enforce appropriate identity management (including the management of user identities
if employees leave the company)
d) Use appropriate IT architecture (DMZ etc.)
e) Avoid or mitigate known vulnerabilities – patch vulnerabilities that cannot be mitigated
f) Assure physical security of the servers and intranet
2. Ensure data is not exposed
a) Enforce secure communication by using encryption – for example VPN (externally),
IPSEC or SSL internally
b) Enforce appropriate authentication
c) Use virus scanner and keep up to date
d) Use Network Access Protection
3. Secure operations
a) Train the workforce to defend against “social engineering” assaults
b) Monitor security on all levels of IT (Network, Servers, Application)
c) Perform security audits regularly
d) Learn from others – avoid problems before they appear
e) Ensure clients/desktops are adequately secured – use two factor authentication to
prevent key loggers and other client side threats. Protect mobile clients (laptops etc.)
with BitLocker to prevent unauthorized use
8 Appendix I
The screenshots below show the Security Configuration Wizard setting for Network
Tick both options
Domain account only (do not allow Local Accounts from remote computers)
Deselect legacy operating system support. This will prevent Windows 95 clients from connecting.
If SAMBA is used for UNIX connectivity, test carefully.
The following registry settings should be set.
9 Appendix II
9.1 Windows 2008 R2 Vulnerabilities 3 months to 17th April 2012
Entries marked in Yellow are either extremely difficult or impossible to exploit without Internet
Explorer, Media Player, Email Client or Instant Messaging software.
There are 14 matching records. Displaying matches 1 through 14.
CVE-2012-0151
Summary: The Authenticode Signature Verification function in Microsoft Windows XP SP2 and SP3, Windows
Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1,
and Windows 8 Consumer Preview does not properly validate the digest of a signed portable executable (PE)
file, which allows user-assisted remote attackers to execute arbitrary code via a modified file with additional
content, aka "WinVerifyTrust Signature Validation Vulnerability."
Published: 04/10/2012
CVSS Severity: 9.3 (HIGH)
CVE-2012-0157
Summary: win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server
2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1
does not properly handle window messaging, which allows local users to gain privileges via a crafted
application that calls the PostMessage function, aka "PostMessage Function Vulnerability."
Published: 03/13/2012
CVSS Severity: 7.2 (HIGH)
CVE-2012-0156
Summary: DirectWrite in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and
Windows 7 Gold and SP1 does not properly render Unicode characters, which allows remote attackers to
cause a denial of service (application hang) via a (1) instant message or (2) web site, aka "DirectWrite
Application Denial of Service Vulnerability."
Published: 03/13/2012
CVSS Severity: 4.3 (MEDIUM)
CVE-2012-0152
Summary: The Remote Desktop Protocol (RDP) service in Microsoft Windows Server 2008 R2 and R2 SP1
and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service (application hang) via a
series of crafted packets, aka "Terminal Server Denial of Service Vulnerability."
Published: 03/13/2012
CVSS Severity: 4.3 (MEDIUM)
CVE-2012-0006
Summary: The DNS server in Microsoft Windows Server 2003 SP2 and Server 2008 SP2, R2, and R2 SP1
does not properly handle objects in memory during record lookup, which allows remote attackers to cause a
denial of service (daemon restart) via a crafted query, aka "DNS Denial of Service Vulnerability."
Published: 03/13/2012
CVSS Severity: 5.0 (MEDIUM) **SAP Servers do not run DNS Server
CVE-2012-0002
Summary: The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3,
Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7
Gold and SP1 does not properly process packets in memory, which allows remote attackers to execute
arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly
initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."
Published: 03/13/2012
CVSS Severity: 9.3 (HIGH)
CVE-2012-1194
Summary: The resolver in the DNS Server service in Microsoft Windows Server 2008 before R2 overwrites
cached server names and TTL values in NS records during the processing of a response to an A record query,
which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost
domain names" attack.
Published: 02/17/2012
CVSS Severity: 6.4 (MEDIUM)
CVE-2012-0154
Summary: Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2
and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and
Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that triggers keyboard
layout errors, aka "Keyboard Layout Use After Free Vulnerability."
Published: 02/14/2012
CVSS Severity: 7.2 (HIGH)
CVE-2012-0150
Summary: Buffer overflow in msvcrt.dll in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and
R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted media
file, aka "Msvcrt.dll Buffer Overflow Vulnerability."
Published: 02/14/2012
CVSS Severity: 9.3 (HIGH)
CVE-2012-0148
Summary: afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2, Windows Server 2003 SP2,
Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 on 64-bit
platforms does not properly validate user-mode input passed to kernel mode, which allows local users to gain
privileges via a crafted application, aka "AfdPoll Elevation of Privilege Vulnerability."
Published: 02/14/2012
CVSS Severity: 7.2 (HIGH)
CVE-2010-5082
Summary: Untrusted search path vulnerability in colorcpl.exe 6.0.6000.16386 in the Color Control Panel in
Microsoft Windows Server 2008 SP2, R2, and R2 SP1 allows local users to gain privileges via a Trojan horse
sti.dll file in the current working directory, as demonstrated by a directory that contains a .camp, .cdmp,
.gmmp, .icc, or .icm file, aka "Color Control Panel Insecure Library Loading Vulnerability."
Published: 01/17/2012
CVSS Severity: 9.3 (HIGH)
CVE-2012-0013
Summary: Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP
SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1,
and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted ClickOnce
application in a Microsoft Office document, related to .application files, aka "Assembly Execution
Vulnerability."
Published: 01/10/2012
CVSS Severity: 9.3 (HIGH)
CVE-2012-0004
Summary: Unspecified vulnerability in DirectShow in DirectX in Microsoft Windows XP SP2 and SP3, Windows
Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and
SP1 allows remote attackers to execute arbitrary code via a crafted media file, related to Quartz.dll, Qdvd.dll,
closed captioning, and the Line21 DirectShow filter, aka "DirectShow Remote Code Execution Vulnerability."
Published: 01/10/2012
CVSS Severity: 9.3 (HIGH)
CVE-2012-0001
Summary: The kernel in Microsoft Windows XP SP2, Windows Server 2003 SP2, Windows Vista SP2,
Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly load structured
exception handling tables, which allows context-dependent attackers to bypass the SafeSEH security feature
by leveraging a Visual C++ .NET 2003 application, aka "Windows Kernel SafeSEH Bypass Vulnerability."
Published: 01/10/2012
CVSS Severity: 9.3 (HIGH)
9.2 AIX Vulnerabilities 3 months to April 17th 2012
There are 7 matching records. Displaying matches 1 through 7.
CVE-2012-0067
Summary: wiretap/iptrace.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers
to cause a denial of service (application crash) via a long packet in an AIX iptrace file.
Published: 04/11/2012
CVSS Severity: 4.3 (MEDIUM)
CVE-2012-1796
Summary: Unspecified vulnerability in IBM Tivoli Monitoring Agent (ITMA), as used in IBM DB2 9.5 before
FP9 on UNIX, allows local users to gain privileges via unknown vectors.
Published: 03/20/2012
CVSS Severity: 7.2 (HIGH)
CVE-2011-1385
Summary: IBM AIX 5.3, 6.1, and 7.1, and VIOS 2.1.x and 2.2.x, allows remote attackers to cause a denial of
service (system crash) via an ICMP Echo Reply packet that contains 1 in the Identifier field, a different
vulnerability than CVE-2012-0194.
Published: 03/02/2012
CVSS Severity: 7.8 (HIGH)
CVE-2012-0194
Summary: The TCP implementation in IBM AIX 5.3, 6.1, and 7.1, when the Large Send Offload option is
enabled, allows remote attackers to cause a denial of service (assertion failure and panic) via an unspecified
series of packets.
Published: 02/06/2012
CVSS Severity: 7.1 (HIGH)
CVE-2011-3597
Summary: Eval injection in the Digest module before 1.17 for Perl allows context-dependent attackers to
execute arbitrary commands via the new constructor.
Published: 01/13/2012
CVSS Severity: 7.5 (HIGH)
CVE-2011-1384
Summary: The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd programs in invscout.rte
before 2.2.0.19 on IBM AIX 7.1, 6.1, 5.3, and earlier allow local users to delete arbitrary files, or trigger
inventory scout operations on arbitrary files, via a symlink attack on an unspecified file.
Published: 01/04/2012
CVSS Severity: 4.0 (MEDIUM)
9.3 HP-UX Vulnerabilities 3 months to April 17th 2012
There are 5 matching records. Displaying matches 1 through 5.
CVE-2012-0131
Summary: Distributed Computing Environment (DCE) 1.8 and 1.9 on HP HP-UX B.11.11 and
B.11.23 allows remote attackers to cause a denial of service or possibly have unspecified other
impact via unknown vectors.
Published: 04/05/2012
CVSS Severity: 10.0 (HIGH)
CVE-2012-0126
Summary: Unspecified vulnerability in the WBEM implementation in HP HP-UX 11.11 and 11.23
allows remote attackers to obtain access to diagnostic information via unknown vectors, a related
issue to CVE-2012-0125.
Published: 03/28/2012
CVSS Severity: 5.8 (MEDIUM)
CVE-2012-0125
Summary: Unspecified vulnerability in the WBEM implementation in HP HP-UX 11.31 allows local
users to obtain access to diagnostic information via unknown vectors, a related issue to CVE-2012-0126.
Published: 03/28/2012
CVSS Severity: 3.3 (LOW)
CVE-2012-1796
Summary: Unspecified vulnerability in IBM Tivoli Monitoring Agent (ITMA), as used in IBM DB2
9.5 before FP9 on UNIX, allows local users to gain privileges via unknown vectors.
Published: 03/20/2012
CVSS Severity: 7.2 (HIGH)
CVE-2011-3337
VU#448051
Summary: eEye Audit ID 2499 in eEye Digital Security Audits 2406 through 2423 for eEye
Retina Network Security Scanner on HP-UX, IRIX, and Solaris allows local users to gain privileges
via a Trojan horse gauntlet program in an arbitrary directory under /usr/local/.
Published: 01/04/2012
CVSS Severity: 6.9 (MEDIUM)
10 Security Links and Online Resources
10.1 Microsoft Links
SAP on SQL Server Blog
http://blogs.msdn.com/b/saponsqlserver/
Guide to TCPIP ports used by Windows components:
http://support.microsoft.com/kb/832017
How to change Terminal Server's listening port:
http://support.microsoft.com/kb/187623/
Windows Server – Threats and Countermeasures:
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx
Windows Terminal Services 6.0 client:
http://support.microsoft.com/?kbid=925876
10.2 SAP Links
Note that the SAP OSS Notes and SAP Product Support Matrix are only available to registered customers of
SAP AG and SAP Service Marketplace.
TCPIP Ports used by SAP Applications.pdf
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/4e515a43-0e01-0010-2da19bcc452c280b
10.3 General Security Links
Information detailing the security vulnerabilities in first generation protocols:
http://en.wikipedia.org/wiki/Telnet
http://en.wikipedia.org/wiki/File_Transfer_Protocol
http://en.wikipedia.org/wiki/Remote_Shell