Sap Hardering For Windows Server
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Sap Hardering For Windows Server as PDF for free.
More details
- Words: 21,339
- Pages: 101
SAP Hardening and Patch Management Guide for Windows Server Microsoft Corporation November 15, 2005
Summary This whitepaper introduces security measures for SAP systems running on Windows Server. Two security measures are described: hardening and patch management. These security measures can help enhance security within your Windows Server-based SAP environment.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This Whitepaper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may own patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not assign any license to these patents, trademarks, copyrights, or other intellectual property. © 2005 Microsoft Corporation. All rights reserved. Microsoft, SQL Server, Windows, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents 1 Introduction........................................................................................................................................... 1 2 Hardening .............................................................................................................................................. 5 2.1 What Is Hardening? ......................................................................................................................... 5 2.2 Multi-layered Hardening................................................................................................................... 6 2.3 Harding Implementation Steps......................................................................................................... 6 2.4 Implementation of Hardening........................................................................................................... 7 Network Hardening............................................................................................................................. 7 Server Hardening ............................................................................................................................. 23 Implement Other Hardening ............................................................................................................. 41 2.5 Other Hardening Information ......................................................................................................... 44 2.6 Operation Checks .......................................................................................................................... 45 2.7 Final Security Check ...................................................................................................................... 47 2.8 Other Methods for Checking Hardening Implementation .............................................................. 47 3 Patch Management............................................................................................................................. 48 3.1 What Is Patch Management?......................................................................................................... 48 3.2 Collecting Information .................................................................................................................... 49 Collecting Information about Security Vulnerability.......................................................................... 49 3.3 Assessing Risks............................................................................................................................. 50 Assessing the Consequences and Urgency of the Vulnerability...................................................... 52 What is a Vulnerability Assessment Matrix? .................................................................................... 52 Organizing the Information about Security Vulnerability .................................................................. 53 Assessing the Pros and Cons of the Risk ........................................................................................ 54 Determining the Degree of Urgency................................................................................................. 54 Devising a Plan for Responding to the Vulnerability ........................................................................ 59 3.4 Applying Security Update Program................................................................................................ 61 Points to Consider When Applying Security Patches ...................................................................... 61 Testing the Security Update Program before Application ................................................................ 62 Testing the Application in a Test Environment................................................................................. 62 Updating via Management Tools ..................................................................................................... 62 3.5 Monitoring the Results ................................................................................................................... 63 Verifying Behavior in the Test Environment ..................................................................................... 63
Confirming the Steps for Roll-Back in the Test Environment........................................................... 64 Confirming that the Necessary Programs have been Applied ......................................................... 64 Appendix: Report on Hardening Verification .................................................................................... 65 1.1 Verification Scenarios .................................................................................................................... 65 1.2 Contents of Verifications ................................................................................................................ 66 1.3 Verification Results ........................................................................................................................ 66 1.4 Network Hardening Settings .......................................................................................................... 67 Network Hardening in SAP R/3 Enterprise ...................................................................................... 67 Network Hardening in SAP ITS ........................................................................................................ 69 Network Hardening in SAP Enterprise Portal................................................................................... 72 1.5 Service and Other Hardening Settings .......................................................................................... 77 Service Hardening Using Templates................................................................................................ 77 Reconfigurations Made After the Application of Security Templates ............................................... 94
SAP Hardening and Patch Management Guide for Windows Server
4
1 Introduction Recently, there has been an increase in reports by newspapers and TV programs about computer virus damage and information leakages. Computer virus damage and information leakages may cause suspension of business and consume large amounts of company resources in taking countermeasures. In serious cases, it may pose a threat to the status and reputation of the company. SAP systems typically handle mission-critical operations, such as finance and sensitive company information. For this reason, if information leakage or virus problems occur in an SAP system, the company may suffer enormous damage. To reduce the risk of unplanned system shutdowns, effective security measures must be taken. This whitepaper presents hardening and patch management as security measures against such risks to Windows Server-based SAP systems. The purpose of hardening is to achieve a system environment that is less vulnerable to unauthorized access and virus attacks. In the Hardening chapter, we describe how to define and implement hardening, as well as verify the implementation. The purpose of patch management is to assess the specific risks to a company and to apply appropriately timed security update programs. With patch management, the minimum required security update programs can be applied to that helps to minimize the risks and costs of system changes. In the Patch Management chapter, defining patch management and operation is explained in five steps: "Collecting Information", "Assessing Risks", "Applying the Security Update Programs", and "Monitoring the Result." Throughout the chapter, risk assessment is emphasized.
Note: Hardening and patch management are complementary procedures and implementation of one without the other will be insufficient. Hardening helps to reduce a system from possible attacks (such as from computer viruses), but may not be able to handle unfamiliar attack methods. To minimize this possibility, risk assessment (as a part of patch management) should be implemented.
Purpose of This Whitepaper Secure system environments can be maintained by applying security update programs as soon as they are released. However, it may be difficult to apply them immediately after release because of issues such as the costs associated with verifying the effect of a security update program, the interruption of services when the programs are applied to the operating environment, and the risk of altering the operating environment. This whitepaper aims at helping to alleviate these problems and attempts to help you build a more secure SAP system. By applying what is described in this whitepaper to a Windows Server-based SAP system, help with securing an SAP system (and thus addressing an aspect of high system availability) is achieved and TCO may be reduced. Note that most of the configuration-specific guidance in this paper is applicable to Windows Server 2003. Similar procedures may be found in Windows Server 2000 documentation dependent on the particular topic covered.
SAP Hardening and Patch Management Guide for Windows Server
1
Scope of Security Measures Covered in This Whitepaper Common security measures are further classified into "technical measures" (such as installation or configuration of hardware and software) and "institutional measures" (such as creation of policies, or determination and analyses of vulnerabilities).
Figure 1 – Security Measures
Among the security measures illustrated in Figure 1, "Building a Secure System (Multi-layer Defense)" and "Patch Management" can be effective technical measures if implemented properly.
SAP Hardening and Patch Management Guide for Windows Server
2
Multi-layer Defense Using a multi-layer approach Increases risk for attackers to be detected Reduces the possibility of successful attacks
Data Application Host Internal Network Boundaries Equipment Security Policies, Regulations and Awareness
The idea is to protect the system from unexpected attacks. It enhances protection by setting multiple defense lines. ACL, Encryption Enhancing Applications, Virus Protection Enhancing operation systems, Security Update Management, Authentication, HIDS Network Segment, IPSec, NIDS Firewall, VPN isolation Security Guard, Lock and Tracking Device User Education
Figure 2 – Multi-layer Defense
SAP Hardening and Patch Management Guide for Windows Server
3
This whitepaper covers the security measures indicated under the Category column of Table 1: Common Security Measures. For security issues not listed here, appropriate measures will need to be implemented as necessary.
Table 1: Common Security Measures Category
Measures
Technical measures
Security breach inspection
Coverage
Building a secure system
Data
(multi-layer defense)
Application Host
Yes
Internal network
Yes
Boundaries Equipment security Policies, regulations, and awareness Patch Management
Yes
Monitoring viruses and unauthorized access Institutional measures
Risk analysis
Yes
Operation guidelines Risk management procedures Policy implementation
It is also important to note that such security measures must be considered on every SAP system in your environment (regardless of the type of operating system or database used) as no platform is completely secure.
SAP Hardening and Patch Management Guide for Windows Server
4
2 Hardening This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP system.
Contents of this Chapter This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP system.
1. 2. 3. 4. 5.
What is Hardening? Multi-layered Hardening Implementation of Hardening Final Security Check Summary
2.1 What Is Hardening? Hardening an SAP system is configuring your SAP system with only the minimum platform functions that are necessary for operating the system. In this way, security, availability and reduction of the operating cost of the system is addressed.
Hardening Defined… Definition: Configuring SAP systems with only the minimum platform functions that are necessary for operating the system.
Effect:
Enhances security Prevent the SAP system from exposure to unnecessary vulnerability risks and block computer virus attacks to a maximum extent.
Effect:
Ensures availability Minimize the frequency of applying security update programs that often require systems to be shutdown.
Effect:
Reduces operational cost Minimize the frequency of applying security update programs that may involve userside testing.
SAP Hardening and Patch Management Guide for Windows Server
5
2.2 Multi-layered Hardening This whitepaper covers three types of hardening which are especially effective on SAP systems.
Effective hardening methods for SAP systems This whitepaper covers three types of hardening can be effective on SAP systems, if implemented properly.
1. Network hardening (internal network layer) 2. Service hardening (host layer) 3. Other hardening (host layer)
2.3 Harding Implementation Steps Hardening should be implemented in stages. For example, take one item (such as network or service) at a time, check the behavior, then move on to the next item.
Assure there is a means for rollback or backup the system configuration (*1)
Implement network hardening
Implement server hardening
Implement other hardening
Step-by-step implementation of hardening Repeat the procedure for each server and hardening (rollback when a problem arises) Operation checks
Final security check (*2)
Figure 3 - Hardening Implementation Steps *1 Use ASR backup of Windows Server 2003 or a third party image backup tool. *2 Use Microsoft Baseline Security Analyzer or other tools.
SAP Hardening and Patch Management Guide for Windows Server
6
2.4 Implementation of Hardening Before implementing high-quality hardening, some preparation is required. Some important preparation tasks are: clarifying the required security level, checking the specifications of your system, determining what might need hardening, estimating the cost and the effect of the hardening, and determining what to harden.
Preparations before implementing hardening Before implementing high-quality hardening, some preparation is required.
1. Clarifying the required security level Determine how far security should be enhanced.
2. Checking the system specifications Check the specifications of not only the SAP system but also systems other than SAP. This includes checking required communication paths, ports, and services.
3. Determining what might need hardening Determine what should be subjected to network, service, and other hardenings.
4. Estimating the cost and the effect of the hardening Estimate the effect and the associated cost beforehand to ensure maximum effect with minimum cost.
5. Determining what to harden Decide which items should be subjected to hardening and how extensively it should be done.
Network Hardening Hardening networks on an SAP system is implementing packet filtering to block unnecessary communications. With this, the goal is to make stacks more difficult by blocking unnecessary communication.
Network Hardening Defined… Definition: Implementing packet filtering on SAP systems to block unnecessary communications.
Effect:
Blocks attacks that use unnecessary communications Making attacks against vulnerability more difficult by closing unnecessary communications to SAP systems.
SAP Hardening and Patch Management Guide for Windows Server
7
Network hardening is important on SAP systems for the following reasons: 1) SAP systems only use specific ports that can be easily identified, 2) the ports used on SAP systems are typically less apt to be attacked by computer viruses, and 3) hardening networks to the maximum extent makes attacks more difficult for hackers.
Importance of Network Hardening Reasons why network hardening is important on all SAP systems in your environment.
Reason: SAP systems only use specific ports that can be easily identified. The ports are further limited when the functions of the SAP J2EE engine are suspended.
Reason: The ports used on SAP systems are that are typically less apt to be attacked by computer viruses. The ports are also customizable.
Reason: Therefore, hardening networks to the maximum extent makes attacks more difficult.
As a first step, determine which servers are critical to deliver SAP services (which servers might be a single point of failure from a network hardening perspective?).
SAP Central Instance
SAP Database Instance
Other non-redundant servers
Such a determination will decrease the time necessary to install the applicable security patches which could lead to downtime for these servers from a standpoint of availability. Therefore, there would be implementation of port and services limits of these specific SAP application and database servers (also effective with SAP Router) while other servers may not have such strict limitations. Overall, separate SAP servers which potentially have a single point of failure (CI, DB, etc.) from others; thus creating a “SAP server segment” via firewall, router, etc. So that security patches can be done one by one, other SAP-related servers that are “redundant” are separate (e.g. SAP dialog instance, ITS AGate/WGate, etc.).
SAP Hardening and Patch Management Guide for Windows Server
8
Figure 4 – An Example of Network Hardening for a Corporate Network
Ports and Packet Filtering Packet filtering should be taken into consideration to block all unnecessary network traffic on ports to SAP systems (as well as any 3rd party tools) and IPSec script policy should be leveraged. Execute IPSec policy scripts on each Windows Server and hardware-based packet filtering to lock down specific ports can be done via a firewall, router, and layer 3 switch among network subnets. (See SAP Note #66687 (“Use of Network Security Products”) concerning SAP certification requirements for some 3rd party network security tools.) Note that Microsoft ISA Server 2004 can provide advanced firewall protection and includes the following:
One machine can act as both Firewall and SAP Router
Application layer filtering
Can decrypt HTTPS, inspect content and redeliver it internally
Pre-authentication, form based
Attachment control
SAP Hardening and Patch Management Guide for Windows Server
9
Interface blocking
Intrusion detection
By applying the IPSec script policy to your server, you can confine the communication pathway and restrict the TCP and UDP ports used for the communication. For how to use IPSec, refer to: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod111.asp
The following is includes an example of the IPSec script policy: :IPSec Policy Definition netsh ipsec static add policy name="Packet Filters - R3" description="Server Hardening Policy" assign=no :IPSec Filter List Definitions netsh ipsec static add filterlist name="ALL" description="Server Hardening" netsh ipsec static add filterlist name="DIALOG" description="Server Hardening" netsh ipsec static add filterlist name="MSSQL" description="Server Hardening" :IPSec Filter Action Definitions netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block :IPSec Filter Definitions netsh ipsec static add filter filterlist="ALL" srcaddr=any dstaddr=me description="ALL" protocol=any srcport=0 dstport=0 netsh ipsec static add filter filterlist="DIALOG" srcaddr=any dstaddr=me description="DIALOG" protocol=TCP srcport=0 dstport=3200 netsh ipsec static add filter filterlist="MSSQL" srcaddr=me dstaddr=192.168.12.3 description="MSSQL" protocol=TCP srcport=0 dstport=1433 :IPSec Rule Definitions netsh ipsec static add rule name="ALL" policy="Packet Filters - R3" filterlist="ALL" kerberos=yes filteraction=Block netsh ipsec static add rule name="DIALOG" policy="Packet Filters - R3" filterlist="DIALOG" kerberos=yes filteraction=SecPermit netsh ipsec static add rule name="MSSQL" policy="Packet Filters - R3" filterlist="MSSQL" kerberos=yes filteraction=SecPermit
netsh ipsec static set policy name="Packet Filters - R3" assign=y
Example: Create the sample code as a batch file and execute it on SAP R/3 Enterprise server. 1 Default communication blocked. 2 Permit dialog process access from clients (between clients and SAP R/3 Enterprise via destination port TCP 3200). 3 Permit access from SAP R/3 Enterprise to DB instances (between SAP R/3 Enterprise and SQL server via destination port TCP 1433).
SAP Hardening and Patch Management Guide for Windows Server
10
Necessary Ports for Operating SAP Systems A list of ports used by:
SAP systems (along with other security-related documentation): http://service.sap.com/security Æ Security Detail Æ Infrastructure Security.
Windows Server System: “Service Overview and Network Port Requirements for the Windows Server System” http://support.microsoft.com/default.aspx?scid=kb;en-us;832017.
SQL Server: over TCP: 1433, UDP: 1434
IIS (World Wide Web Publishing Service): 80, 443
Terminal Services and Remote Desktop: 3389 (default; can be configured): “How to Change the Listening Port in the Windows Terminal Server Web Client” http://support.microsoft.com/default.aspx?scid=kb;en-us;326945)
Active Directory (dependent on design): “How to Configure a Firewall for Domains and Trusts” http://support.microsoft.com/kb/179442/EN-US/ “Restricting Active Directory Replication Traffic to a Specific Port” http://support.microsoft.com/default.aspx?scid=kb;en-us;224196
SAP Hardening and Patch Management Guide for Windows Server
11
Table 2 – Necessary (Destination) Ports for Operating SAP Systems Application SAP R/3 Enterprise
SAP ITS Wgate
SAP ITS Agate
SAP Enterprise Portal 6.0
SAP Enterprise Portal IIS Proxy
Service Name sapdpNN sapgwNN SAPlpd HTTP/HTTPS sapmsSID HTTP/HTTPS SMTP HTTP/HTTPS IIOP Initial context /IIOP over SSL P4/P4 over HTTP tunneling /P4 over SSL IIOP JMS Telnet Multiplexer Portwatcher HTTP MessageServer HTTP/HTTPS Engue Server Eng. Replication sapvw00_<SID> sapvwmm_<SID> sapvw00_ADM sapvwmm_ADM HTTP/HTTPS sapdpNN sapgwNN sapmsSID HTTP/HTTPS IIOP Initial context /IIOP over SSL P4/P4 over HTTP tunneling /P4 over SSL IIOP JMS Telnet HTTP/HTTPS HTTP/HTTPS
Protocol TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP
Destination Port 32NN 33NN 515 81NN/444NN 36NN 80NN/443NN 25 5NN00/5NN01 5NN02/5NN03 5NN04/5NN05/5NN06 5NN07 5NN10 5NN08 4NN00 4NN01-79 4NN80-99 5NN17/5NN18/5NN19 36NN 81NN/444NN 32NN 33NN 39NM 39N9 39NM 39N9 80/443 32NN 33NN 36NN 5NN00/5NN01 5NN02/5NN03 5NN04/5NN05/5NN06 5NN07 5NN10 5NN08 5NN17/5NN18/5NN19 80/443 5NN00/5NN01
Note: • The port numbers are customizable. • <SID> represents an SAP system ID (such as P01) and represents an instance number (such as 00).
SAP Hardening and Patch Management Guide for Windows Server
12
Table 3 – Necessary (Destination) Ports for Operating SAP Systems (cont’d) Application SAP Router
SAP Web Dispatcher Active Directory SQL Server Oracle DB2/UDB SAPDB Informix IIS Terminal Services Windows Server
Service Name Protocol Destination Port SAProuter TCP 3299 sapdpNN TCP 32NN sapgwNN TCP 33NN sapmsSID TCP 36NN HTTP/HTTPS TCP 80/443 HTTP/HTTPS TCP 80NN/443NN See Microsoft Knowledge Base Article #179442 – “How to Configure a Firewall for Domains and Trusts" and #224196 – “256986) at support.microsoft.com SQL over TCP TCP 1433 TCP 1527 TCP Customize TCP 7200/7210 TCP 3800 HTTP TCP 80 HTTPS TCP 443 TCP 3389 NetMeeting Remote Desktop Sharing (Used TCP 3389 by SAP Support) File Sharing (Used in the sharing of SAP TCP 445 migration files and in the shipping of UDP 445 SQL server logs) TCP 137 UDP 137 UDP 138 TCP 139 Clustering (Central instance and DB TCP 135 instance multiplexing) UDP 3343 For details, see Microsoft Knowledge Base Article #832017 – “Port Requirements for the Microsoft Windows Server System".
Note: • The port numbers are customizable. • <SID> represents an SAP system ID (such as P01) and represents an instance number (such as 00).
SAP Hardening and Patch Management Guide for Windows Server
13
Figure 5 – Ports Used by SAP R/3 Enterprise
Figure 6 – Ports Used by SAP ITS (Wgate and Agate)
SAP Hardening and Patch Management Guide for Windows Server
14
Figure 7 – Ports Used by SAP Enterprise Portal 6.0
Figure 8 – Ports Used by SAP Enterprise IIS Portal Proxy
SAP Hardening and Patch Management Guide for Windows Server
15
Figure 9 – Ports Used by SAP Router
Figure 10 – Ports Used by SAP Web Dispatcher
SAP Hardening and Patch Management Guide for Windows Server
16
Configuration of Ports For configuration of ports and other steps for network hardening, use the "Microsoft Management Console (MMC)": Click Start, and then click Run. 1.
Type "mmc" in the Name field of the Select File To Run dialog box, and then click OK.
2.
The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.
3.
From the pull-down menu, select Add/Remove Snap-in.
4.
The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.
5.
In the Standalone tab, click Add.
6.
The Add Standalone Snap-in dialog box is displayed. Select IP Security Policy Management in the Available Standalone Snap-ins dialog box, and then click Add.
7.
The Select Computer or Domain dialog box is displayed. Select Local Computer. Click Finish.
8.
Click Close on the Add Standalone Snap-in dialog box.
9.
Click OK on the Add/Remove Snap-in dialog box.
10.
IP Security Policies on Local Machine is added under the Console Root on the Microsoft Management Console.
11.
Click the added IP Security Policies on Local Machine to display the registered IP security policy in the right pane.
Figure 11 – IP Security Policy
SAP Hardening and Patch Management Guide for Windows Server
17
12.
Double-click the registered Packet Filters - R3.
Figure 12 – Packet Filter IP Security Policy 13.
The Packet Filters - R3 Properties dialog box is displayed (see Figure 10). Click the Rules tab.
14.
Select an IP filter that you want to verify from the IP Security Rules section on the Rules tab, and then click Edit.
Figure 13 – Edit Rule
SAP Hardening and Patch Management Guide for Windows Server
18
15.
Select the IP Filter List tab on the dialog box that is displayed.
16.
Select an IP filter that you want to verify from the IP Filter List section in the IP Filter List tab, and then click Edit.
17.
The IP Filter List dialog box is displayed and you can verify the configuration of the IP filter.
Figure 14 – IP Filter List 18.
When you finish verifying the IP filter, click Cancel to close the dialog box.
19.
To verify the configuration of the filter action, select the Filter Action tab in the Edit Rule Properties dialog box.
Figure 15 – Filter Actions
SAP Hardening and Patch Management Guide for Windows Server
19
To un-assign network hardening, select then right-click on Packet Filters - R3 in the Microsoft Management Console. Then select Un-assign from the pop-up menu. To remove the network hardening, select Delete from the same pop-up menu.
Figure 16 – Un-assign IP Security Policy
SAP Hardening and Patch Management Guide for Windows Server
20
Network Communication Paths
Figure 17 – Communication Paths for an SAP R/3 Enterprise Environment
Figure 18 – Communication Paths for an SAP ITS Environment
SAP Hardening and Patch Management Guide for Windows Server
21
Figure 19 – Communication Paths for an SAP Enterprise Portal Environment
Figure 20 - Communication Paths for an SAP Enterprise Portal + Active Directory Environment
SAP Hardening and Patch Management Guide for Windows Server
22
Active Directory Considerations As per SAP’s Web AS installation guide, SAP application and database servers should be implemented in either of the following ways:
Extra domain: SAP systems are embedded in their own “SAP”-specific domain and a separate domain is used for user accounts. Both domains must be incorporated in a domain tree with the user account domain as the root domain and the SAP domain as the child.
Single domain: SAP servers and user accounts are in the same domain.
Reference SAP Note #711319 (“Domain Installation using Delegation of Administration in AD”) for information regarding the situation when installation of SAP cannot be performed by a domain administrator as specified in SAP’s installation guides. Also, for SAP Enterprise Portal, situations may arise where it may be desired to prevent local users from another domain from logging into SAP EP. See SAP Note #710032 (“Restrict Windows Authentication to Domains”) for specific configuration information to meet this need.
Server Hardening An SAP system is under unnecessary security risks when there are services not applicable to SAP or have ineffective settings. Therefore, administrators should disable unnecessary services and strengthen security settings for others to the extent that SAP services can run without any issues. Such actions can be efficiently performed to some extent by utilizing security templates provided by Microsoft.
Hardening Using Templates You can use the Windows Server 2003 Security Guide and the associated templates as a step towards implementation of hardening. There are three types of security templates that are differentiated according to the security environment and nine types of templates that are differentiated according to the server role. You will need to implement a hardening for each server role. For more information on the Windows Server 2003 Security Guide, visit the Microsoft Download Center. http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655521EA6C7B4DB&displaylang=en#filelist
Three types of templates differentiated according to security environment •
Legacy client (security level: low)
•
Enterprise client (security level: medium)
•
High security (security level: high)
SAP Hardening and Patch Management Guide for Windows Server
23
Nine types of templates differentiated according to server role •
Domain controller
•
Member server
•
Web server
•
Infrastructure server (DHCP, WINS)
•
File server
•
Print server
•
IAS server
•
Certificate service server
•
Bastion host
Additional Information: After applying Windows Server 2003 templates, you can make your SAP system more secure by checking and changing the following configurations in accordance with the documents in Table 3. - Confirm that every partition of the disk is formatted in NTFS. - Confirm that an invulnerable password is set for the Administrator account. - Disable or delete unnecessary accounts. - Make sure that the old security configurations are not changed when you upgrade your system from previous versions. - Configure the Administrator account. - Delete all unnecessary file sharing. - Specify an appropriate ACL for every necessary file sharing. - Protect your Telnet server. - Enable IIS logging. - Unbind NetBIOS from TCP/IP. - Remove OS/2 and POSIX subsystems. - Disable the automatic generation of short file names (8.3 format). - Disable the creation of LM hashes. - Configure NTLMSSP security. - Disable automatic execution.
Use Microsoft Management Console to apply security templates. Before you apply a security template, you need to backup the role security policies using an administrative tool called "Local Security Policy."
SAP Hardening and Patch Management Guide for Windows Server
24
Backup Local Security Policy 1.
Click Start, and then select All Programs.
2.
Select Administrative Tools in the All Programs menu, and then click Local Security Policy.
3.
The Local Security Policy dialog box is displayed. Select then right-click Security Settings in the dialog box.
4.
Select Export Policy from the pop-up menu.
Figure 21 – Backup Local Security Policy
5.
The Export Policy To dialog box is displayed. In the File Name field, type the name of the file that you want to export the policy to.
6.
Click Save to export the local security policy to the file.
SAP Hardening and Patch Management Guide for Windows Server
25
Applying the Security Template 1.
Click Start, and then click Run.
2.
Type "mmc" in the Name field of the Select File To Run dialog box and click OK.
3.
The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.
4.
From the pull-down menu, select Add/Remove Snap-in.
5.
The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.
6.
In the Standalone tab, click Add.
7.
The Add Standalone Snap-in dialog box is displayed. Select Security Configuration and Analysis in the Available Standalone Snap-ins dialog box, and then click Add.
8.
Click Close on the Add Standalone Snap-in dialog box.
9.
Click OK on the Add/Remove Snap-in dialog box.
10.
Security Configuration and Analysis is added under the Console Root on the Microsoft Management Console.
11.
Select then right-click the added Security Configuration and Analysis.
12.
Select Open Database from the pop-up menu.
Figure 22 – Security Configuration and Analysis
SAP Hardening and Patch Management Guide for Windows Server
26
13.
The Open Database dialog box is displayed. In the File Name field, type the name of the database that you want to open, and then click Open.
14.
The Import Template dialog box is displayed. In the File Name field, select the security template file (INF file) downloaded from Internet, and then click Open. You should select a security template file appropriate for your server configuration.
Figure 23 – Importing Templates 15.
On the Microsoft Management Console, select then right-click Security Configuration and Analysis.
16.
Select Analyze Computer Now from the pop-up menu.
Figure 24 – Security Configuration and Analysis SAP Hardening and Patch Management Guide for Windows Server
27
17.
When you execute analysis of the computer, red X marks appear to indicate the parts where the current settings should be changed.
18.
If you want to change the template, double-click the entry.
Figure 25 – Analysis of Computer 19.
If you want to change the template, change the entry.
Figure 26 – Property for Password Length
SAP Hardening and Patch Management Guide for Windows Server
28
20.
On the Microsoft Management Console, select then right-click Security Configuration and Analysis.
21.
Select Configure Computer Now from the pop-up menu.
Figure 27 – Configuration of Computer Note: • We recommend that the procedure be carried out step by step. • If you want to provide against the worst case, it is recommended that you perform a system backup using Automatic System Recovery (ASR) or an image backup tool before applying a template.
SAP Hardening and Patch Management Guide for Windows Server
29
Service Hardening Service hardening is the process of disabling the services that are unnecessary for operating your SAP system. In this way you can block attacks that use unnecessary services and improve the performance of the system.
Service Hardening Defined… Definition: Disabling services that are unnecessary for operating SAP systems.
Effect:
Blocking attacks that use unnecessary services Makes attacks against vulnerability more difficult by disabling services unnecessary for SAP systems.
Effect:
Improving performance Reduces the load on the server and improves performance by disabling services unnecessary for SAP systems.
Service hardening investigates Windows services that are unnecessary for the operation of the SAP system and disables their Startup options in order to prevent any attacks through usage of these unnecessary services. There are three settings for Startup options: "Auto", "Manual", and "Disable." Set the option in accordance with the criteria described in the table below.
Table 3: Setting the Startup Option Type of Service Services that are obviously unnecessary for operating the system Services that are obviously necessary for operating the system Other services
Startup Option Disable Auto Manual
Importance of Service Hardening Reasons why service hardening is important on all SAP systems in your environment.
Reason: SAP systems only use specific Windows services that can be easily identified. Reason: As long as you are willing to give up some functionality, many of the services can be disabled and the SAP system will still function adequately.
SAP Hardening and Patch Management Guide for Windows Server
30
Table 4: Services Necessary for SAP Systems Minimum required services for Windows Server
Additionally required services for SAP R/3 Enterprise
Additionally required services for SAP ITS Agate
Additionally required services for SAP Enterprise Portal Additionally required services for SQL Server
Additionally required services for clusters
Additionally required services for IIS Additionally required services for SAP ITS Wgate Additionally required services for SAP Enterprise Portal IIS Proxy
Event Log Logical Disk Manager Network Connections Plug and Play Protected Storage Remote Procedure Call Security Account Manager Windows Management Instrumentation Windows Management Instrumentation Extensions SAPOSCOL SAP<SID>_ SAP<SID>_ SAP ITS Manager - <SID> SAP ITS Manager - ADM ITS Watchdog SAP IACOR Manager SAP J2EE Engine Dispatcher Workstation Server MSSQLSERVER SQL Server Agent Remote Registry Cluster Service Removal Storage World Wide Web Publishing Service IIS Admin Service SAP IACOR Manager none
Note: • This table shows Windows services installed during a standard installation. Clustering environments may have different services. • <SID> represents an SAP system ID (such as P01) and represents an instance number (such as 00). For SAP R/3 Enterprise, there are two "SAP<SID>_" services - one is for central instances and the other is for central service instances. • SAP J2EE Engine (Dispatcher and Server), SDM, and IGS of SAP R/3 Enterprise are started by central instance services. • SAP J2EE Engine Server of SAP Enterprise Portal 6.0 is started by "SAP J2EE Engine Dispatcher" service. • When you disable services not listed in this table, you should check the intended purpose of the services and test it in the appropriate system environment.
SAP Hardening and Patch Management Guide for Windows Server
31
The tables below show the services that are not required for operating SAP various systems.
Table 5: Unnecessary Services for SAP Systems
Services not required by Domain Controller Alerter
Print Spooler
Application Layer Gateway Service
Remote Access Auto Connection Manager
Application Management
Remote Access Connection Manager
ClipBook
Remote Desktop Help Session Manager
COM+ System Application
Resultant Set of Policy Provider
DHCP Client
Routing and Remote Access
DHCP Server
Secondary Logon
Distributed Link Tracking Client
Shell Hardware Detection
Distributed Link Tracking Server
Smart Card
Distributed Transaction Coordinator
Special Administration Console Helper
Error Reporting Service
Task Scheduler
Help and Support
Telephony
HTTP SSL
Telnet
Human Interface Device Access
Terminal Services Session Directory
IMAPI CD-Burning COM Service
Themes
Indexing Service
Uninterruptible Power Supply
Internet Connection Firewall (ICF) / Internet Connection
Upload Manager
Sharing (ICS)
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
NetMeeting Remote Desktop Sharing
Windows Image Acquisition (WIA)
Network DDE
WinHTTP Web Proxy Auto-Discovery Service
Network DDE DSDM
Wireless Configuration
Portable Media Serial Number Service
SAP Hardening and Patch Management Guide for Windows Server
32
Table 6: Unnecessary Services for SAP Systems
Services not required for SAP R/3 Enterprise Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed Link Tracking Client
Resultant Set of Policy Provider
Distributed Link Tracking Server
Routing and Remote Access
Distributed Transaction Coordinator
Secondary Logon
Error Reporting Service
Shell Hardware Detection
File Replication
Smart Card
Help and Support
Special Administration Console Helper
HTTP SSL
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
NetMeeting Remote Desktop Sharing
Windows Image Acquisition (WIA)
Network DDE
WinHTTP Web Proxy Auto-Discovery Service
Network DDE DSDM
Wireless Configuration
SAP Hardening and Patch Management Guide for Windows Server
33
Table 7: Unnecessary Services for SAP Systems
Services not required for SQL Server (for SAP R/3 Enterprise) Alerter
Network DDE DSDM
Application Layer Gateway Service
Portable Media Serial Number Service
Application Management
Print Spooler
ClipBook
Remote Access Auto Connection Manager
COM+ System Application
Remote Access Connection Manager
DHCP Client
Remote Desktop Help Session Manager
Distributed File System
Remote Procedure Call (RPC) Locator
Distributed Link Tracking Client
Resultant Set of Policy Provider
Distributed Link Tracking Server
Routing and Remote Access
Distributed Transaction Coordinator
Secondary Logon
Error Reporting Service
Shell Hardware Detection
File Replication
Smart Card
Help and Support
Special Administration Console Helper
HTTP SSL
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
Microsoft Search
Windows Image Acquisition (WIA)
MSSQLServerADHelper
WinHTTP Web Proxy Auto-Discovery Service
NetMeeting Remote Desktop Sharing
Wireless Configuration
Network DDE
SAP Hardening and Patch Management Guide for Windows Server
34
Table 8: Unnecessary Services for SAP Systems
Services not required for SAP ITS Agate Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed File System
Resultant Set of Policy Provider
Distributed Link Tracking Client
Routing and Remote Access
Distributed Link Tracking Server
Secondary Logon
Distributed Transaction Coordinator
Shell Hardware Detection
Error Reporting Service
Smart Card
File Replication
Special Administration Console Helper
Help and Support
Task Scheduler
HTTP SSL
Telephony
Human Interface Device Access
Telnet
IMAPI CD-Burning COM Service
Terminal Services Session Directory
Indexing Service
Themes
Internet Connection Firewall (ICF) / Internet Connection
Uninterruptible Power Supply
Sharing (ICS)
Upload Manager
Intersite Messaging
Virtual Disk Service
Kerberos Key Distribution Center
WebClient
License Logging
Windows Audio
Messenger
Windows Image Acquisition (WIA)
NetMeeting Remote Desktop Sharing
WinHTTP Web Proxy Auto-Discovery Service
Network DDE
Wireless Configuration
Network DDE DSDM
SAP Hardening and Patch Management Guide for Windows Server
35
Table 9: Unnecessary Services for SAP Systems
Services not required for SAP ITS Wgate Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed File System
Resultant Set of Policy Provider
Distributed Link Tracking Client
Routing and Remote Access
Distributed Link Tracking Server
Secondary Logon
Distributed Transaction Coordinator
Shell Hardware Detection
Error Reporting Service
Smart Card
File Replication
Special Administration Console Helper
Help and Support
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
NetMeeting Remote Desktop Sharing
Windows Image Acquisition (WIA)
Network DDE
WinHTTP Web Proxy Auto-Discovery Service
Network DDE DSDM
Wireless Configuration
SAP Hardening and Patch Management Guide for Windows Server
36
Table 10: Unnecessary Services for SAP Systems
Services not required for SAP Enterprise Portal Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed File System
Resultant Set of Policy Provider
Distributed Link Tracking Client
Routing and Remote Access
Distributed Link Tracking Server
Secondary Logon
Distributed Transaction Coordinator
Shell Hardware Detection
Error Reporting Service
Smart Card
File Replication
Special Administration Console Helper
Help and Support
Task Scheduler
HTTP SSL
Telephony
Human Interface Device Access
Telnet
IMAPI CD-Burning COM Service
Terminal Services Session Directory
Indexing Service
Themes
Internet Connection Firewall (ICF) / Internet Connection
Uninterruptible Power Supply
Sharing (ICS)
Upload Manager
Intersite Messaging
Virtual Disk Service
Kerberos Key Distribution Center
WebClient
License Logging
Windows Audio
Messenger
Windows Image Acquisition (WIA)
NetMeeting Remote Desktop Sharing
WinHTTP Web Proxy Auto-Discovery Service
Network DDE
Wireless Configuration
Network DDE DSDM
SAP Hardening and Patch Management Guide for Windows Server
37
Table 11: Unnecessary Services for SAP Systems
Services not required for SQL Server (SAP Enterprise Portal) Alerter
Network DDE DSDM
Application Layer Gateway Service
Portable Media Serial Number Service
Application Management
Print Spooler
ClipBook
Remote Access Auto Connection Manager
COM+ System Application
Remote Access Connection Manager
DHCP Client
Remote Desktop Help Session Manager
Distributed File System
Remote Procedure Call (RPC) Locator
Distributed Link Tracking Client
Resultant Set of Policy Provider
Distributed Link Tracking Server
Routing and Remote Access
Distributed Transaction Coordinator
Secondary Logon
Error Reporting Service
Shell Hardware Detection
File Replication
Smart Card
Help and Support
Special Administration Console Helper
HTTP SSL
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
Microsoft Search
Windows Image Acquisition (WIA)
MSSQLServerADHelper
WinHTTP Web Proxy Auto-Discovery Service
NetMeeting Remote Desktop Sharing
Wireless Configuration
Network DDE
SAP Hardening and Patch Management Guide for Windows Server
38
Table 12: Unnecessary Services for SAP Systems
Services not required for SAP Enterprise Portal IIS Proxy Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed File System
Resultant Set of Policy Provider
Distributed Link Tracking Client
Routing and Remote Access
Distributed Link Tracking Server
Secondary Logon
Distributed Transaction Coordinator
Shell Hardware Detection
Error Reporting Service
Smart Card
File Replication
Special Administration Console Helper
Help and Support
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
NetMeeting Remote Desktop Sharing
Windows Image Acquisition (WIA)
Network DDE
WinHTTP Web Proxy Auto-Discovery Service
Network DDE DSDM
Wireless Configuration
SAP Hardening and Patch Management Guide for Windows Server
39
Implementing Service Hardening Use the administrative tool called "Services" to implement service hardening. 1.
Click Start, and then select All Programs.
2.
Select Administrative Tools in the All Programs menu, and then click Services.
3.
The Services dialog box is displayed. Select then right-click on the service that you want to harden.
4.
Select Properties from the pop-up menu.
Figure 28 – Service Hardening
SAP Hardening and Patch Management Guide for Windows Server
40
5.
The Properties dialog box is displayed. Set the Startup Type to Disable, and then click OK.
6.
Repeat the above procedure for all services that you want to harden.
Figure 29 – Disabling Services
Implement Other Hardening Internet Information Server (IIS) Hardening If using IIS 4.0 (NT 4.0) or 5.0 (Windows 2000) for SAP ITS or SAP Enterprise Portal, use the IIS Lockdown Tool to lock down services. The tool is available for download at http://www.microsoft.com/technet/security/tools/locktool.mspx. The lockdown tool provides an wizard to change security settings and various templates for various scenarios are available. URLscan integration is also provided which decreases the possibility of attack by computer viruses as it analyzes HTTP requests and keeps IIS from accepting unordinary requests. When using IIS 6.0 however, such toolkit functionality is included with Windows Server 2003. Note that usage of IIS 6.0 is only available for ITS starting with SAP ITS version 6.20 patch level 3 and IIS 6.0 on Windows Server 2003 is not installed or setup by default. See SAP Note #585545 for information on running SAP ITS on IIS 6.0. For reference, other security-related tools are available at http://www.microsoft.com/technet/security/tools/default.mspx.
SAP Hardening and Patch Management Guide for Windows Server
41
SQL Server Hardening If SQL Server 2000 is used as the database for SAP on Windows Server, refer to http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp for information on steps to secure SQL Server 2000. Information for SAP running on Windows Server 2003 will be added to this whitepaper when available.
Install most recent SQL Server Service Pack
Assess your server security with MBSA
Use Windows Authentication Mode
Isolate your server and backup it up regularly
Assign a strong SA password
Limit privilege of SQL Server Service o
One account per service
o
Simple Domain User right
Disable SQL Server port on Firewall
Use the most secure file system – NTFS
Delete or secure old setup files
Audit connection to SQL Server
Specific SAP Hardening For specific considerations for SAP applications (Basis level 4.6B and higher), refer to SAP Note #165485 (“R/3 Security under Windows NT”). In addition:
On servers without transport directory, you can restrict the directories \usr and \usr\sap to the local administrators: Administrators(Full Control).
On the transport server, generate a further local group "SAP_LocalAdmin". Insert the SAP_<SID>_GlobalAdmin groups of all SIDs involved in the transport into this group.
Assign the following authorizations to the directories \usr, \usr\sap and \usr\sap\trans: Administrators(Full Control) SAP_LocalAdmin(Full Control).
The shares "SAPLOC" and "SAPMNT" can also be provided with this authorization list.
Change password on default Users SAP*, DDIC… Client 000 and 066
SAP Hardening and Patch Management Guide for Windows Server
42
Anti-Virus Considerations Even further protection beyond locking down ports and services, segmenting the SAP servers onto a separate network, etc. is the protection via anti-virus software. Most Microsoft customers running SAP on Windows Server have used anti-virus software with shield activated without experiencing performance issues or problems and the following several best practices can be considered:
Exclude the database file(s)
Exclude SAP temporary files
Scan only incoming traffic or file on write operations
Do not activate self decontamination but warn SAP administrators immediately
Well known viruses can many times be detected and immediately removed without infection as antivirus vendors typically have provided the capability to quickly scan a system and update all definition files immediately in case of critical news of widespread attack. Critical viruses are, on average, typically only “unknown” for 24 hours. Another option can also include implementation of an anti-virus gateway.
SAP Workstation Hardening Even if an SAP client is secured through SAP security administration, a workstation (host) could be compromised through operating system, network, and other application vulnerabilities. As a result, it may not be able to run applications, it could be used as a “zombie” to run attacks and it could be used by an attacker to steal data, including usernames and passwords. Protection of workstations includes the following considerations:
Security Configuration OS, Application, Browser, E-mail, etc. Security Patches Service Packs Host firewall Scanning, Analyzing, Remediation Deployment strategy Antivirus Software
In addition, evaluate the latest security enhancements in relation to Windows XP SP2:
Windows Firewall Internet Explorer Security Enhancements Outlook Express Security Enhancements OS Security Enhancements o Core services reviewed and rewritten o Memory protection Review SAP Notes #66971 and 738927 about Windows XP SP2 Identify, Assess, Test and Deploy latest security patches Deploy baseline security on new machines
Specifically, the firewall provided with Windows XP SP2 is on by default for all network interfaces, provides boot-time security and global and per-interface configurations, has an exceptions list (that can be disallowed), accounts for local subnet restrictions, supports multiple profiles and RPC, can be configured via command-line and has better group policy management.
SAP Hardening and Patch Management Guide for Windows Server
43
The firewall’s feature of “on by default” is:
Installed with new installations and upgrades Enabled when new interfaces are added Has default configuration that provides good protection against worms (e.g., Blaster) Can account for certain applications that might require special settings Manageable through Group Policy Administrative Templates, Network, Network Connections, Windows Firewall, profile, "Windows Firewall: protect all network connections“
The firewall’s “boot time security” features:
Provides a new, static filtering policy at boot time Permits DNS, DHCP, Netlogon WF policy that is applied after logon (policy then stays in effect until after IP stack is shut down) Closes hole that existed after boot, but before policy application
The firewall’s “perimeter protection”:
Could be a distributed environment Application layer inspection Pre-authentication Protocol filtering o HTTP content, URL, and other filtering Port blocking Intrusion detection Logging
2.5 Other Hardening Information Other considerations that impact overall total cost of ownership (TCO) for hardening that need to be considered are aspects such as the use of Active Directory with proper Organizational Unit (OU) architecture and Group Policy Objects that can help with securing the overall computing environment. As well, management tools such as Microsoft Operations Manager (MOM), Terminal Services, HP OpenView, etc. can be used for centralized, proactive security monitoring and administration.
SAP Hardening and Patch Management Guide for Windows Server
44
Other Reference Information Microsoft TechNet Security Center http://www.microsoft.com/technet/security/default.mspx Windows Server 2003 Security Guide http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.mspx Windows Server 2000 Security Hardening Guide http://www.microsoft.com/technet/security/prodtech/Windows2000/win2khg/default.mspx Windows XP Security Guide http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx From Blueprint to Fortress: A Guide to Securing IIS 5.0 http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/dep ovg/securiis.mspx SAP Network and Layer Transport Security http://service.sap.com/security Æ Security in Detail Æ Infrastructure Security Æ Network and Layer Transport Security (SAP NW ’04) SAP Security Guides http://service.sap.com/security Æ Security in Detail Æ SAP Security Guides Æ SAP Basis / Web AS Security Guides or SAP NetWeaver ’04 Security Guide (Complete)
2.6 Operation Checks You can perform an operation check of your SAP system by performing a basic operation check in accordance with the table below.
Table 13: Basic Operation Check Environment
Operations to be checked
SAP R/3 Enterprise environment
Are the services of SAP R/3 Enterprise started? Any errors in the log? Are the services of RDBMS started? Any errors in the log? Can you log on to SAP R/3 Enterprise?
SAP ITS environment
Are the services of ITS Wgate started? Any errors in the log? Are the services of ITS Agate started? Any errors in the log? Can you log on using a Web browser?
SAP Enterprise Portal environment
Are the services of SAP Enterprise Portal started? Any errors in the log? Are the services of RDBMS started? Any errors in the log? Can you log on using a Web browser?
SAP Hardening and Patch Management Guide for Windows Server
45
You can also check your system using the checklist and the transactions described in the table below. Checking these items verifies that there are no problems at the SAP basis level (note that problems in the application level are not checked).
Table 14: Operation Checklist Task
Transaction
Method
Check that every AP server is started.
SM51-SAP Servers
Verify the work processes.
SM50-Process Overview
Check that every work process is in either "running" or "waiting" status.
Check if any updates have failed.
SM13-Update Records
Use "*" as the user ID and check if any "Err." have occurred for all updates in the past year.
Verify the system log.
SM21-System Log
Investigate peculiar events such as "Errors", "Warnings", "Security", "messages", "Abends Database" and "problems".
Check for cancelled jobs.
SM37-Select Background jobs
Use "*" as user ID and check that every critical job has been successful.
Check that no locks have continued for long periods of time.
SM12-Lock entry list.
Use "*" as user ID.
Verify the user sessions.
SM04-Users AL08 - Users
Check for unknown or suspicious user IDs.
Verify that there are no problems with spooling.
SP01-Spool: Request Screen
Investigate any processes with "in process" status lasting more than an hour.
Verify the job logs.
SM35-Batch input: Initial Screen
Investigate "New jobs" and "Incorrect jobs."
Analyze the dump.
ST22-ABAP Dump Analysis
Analyze the workload statistics.
ST03N-Workload:Analysis of <SID>
Analyze the buffer statistics.
ST02-Tune Summary
Investigate the error log.
ST04-DB Performance Analysis
Check usage of the table area.
DB12
Verify the system log.
OS06-OS Monitor
Investigate the swaps.
Investigate the OS log.
SAP Hardening and Patch Management Guide for Windows Server
46
2.7 Final Security Check After completing the hardening implementation, you need to check whether it has been implemented without omission. Use Microsoft Baseline Security Analyzer (MBSA) to check the security of your Microsoft products. With this tool, you can make a simple security check of Windows Server 2003, IIS and SQL Server. For the details about Microsoft Baseline Security Analyzer (MBSA), see •
Whitepaper: Microsoft Baseline Security Analyzer V1.2 www.microsoft.com/technet/security/tools/mbsawp.mspx
2.8 Other Methods for Checking Hardening Implementation You can also check your hardening implementation by using tools such as Ping, Event Viewer and group policy resultant sets.
Summary This chapter has explained how to implement hardening to improve your Windows Serverbased SAP systems.
1. Hardening is a solution that brings significant benefits to SAP system administrators. Hardening enables you to enhance security, ensure availability, and reduce the operating cost of the system.
2. Hardening is not a sufficient security measure in and of itself. To keep an SAP system secure, you should also include patch management in the implementation.
SAP Hardening and Patch Management Guide for Windows Server
47
3 Patch Management This chapter describes how to implement patch management for your Windows Server-based SAP system, from collecting information about security vulnerability to monitoring the results of security update programs. In this whitepaper, the focus is on the risk assessment used to determine whether you should apply a security update program depending on the system.
Contents of this Chapter This chapter describes how to implement patch management for your Windows Server-based SAP system.
1. 2. 3. 4. 5. 6.
What Is Patch Management? Collecting Information Assessing Risks Applying the Security Update Program Monitoring the result Summary
Microsoft and SAP work closely during the release cycle for service packs as Microsoft provides SAP all pending services packs prior to their release. Thorough testing occurs by SAP before Microsoft releases a particular service pack to ensure that installation will not cause a disruption of a running SAP system. See SAP Note #663621 (“Supporting Microsoft Hot Fixes with Windows Update”) for more information on SAP support of service packs. Specific SAP support statements for Microsoft Windows Server service packs can be found at SAP Note #30478 (“Support Packs on Windows”).
3.1 What Is Patch Management? Patch management is comprehensively controlling the application of released security update programs from the perspective of the processes involved and of your team (organization). This whitepaper concentrates on the security update programs. In an environment in which you have appropriately implemented hardening as described in Chapter 2 "Hardening", you may often find after implementing a risk assessment (which is one of the patch management steps), that it is not urgent to apply the patch immediately to protect against both known and new security vulnerabilities. Patch management can be divided into four major processes: 1) "Collecting Information", where you periodically check announcements about security vulnerability; 2) "Assessing Risks", where you analyze risks identified through the collected security vulnerability information; 3) "Applying the Security Update Program", where you test and apply the security update program; and 4) "Monitoring the Result", where you check that all the necessary security update programs have been applied. The following sections describe patch management based on these four processes.
SAP Hardening and Patch Management Guide for Windows Server
48
Collecting Information 3.2
Announcement about Security Vulnerability
Risk Analysis
Yes No
Have all update programs been applied? No
Monitoring the Result Check that the necessary update programs have all been applied
No Any problems after update?
Security update programs need to be applied? Assessing Risks 3.3
Restore system through a roll-back process Yes
Applying the security update program 0
Yes
Devise a plan to respond to the vulnerability
Test the security update program before application
Apply the security update program
Figure 30 – Example of the Patch Management Processes
3.2 Collecting Information Before implementing patch management, you must collect information about security vulnerability. There is a lot of information about security available from the Microsoft Web site. To effectively gather information, you should predetermine what information you are looking for and organize the latest information for easy checking and analysis.
Collecting Information about Security Vulnerability Since October of 2003 when it revised its policy concerning the publication of security vulnerability information, Microsoft releases information about security vulnerability on the "Microsoft Security Bulletin Summaries" site the second Tuesday of every month. By using the free "Microsoft Security Notification Service", you can be notified of the latest updated information by e-mail, eliminating the need for you to periodically check the site yourself. The "Microsoft Security Bulletin Summaries" describe in detail the nature of the vulnerability at issue, any affected software, the maximum severity rating, countermeasures, workarounds, etc. In addition, you can download any available security update programs as a countermeasure against the security vulnerability.
SAP Hardening and Patch Management Guide for Windows Server
49
Additional information: In an urgent situation (for example, the threat of infection by a computer virus or worm), Microsoft may release information about the security vulnerability anytime other than during the second week of the month in order to publish it as soon as possible. But by also subscribing to the "Microsoft Security Notification Service" (http://www.microsoft.com/technet/security/bulletin/notify.mspx), you can receive these urgent unscheduled release notifications by e-mail. We highly recommend use of this service.
Table 15: Sites Providing Information on Security Vulnerability Site Name Microsoft Security Bulletin Summaries Microsoft TechNet Security Center Microsoft Security Notification Service
Address http://www.microsoft.com/technet/security/bulletin/summary.mspx http://www.microsoft.com/technet/security/default.mspx http://www.microsoft.com/technet/security/bulletin/notify.mspx
3.3 Assessing Risks Risk Assessment means that, according to the system environment for each enterprise, you comprehensively determine your degree of urgency based on the information gathered in "3.2 Collecting Information"). In the environment for which you have properly implemented hardening as described in Chapter 2 "Hardening", you will often find that an "urgent application" is unnecessary because the degree of urgency is lower than that in the environment for which hardening has not been implemented. Microsoft applies the severity rating system to each Microsoft report on security vulnerability to help you determine the urgency of applying the security update program. The following table lists the ratings and their definitions. However, this rating information is based on the assumption that you have not implemented hardening for your system. You should determine the degree of urgency for your enterprise by comprehensively assessing such aspects as the importance of your system and the state of your hardening implementation. In the environment for which you have properly implemented hardening as described in Chapter 2 "Hardening", the degree of urgency is less critical than in the environment for which hardening has not been implemented.
SAP Hardening and Patch Management Guide for Windows Server
50
Table 16: Definitions of the Severity Ratings Rating Critical Important
Moderate
Low
Definition Describes vulnerability that, if exploited, could allow propagation of an Internet worm without user action. Describes vulnerability that, if exploited, could compromise user data confidentiality, integrity, or availability, as well as compromise the integrity or availability of processing resources. Describes vulnerability for which the possibility of exploitation is significantly lessened by the existing configuration, or by the difficulty of infiltration or exploitation. Describes vulnerability that is extremely difficult to exploit or the exploitation of which has minimal impact.
For more information, see the Microsoft Security Response Center Security Bulletin Severity Rating System (http://www.microsoft.com/technet/security/bulletin/rating.mspx). This whitepaper uses four categories to describe the urgency of applying the security update program: "Urgent application", "Applying during regular operation", "Applying with the service pack", and "No application". Determine the appropriate emergency assessment category to suit your operation depending on your system environment and security policies.
Example of the Emergency Assessment Categories Determine the appropriate emergency assessment category to suit your operation depending on your system environment and security policies.
1. Urgent application Apply within 1 month.
2. Applying during the regular course of operation At least once every 3 to 6 months.
3. Applying with the service pack When installing the next service pack.
4. No application OS, functionality, product not affected.
SAP Hardening and Patch Management Guide for Windows Server
51
Additional information: You can also obtain general emergency assessment from http://www.microsoft.com/technet/itsolutions/techguide/msm/default.mspx. However, this example of the emergency assessment categories was written based on actual SAPrelated consulting cases provided by Microsoft Consulting Services with some changes added. You should consider the trade-offs among various assessment factors, such as your hardening circumstances, risks, costs, time necessary to assess the security update program, and other practicalities, when deciding your emergency assessment category.
Assessing the Consequences and Urgency of the Vulnerability As described above, Microsoft releases information about security vulnerability once a month. But taking measures against all security vulnerabilities would increase costs and shutdown times for your system resulting in decreased availability. Since the consequences of the vulnerability vary depending on the environment, it is important to determine the degree of urgency for your particular situation. Even if the maximum severity rating of the security vulnerability is "Critical", if you do not use that particular vulnerable service, in many cases you can respond to the vulnerability by application during the regular course of operation (once every 3 to 6 months) or by application with the next service pack (when installing the next service pack). To reduce the operational cost involved in applying the security update program and to maintain high availability, you can create a matrix as one method for determining the consequences of the vulnerability and the degree of urgency. It will be referred to as the vulnerability assessment matrix in this whitepaper.
Example of a Method for Determining the Degree of Urgency Determine the appropriate emergency assessment category to suit your operation depending on your system environment and security policies.
- Vulnerability Assessment Matrix
What is a Vulnerability Assessment Matrix? The vulnerability assessment matrix is a matrix that can help you to determine the consequences of the vulnerability on your system and the countermeasures to take against it, even if your system environment is complex. You can create the matrix based on the information provided by Microsoft about the security vulnerability.
SAP Hardening and Patch Management Guide for Windows Server
52
Creating the Vulnerability Assessment Matrix The vulnerability assessment matrix consists of three major parts: "Organizing the information about the security vulnerability", "Assessing the pros and cons of the risk", and "Determining the degree of urgency for applying the security update program for each enterprise" (see Table 18: Vulnerability Assessment Matrix. Once you organize the information about the security vulnerability, you can create the steps "Organizing the information about the security vulnerability" and "Assessing the pros and cons of the risk". The portion "Organizing the information about the security vulnerability" is taken from the monthly Security Bulletin described in section 0, “Collecting Information about Security Vulnerability" (summarized from http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx, for example), available from the Microsoft Security Bulletin Summaries at http://www.microsoft.com/technet/security/bulletin/summary.mspx. For the contents of the excerpt, see the following section, "Organizing the Information about the Security Vulnerability". The part "Assessing the pros and cons of the risk" is created based on the information organized in the "Organizing the Information about the Security Vulnerability" along with your system configuration, and provides the criteria for determining the degree of urgency. By this determination, you can decide when to apply the security update program. To create the vulnerability assessment matrix, you must perform the following steps.
Step 1: Organizing Information about Security Vulnerability
Step 2: Assessing Pros and Cons of Risks
Step 3: Determining Urgency for Each Enterprise
Figure 31 – Process for Creating the Vulnerability Assessment Matrix
Organizing the Information about Security Vulnerability In this step, you organize the following information about the security vulnerability.
Consequences of the vulnerability Maximum severity rating Affected software Technical details o Technical description o Mitigating factors Workarounds Information about the security update program o Restart requirement o Information about uninstalling the program SAP Hardening and Patch Management Guide for Windows Server
53
Assessing the Pros and Cons of the Risk Assess each criterion based on the information from the step "Organizing the Information about Security Vulnerability". Are there consequences of the vulnerability? o Is there an affected OS? o Are there affected products or functionality? Is it possible for someone to attack anonymously? (simply an open port makes such an attack possible) Is it possible for someone to obtain or upgrade privileges? There is no effective workaround. Is it possible that the hardening implemented by each enterprise is not effective?
Determining the Degree of Urgency The degree of urgency for each enterprise is determined by the result of the step "Assessing the Pros and Cons of the Risk". See below for examples. In the first example, the determination is "Urgent application" because all the criteria in "Assessing the Pros and Cons of the Risk" apply to the system. In the second example, the determination is "Applying during regular operation" because the criterion "Your system is affected by the vulnerability" applies to the system and the maximum severity rating is "Important". The determination will vary depending on system configurations and environments.
Table 17: Determining Whether to Apply the Security Update Program Determination Urgent application Applying during regular operation
Applying with the service pack
No application
Criteria All the criteria in the "Assessing the Pros and Cons of the Risk" apply to your system. The criterion "Are there consequences of the vulnerability?" applies to your system and the maximum severity rating is "Critical" or "Important". The criterion "Are there consequences of the vulnerability?" applies to your system and the maximum severity rating is other than "Critical" or "Important". Your system is not affected.
SAP Hardening and Patch Management Guide for Windows Server
54
To help in the determination of whether to apply the security update program, you may want to create a flowchart. Note that the flowchart will vary according to system configurations and environments. Start
Affected by the Pros/Cons of the Risk
NO
YES
Pros and Cons of the Risk: All criteria apply to the system.
YES
NO
Maximum severity is "Critical" or "Important"
NO
YES Urgent application
Apply during the regular course of operation
Apply with the service pack
No application
Figure 32 – Sample Flowchart for Determining Whether to Apply the Security Update Program
SAP Hardening and Patch Management Guide for Windows Server
55
Table 18: Vulnerability Assessment Matrix
Determination Sample 1 - Hardening has not been Implemented Step 1: Organizing the Information about Security Vulnerability Security Bulletin No.
MS03-026
URL for information about the vulnerability
http://www.microsoft.com/technet/security/bulletin/MS03026.mspx July 17, 2003
Original release date of the vulnerability information report Time elapsed between information release and occurrence of computer virus Affected software
Maximum Severity Rating Nature of the vulnerability Characteristics
Mitigating factors
Restart required This security update program can be uninstalled
Microsoft Windows NT Server 4.0 Microsoft Windows NT Server 4.0 Terminal Server Edition Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Critical Buffer overruns in RPC interface could allow code execution (823980) (MS03-026) There is vulnerability in a part of RPC that handles message exchange over TCP/IP. The issue stems from incorrect handling of illegal messages. In order to exploit this vulnerability, the attacker would need to have specially altered or sent a request to port 135, 139, 445 on the remote machine, or to another port configured for RPC. Yes Yes
Pros and Cons of the Risk
Step 2: Assessing the Pros and Cons of the Risk Are there consequences of the vulnerability? Is there an affected OS? Are there affected products or functionality?
Yes Yes
Is it possible for someone to attack anonymously? Is it possible for someone to obtain privileges?
Yes
There is no effective workaround. Is it possible that the hardening implemented by each enterprise is not effective?
Yes Yes
Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise Determination
Urgent application. (After hardening is implemented, the degree of urgency will be lessened.)
SAP Hardening and Patch Management Guide for Windows Server
56
Table 19: Vulnerability Assessment Matrix
Determination Sample 2 - Hardening has not been Implemented Step 1: Organizing the Information about Security Vulnerability Security Bulletin No.
MS04-003
URL for information about the vulnerability
http://www.microsoft.com/technet/security/bulletin/MS04003.mspx
Original release date of the vulnerability information report Time elapsed between information release and occurrence of computer virus Affected software
January 14, 2004
Maximum Severity Rating
Important
Nature of the vulnerability
Buffer overrun in MDAC function could allow code execution (832483)
Characteristics
Microsoft Data Access Components (MDAC) is a collection of components that provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client.
Mitigating factors
For an attack to be successful, an attacker would have to simulate an SQL server that is on the same IP subnet as the target system.
Restart required
Yes
This security update program can be uninstalled
No
Microsoft Windows
Pros and Cons of the Risk
Step 2: Assessing the Pros and Cons of the Risk Are there consequences of the vulnerability? Is there an affected OS? Are there affected products or functionality?
Yes Yes -
Is it possible for someone to attack anonymously? Is it possible for someone to obtain privileges?
No Yes
There is no effective workaround. Is it possible that the hardening implemented by each enterprise is not effective?
No Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise Determination
Apply during the regular course of operation. (After implementing hardening, the degree of urgency will be lessened.)
SAP Hardening and Patch Management Guide for Windows Server
57
Table 20: Vulnerability Assessment Matrix
Determination Sample 3 - Hardening has not been Implemented Step 1: Organizing the Information about Security Vulnerability Security Bulletin No.
MS04-006
URL for information about the vulnerability
http://www.microsoft.com/technet/security/bulletin/MS04006.mspx
Original release date of the vulnerability information report Time elapsed between information release and occurrence of computer virus Affected software
February 11, 2004
Maximum Severity Rating
Microsoft Windows 2000 Server
Nature of the vulnerability
Microsoft Windows Server 2003
Characteristics
Important
Mitigating factors
Vulnerability in the Windows Internet Naming Service (WINS) could allow code execution (830352)
Restart required
A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method that WINS uses to validate the length of specially-crafted packets.
This security update program can be uninstalled
The WINS service is not installed by default.
Microsoft Windows NT Server
Pros and Cons of the Risk
Step 2: Assessing the Pros and Cons of the Risk Are there consequences of the vulnerability? Is there an affected OS? Are there affected products or functionality?
No No No
Is it possible for someone to attack anonymously? Is it possible for someone to obtain privileges?
No
There is no effective workaround. Is it possible that the hardening implemented by each enterprise is not effective?
No Yes
No
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise Determination
Only needs to be applied to the WINS server. Application to the WINS server during regular operation. (After hardening is implemented, the degree of urgency will be lessened.)
SAP Hardening and Patch Management Guide for Windows Server
58
Applying the Security Update Program After you determine that the security update program needs to be applied through the result of risk assessment of the vulnerability, you should apply it to your system. Applying the security update program is performed according to the following steps: "Devising a plan for responding to the vulnerability", "Testing the security update program before applying", "Applying the security update program", "Verifying the behavior after application", and if problems occur from the application, then "Restoring through the roll-back process".
Step 1: Devising a plan for responding to the vulnerability
Step 2: Testing the security update program before application
Step 3: Applying the security update program
Step 4: Verifying the behavior after application
Step 5: Restoring through the roll-back process
Figure 33 – Process Flow of Applying the Security Update Program
For the details on applying security update programs, see the document listed below.
Table 21: Reference Information How To Implement Patch Management http://msdn.microsoft.com/library/en-us/secmod/html/secmod108.asp
Devising a Plan for Responding to the Vulnerability To apply the security update program, you should first devise a plan for responding to the vulnerability. It is important to clarify the required security level since it varies depending on the system environment. Before applying the security update program, you may want to create a flowchart for managing the modification. By creating the flowchart, you can implement a better quality application. When devising the plan, you should refer to SAP Notes 30478, 62988 and 664607 to check whether this security update program has ever caused problems in the SAP environment.
SAP Hardening and Patch Management Guide for Windows Server
59
Start
Emergency? NO
YES
Normal process
Emergency process
Plan the steps for rapid change and restoration
Plan the steps for change and restoration
NO
Test the steps for change and restoration
Testing required? YES
Successful?
NO
Test quickly
YES Successful?
Adjust before applying to the production environment
Apply to the production environment
NO
YES Adjust before applying, then apply to the production environment
Finish
Finish
Figure 34 – Sample Flowchart for Managing Changes
SAP Hardening and Patch Management Guide for Windows Server
60
3.4 Applying Security Update Program Points to Consider When Applying Security Patches
Apply revision in order of registration o
Applying the Security Patch and service packs causes old program files to be overwritten with newer versions. Failure to observe the registration order will result in old modules being in the place of new modules.
Reapply revision if necessary o
When the system modules of network components and device drivers are added to Windows NT systems to which the Security Patch and Service Packs have already been applied, the manager must manually re-apply the Service Packs and Security Patch.
Re-application is also recommended for Windows 2000, XP, and 2003.
Apply only the correct update o
Security Patch and service packs vary with the version of the corresponding product.
Table 22: Security Patch Considerations System Upgrade Types
Timing of Patch Application to SAP System
If SAP System is Halted after Patch Application Problem solving based on SAP
Security Patch (Windows)
Note #664607 (uninstall, etc.)
Security Path (SQL Server)
Immediately after Microsoft releases the Revision Program (SAP Note #62988)
Service Packs (with strict change management process and testing)
Once support is offered by SAP (SAP Notes #30478, 62988 and hardware/management tool manufacturers)
SAP Hardening and Patch Management Guide for Windows Server
Contact SAP Support
61
Testing the Security Update Program before Application There may be rare occasions when a security update program will cause problems to a monitoring tool or other programs. Therefore, you should test the security update program in a test environment before applying it to the production environment. The test involves the following steps: "Testing the application in a test environment", "Verifying the behavior in the test environment", and "Confirming the steps for a roll-back in the test environment".
Test Steps Test the security update program in a test environment before applying it to the production environment.
1. Testing the application in a test environment 2. Verifying the behavior in the test environment 3. Confirming the steps for a roll-back in the test environment
Note: Before applying the security update program Refer to the SAP Notes (especially 30478, 62988, and 664607) and check whether this security update program has ever caused problems in the SAP environment.
Testing the Application in a Test Environment The steps for applying the security update program can vary depending on the enterprise. Before applying the security update program to the production environment, you need to confirm the application steps in a test environment and verify the system behavior after application.
Updating via Management Tools The cost involved in applying a security update program increases in proportion to the number of machines. To help reduce this cost, Microsoft offers the following tools: Software Update Services (SUS) which is provided free of charge, and Systems Management Server 2003 (SMS) which requires licenses. •
Software Update Services (SUS) SUS automatically provides notification of important updates to Windows computers, and delivers them to all of the Windows desktop computers and servers in your organization. For more information about SUS, see the Microsoft Software Update Services Whitepaper (http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx).
SAP Hardening and Patch Management Guide for Windows Server
62
•
Systems Management Server 2003 (SMS 2003) Systems Management Server 2003 (SMS 2003) provides a comprehensive solution for change and configuration management for the Microsoft platform, enabling you to provide relevant software and updates quickly. For more information about Systems Management Server 2003 (SMS 2003), see the Systems Management Server 2003 Reviewer's Guide (http://www.microsoft.com/smserver/evaluation/revguide).
Note: Points to observe when applying the security update program • Reapply as necessary If a system module was added after application of the security update program or service pack, check the security vulnerability information report to confirm the need for reapplying the program. Be sure to reapply when necessary. • Apply the program that corresponds to your software You should apply the security update program and service pack that precisely corresponds to your software because the programs and packs are designed for specific products, versions and languages. For example, do not apply a service pack for English-version products to Japanese-version products.
3.5 Monitoring the Results Verifying Behavior in the Test Environment After applying the security update program, you will need to verify proper operation of your SAP system. You should check your Windows and SAP system behavior. Verification of the SAP system behavior consists of basic operation verification, as well as operation verification using a checklist and SAP transactions. To verify your SAP system's operation, you should check the following:
Verification of Your Windows System (OS, RDBMS, IIS) You will need to verify proper operation of your SAP system by checking your Windows system behavior.
1. Checking event logs 2. Checking the logs of various products and functions 3. Verifying the operation of the necessary services
Verification of Your SAP System You will need to verify proper operation of your SAP system by checking your SAP system behavior.
1. Verifying operation using the checklist 2. Executing test transactions to verify its operation 3. Verifying the operation of extracted business applications
SAP Hardening and Patch Management Guide for Windows Server
63
Confirming the Steps for Roll-Back in the Test Environment There are steps for confirming a roll-back in the event there are problems caused by the application of the security update program or by faulty implementation.
If problems are caused by faulty implementation o Restore from a backup. If problems are caused by the application of the security update program o Uninstall the security update program. Restore from a backup.
Confirming that the Necessary Programs have been Applied After applying the security update program, you need to verify that it has been applied properly and that possible problems that might have been caused by the vulnerability have been avoided. Microsoft provides a free tool, the Microsoft Baseline Security Analyzer (MBSA), for checking whether any computers have failed to apply the security update program. Microsoft also licenses a tool, the Systems Management Server 2003 (SMS 2003), that comprehensively performs the implementation process including applying of the security update programs, to checking and managing them. •
Microsoft Baseline Security Analyzer (MBSA) For more information, see “Final Security Check”.
•
Systems Management Server 2003 (SMS 2003) For more information, see "Applying the Security Update Program".
Summary This chapter described how to keep your Windows Server 2003-based SAP system secure by implementing patch management.
1. Patch management (specifically, risk assessment) minimizes the cost and risk associated with system changes. 2. It is important to maintain a well-balanced combination of patch management and hardening practices.
SAP Hardening and Patch Management Guide for Windows Server
64
Appendix: Report on Hardening Verification This following explains the actual settings used for and the results of hardening verification of a Windows Server 2003-based SAP system.
1.1 Verification Scenarios Verification environments were constructed for three common SAP configuration patterns: SAP R/3 Enterprise, SAP ITS, and SAP Enterprise Portal.
Verification Scenarios Verification environments were constructed for three common SAP configuration patterns.
1. SAP R/3 Enterprise 2. SAP ITS 3. SAP Enterprise Portal
The versions of software systems used for the verification of these configurations are summarized below.
Table 1 – Software Versions Category
Microsoft Products
SAP Products
Directory
Windows Server 2003 (Active Directory)
-
SAP R/3 Enterprise
Windows Server 2003
R/3 Enterprise 4.70 SR1 Ext.2.00, J2EE
RDBMS (for R/3)
Windows Server 2003, SQL Server 2000
Engine 6.30 SP2 (JDK1.3.1_10) -
(SP3+Hotfix 844 + new collation) SAP ITS – Agate
Windows Server 2003
ITS 6.20 SP8
SAP ITS – Wgate
Windows Server 2003, IIS 6.0
ITS 6.20 SP8
SAP Enterprise Portal
Windows Server 2003
Enterprise Portal 6.0 SP2 Patch3 + hotfix 2,J2EE Engine 6.20 SP20 (JDK1.3.1_10)
RDBMS (for EP)
Windows Server 2003, SQL Server 2000
-
(SP3+Hotfix 844 + new collation) EP IISProxy
Windows Server 2003, IIS 6.0
IIS Proxy 1.5.0.0
Note: The latest security update programs as of March 1, 2004 had been applied to the respective versions of Windows Server 2003 and SQL Server 2000.
Appendix: Report on Hardening Verification
65
1.2 Contents of Verifications Two types of verification were conducted: network hardening (packet filtering using the IPSec script policy)" and "service and other hardening (disabling and reconfiguring services using security templates).
Contents of Verifications Two types of verification were conducted.
1. Network hardening (packet filtering using the IPSec script policy) 2. Service and other hardening (disabling and reconfiguring services using security templates)
Table 2 – Contents of Hardening Verifications Category
Description
Network hardening
Configurations were implemented such that default communications
(packet filtering using the IPSec script policy)
were blocked and communication was granted only for necessary "communication routes" and "(destination) ports."
Service and other hardening (disabling and
Unnecessary services were disabled and proper security configurations
reconfiguring services using security templates)
were implemented for each server role.
1.3 Verification Results For each verification scenario, configurations were set according to the verification contents and confirmation was made that the SAP system ran without problems. Verification notes: • Hardening was carried out after the target system was disconnected from the network and all setup procedures were completed. • Tests were carried out on R/3 Enterprise, ITS, and Enterprise Portal in that order. • For each scenario, single sign-on to an Active Directory was assumed. Reasons - "Single sign-on to an Active Directory" is expected to become a mainstream configuration in the future. - Scenarios without single sign-on can be included. • Network hardening was carried out after configuration/rollback scripts were prepared. • A backup copy of the pre-hardening settings was taken whenever a security template was applied. • For operation verification, hardening checks were made using SAP security checklists, MBSA, and simple ping commands.
Appendix: Report on Hardening Verification
66
1.4 Network Hardening Settings
Network Hardening in SAP R/3 Enterprise Packet filtering was implemented using the IPSec script policy in the environment shown below and as summarized in Table 3 to Table 5.
Figure 1 – SAP R/3 Enterprise Environment
Appendix: Report on Hardening Verification
67
Table 2 – Packet Filtering Settings (1. Domain Controller) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP R/3
Any
Any
Any
Any
Any
Any
R/3) Other Domain
Mirroring
Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
All communications from SAP
computer
Enterprise SQL Server (for
Destination Action
Any
Any
Any
Controller
SAP R/3
This
Enterprise
computer
SQL Server
This
(for R/3)
computer
Other
This
Domain
computer
R/3 Enterprise granted. Grant
Yes
Grant
Yes
All communications from SQL Server (for R/3) granted. All communications from other domain controllers granted.
Controller ICMP ICMP
ICMP ICMP
Any Any
Any Any
This
SAP R/3
computer
Enterprise
This
SQL Server
computer
(for R/3)
Grant
Yes
Grant
Yes
Communication to SAP R/3 Enterprise Communication to SQL Server (for R/3)
Table 3 – Packet Filtering Settings (2. SAP R/3 Enterprise) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP DIALOG
TCP
Any
3200
This
Remarks
Block
Yes
All blocked by default.
Any
This
Grant
Yes
Communication from SAP
computer TCP
Any
1433
R/3) Client Domain Member
Mirroring
Address
computer
Server SQL Server (for
Destination Action
Any
Any
Any
This
SQL Server
computer
(for R/3)
This
Domain
computer
Controller
GUI Grant
Yes
Grant
Yes
Communication to SQL Server (for R/3) Communication to Domain Controller
Table 4 – Packet Filtering Settings (3. SQL Server (for R/3)) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SQL Server (for
Member
Mirroring
Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
Communication from SAP R/3
Grant
Yes
computer TCP
Any
1433
R/3) Domain
Destination Action
Any
Any
Any
SAP R/3
This
Enterprise
computer
This
Domain
computer
Controller
Appendix: Report on Hardening Verification
Enterprise Communication to Domain Controller
68
Network Hardening in SAP ITS Packet filtering was implemented using the IPSec script policy in the environment shown below and as summarized in the Table 6to Table 10.
Figure 2 – SAP ITS Environment
Appendix: Report on Hardening Verification
69
Table 6 – Packet Filtering Settings (1. Domain Controller) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP R/3
Any
Any
Any
Any
Any
Any
R/3) SAP ITS - Agate ICMP ICMP ICMP
Mirroring
Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
All communications from SAP
computer
Enterprise SQL Server (for
Destination Action
Any ICMP ICMP ICMP
Any Any Any Any
Any Any Any Any
SAP R/3
This
Enterprise
computer
SQL Server
This
(for R/3)
computer
SAP ITS -
This
Agate
computer
This
SAP R/3
computer
Enterprise
This
SQL Server
computer
(for R/3)
This
SAP ITS -
computer
Agate
R/3 Enterprise granted. Grant
Yes
Grant
Yes
All communications from SQL Server (for R/3) granted. All communications from SAP ITS - Agate granted
Grant
Yes
Grant
Yes
Communication to SAP R/3 Enterprise Communication to SQL Server (for R/3)
Grant
Yes
Communication to SAP ITS Agate
Table 7 – Packet Filtering Settings (2. SAP R/3 Enterprise) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP DIALOG
TCP
Any
3200
TCP
Any
3300
Server HTTP Server
Mirroring
This
Block
Yes
All blocked by default.
TCP
Any
8000
SAP ITS -
This
Agate
computer
Grant
Yes
Communication from SAP ITS
SAP ITS -
This
Grant
Yes
Agate
computer
Any
This
- Agate
TCP
Any
44300
Any
This
Grant
Yes
Grant
Yes
TCP
Any
1433
R/3) Client Domain
Any
Any
Any
Member
This
SQL Server
computer
(for R/3)
This
Domain
computer
Controller
Communication from Web browser
computer SQL Server (for
Communication from SAP RFC/BAPI program
computer HTTPS Server
Remarks
Address
computer
Server SAP RFC
Destination Action
Communication from Web browser
Grant
Yes
Communication to SQL Server (for R/3)
Grant
Yes
Communication to Domain Controller
Table 8 – Packet Filtering Settings (3. SQL Server) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SQL Server (for
Member
Mirroring
Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
Communication from SAP R/3
computer TCP
Any
1433
R/3) Domain
Destination Action
Any
Any
Any
SAP R/3
This
Enterprise
computer
This
Domain
computer
Controller
Appendix: Report on Hardening Verification
Enterprise Grant
Yes
Communication to Domain Controller
70
Table 9 – Packet Filtering Settings (4. IIS + SAP ITS WGate) Service
Protocol
Source Destination
Source
Destination
Port
Port
Address
Address
Action
Mirroring
All traffic
Any
Any
Any
Any
This computer
Block
Yes
HTTP Server
TCP
Any
80
Any
This computer
Grant
Yes
HTTPS Server
TCP
Any
443
Any
This computer
Grant
Yes
HTTP Server for mgmt
TCP
Any
8080
Any
This computer
Grant
Yes
SAP ITS - Agate Client1
TCP
Any
3900
This
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
Remarks
For administration purposes
computer SAP ITS - Agate Client2
TCP
Any
3910
This computer
SAP ITS - Agate Client1
TCP
Any
3918
(for Mgmt) SAP ITS - Agate Client2
TCP
Any
3928
(for Mgmt) Domain Member
This computer This
purposes
computer Any
Any
Any
For administration For administration purposes
This
Domain
computer
Controller
Grant
Yes
(oa.corp.com)
Table 10 – Packet Filtering Settings (5. SAP ITS Agate) Service
Protocol
Source Destination
Source
Destination
Port
Port
Address
Address
Action
Mirroring Remarks
All traffic
Any
Any
Any
Any
This computer
Block
Yes
SAP ITS - Agate Server1
TCP
Any
3900
SAP ITS -
This computer
Grant
Yes
This computer
Grant
Yes
This computer
Grant
Yes
Wgate SAP ITS - Agate Server2
TCP
Any
3910
SAP ITS Wgate
SAP ITS - Agate Server1
TCP
Any
3918
(for Mgmt) SAP ITS - Agate Server2
Wgate TCP
Any
3928
(for Mgmt) SAP DIALOG Client SAP RFC Client Domain Member
SAP ITS SAP ITS -
purposes This computer
Grant
Yes
This
SAP DIALOG
Grant
Yes
computer
Server
This
SAP RFC
Grant
Yes
computer
Server Grant
Yes
Wgate TCP TCP Any
Any Any Any
3200 3300 Any
For administration For administration purposes
This
Domain
computer
Controller (sap.corp.com)
Appendix: Report on Hardening Verification
71
Network Hardening in SAP Enterprise Portal Packet filtering was conducted using the IPSec script policy in the environment shown below and as summarized in the Table 11 to Table 18.
Figure 3 - SAP Enterprise Portal Environment
Appendix: Report on Hardening Verification
72
Table 11 – Packet Filtering Settings (1. Domain Controller) Service
All
Protocol Source
Any
Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP R/3
Any
Any
Any
Any
Any
Any
Any
Any
Any
SAP R/3
This
Enterprise
computer This
R/3)
computer
SAP ITS - Agate
This
Agate SAP
This
SQL Server (for
(for R/3) SAP ITS -
Address Block
Yes
All blocked by default.
Grant
Yes
All communications from SAP
computer
Enterprise SQL Server
Destination Action Mirroring Remarks
R/3 Enterprise granted. Grant
Yes
Grant
Yes
Server (for R/3) granted.
computer Any
Any
Any
Enterprise
SAP Enterprise
This
Portal
computer
All communications from SQL All communications from SAP ITS - Agate granted.
Grant
Yes
All communications from SAP Enterprise Portal granted.
Portal SQL Server
Any
Any
Any
(for EP) ICMP
ICMP
Any
Any
SQL Server
This
(for EP)
computer
This computer
SAP R/3
Grant
Yes
Server (for EP) granted. Grant
Yes
Enterprise ICMP
ICMP
Any
Any
This computer
SQL Server
ICMP
Any
Any
This computer
SAP ITS -
Grant
Yes
Grant
Yes
ICMP
Any
Any
This computer
SAP
Communication to SQL Server (for R/3)
Agate ICMP
Communication to SAP R/3 Enterprise
(for R/3) ICMP
All communications from SQL
Communication to SAP ITS Agate
Grant
Yes
Enterprise
Communication to SAP Enterprise Portal
Portal ICMP
ICMP
Any
Any
This computer
SQL Server
Grant
Yes
(for EP)
Communication to SQL Server (for EP)
Table 12 – Packet Filtering Settings (2. SAP R/3 Enterprise) Service
All
Protocol
Any
Source
Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP DIALOG
TCP
Any
3200
TCP
Any
3300
Server SAP RFC
TCP
Any
3300
Server HTTP Server
Mirroring Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
Communication from SAP
computer
Server SAP RFC
Destination Action
TCP
Any
8000
SAP ITS -
This
Agate
computer
SAP ITS -
This
Agate
computer
SAP Enterprise
This
Portal
computer
Any
This
ITS - Agate Grant
Yes
Grant
Yes
RFC/BAPI program
TCP
Any
44300
Any
This
Grant
Yes
TCP
Any
1433
This computer
(for R/3) Client Domain
SQL Server
Grant
Yes
Grant
Yes
Any
Any
Any
This computer
Appendix: Report on Hardening Verification
Domain Controller
Communication from Web browser
(for R/3)
Member
Communication from Web browser
computer SQL Server
Communication from SAP Enterprise Portal
computer HTTPS Server
Communication from SAP
Communication to SQL Server (for R/3)
Grant
Yes
Communication to Domain Controller
73
Table 13 – Packet Filtering Settings (3. SQL Server) Service
All
Protocol
Any
Source
Destination
Source
Port
Port
Address
Destination Action
Any
Any
Any
This
traffic SQL Server
Block
Yes
All blocked by default.
Grant
Yes
Communication from
computer TCP
Any
1433
(for R/3) Domain
Mirroring Remarks
Address
Any
Any
Any
SAP R/3
This
Enterprise
computer
This computer
Member
Domain
SAP R/3 Enterprise Grant
Yes
Controller
Communication to Domain Controller
Table 14 – Packet Filtering Settings (4. SAP Enterprise Portal 6.0) Service
All traffic
Protocol
Any
Source
Destination
Source
Port
Port
Address
Any
Any
Any
Destination Action
Mirroring Remarks
Address This
Block
Yes
computer SAP J2EE Dispatcher
TCP
Any
50000
Server (HTTP) SAP J2EE Dispatcher
TCP
Any
50001
Server (HTTPS) HTTP Client
TCP
Any
80
Any (EP
This
IISPROXY)
computer
Any (EP
This
IISPROXY)
computer
This computer
SAP ITS -
All blocked by default.
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
SAP ITS - Wgate
Wgate HTTPS Client
TCP
Any
443
This computer
SAP ITS Wgate
HTTP Client
TCP
Any
8000
This computer
SAP R/3
SAP R/3 Enterprise
Enterprise HTTPS Client
TCP
Any
44300
This computer
SAP R/3 Enterprise
RFC Client
TCP
Any
3300
This computer
SAP R/3 Enterprise
SQL Server (for EP)
TCP
Any
1433
This computer
Client Domain Member
SQL Server (for R/3)
Any
Any
Any
This computer
Domain Controller
Appendix: Report on Hardening Verification
Communication to SQL Server (for R/3)
Grant
Yes
Communication to Domain Controller
74
Table 15 – Packet Filtering Settings (5. SQL Server) Service
Protocol
All
Any
Source
Destination
Source
Port
Port
Address
Any
Any
Any
Destination Action
This
traffic SQL Server
Block
Yes
All blocked by default.
Grant
Yes
Communication from SAP
computer TCP
Any
1433
SAP Enterprise
This
Portal
computer
(for EP) Domain
Mirroring Remarks
Address
Any
Any
Any
This computer
Member
Domain
Enterprise Portal Grant
Yes
Controller
Communication to Domain Controller
Table 16 – Packet Filtering Settings (6. IIS + SAP ITS WGate) Service
Source
Destination
Port
Port
Address
Address
Any
Any
Any
Any
This computer
Block
Yes
HTTP Server
TCP
Any
80
Any
This computer
Grant
Yes
HTTPS Server
TCP
Any
443
Any
This computer
Grant
Yes
HTTP Server for mgmt
TCP
Any
8080
Any
This computer
Grant
Yes
SAP ITS - Agate
TCP
Any
3900
This
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
All
Protocol
Source Destination
Action
Mirroring Remarks
traffic
For administration purposes
Client1 SAP ITS - Agate
computer TCP
Any
3910
Client2 SAP ITS - Agate
TCP
Any
3918
Client1 (for Mgmt) SAP ITS - Agate
This computer
TCP
Any
3928
Client2 (for Mgmt) Domain Member
This computer
This
purposes
computer Any
Any
Any
Appendix: Report on Hardening Verification
For administration For administration purposes
This
Domain Controller
computer
(oa.corp.com)
Grant
Yes
75
Table 17 – Packet Filtering Settings (7. SAP ITS Agate) Service
Protocol
Source Destination
Source
Destination
Port
Port
Address
Address
Action
Mirroring Remarks
All traffic
Any
Any
Any
Any
This computer
Block
Yes
SAP ITS - Agate
TCP
Any
3900
SAP ITS -
This computer
Grant
Yes
This computer
Grant
Yes
This computer
Grant
Yes
Server1 SAP ITS - Agate
Wgate TCP
Any
3910
Server2 SAP ITS - Agate
Wgate TCP
Any
3918
Server1 (for Mgmt) SAP ITS - Agate
SAP RFC Client
SAP ITS Wgate
TCP
Any
3928
Server2 (for Mgmt) SAP DIALOG Client
SAP ITS -
SAP ITS -
purposes This computer
Grant
Yes
This
SAP DIALOG
Grant
Yes
computer
Server
This
SAP RFC Server
Grant
Yes
This
Domain Controller
Grant
Yes
computer
(sap.corp.com)
Wgate TCP TCP
Any Any
3200 3300
For administration For administration purposes
computer Domain Member
Any
Any
Any
Table 18 – Packet Filtering Settings (8. IIS + SAP Enterprise Portal IIS Proxy) Service
Protocol Source Destination
Source
Destination
Port
Port
Address
Address
Action Mirroring Remarks
All traffic
Any
Any
Any
Any
This computer
Block
Yes
All Traffic
HTTP Server
TCP
Any
80
Any
This computer
Grant
Yes
HTTP Server
HTTPS Server
TCP
Any
443
Any
This computer
Grant
Yes
HTTPS Server
SAP Enterprise Portal
TCP
Any
50000
This
SAP Enterprise
Grant
Yes
SAP Enterprise Portal
computer
Portal
Client for HTTP SAP Enterprise Portal
TCP
Any
50001
Client for HTTPS Domain Member
Any
Any
Any
Appendix: Report on Hardening Verification
This
SAP Enterprise
computer
Portal
This
Domain Controller
computer
(oa.corp.com)
Client for HTTP Grant
Yes
SAP Enterprise Portal Client for HTTPS
Grant
Yes
Domain Member
76
1.5 Service and Other Hardening Settings Service Hardening Using Templates Security templates suitable for the respective servers (see below) were applied and services were disabled (see Table 20 to Table 27).
Table 19 – Servers and Applied Security Templates Servers
Role
Applied Security Template*
Domain Controller
Domain controller
High Security - Domain Controller.inf
SAP R/3 Enterprise
Member server
High Security - Member Server Baseline.inf
SQL Server (for R/3)
Member server
High Security - Member Server Baseline.inf
SAP ITS - Agate
Member server
High Security - Member Server Baseline.inf
SAP ITS - Wgate
Web server
High Security - IIS Server.inf
SAP Enterprise Portal
Member server
High Security - Member Server Baseline.inf
SQL Server (for EP)
Member server
High Security - Member Server Baseline.inf
EP IISProxy
Web server
High Security - IIS Server.inf
* The most secure "high security" template was used as the assumed security environment. Download security templates from: http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655521EA6C7B4DB&displaylang=en#filelist
Appendix: Report on Hardening Verification
77
Table 20 – Domain Controller Name Automatic Updates Computer Browser Cryptographic Services Distributed File System DNS Client DNS Server Event Log File Replication Service Intersite Messaging IPSEC Services Kerberos Key Distribution Center Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Procedure Call (RPC) Locator Remote Registry Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client DHCP Server Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local Service Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System
78
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable
Local System
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
79
Table 21 – SAP R/3 Enterprise Name Automatic Updates Computer Browser Cryptographic Services Distributed File System DNS Client Event Log IPSEC Services Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry SAPOSCOL Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage SAPP01_00 SAPP01_05 Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local Service SAPSAPServicePO1 Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System SAPSAPServicePO1 SAPSAPServicePO1 Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System
80
Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
81
Table 22 – SQL Server (for SAP R/3 Enterprise) Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log IPSEC Services MSSQLSERVER Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry Security Accounts Manager Server SQLSERVERAGENT System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System
82
Kerberos Key Distribution Center License Logging Messenger Microsoft Search MSSQLServerADHelper NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
83
Table 23 – SAP ITS Agate Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log IPSEC Services ITS Watchdog Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry SAP IACOR Manager SAP ITS Manager - ADM SAP ITS Manager - P01 Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System
84
Intersite Messaging Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
85
Table 24 – SAP ITS Wgate Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log HTTP SSL IIS Admin Service IPSEC Services Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry SAP IACOR Manager Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation World Wide Web Publishing Service Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System
86
Intersite Messaging Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
87
Table 25 – SAP Enterprise Portal Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log IPSEC Services Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging Kerberos Key Distribution Center License Logging
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System
Disable Disable Disable
Local System Local System Network Service
88
Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
89
Table 26 – SQL Server (for SAP Enterprise Portal) Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log IPSEC Services MSSQLSERVER Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry Security Accounts Manager Server Symentec Ghost Configuration Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage SQLSERVERAGENT Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System SAPAdministrator Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System SAPAdministrator Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System
90
Intersite Messaging Kerberos Key Distribution Center License Logging Messenger Microsoft Search MSSQLServerADHelper NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
91
Table 27 – SAP Enterprise Portal IIS Proxy Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log HTTP SSL IIS Admin Service IPSEC Services Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation World Wide Web Publishing Service Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System
Disable
Local System
92
Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
93
Reconfigurations Made After the Application of Security Templates Impersonate a client after authentication In SAP R/3 Enterprise and SQL Server (for R/3), Administrators, which was deleted for the high security template, was entered again for the reconfiguration to be made after the application of security templates.
Figure 4 – User Rights Assignment Policy
Appendix: Report on Hardening Verification
94
Default Template
Newly Applied Template Settings
After High Security is Applied
After High Security is Applied
RECONFIGURATION
Figure 5 – Settings
Note: An application that is running as if it were a user can be disguised as a client if it is assigned the [Impersonate a client after authentication] privilege. The unauthorized user's attempt to credit a client with an authorized connection with this type of disguise is checked by asking the user for a user authorization. For example, when an unauthorized user is presented as a client after connecting to a service that has been created from a remote procedure call (RPC) or a named pipe, the authority level of unauthorized users is raised to the administrator or system level. The default security group for this user authority is suitable for the legacy client and enterprise client environments. This user authority in a high security environment, however, can only be configured with Local Service and Network Service.
Appendix: Report on Hardening Verification
95
Shutdown: Clear virtual memory page file In SAP R/3 Enterprise, the settings that had been enabled in high security templates were disabled.
Figure 6 – Security Options
Appendix: Report on Hardening Verification
96
Default Template
Newly Applied Template Settings
After High Security is Applied
After High Security is Applied
RECONFIGURATION
Figure 7 – Settings
Note: The [Shutdown: Clear virtual memory page file] security option determines whether the virtual memory page file is to be cleared when the system is shut down. When this option is selected, the system page file is cleared each time the system is shut down. When this security option is activated, the hibernation file (hiberfil.sys) is also zeroed in a portable computer system if the hibernation state is disabled. The sequence of shutting down and restarting the server will then take a long time, which will be noticeable in a server with a large paging file. For this reason, this option is configured as "disabled" in legacy client and enterprise client environments although it is "enabled" in a high security environment. Caution: There is the possibility that an attacker who is physically accessing a server could bypass this setting by disconnecting the server from the power source.
Appendix: Report on Hardening Verification
97
Summary This whitepaper introduces security measures for SAP systems running on Windows Server. Two security measures are described: hardening and patch management. These security measures can help enhance security within your Windows Server-based SAP environment.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This Whitepaper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may own patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not assign any license to these patents, trademarks, copyrights, or other intellectual property. © 2005 Microsoft Corporation. All rights reserved. Microsoft, SQL Server, Windows, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents 1 Introduction........................................................................................................................................... 1 2 Hardening .............................................................................................................................................. 5 2.1 What Is Hardening? ......................................................................................................................... 5 2.2 Multi-layered Hardening................................................................................................................... 6 2.3 Harding Implementation Steps......................................................................................................... 6 2.4 Implementation of Hardening........................................................................................................... 7 Network Hardening............................................................................................................................. 7 Server Hardening ............................................................................................................................. 23 Implement Other Hardening ............................................................................................................. 41 2.5 Other Hardening Information ......................................................................................................... 44 2.6 Operation Checks .......................................................................................................................... 45 2.7 Final Security Check ...................................................................................................................... 47 2.8 Other Methods for Checking Hardening Implementation .............................................................. 47 3 Patch Management............................................................................................................................. 48 3.1 What Is Patch Management?......................................................................................................... 48 3.2 Collecting Information .................................................................................................................... 49 Collecting Information about Security Vulnerability.......................................................................... 49 3.3 Assessing Risks............................................................................................................................. 50 Assessing the Consequences and Urgency of the Vulnerability...................................................... 52 What is a Vulnerability Assessment Matrix? .................................................................................... 52 Organizing the Information about Security Vulnerability .................................................................. 53 Assessing the Pros and Cons of the Risk ........................................................................................ 54 Determining the Degree of Urgency................................................................................................. 54 Devising a Plan for Responding to the Vulnerability ........................................................................ 59 3.4 Applying Security Update Program................................................................................................ 61 Points to Consider When Applying Security Patches ...................................................................... 61 Testing the Security Update Program before Application ................................................................ 62 Testing the Application in a Test Environment................................................................................. 62 Updating via Management Tools ..................................................................................................... 62 3.5 Monitoring the Results ................................................................................................................... 63 Verifying Behavior in the Test Environment ..................................................................................... 63
Confirming the Steps for Roll-Back in the Test Environment........................................................... 64 Confirming that the Necessary Programs have been Applied ......................................................... 64 Appendix: Report on Hardening Verification .................................................................................... 65 1.1 Verification Scenarios .................................................................................................................... 65 1.2 Contents of Verifications ................................................................................................................ 66 1.3 Verification Results ........................................................................................................................ 66 1.4 Network Hardening Settings .......................................................................................................... 67 Network Hardening in SAP R/3 Enterprise ...................................................................................... 67 Network Hardening in SAP ITS ........................................................................................................ 69 Network Hardening in SAP Enterprise Portal................................................................................... 72 1.5 Service and Other Hardening Settings .......................................................................................... 77 Service Hardening Using Templates................................................................................................ 77 Reconfigurations Made After the Application of Security Templates ............................................... 94
SAP Hardening and Patch Management Guide for Windows Server
4
1 Introduction Recently, there has been an increase in reports by newspapers and TV programs about computer virus damage and information leakages. Computer virus damage and information leakages may cause suspension of business and consume large amounts of company resources in taking countermeasures. In serious cases, it may pose a threat to the status and reputation of the company. SAP systems typically handle mission-critical operations, such as finance and sensitive company information. For this reason, if information leakage or virus problems occur in an SAP system, the company may suffer enormous damage. To reduce the risk of unplanned system shutdowns, effective security measures must be taken. This whitepaper presents hardening and patch management as security measures against such risks to Windows Server-based SAP systems. The purpose of hardening is to achieve a system environment that is less vulnerable to unauthorized access and virus attacks. In the Hardening chapter, we describe how to define and implement hardening, as well as verify the implementation. The purpose of patch management is to assess the specific risks to a company and to apply appropriately timed security update programs. With patch management, the minimum required security update programs can be applied to that helps to minimize the risks and costs of system changes. In the Patch Management chapter, defining patch management and operation is explained in five steps: "Collecting Information", "Assessing Risks", "Applying the Security Update Programs", and "Monitoring the Result." Throughout the chapter, risk assessment is emphasized.
Note: Hardening and patch management are complementary procedures and implementation of one without the other will be insufficient. Hardening helps to reduce a system from possible attacks (such as from computer viruses), but may not be able to handle unfamiliar attack methods. To minimize this possibility, risk assessment (as a part of patch management) should be implemented.
Purpose of This Whitepaper Secure system environments can be maintained by applying security update programs as soon as they are released. However, it may be difficult to apply them immediately after release because of issues such as the costs associated with verifying the effect of a security update program, the interruption of services when the programs are applied to the operating environment, and the risk of altering the operating environment. This whitepaper aims at helping to alleviate these problems and attempts to help you build a more secure SAP system. By applying what is described in this whitepaper to a Windows Server-based SAP system, help with securing an SAP system (and thus addressing an aspect of high system availability) is achieved and TCO may be reduced. Note that most of the configuration-specific guidance in this paper is applicable to Windows Server 2003. Similar procedures may be found in Windows Server 2000 documentation dependent on the particular topic covered.
SAP Hardening and Patch Management Guide for Windows Server
1
Scope of Security Measures Covered in This Whitepaper Common security measures are further classified into "technical measures" (such as installation or configuration of hardware and software) and "institutional measures" (such as creation of policies, or determination and analyses of vulnerabilities).
Figure 1 – Security Measures
Among the security measures illustrated in Figure 1, "Building a Secure System (Multi-layer Defense)" and "Patch Management" can be effective technical measures if implemented properly.
SAP Hardening and Patch Management Guide for Windows Server
2
Multi-layer Defense Using a multi-layer approach Increases risk for attackers to be detected Reduces the possibility of successful attacks
Data Application Host Internal Network Boundaries Equipment Security Policies, Regulations and Awareness
The idea is to protect the system from unexpected attacks. It enhances protection by setting multiple defense lines. ACL, Encryption Enhancing Applications, Virus Protection Enhancing operation systems, Security Update Management, Authentication, HIDS Network Segment, IPSec, NIDS Firewall, VPN isolation Security Guard, Lock and Tracking Device User Education
Figure 2 – Multi-layer Defense
SAP Hardening and Patch Management Guide for Windows Server
3
This whitepaper covers the security measures indicated under the Category column of Table 1: Common Security Measures. For security issues not listed here, appropriate measures will need to be implemented as necessary.
Table 1: Common Security Measures Category
Measures
Technical measures
Security breach inspection
Coverage
Building a secure system
Data
(multi-layer defense)
Application Host
Yes
Internal network
Yes
Boundaries Equipment security Policies, regulations, and awareness Patch Management
Yes
Monitoring viruses and unauthorized access Institutional measures
Risk analysis
Yes
Operation guidelines Risk management procedures Policy implementation
It is also important to note that such security measures must be considered on every SAP system in your environment (regardless of the type of operating system or database used) as no platform is completely secure.
SAP Hardening and Patch Management Guide for Windows Server
4
2 Hardening This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP system.
Contents of this Chapter This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP system.
1. 2. 3. 4. 5.
What is Hardening? Multi-layered Hardening Implementation of Hardening Final Security Check Summary
2.1 What Is Hardening? Hardening an SAP system is configuring your SAP system with only the minimum platform functions that are necessary for operating the system. In this way, security, availability and reduction of the operating cost of the system is addressed.
Hardening Defined… Definition: Configuring SAP systems with only the minimum platform functions that are necessary for operating the system.
Effect:
Enhances security Prevent the SAP system from exposure to unnecessary vulnerability risks and block computer virus attacks to a maximum extent.
Effect:
Ensures availability Minimize the frequency of applying security update programs that often require systems to be shutdown.
Effect:
Reduces operational cost Minimize the frequency of applying security update programs that may involve userside testing.
SAP Hardening and Patch Management Guide for Windows Server
5
2.2 Multi-layered Hardening This whitepaper covers three types of hardening which are especially effective on SAP systems.
Effective hardening methods for SAP systems This whitepaper covers three types of hardening can be effective on SAP systems, if implemented properly.
1. Network hardening (internal network layer) 2. Service hardening (host layer) 3. Other hardening (host layer)
2.3 Harding Implementation Steps Hardening should be implemented in stages. For example, take one item (such as network or service) at a time, check the behavior, then move on to the next item.
Assure there is a means for rollback or backup the system configuration (*1)
Implement network hardening
Implement server hardening
Implement other hardening
Step-by-step implementation of hardening Repeat the procedure for each server and hardening (rollback when a problem arises) Operation checks
Final security check (*2)
Figure 3 - Hardening Implementation Steps *1 Use ASR backup of Windows Server 2003 or a third party image backup tool. *2 Use Microsoft Baseline Security Analyzer or other tools.
SAP Hardening and Patch Management Guide for Windows Server
6
2.4 Implementation of Hardening Before implementing high-quality hardening, some preparation is required. Some important preparation tasks are: clarifying the required security level, checking the specifications of your system, determining what might need hardening, estimating the cost and the effect of the hardening, and determining what to harden.
Preparations before implementing hardening Before implementing high-quality hardening, some preparation is required.
1. Clarifying the required security level Determine how far security should be enhanced.
2. Checking the system specifications Check the specifications of not only the SAP system but also systems other than SAP. This includes checking required communication paths, ports, and services.
3. Determining what might need hardening Determine what should be subjected to network, service, and other hardenings.
4. Estimating the cost and the effect of the hardening Estimate the effect and the associated cost beforehand to ensure maximum effect with minimum cost.
5. Determining what to harden Decide which items should be subjected to hardening and how extensively it should be done.
Network Hardening Hardening networks on an SAP system is implementing packet filtering to block unnecessary communications. With this, the goal is to make stacks more difficult by blocking unnecessary communication.
Network Hardening Defined… Definition: Implementing packet filtering on SAP systems to block unnecessary communications.
Effect:
Blocks attacks that use unnecessary communications Making attacks against vulnerability more difficult by closing unnecessary communications to SAP systems.
SAP Hardening and Patch Management Guide for Windows Server
7
Network hardening is important on SAP systems for the following reasons: 1) SAP systems only use specific ports that can be easily identified, 2) the ports used on SAP systems are typically less apt to be attacked by computer viruses, and 3) hardening networks to the maximum extent makes attacks more difficult for hackers.
Importance of Network Hardening Reasons why network hardening is important on all SAP systems in your environment.
Reason: SAP systems only use specific ports that can be easily identified. The ports are further limited when the functions of the SAP J2EE engine are suspended.
Reason: The ports used on SAP systems are that are typically less apt to be attacked by computer viruses. The ports are also customizable.
Reason: Therefore, hardening networks to the maximum extent makes attacks more difficult.
As a first step, determine which servers are critical to deliver SAP services (which servers might be a single point of failure from a network hardening perspective?).
SAP Central Instance
SAP Database Instance
Other non-redundant servers
Such a determination will decrease the time necessary to install the applicable security patches which could lead to downtime for these servers from a standpoint of availability. Therefore, there would be implementation of port and services limits of these specific SAP application and database servers (also effective with SAP Router) while other servers may not have such strict limitations. Overall, separate SAP servers which potentially have a single point of failure (CI, DB, etc.) from others; thus creating a “SAP server segment” via firewall, router, etc. So that security patches can be done one by one, other SAP-related servers that are “redundant” are separate (e.g. SAP dialog instance, ITS AGate/WGate, etc.).
SAP Hardening and Patch Management Guide for Windows Server
8
Figure 4 – An Example of Network Hardening for a Corporate Network
Ports and Packet Filtering Packet filtering should be taken into consideration to block all unnecessary network traffic on ports to SAP systems (as well as any 3rd party tools) and IPSec script policy should be leveraged. Execute IPSec policy scripts on each Windows Server and hardware-based packet filtering to lock down specific ports can be done via a firewall, router, and layer 3 switch among network subnets. (See SAP Note #66687 (“Use of Network Security Products”) concerning SAP certification requirements for some 3rd party network security tools.) Note that Microsoft ISA Server 2004 can provide advanced firewall protection and includes the following:
One machine can act as both Firewall and SAP Router
Application layer filtering
Can decrypt HTTPS, inspect content and redeliver it internally
Pre-authentication, form based
Attachment control
SAP Hardening and Patch Management Guide for Windows Server
9
Interface blocking
Intrusion detection
By applying the IPSec script policy to your server, you can confine the communication pathway and restrict the TCP and UDP ports used for the communication. For how to use IPSec, refer to: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod111.asp
The following is includes an example of the IPSec script policy: :IPSec Policy Definition netsh ipsec static add policy name="Packet Filters - R3" description="Server Hardening Policy" assign=no :IPSec Filter List Definitions netsh ipsec static add filterlist name="ALL" description="Server Hardening" netsh ipsec static add filterlist name="DIALOG" description="Server Hardening" netsh ipsec static add filterlist name="MSSQL" description="Server Hardening" :IPSec Filter Action Definitions netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block :IPSec Filter Definitions netsh ipsec static add filter filterlist="ALL" srcaddr=any dstaddr=me description="ALL" protocol=any srcport=0 dstport=0 netsh ipsec static add filter filterlist="DIALOG" srcaddr=any dstaddr=me description="DIALOG" protocol=TCP srcport=0 dstport=3200 netsh ipsec static add filter filterlist="MSSQL" srcaddr=me dstaddr=192.168.12.3 description="MSSQL" protocol=TCP srcport=0 dstport=1433 :IPSec Rule Definitions netsh ipsec static add rule name="ALL" policy="Packet Filters - R3" filterlist="ALL" kerberos=yes filteraction=Block netsh ipsec static add rule name="DIALOG" policy="Packet Filters - R3" filterlist="DIALOG" kerberos=yes filteraction=SecPermit netsh ipsec static add rule name="MSSQL" policy="Packet Filters - R3" filterlist="MSSQL" kerberos=yes filteraction=SecPermit
netsh ipsec static set policy name="Packet Filters - R3" assign=y
Example: Create the sample code as a batch file and execute it on SAP R/3 Enterprise server. 1 Default communication blocked. 2 Permit dialog process access from clients (between clients and SAP R/3 Enterprise via destination port TCP 3200). 3 Permit access from SAP R/3 Enterprise to DB instances (between SAP R/3 Enterprise and SQL server via destination port TCP 1433).
SAP Hardening and Patch Management Guide for Windows Server
10
Necessary Ports for Operating SAP Systems A list of ports used by:
SAP systems (along with other security-related documentation): http://service.sap.com/security Æ Security Detail Æ Infrastructure Security.
Windows Server System: “Service Overview and Network Port Requirements for the Windows Server System” http://support.microsoft.com/default.aspx?scid=kb;en-us;832017.
SQL Server: over TCP: 1433, UDP: 1434
IIS (World Wide Web Publishing Service): 80, 443
Terminal Services and Remote Desktop: 3389 (default; can be configured): “How to Change the Listening Port in the Windows Terminal Server Web Client” http://support.microsoft.com/default.aspx?scid=kb;en-us;326945)
Active Directory (dependent on design): “How to Configure a Firewall for Domains and Trusts” http://support.microsoft.com/kb/179442/EN-US/ “Restricting Active Directory Replication Traffic to a Specific Port” http://support.microsoft.com/default.aspx?scid=kb;en-us;224196
SAP Hardening and Patch Management Guide for Windows Server
11
Table 2 – Necessary (Destination) Ports for Operating SAP Systems Application SAP R/3 Enterprise
SAP ITS Wgate
SAP ITS Agate
SAP Enterprise Portal 6.0
SAP Enterprise Portal IIS Proxy
Service Name sapdpNN sapgwNN SAPlpd HTTP/HTTPS sapmsSID HTTP/HTTPS SMTP HTTP/HTTPS IIOP Initial context /IIOP over SSL P4/P4 over HTTP tunneling /P4 over SSL IIOP JMS Telnet Multiplexer Portwatcher HTTP MessageServer HTTP/HTTPS Engue Server Eng. Replication sapvw00_<SID> sapvwmm_<SID> sapvw00_ADM sapvwmm_ADM HTTP/HTTPS sapdpNN sapgwNN sapmsSID HTTP/HTTPS IIOP Initial context /IIOP over SSL P4/P4 over HTTP tunneling /P4 over SSL IIOP JMS Telnet HTTP/HTTPS HTTP/HTTPS
Protocol TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP
Destination Port 32NN 33NN 515 81NN/444NN 36NN 80NN/443NN 25 5NN00/5NN01 5NN02/5NN03 5NN04/5NN05/5NN06 5NN07 5NN10 5NN08 4NN00 4NN01-79 4NN80-99 5NN17/5NN18/5NN19 36NN 81NN/444NN 32NN 33NN 39NM 39N9 39NM 39N9 80/443 32NN 33NN 36NN 5NN00/5NN01 5NN02/5NN03 5NN04/5NN05/5NN06 5NN07 5NN10 5NN08 5NN17/5NN18/5NN19 80/443 5NN00/5NN01
Note: • The port numbers are customizable. • <SID> represents an SAP system ID (such as P01) and
SAP Hardening and Patch Management Guide for Windows Server
12
Table 3 – Necessary (Destination) Ports for Operating SAP Systems (cont’d) Application SAP Router
SAP Web Dispatcher Active Directory SQL Server Oracle DB2/UDB SAPDB Informix IIS Terminal Services Windows Server
Service Name Protocol Destination Port SAProuter TCP 3299 sapdpNN TCP 32NN sapgwNN TCP 33NN sapmsSID TCP 36NN HTTP/HTTPS TCP 80/443 HTTP/HTTPS TCP 80NN/443NN See Microsoft Knowledge Base Article #179442 – “How to Configure a Firewall for Domains and Trusts" and #224196 – “256986) at support.microsoft.com SQL over TCP TCP 1433 TCP 1527 TCP Customize TCP 7200/7210 TCP 3800 HTTP TCP 80 HTTPS TCP 443 TCP 3389 NetMeeting Remote Desktop Sharing (Used TCP 3389 by SAP Support) File Sharing (Used in the sharing of SAP TCP 445 migration files and in the shipping of UDP 445 SQL server logs) TCP 137 UDP 137 UDP 138 TCP 139 Clustering (Central instance and DB TCP 135 instance multiplexing) UDP 3343 For details, see Microsoft Knowledge Base Article #832017 – “Port Requirements for the Microsoft Windows Server System".
Note: • The port numbers are customizable. • <SID> represents an SAP system ID (such as P01) and
SAP Hardening and Patch Management Guide for Windows Server
13
Figure 5 – Ports Used by SAP R/3 Enterprise
Figure 6 – Ports Used by SAP ITS (Wgate and Agate)
SAP Hardening and Patch Management Guide for Windows Server
14
Figure 7 – Ports Used by SAP Enterprise Portal 6.0
Figure 8 – Ports Used by SAP Enterprise IIS Portal Proxy
SAP Hardening and Patch Management Guide for Windows Server
15
Figure 9 – Ports Used by SAP Router
Figure 10 – Ports Used by SAP Web Dispatcher
SAP Hardening and Patch Management Guide for Windows Server
16
Configuration of Ports For configuration of ports and other steps for network hardening, use the "Microsoft Management Console (MMC)": Click Start, and then click Run. 1.
Type "mmc" in the Name field of the Select File To Run dialog box, and then click OK.
2.
The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.
3.
From the pull-down menu, select Add/Remove Snap-in.
4.
The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.
5.
In the Standalone tab, click Add.
6.
The Add Standalone Snap-in dialog box is displayed. Select IP Security Policy Management in the Available Standalone Snap-ins dialog box, and then click Add.
7.
The Select Computer or Domain dialog box is displayed. Select Local Computer. Click Finish.
8.
Click Close on the Add Standalone Snap-in dialog box.
9.
Click OK on the Add/Remove Snap-in dialog box.
10.
IP Security Policies on Local Machine is added under the Console Root on the Microsoft Management Console.
11.
Click the added IP Security Policies on Local Machine to display the registered IP security policy in the right pane.
Figure 11 – IP Security Policy
SAP Hardening and Patch Management Guide for Windows Server
17
12.
Double-click the registered Packet Filters - R3.
Figure 12 – Packet Filter IP Security Policy 13.
The Packet Filters - R3 Properties dialog box is displayed (see Figure 10). Click the Rules tab.
14.
Select an IP filter that you want to verify from the IP Security Rules section on the Rules tab, and then click Edit.
Figure 13 – Edit Rule
SAP Hardening and Patch Management Guide for Windows Server
18
15.
Select the IP Filter List tab on the dialog box that is displayed.
16.
Select an IP filter that you want to verify from the IP Filter List section in the IP Filter List tab, and then click Edit.
17.
The IP Filter List dialog box is displayed and you can verify the configuration of the IP filter.
Figure 14 – IP Filter List 18.
When you finish verifying the IP filter, click Cancel to close the dialog box.
19.
To verify the configuration of the filter action, select the Filter Action tab in the Edit Rule Properties dialog box.
Figure 15 – Filter Actions
SAP Hardening and Patch Management Guide for Windows Server
19
To un-assign network hardening, select then right-click on Packet Filters - R3 in the Microsoft Management Console. Then select Un-assign from the pop-up menu. To remove the network hardening, select Delete from the same pop-up menu.
Figure 16 – Un-assign IP Security Policy
SAP Hardening and Patch Management Guide for Windows Server
20
Network Communication Paths
Figure 17 – Communication Paths for an SAP R/3 Enterprise Environment
Figure 18 – Communication Paths for an SAP ITS Environment
SAP Hardening and Patch Management Guide for Windows Server
21
Figure 19 – Communication Paths for an SAP Enterprise Portal Environment
Figure 20 - Communication Paths for an SAP Enterprise Portal + Active Directory Environment
SAP Hardening and Patch Management Guide for Windows Server
22
Active Directory Considerations As per SAP’s Web AS installation guide, SAP application and database servers should be implemented in either of the following ways:
Extra domain: SAP systems are embedded in their own “SAP”-specific domain and a separate domain is used for user accounts. Both domains must be incorporated in a domain tree with the user account domain as the root domain and the SAP domain as the child.
Single domain: SAP servers and user accounts are in the same domain.
Reference SAP Note #711319 (“Domain Installation using Delegation of Administration in AD”) for information regarding the situation when installation of SAP cannot be performed by a domain administrator as specified in SAP’s installation guides. Also, for SAP Enterprise Portal, situations may arise where it may be desired to prevent local users from another domain from logging into SAP EP. See SAP Note #710032 (“Restrict Windows Authentication to Domains”) for specific configuration information to meet this need.
Server Hardening An SAP system is under unnecessary security risks when there are services not applicable to SAP or have ineffective settings. Therefore, administrators should disable unnecessary services and strengthen security settings for others to the extent that SAP services can run without any issues. Such actions can be efficiently performed to some extent by utilizing security templates provided by Microsoft.
Hardening Using Templates You can use the Windows Server 2003 Security Guide and the associated templates as a step towards implementation of hardening. There are three types of security templates that are differentiated according to the security environment and nine types of templates that are differentiated according to the server role. You will need to implement a hardening for each server role. For more information on the Windows Server 2003 Security Guide, visit the Microsoft Download Center. http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655521EA6C7B4DB&displaylang=en#filelist
Three types of templates differentiated according to security environment •
Legacy client (security level: low)
•
Enterprise client (security level: medium)
•
High security (security level: high)
SAP Hardening and Patch Management Guide for Windows Server
23
Nine types of templates differentiated according to server role •
Domain controller
•
Member server
•
Web server
•
Infrastructure server (DHCP, WINS)
•
File server
•
Print server
•
IAS server
•
Certificate service server
•
Bastion host
Additional Information: After applying Windows Server 2003 templates, you can make your SAP system more secure by checking and changing the following configurations in accordance with the documents in Table 3. - Confirm that every partition of the disk is formatted in NTFS. - Confirm that an invulnerable password is set for the Administrator account. - Disable or delete unnecessary accounts. - Make sure that the old security configurations are not changed when you upgrade your system from previous versions. - Configure the Administrator account. - Delete all unnecessary file sharing. - Specify an appropriate ACL for every necessary file sharing. - Protect your Telnet server. - Enable IIS logging. - Unbind NetBIOS from TCP/IP. - Remove OS/2 and POSIX subsystems. - Disable the automatic generation of short file names (8.3 format). - Disable the creation of LM hashes. - Configure NTLMSSP security. - Disable automatic execution.
Use Microsoft Management Console to apply security templates. Before you apply a security template, you need to backup the role security policies using an administrative tool called "Local Security Policy."
SAP Hardening and Patch Management Guide for Windows Server
24
Backup Local Security Policy 1.
Click Start, and then select All Programs.
2.
Select Administrative Tools in the All Programs menu, and then click Local Security Policy.
3.
The Local Security Policy dialog box is displayed. Select then right-click Security Settings in the dialog box.
4.
Select Export Policy from the pop-up menu.
Figure 21 – Backup Local Security Policy
5.
The Export Policy To dialog box is displayed. In the File Name field, type the name of the file that you want to export the policy to.
6.
Click Save to export the local security policy to the file.
SAP Hardening and Patch Management Guide for Windows Server
25
Applying the Security Template 1.
Click Start, and then click Run.
2.
Type "mmc" in the Name field of the Select File To Run dialog box and click OK.
3.
The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.
4.
From the pull-down menu, select Add/Remove Snap-in.
5.
The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.
6.
In the Standalone tab, click Add.
7.
The Add Standalone Snap-in dialog box is displayed. Select Security Configuration and Analysis in the Available Standalone Snap-ins dialog box, and then click Add.
8.
Click Close on the Add Standalone Snap-in dialog box.
9.
Click OK on the Add/Remove Snap-in dialog box.
10.
Security Configuration and Analysis is added under the Console Root on the Microsoft Management Console.
11.
Select then right-click the added Security Configuration and Analysis.
12.
Select Open Database from the pop-up menu.
Figure 22 – Security Configuration and Analysis
SAP Hardening and Patch Management Guide for Windows Server
26
13.
The Open Database dialog box is displayed. In the File Name field, type the name of the database that you want to open, and then click Open.
14.
The Import Template dialog box is displayed. In the File Name field, select the security template file (INF file) downloaded from Internet, and then click Open. You should select a security template file appropriate for your server configuration.
Figure 23 – Importing Templates 15.
On the Microsoft Management Console, select then right-click Security Configuration and Analysis.
16.
Select Analyze Computer Now from the pop-up menu.
Figure 24 – Security Configuration and Analysis SAP Hardening and Patch Management Guide for Windows Server
27
17.
When you execute analysis of the computer, red X marks appear to indicate the parts where the current settings should be changed.
18.
If you want to change the template, double-click the entry.
Figure 25 – Analysis of Computer 19.
If you want to change the template, change the entry.
Figure 26 – Property for Password Length
SAP Hardening and Patch Management Guide for Windows Server
28
20.
On the Microsoft Management Console, select then right-click Security Configuration and Analysis.
21.
Select Configure Computer Now from the pop-up menu.
Figure 27 – Configuration of Computer Note: • We recommend that the procedure be carried out step by step. • If you want to provide against the worst case, it is recommended that you perform a system backup using Automatic System Recovery (ASR) or an image backup tool before applying a template.
SAP Hardening and Patch Management Guide for Windows Server
29
Service Hardening Service hardening is the process of disabling the services that are unnecessary for operating your SAP system. In this way you can block attacks that use unnecessary services and improve the performance of the system.
Service Hardening Defined… Definition: Disabling services that are unnecessary for operating SAP systems.
Effect:
Blocking attacks that use unnecessary services Makes attacks against vulnerability more difficult by disabling services unnecessary for SAP systems.
Effect:
Improving performance Reduces the load on the server and improves performance by disabling services unnecessary for SAP systems.
Service hardening investigates Windows services that are unnecessary for the operation of the SAP system and disables their Startup options in order to prevent any attacks through usage of these unnecessary services. There are three settings for Startup options: "Auto", "Manual", and "Disable." Set the option in accordance with the criteria described in the table below.
Table 3: Setting the Startup Option Type of Service Services that are obviously unnecessary for operating the system Services that are obviously necessary for operating the system Other services
Startup Option Disable Auto Manual
Importance of Service Hardening Reasons why service hardening is important on all SAP systems in your environment.
Reason: SAP systems only use specific Windows services that can be easily identified. Reason: As long as you are willing to give up some functionality, many of the services can be disabled and the SAP system will still function adequately.
SAP Hardening and Patch Management Guide for Windows Server
30
Table 4: Services Necessary for SAP Systems Minimum required services for Windows Server
Additionally required services for SAP R/3 Enterprise
Additionally required services for SAP ITS Agate
Additionally required services for SAP Enterprise Portal Additionally required services for SQL Server
Additionally required services for clusters
Additionally required services for IIS Additionally required services for SAP ITS Wgate Additionally required services for SAP Enterprise Portal IIS Proxy
Event Log Logical Disk Manager Network Connections Plug and Play Protected Storage Remote Procedure Call Security Account Manager Windows Management Instrumentation Windows Management Instrumentation Extensions SAPOSCOL SAP<SID>_
Note: • This table shows Windows services installed during a standard installation. Clustering environments may have different services. • <SID> represents an SAP system ID (such as P01) and
SAP Hardening and Patch Management Guide for Windows Server
31
The tables below show the services that are not required for operating SAP various systems.
Table 5: Unnecessary Services for SAP Systems
Services not required by Domain Controller Alerter
Print Spooler
Application Layer Gateway Service
Remote Access Auto Connection Manager
Application Management
Remote Access Connection Manager
ClipBook
Remote Desktop Help Session Manager
COM+ System Application
Resultant Set of Policy Provider
DHCP Client
Routing and Remote Access
DHCP Server
Secondary Logon
Distributed Link Tracking Client
Shell Hardware Detection
Distributed Link Tracking Server
Smart Card
Distributed Transaction Coordinator
Special Administration Console Helper
Error Reporting Service
Task Scheduler
Help and Support
Telephony
HTTP SSL
Telnet
Human Interface Device Access
Terminal Services Session Directory
IMAPI CD-Burning COM Service
Themes
Indexing Service
Uninterruptible Power Supply
Internet Connection Firewall (ICF) / Internet Connection
Upload Manager
Sharing (ICS)
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
NetMeeting Remote Desktop Sharing
Windows Image Acquisition (WIA)
Network DDE
WinHTTP Web Proxy Auto-Discovery Service
Network DDE DSDM
Wireless Configuration
Portable Media Serial Number Service
SAP Hardening and Patch Management Guide for Windows Server
32
Table 6: Unnecessary Services for SAP Systems
Services not required for SAP R/3 Enterprise Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed Link Tracking Client
Resultant Set of Policy Provider
Distributed Link Tracking Server
Routing and Remote Access
Distributed Transaction Coordinator
Secondary Logon
Error Reporting Service
Shell Hardware Detection
File Replication
Smart Card
Help and Support
Special Administration Console Helper
HTTP SSL
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
NetMeeting Remote Desktop Sharing
Windows Image Acquisition (WIA)
Network DDE
WinHTTP Web Proxy Auto-Discovery Service
Network DDE DSDM
Wireless Configuration
SAP Hardening and Patch Management Guide for Windows Server
33
Table 7: Unnecessary Services for SAP Systems
Services not required for SQL Server (for SAP R/3 Enterprise) Alerter
Network DDE DSDM
Application Layer Gateway Service
Portable Media Serial Number Service
Application Management
Print Spooler
ClipBook
Remote Access Auto Connection Manager
COM+ System Application
Remote Access Connection Manager
DHCP Client
Remote Desktop Help Session Manager
Distributed File System
Remote Procedure Call (RPC) Locator
Distributed Link Tracking Client
Resultant Set of Policy Provider
Distributed Link Tracking Server
Routing and Remote Access
Distributed Transaction Coordinator
Secondary Logon
Error Reporting Service
Shell Hardware Detection
File Replication
Smart Card
Help and Support
Special Administration Console Helper
HTTP SSL
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
Microsoft Search
Windows Image Acquisition (WIA)
MSSQLServerADHelper
WinHTTP Web Proxy Auto-Discovery Service
NetMeeting Remote Desktop Sharing
Wireless Configuration
Network DDE
SAP Hardening and Patch Management Guide for Windows Server
34
Table 8: Unnecessary Services for SAP Systems
Services not required for SAP ITS Agate Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed File System
Resultant Set of Policy Provider
Distributed Link Tracking Client
Routing and Remote Access
Distributed Link Tracking Server
Secondary Logon
Distributed Transaction Coordinator
Shell Hardware Detection
Error Reporting Service
Smart Card
File Replication
Special Administration Console Helper
Help and Support
Task Scheduler
HTTP SSL
Telephony
Human Interface Device Access
Telnet
IMAPI CD-Burning COM Service
Terminal Services Session Directory
Indexing Service
Themes
Internet Connection Firewall (ICF) / Internet Connection
Uninterruptible Power Supply
Sharing (ICS)
Upload Manager
Intersite Messaging
Virtual Disk Service
Kerberos Key Distribution Center
WebClient
License Logging
Windows Audio
Messenger
Windows Image Acquisition (WIA)
NetMeeting Remote Desktop Sharing
WinHTTP Web Proxy Auto-Discovery Service
Network DDE
Wireless Configuration
Network DDE DSDM
SAP Hardening and Patch Management Guide for Windows Server
35
Table 9: Unnecessary Services for SAP Systems
Services not required for SAP ITS Wgate Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed File System
Resultant Set of Policy Provider
Distributed Link Tracking Client
Routing and Remote Access
Distributed Link Tracking Server
Secondary Logon
Distributed Transaction Coordinator
Shell Hardware Detection
Error Reporting Service
Smart Card
File Replication
Special Administration Console Helper
Help and Support
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
NetMeeting Remote Desktop Sharing
Windows Image Acquisition (WIA)
Network DDE
WinHTTP Web Proxy Auto-Discovery Service
Network DDE DSDM
Wireless Configuration
SAP Hardening and Patch Management Guide for Windows Server
36
Table 10: Unnecessary Services for SAP Systems
Services not required for SAP Enterprise Portal Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed File System
Resultant Set of Policy Provider
Distributed Link Tracking Client
Routing and Remote Access
Distributed Link Tracking Server
Secondary Logon
Distributed Transaction Coordinator
Shell Hardware Detection
Error Reporting Service
Smart Card
File Replication
Special Administration Console Helper
Help and Support
Task Scheduler
HTTP SSL
Telephony
Human Interface Device Access
Telnet
IMAPI CD-Burning COM Service
Terminal Services Session Directory
Indexing Service
Themes
Internet Connection Firewall (ICF) / Internet Connection
Uninterruptible Power Supply
Sharing (ICS)
Upload Manager
Intersite Messaging
Virtual Disk Service
Kerberos Key Distribution Center
WebClient
License Logging
Windows Audio
Messenger
Windows Image Acquisition (WIA)
NetMeeting Remote Desktop Sharing
WinHTTP Web Proxy Auto-Discovery Service
Network DDE
Wireless Configuration
Network DDE DSDM
SAP Hardening and Patch Management Guide for Windows Server
37
Table 11: Unnecessary Services for SAP Systems
Services not required for SQL Server (SAP Enterprise Portal) Alerter
Network DDE DSDM
Application Layer Gateway Service
Portable Media Serial Number Service
Application Management
Print Spooler
ClipBook
Remote Access Auto Connection Manager
COM+ System Application
Remote Access Connection Manager
DHCP Client
Remote Desktop Help Session Manager
Distributed File System
Remote Procedure Call (RPC) Locator
Distributed Link Tracking Client
Resultant Set of Policy Provider
Distributed Link Tracking Server
Routing and Remote Access
Distributed Transaction Coordinator
Secondary Logon
Error Reporting Service
Shell Hardware Detection
File Replication
Smart Card
Help and Support
Special Administration Console Helper
HTTP SSL
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
Microsoft Search
Windows Image Acquisition (WIA)
MSSQLServerADHelper
WinHTTP Web Proxy Auto-Discovery Service
NetMeeting Remote Desktop Sharing
Wireless Configuration
Network DDE
SAP Hardening and Patch Management Guide for Windows Server
38
Table 12: Unnecessary Services for SAP Systems
Services not required for SAP Enterprise Portal IIS Proxy Alerter
Portable Media Serial Number Service
Application Layer Gateway Service
Print Spooler
Application Management
Remote Access Auto Connection Manager
ClipBook
Remote Access Connection Manager
COM+ System Application
Remote Desktop Help Session Manager
DHCP Client
Remote Procedure Call (RPC) Locator
Distributed File System
Resultant Set of Policy Provider
Distributed Link Tracking Client
Routing and Remote Access
Distributed Link Tracking Server
Secondary Logon
Distributed Transaction Coordinator
Shell Hardware Detection
Error Reporting Service
Smart Card
File Replication
Special Administration Console Helper
Help and Support
Task Scheduler
Human Interface Device Access
Telephony
IMAPI CD-Burning COM Service
Telnet
Indexing Service
Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection
Themes
Sharing (ICS)
Uninterruptible Power Supply
Intersite Messaging
Upload Manager
Kerberos Key Distribution Center
Virtual Disk Service
License Logging
WebClient
Messenger
Windows Audio
NetMeeting Remote Desktop Sharing
Windows Image Acquisition (WIA)
Network DDE
WinHTTP Web Proxy Auto-Discovery Service
Network DDE DSDM
Wireless Configuration
SAP Hardening and Patch Management Guide for Windows Server
39
Implementing Service Hardening Use the administrative tool called "Services" to implement service hardening. 1.
Click Start, and then select All Programs.
2.
Select Administrative Tools in the All Programs menu, and then click Services.
3.
The Services dialog box is displayed. Select then right-click on the service that you want to harden.
4.
Select Properties from the pop-up menu.
Figure 28 – Service Hardening
SAP Hardening and Patch Management Guide for Windows Server
40
5.
The Properties dialog box is displayed. Set the Startup Type to Disable, and then click OK.
6.
Repeat the above procedure for all services that you want to harden.
Figure 29 – Disabling Services
Implement Other Hardening Internet Information Server (IIS) Hardening If using IIS 4.0 (NT 4.0) or 5.0 (Windows 2000) for SAP ITS or SAP Enterprise Portal, use the IIS Lockdown Tool to lock down services. The tool is available for download at http://www.microsoft.com/technet/security/tools/locktool.mspx. The lockdown tool provides an wizard to change security settings and various templates for various scenarios are available. URLscan integration is also provided which decreases the possibility of attack by computer viruses as it analyzes HTTP requests and keeps IIS from accepting unordinary requests. When using IIS 6.0 however, such toolkit functionality is included with Windows Server 2003. Note that usage of IIS 6.0 is only available for ITS starting with SAP ITS version 6.20 patch level 3 and IIS 6.0 on Windows Server 2003 is not installed or setup by default. See SAP Note #585545 for information on running SAP ITS on IIS 6.0. For reference, other security-related tools are available at http://www.microsoft.com/technet/security/tools/default.mspx.
SAP Hardening and Patch Management Guide for Windows Server
41
SQL Server Hardening If SQL Server 2000 is used as the database for SAP on Windows Server, refer to http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp for information on steps to secure SQL Server 2000. Information for SAP running on Windows Server 2003 will be added to this whitepaper when available.
Install most recent SQL Server Service Pack
Assess your server security with MBSA
Use Windows Authentication Mode
Isolate your server and backup it up regularly
Assign a strong SA password
Limit privilege of SQL Server Service o
One account per service
o
Simple Domain User right
Disable SQL Server port on Firewall
Use the most secure file system – NTFS
Delete or secure old setup files
Audit connection to SQL Server
Specific SAP Hardening For specific considerations for SAP applications (Basis level 4.6B and higher), refer to SAP Note #165485 (“R/3 Security under Windows NT”). In addition:
On servers without transport directory, you can restrict the directories \usr and \usr\sap to the local administrators: Administrators(Full Control).
On the transport server, generate a further local group "SAP_LocalAdmin". Insert the SAP_<SID>_GlobalAdmin groups of all SIDs involved in the transport into this group.
Assign the following authorizations to the directories \usr, \usr\sap and \usr\sap\trans: Administrators(Full Control) SAP_LocalAdmin(Full Control).
The shares "SAPLOC" and "SAPMNT" can also be provided with this authorization list.
Change password on default Users SAP*, DDIC… Client 000 and 066
SAP Hardening and Patch Management Guide for Windows Server
42
Anti-Virus Considerations Even further protection beyond locking down ports and services, segmenting the SAP servers onto a separate network, etc. is the protection via anti-virus software. Most Microsoft customers running SAP on Windows Server have used anti-virus software with shield activated without experiencing performance issues or problems and the following several best practices can be considered:
Exclude the database file(s)
Exclude SAP temporary files
Scan only incoming traffic or file on write operations
Do not activate self decontamination but warn SAP administrators immediately
Well known viruses can many times be detected and immediately removed without infection as antivirus vendors typically have provided the capability to quickly scan a system and update all definition files immediately in case of critical news of widespread attack. Critical viruses are, on average, typically only “unknown” for 24 hours. Another option can also include implementation of an anti-virus gateway.
SAP Workstation Hardening Even if an SAP client is secured through SAP security administration, a workstation (host) could be compromised through operating system, network, and other application vulnerabilities. As a result, it may not be able to run applications, it could be used as a “zombie” to run attacks and it could be used by an attacker to steal data, including usernames and passwords. Protection of workstations includes the following considerations:
Security Configuration OS, Application, Browser, E-mail, etc. Security Patches Service Packs Host firewall Scanning, Analyzing, Remediation Deployment strategy Antivirus Software
In addition, evaluate the latest security enhancements in relation to Windows XP SP2:
Windows Firewall Internet Explorer Security Enhancements Outlook Express Security Enhancements OS Security Enhancements o Core services reviewed and rewritten o Memory protection Review SAP Notes #66971 and 738927 about Windows XP SP2 Identify, Assess, Test and Deploy latest security patches Deploy baseline security on new machines
Specifically, the firewall provided with Windows XP SP2 is on by default for all network interfaces, provides boot-time security and global and per-interface configurations, has an exceptions list (that can be disallowed), accounts for local subnet restrictions, supports multiple profiles and RPC, can be configured via command-line and has better group policy management.
SAP Hardening and Patch Management Guide for Windows Server
43
The firewall’s feature of “on by default” is:
Installed with new installations and upgrades Enabled when new interfaces are added Has default configuration that provides good protection against worms (e.g., Blaster) Can account for certain applications that might require special settings Manageable through Group Policy Administrative Templates, Network, Network Connections, Windows Firewall, profile, "Windows Firewall: protect all network connections“
The firewall’s “boot time security” features:
Provides a new, static filtering policy at boot time Permits DNS, DHCP, Netlogon WF policy that is applied after logon (policy then stays in effect until after IP stack is shut down) Closes hole that existed after boot, but before policy application
The firewall’s “perimeter protection”:
Could be a distributed environment Application layer inspection Pre-authentication Protocol filtering o HTTP content, URL, and other filtering Port blocking Intrusion detection Logging
2.5 Other Hardening Information Other considerations that impact overall total cost of ownership (TCO) for hardening that need to be considered are aspects such as the use of Active Directory with proper Organizational Unit (OU) architecture and Group Policy Objects that can help with securing the overall computing environment. As well, management tools such as Microsoft Operations Manager (MOM), Terminal Services, HP OpenView, etc. can be used for centralized, proactive security monitoring and administration.
SAP Hardening and Patch Management Guide for Windows Server
44
Other Reference Information Microsoft TechNet Security Center http://www.microsoft.com/technet/security/default.mspx Windows Server 2003 Security Guide http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.mspx Windows Server 2000 Security Hardening Guide http://www.microsoft.com/technet/security/prodtech/Windows2000/win2khg/default.mspx Windows XP Security Guide http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx From Blueprint to Fortress: A Guide to Securing IIS 5.0 http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/dep ovg/securiis.mspx SAP Network and Layer Transport Security http://service.sap.com/security Æ Security in Detail Æ Infrastructure Security Æ Network and Layer Transport Security (SAP NW ’04) SAP Security Guides http://service.sap.com/security Æ Security in Detail Æ SAP Security Guides Æ SAP Basis / Web AS Security Guides or SAP NetWeaver ’04 Security Guide (Complete)
2.6 Operation Checks You can perform an operation check of your SAP system by performing a basic operation check in accordance with the table below.
Table 13: Basic Operation Check Environment
Operations to be checked
SAP R/3 Enterprise environment
Are the services of SAP R/3 Enterprise started? Any errors in the log? Are the services of RDBMS started? Any errors in the log? Can you log on to SAP R/3 Enterprise?
SAP ITS environment
Are the services of ITS Wgate started? Any errors in the log? Are the services of ITS Agate started? Any errors in the log? Can you log on using a Web browser?
SAP Enterprise Portal environment
Are the services of SAP Enterprise Portal started? Any errors in the log? Are the services of RDBMS started? Any errors in the log? Can you log on using a Web browser?
SAP Hardening and Patch Management Guide for Windows Server
45
You can also check your system using the checklist and the transactions described in the table below. Checking these items verifies that there are no problems at the SAP basis level (note that problems in the application level are not checked).
Table 14: Operation Checklist Task
Transaction
Method
Check that every AP server is started.
SM51-SAP Servers
Verify the work processes.
SM50-Process Overview
Check that every work process is in either "running" or "waiting" status.
Check if any updates have failed.
SM13-Update Records
Use "*" as the user ID and check if any "Err." have occurred for all updates in the past year.
Verify the system log.
SM21-System Log
Investigate peculiar events such as "Errors", "Warnings", "Security", "messages", "Abends Database" and "problems".
Check for cancelled jobs.
SM37-Select Background jobs
Use "*" as user ID and check that every critical job has been successful.
Check that no locks have continued for long periods of time.
SM12-Lock entry list.
Use "*" as user ID.
Verify the user sessions.
SM04-Users AL08 - Users
Check for unknown or suspicious user IDs.
Verify that there are no problems with spooling.
SP01-Spool: Request Screen
Investigate any processes with "in process" status lasting more than an hour.
Verify the job logs.
SM35-Batch input: Initial Screen
Investigate "New jobs" and "Incorrect jobs."
Analyze the dump.
ST22-ABAP Dump Analysis
Analyze the workload statistics.
ST03N-Workload:Analysis of <SID>
Analyze the buffer statistics.
ST02-Tune Summary
Investigate the error log.
ST04-DB Performance Analysis
Check usage of the table area.
DB12
Verify the system log.
OS06-OS Monitor
Investigate the swaps.
Investigate the OS log.
SAP Hardening and Patch Management Guide for Windows Server
46
2.7 Final Security Check After completing the hardening implementation, you need to check whether it has been implemented without omission. Use Microsoft Baseline Security Analyzer (MBSA) to check the security of your Microsoft products. With this tool, you can make a simple security check of Windows Server 2003, IIS and SQL Server. For the details about Microsoft Baseline Security Analyzer (MBSA), see •
Whitepaper: Microsoft Baseline Security Analyzer V1.2 www.microsoft.com/technet/security/tools/mbsawp.mspx
2.8 Other Methods for Checking Hardening Implementation You can also check your hardening implementation by using tools such as Ping, Event Viewer and group policy resultant sets.
Summary This chapter has explained how to implement hardening to improve your Windows Serverbased SAP systems.
1. Hardening is a solution that brings significant benefits to SAP system administrators. Hardening enables you to enhance security, ensure availability, and reduce the operating cost of the system.
2. Hardening is not a sufficient security measure in and of itself. To keep an SAP system secure, you should also include patch management in the implementation.
SAP Hardening and Patch Management Guide for Windows Server
47
3 Patch Management This chapter describes how to implement patch management for your Windows Server-based SAP system, from collecting information about security vulnerability to monitoring the results of security update programs. In this whitepaper, the focus is on the risk assessment used to determine whether you should apply a security update program depending on the system.
Contents of this Chapter This chapter describes how to implement patch management for your Windows Server-based SAP system.
1. 2. 3. 4. 5. 6.
What Is Patch Management? Collecting Information Assessing Risks Applying the Security Update Program Monitoring the result Summary
Microsoft and SAP work closely during the release cycle for service packs as Microsoft provides SAP all pending services packs prior to their release. Thorough testing occurs by SAP before Microsoft releases a particular service pack to ensure that installation will not cause a disruption of a running SAP system. See SAP Note #663621 (“Supporting Microsoft Hot Fixes with Windows Update”) for more information on SAP support of service packs. Specific SAP support statements for Microsoft Windows Server service packs can be found at SAP Note #30478 (“Support Packs on Windows”).
3.1 What Is Patch Management? Patch management is comprehensively controlling the application of released security update programs from the perspective of the processes involved and of your team (organization). This whitepaper concentrates on the security update programs. In an environment in which you have appropriately implemented hardening as described in Chapter 2 "Hardening", you may often find after implementing a risk assessment (which is one of the patch management steps), that it is not urgent to apply the patch immediately to protect against both known and new security vulnerabilities. Patch management can be divided into four major processes: 1) "Collecting Information", where you periodically check announcements about security vulnerability; 2) "Assessing Risks", where you analyze risks identified through the collected security vulnerability information; 3) "Applying the Security Update Program", where you test and apply the security update program; and 4) "Monitoring the Result", where you check that all the necessary security update programs have been applied. The following sections describe patch management based on these four processes.
SAP Hardening and Patch Management Guide for Windows Server
48
Collecting Information 3.2
Announcement about Security Vulnerability
Risk Analysis
Yes No
Have all update programs been applied? No
Monitoring the Result Check that the necessary update programs have all been applied
No Any problems after update?
Security update programs need to be applied? Assessing Risks 3.3
Restore system through a roll-back process Yes
Applying the security update program 0
Yes
Devise a plan to respond to the vulnerability
Test the security update program before application
Apply the security update program
Figure 30 – Example of the Patch Management Processes
3.2 Collecting Information Before implementing patch management, you must collect information about security vulnerability. There is a lot of information about security available from the Microsoft Web site. To effectively gather information, you should predetermine what information you are looking for and organize the latest information for easy checking and analysis.
Collecting Information about Security Vulnerability Since October of 2003 when it revised its policy concerning the publication of security vulnerability information, Microsoft releases information about security vulnerability on the "Microsoft Security Bulletin Summaries" site the second Tuesday of every month. By using the free "Microsoft Security Notification Service", you can be notified of the latest updated information by e-mail, eliminating the need for you to periodically check the site yourself. The "Microsoft Security Bulletin Summaries" describe in detail the nature of the vulnerability at issue, any affected software, the maximum severity rating, countermeasures, workarounds, etc. In addition, you can download any available security update programs as a countermeasure against the security vulnerability.
SAP Hardening and Patch Management Guide for Windows Server
49
Additional information: In an urgent situation (for example, the threat of infection by a computer virus or worm), Microsoft may release information about the security vulnerability anytime other than during the second week of the month in order to publish it as soon as possible. But by also subscribing to the "Microsoft Security Notification Service" (http://www.microsoft.com/technet/security/bulletin/notify.mspx), you can receive these urgent unscheduled release notifications by e-mail. We highly recommend use of this service.
Table 15: Sites Providing Information on Security Vulnerability Site Name Microsoft Security Bulletin Summaries Microsoft TechNet Security Center Microsoft Security Notification Service
Address http://www.microsoft.com/technet/security/bulletin/summary.mspx http://www.microsoft.com/technet/security/default.mspx http://www.microsoft.com/technet/security/bulletin/notify.mspx
3.3 Assessing Risks Risk Assessment means that, according to the system environment for each enterprise, you comprehensively determine your degree of urgency based on the information gathered in "3.2 Collecting Information"). In the environment for which you have properly implemented hardening as described in Chapter 2 "Hardening", you will often find that an "urgent application" is unnecessary because the degree of urgency is lower than that in the environment for which hardening has not been implemented. Microsoft applies the severity rating system to each Microsoft report on security vulnerability to help you determine the urgency of applying the security update program. The following table lists the ratings and their definitions. However, this rating information is based on the assumption that you have not implemented hardening for your system. You should determine the degree of urgency for your enterprise by comprehensively assessing such aspects as the importance of your system and the state of your hardening implementation. In the environment for which you have properly implemented hardening as described in Chapter 2 "Hardening", the degree of urgency is less critical than in the environment for which hardening has not been implemented.
SAP Hardening and Patch Management Guide for Windows Server
50
Table 16: Definitions of the Severity Ratings Rating Critical Important
Moderate
Low
Definition Describes vulnerability that, if exploited, could allow propagation of an Internet worm without user action. Describes vulnerability that, if exploited, could compromise user data confidentiality, integrity, or availability, as well as compromise the integrity or availability of processing resources. Describes vulnerability for which the possibility of exploitation is significantly lessened by the existing configuration, or by the difficulty of infiltration or exploitation. Describes vulnerability that is extremely difficult to exploit or the exploitation of which has minimal impact.
For more information, see the Microsoft Security Response Center Security Bulletin Severity Rating System (http://www.microsoft.com/technet/security/bulletin/rating.mspx). This whitepaper uses four categories to describe the urgency of applying the security update program: "Urgent application", "Applying during regular operation", "Applying with the service pack", and "No application". Determine the appropriate emergency assessment category to suit your operation depending on your system environment and security policies.
Example of the Emergency Assessment Categories Determine the appropriate emergency assessment category to suit your operation depending on your system environment and security policies.
1. Urgent application Apply within 1 month.
2. Applying during the regular course of operation At least once every 3 to 6 months.
3. Applying with the service pack When installing the next service pack.
4. No application OS, functionality, product not affected.
SAP Hardening and Patch Management Guide for Windows Server
51
Additional information: You can also obtain general emergency assessment from http://www.microsoft.com/technet/itsolutions/techguide/msm/default.mspx. However, this example of the emergency assessment categories was written based on actual SAPrelated consulting cases provided by Microsoft Consulting Services with some changes added. You should consider the trade-offs among various assessment factors, such as your hardening circumstances, risks, costs, time necessary to assess the security update program, and other practicalities, when deciding your emergency assessment category.
Assessing the Consequences and Urgency of the Vulnerability As described above, Microsoft releases information about security vulnerability once a month. But taking measures against all security vulnerabilities would increase costs and shutdown times for your system resulting in decreased availability. Since the consequences of the vulnerability vary depending on the environment, it is important to determine the degree of urgency for your particular situation. Even if the maximum severity rating of the security vulnerability is "Critical", if you do not use that particular vulnerable service, in many cases you can respond to the vulnerability by application during the regular course of operation (once every 3 to 6 months) or by application with the next service pack (when installing the next service pack). To reduce the operational cost involved in applying the security update program and to maintain high availability, you can create a matrix as one method for determining the consequences of the vulnerability and the degree of urgency. It will be referred to as the vulnerability assessment matrix in this whitepaper.
Example of a Method for Determining the Degree of Urgency Determine the appropriate emergency assessment category to suit your operation depending on your system environment and security policies.
- Vulnerability Assessment Matrix
What is a Vulnerability Assessment Matrix? The vulnerability assessment matrix is a matrix that can help you to determine the consequences of the vulnerability on your system and the countermeasures to take against it, even if your system environment is complex. You can create the matrix based on the information provided by Microsoft about the security vulnerability.
SAP Hardening and Patch Management Guide for Windows Server
52
Creating the Vulnerability Assessment Matrix The vulnerability assessment matrix consists of three major parts: "Organizing the information about the security vulnerability", "Assessing the pros and cons of the risk", and "Determining the degree of urgency for applying the security update program for each enterprise" (see Table 18: Vulnerability Assessment Matrix. Once you organize the information about the security vulnerability, you can create the steps "Organizing the information about the security vulnerability" and "Assessing the pros and cons of the risk". The portion "Organizing the information about the security vulnerability" is taken from the monthly Security Bulletin described in section 0, “Collecting Information about Security Vulnerability" (summarized from http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx, for example), available from the Microsoft Security Bulletin Summaries at http://www.microsoft.com/technet/security/bulletin/summary.mspx. For the contents of the excerpt, see the following section, "Organizing the Information about the Security Vulnerability". The part "Assessing the pros and cons of the risk" is created based on the information organized in the "Organizing the Information about the Security Vulnerability" along with your system configuration, and provides the criteria for determining the degree of urgency. By this determination, you can decide when to apply the security update program. To create the vulnerability assessment matrix, you must perform the following steps.
Step 1: Organizing Information about Security Vulnerability
Step 2: Assessing Pros and Cons of Risks
Step 3: Determining Urgency for Each Enterprise
Figure 31 – Process for Creating the Vulnerability Assessment Matrix
Organizing the Information about Security Vulnerability In this step, you organize the following information about the security vulnerability.
Consequences of the vulnerability Maximum severity rating Affected software Technical details o Technical description o Mitigating factors Workarounds Information about the security update program o Restart requirement o Information about uninstalling the program SAP Hardening and Patch Management Guide for Windows Server
53
Assessing the Pros and Cons of the Risk Assess each criterion based on the information from the step "Organizing the Information about Security Vulnerability". Are there consequences of the vulnerability? o Is there an affected OS? o Are there affected products or functionality? Is it possible for someone to attack anonymously? (simply an open port makes such an attack possible) Is it possible for someone to obtain or upgrade privileges? There is no effective workaround. Is it possible that the hardening implemented by each enterprise is not effective?
Determining the Degree of Urgency The degree of urgency for each enterprise is determined by the result of the step "Assessing the Pros and Cons of the Risk". See below for examples. In the first example, the determination is "Urgent application" because all the criteria in "Assessing the Pros and Cons of the Risk" apply to the system. In the second example, the determination is "Applying during regular operation" because the criterion "Your system is affected by the vulnerability" applies to the system and the maximum severity rating is "Important". The determination will vary depending on system configurations and environments.
Table 17: Determining Whether to Apply the Security Update Program Determination Urgent application Applying during regular operation
Applying with the service pack
No application
Criteria All the criteria in the "Assessing the Pros and Cons of the Risk" apply to your system. The criterion "Are there consequences of the vulnerability?" applies to your system and the maximum severity rating is "Critical" or "Important". The criterion "Are there consequences of the vulnerability?" applies to your system and the maximum severity rating is other than "Critical" or "Important". Your system is not affected.
SAP Hardening and Patch Management Guide for Windows Server
54
To help in the determination of whether to apply the security update program, you may want to create a flowchart. Note that the flowchart will vary according to system configurations and environments. Start
Affected by the Pros/Cons of the Risk
NO
YES
Pros and Cons of the Risk: All criteria apply to the system.
YES
NO
Maximum severity is "Critical" or "Important"
NO
YES Urgent application
Apply during the regular course of operation
Apply with the service pack
No application
Figure 32 – Sample Flowchart for Determining Whether to Apply the Security Update Program
SAP Hardening and Patch Management Guide for Windows Server
55
Table 18: Vulnerability Assessment Matrix
Determination Sample 1 - Hardening has not been Implemented Step 1: Organizing the Information about Security Vulnerability Security Bulletin No.
MS03-026
URL for information about the vulnerability
http://www.microsoft.com/technet/security/bulletin/MS03026.mspx July 17, 2003
Original release date of the vulnerability information report Time elapsed between information release and occurrence of computer virus Affected software
Maximum Severity Rating Nature of the vulnerability Characteristics
Mitigating factors
Restart required This security update program can be uninstalled
Microsoft Windows NT Server 4.0 Microsoft Windows NT Server 4.0 Terminal Server Edition Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Critical Buffer overruns in RPC interface could allow code execution (823980) (MS03-026) There is vulnerability in a part of RPC that handles message exchange over TCP/IP. The issue stems from incorrect handling of illegal messages. In order to exploit this vulnerability, the attacker would need to have specially altered or sent a request to port 135, 139, 445 on the remote machine, or to another port configured for RPC. Yes Yes
Pros and Cons of the Risk
Step 2: Assessing the Pros and Cons of the Risk Are there consequences of the vulnerability? Is there an affected OS? Are there affected products or functionality?
Yes Yes
Is it possible for someone to attack anonymously? Is it possible for someone to obtain privileges?
Yes
There is no effective workaround. Is it possible that the hardening implemented by each enterprise is not effective?
Yes Yes
Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise Determination
Urgent application. (After hardening is implemented, the degree of urgency will be lessened.)
SAP Hardening and Patch Management Guide for Windows Server
56
Table 19: Vulnerability Assessment Matrix
Determination Sample 2 - Hardening has not been Implemented Step 1: Organizing the Information about Security Vulnerability Security Bulletin No.
MS04-003
URL for information about the vulnerability
http://www.microsoft.com/technet/security/bulletin/MS04003.mspx
Original release date of the vulnerability information report Time elapsed between information release and occurrence of computer virus Affected software
January 14, 2004
Maximum Severity Rating
Important
Nature of the vulnerability
Buffer overrun in MDAC function could allow code execution (832483)
Characteristics
Microsoft Data Access Components (MDAC) is a collection of components that provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client.
Mitigating factors
For an attack to be successful, an attacker would have to simulate an SQL server that is on the same IP subnet as the target system.
Restart required
Yes
This security update program can be uninstalled
No
Microsoft Windows
Pros and Cons of the Risk
Step 2: Assessing the Pros and Cons of the Risk Are there consequences of the vulnerability? Is there an affected OS? Are there affected products or functionality?
Yes Yes -
Is it possible for someone to attack anonymously? Is it possible for someone to obtain privileges?
No Yes
There is no effective workaround. Is it possible that the hardening implemented by each enterprise is not effective?
No Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise Determination
Apply during the regular course of operation. (After implementing hardening, the degree of urgency will be lessened.)
SAP Hardening and Patch Management Guide for Windows Server
57
Table 20: Vulnerability Assessment Matrix
Determination Sample 3 - Hardening has not been Implemented Step 1: Organizing the Information about Security Vulnerability Security Bulletin No.
MS04-006
URL for information about the vulnerability
http://www.microsoft.com/technet/security/bulletin/MS04006.mspx
Original release date of the vulnerability information report Time elapsed between information release and occurrence of computer virus Affected software
February 11, 2004
Maximum Severity Rating
Microsoft Windows 2000 Server
Nature of the vulnerability
Microsoft Windows Server 2003
Characteristics
Important
Mitigating factors
Vulnerability in the Windows Internet Naming Service (WINS) could allow code execution (830352)
Restart required
A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method that WINS uses to validate the length of specially-crafted packets.
This security update program can be uninstalled
The WINS service is not installed by default.
Microsoft Windows NT Server
Pros and Cons of the Risk
Step 2: Assessing the Pros and Cons of the Risk Are there consequences of the vulnerability? Is there an affected OS? Are there affected products or functionality?
No No No
Is it possible for someone to attack anonymously? Is it possible for someone to obtain privileges?
No
There is no effective workaround. Is it possible that the hardening implemented by each enterprise is not effective?
No Yes
No
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise Determination
Only needs to be applied to the WINS server. Application to the WINS server during regular operation. (After hardening is implemented, the degree of urgency will be lessened.)
SAP Hardening and Patch Management Guide for Windows Server
58
Applying the Security Update Program After you determine that the security update program needs to be applied through the result of risk assessment of the vulnerability, you should apply it to your system. Applying the security update program is performed according to the following steps: "Devising a plan for responding to the vulnerability", "Testing the security update program before applying", "Applying the security update program", "Verifying the behavior after application", and if problems occur from the application, then "Restoring through the roll-back process".
Step 1: Devising a plan for responding to the vulnerability
Step 2: Testing the security update program before application
Step 3: Applying the security update program
Step 4: Verifying the behavior after application
Step 5: Restoring through the roll-back process
Figure 33 – Process Flow of Applying the Security Update Program
For the details on applying security update programs, see the document listed below.
Table 21: Reference Information How To Implement Patch Management http://msdn.microsoft.com/library/en-us/secmod/html/secmod108.asp
Devising a Plan for Responding to the Vulnerability To apply the security update program, you should first devise a plan for responding to the vulnerability. It is important to clarify the required security level since it varies depending on the system environment. Before applying the security update program, you may want to create a flowchart for managing the modification. By creating the flowchart, you can implement a better quality application. When devising the plan, you should refer to SAP Notes 30478, 62988 and 664607 to check whether this security update program has ever caused problems in the SAP environment.
SAP Hardening and Patch Management Guide for Windows Server
59
Start
Emergency? NO
YES
Normal process
Emergency process
Plan the steps for rapid change and restoration
Plan the steps for change and restoration
NO
Test the steps for change and restoration
Testing required? YES
Successful?
NO
Test quickly
YES Successful?
Adjust before applying to the production environment
Apply to the production environment
NO
YES Adjust before applying, then apply to the production environment
Finish
Finish
Figure 34 – Sample Flowchart for Managing Changes
SAP Hardening and Patch Management Guide for Windows Server
60
3.4 Applying Security Update Program Points to Consider When Applying Security Patches
Apply revision in order of registration o
Applying the Security Patch and service packs causes old program files to be overwritten with newer versions. Failure to observe the registration order will result in old modules being in the place of new modules.
Reapply revision if necessary o
When the system modules of network components and device drivers are added to Windows NT systems to which the Security Patch and Service Packs have already been applied, the manager must manually re-apply the Service Packs and Security Patch.
Re-application is also recommended for Windows 2000, XP, and 2003.
Apply only the correct update o
Security Patch and service packs vary with the version of the corresponding product.
Table 22: Security Patch Considerations System Upgrade Types
Timing of Patch Application to SAP System
If SAP System is Halted after Patch Application Problem solving based on SAP
Security Patch (Windows)
Note #664607 (uninstall, etc.)
Security Path (SQL Server)
Immediately after Microsoft releases the Revision Program (SAP Note #62988)
Service Packs (with strict change management process and testing)
Once support is offered by SAP (SAP Notes #30478, 62988 and hardware/management tool manufacturers)
SAP Hardening and Patch Management Guide for Windows Server
Contact SAP Support
61
Testing the Security Update Program before Application There may be rare occasions when a security update program will cause problems to a monitoring tool or other programs. Therefore, you should test the security update program in a test environment before applying it to the production environment. The test involves the following steps: "Testing the application in a test environment", "Verifying the behavior in the test environment", and "Confirming the steps for a roll-back in the test environment".
Test Steps Test the security update program in a test environment before applying it to the production environment.
1. Testing the application in a test environment 2. Verifying the behavior in the test environment 3. Confirming the steps for a roll-back in the test environment
Note: Before applying the security update program Refer to the SAP Notes (especially 30478, 62988, and 664607) and check whether this security update program has ever caused problems in the SAP environment.
Testing the Application in a Test Environment The steps for applying the security update program can vary depending on the enterprise. Before applying the security update program to the production environment, you need to confirm the application steps in a test environment and verify the system behavior after application.
Updating via Management Tools The cost involved in applying a security update program increases in proportion to the number of machines. To help reduce this cost, Microsoft offers the following tools: Software Update Services (SUS) which is provided free of charge, and Systems Management Server 2003 (SMS) which requires licenses. •
Software Update Services (SUS) SUS automatically provides notification of important updates to Windows computers, and delivers them to all of the Windows desktop computers and servers in your organization. For more information about SUS, see the Microsoft Software Update Services Whitepaper (http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx).
SAP Hardening and Patch Management Guide for Windows Server
62
•
Systems Management Server 2003 (SMS 2003) Systems Management Server 2003 (SMS 2003) provides a comprehensive solution for change and configuration management for the Microsoft platform, enabling you to provide relevant software and updates quickly. For more information about Systems Management Server 2003 (SMS 2003), see the Systems Management Server 2003 Reviewer's Guide (http://www.microsoft.com/smserver/evaluation/revguide).
Note: Points to observe when applying the security update program • Reapply as necessary If a system module was added after application of the security update program or service pack, check the security vulnerability information report to confirm the need for reapplying the program. Be sure to reapply when necessary. • Apply the program that corresponds to your software You should apply the security update program and service pack that precisely corresponds to your software because the programs and packs are designed for specific products, versions and languages. For example, do not apply a service pack for English-version products to Japanese-version products.
3.5 Monitoring the Results Verifying Behavior in the Test Environment After applying the security update program, you will need to verify proper operation of your SAP system. You should check your Windows and SAP system behavior. Verification of the SAP system behavior consists of basic operation verification, as well as operation verification using a checklist and SAP transactions. To verify your SAP system's operation, you should check the following:
Verification of Your Windows System (OS, RDBMS, IIS) You will need to verify proper operation of your SAP system by checking your Windows system behavior.
1. Checking event logs 2. Checking the logs of various products and functions 3. Verifying the operation of the necessary services
Verification of Your SAP System You will need to verify proper operation of your SAP system by checking your SAP system behavior.
1. Verifying operation using the checklist 2. Executing test transactions to verify its operation 3. Verifying the operation of extracted business applications
SAP Hardening and Patch Management Guide for Windows Server
63
Confirming the Steps for Roll-Back in the Test Environment There are steps for confirming a roll-back in the event there are problems caused by the application of the security update program or by faulty implementation.
If problems are caused by faulty implementation o Restore from a backup. If problems are caused by the application of the security update program o Uninstall the security update program. Restore from a backup.
Confirming that the Necessary Programs have been Applied After applying the security update program, you need to verify that it has been applied properly and that possible problems that might have been caused by the vulnerability have been avoided. Microsoft provides a free tool, the Microsoft Baseline Security Analyzer (MBSA), for checking whether any computers have failed to apply the security update program. Microsoft also licenses a tool, the Systems Management Server 2003 (SMS 2003), that comprehensively performs the implementation process including applying of the security update programs, to checking and managing them. •
Microsoft Baseline Security Analyzer (MBSA) For more information, see “Final Security Check”.
•
Systems Management Server 2003 (SMS 2003) For more information, see "Applying the Security Update Program".
Summary This chapter described how to keep your Windows Server 2003-based SAP system secure by implementing patch management.
1. Patch management (specifically, risk assessment) minimizes the cost and risk associated with system changes. 2. It is important to maintain a well-balanced combination of patch management and hardening practices.
SAP Hardening and Patch Management Guide for Windows Server
64
Appendix: Report on Hardening Verification This following explains the actual settings used for and the results of hardening verification of a Windows Server 2003-based SAP system.
1.1 Verification Scenarios Verification environments were constructed for three common SAP configuration patterns: SAP R/3 Enterprise, SAP ITS, and SAP Enterprise Portal.
Verification Scenarios Verification environments were constructed for three common SAP configuration patterns.
1. SAP R/3 Enterprise 2. SAP ITS 3. SAP Enterprise Portal
The versions of software systems used for the verification of these configurations are summarized below.
Table 1 – Software Versions Category
Microsoft Products
SAP Products
Directory
Windows Server 2003 (Active Directory)
-
SAP R/3 Enterprise
Windows Server 2003
R/3 Enterprise 4.70 SR1 Ext.2.00, J2EE
RDBMS (for R/3)
Windows Server 2003, SQL Server 2000
Engine 6.30 SP2 (JDK1.3.1_10) -
(SP3+Hotfix 844 + new collation) SAP ITS – Agate
Windows Server 2003
ITS 6.20 SP8
SAP ITS – Wgate
Windows Server 2003, IIS 6.0
ITS 6.20 SP8
SAP Enterprise Portal
Windows Server 2003
Enterprise Portal 6.0 SP2 Patch3 + hotfix 2,J2EE Engine 6.20 SP20 (JDK1.3.1_10)
RDBMS (for EP)
Windows Server 2003, SQL Server 2000
-
(SP3+Hotfix 844 + new collation) EP IISProxy
Windows Server 2003, IIS 6.0
IIS Proxy 1.5.0.0
Note: The latest security update programs as of March 1, 2004 had been applied to the respective versions of Windows Server 2003 and SQL Server 2000.
Appendix: Report on Hardening Verification
65
1.2 Contents of Verifications Two types of verification were conducted: network hardening (packet filtering using the IPSec script policy)" and "service and other hardening (disabling and reconfiguring services using security templates).
Contents of Verifications Two types of verification were conducted.
1. Network hardening (packet filtering using the IPSec script policy) 2. Service and other hardening (disabling and reconfiguring services using security templates)
Table 2 – Contents of Hardening Verifications Category
Description
Network hardening
Configurations were implemented such that default communications
(packet filtering using the IPSec script policy)
were blocked and communication was granted only for necessary "communication routes" and "(destination) ports."
Service and other hardening (disabling and
Unnecessary services were disabled and proper security configurations
reconfiguring services using security templates)
were implemented for each server role.
1.3 Verification Results For each verification scenario, configurations were set according to the verification contents and confirmation was made that the SAP system ran without problems. Verification notes: • Hardening was carried out after the target system was disconnected from the network and all setup procedures were completed. • Tests were carried out on R/3 Enterprise, ITS, and Enterprise Portal in that order. • For each scenario, single sign-on to an Active Directory was assumed. Reasons - "Single sign-on to an Active Directory" is expected to become a mainstream configuration in the future. - Scenarios without single sign-on can be included. • Network hardening was carried out after configuration/rollback scripts were prepared. • A backup copy of the pre-hardening settings was taken whenever a security template was applied. • For operation verification, hardening checks were made using SAP security checklists, MBSA, and simple ping commands.
Appendix: Report on Hardening Verification
66
1.4 Network Hardening Settings
Network Hardening in SAP R/3 Enterprise Packet filtering was implemented using the IPSec script policy in the environment shown below and as summarized in Table 3 to Table 5.
Figure 1 – SAP R/3 Enterprise Environment
Appendix: Report on Hardening Verification
67
Table 2 – Packet Filtering Settings (1. Domain Controller) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP R/3
Any
Any
Any
Any
Any
Any
R/3) Other Domain
Mirroring
Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
All communications from SAP
computer
Enterprise SQL Server (for
Destination Action
Any
Any
Any
Controller
SAP R/3
This
Enterprise
computer
SQL Server
This
(for R/3)
computer
Other
This
Domain
computer
R/3 Enterprise granted. Grant
Yes
Grant
Yes
All communications from SQL Server (for R/3) granted. All communications from other domain controllers granted.
Controller ICMP ICMP
ICMP ICMP
Any Any
Any Any
This
SAP R/3
computer
Enterprise
This
SQL Server
computer
(for R/3)
Grant
Yes
Grant
Yes
Communication to SAP R/3 Enterprise Communication to SQL Server (for R/3)
Table 3 – Packet Filtering Settings (2. SAP R/3 Enterprise) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP DIALOG
TCP
Any
3200
This
Remarks
Block
Yes
All blocked by default.
Any
This
Grant
Yes
Communication from SAP
computer TCP
Any
1433
R/3) Client Domain Member
Mirroring
Address
computer
Server SQL Server (for
Destination Action
Any
Any
Any
This
SQL Server
computer
(for R/3)
This
Domain
computer
Controller
GUI Grant
Yes
Grant
Yes
Communication to SQL Server (for R/3) Communication to Domain Controller
Table 4 – Packet Filtering Settings (3. SQL Server (for R/3)) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SQL Server (for
Member
Mirroring
Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
Communication from SAP R/3
Grant
Yes
computer TCP
Any
1433
R/3) Domain
Destination Action
Any
Any
Any
SAP R/3
This
Enterprise
computer
This
Domain
computer
Controller
Appendix: Report on Hardening Verification
Enterprise Communication to Domain Controller
68
Network Hardening in SAP ITS Packet filtering was implemented using the IPSec script policy in the environment shown below and as summarized in the Table 6to Table 10.
Figure 2 – SAP ITS Environment
Appendix: Report on Hardening Verification
69
Table 6 – Packet Filtering Settings (1. Domain Controller) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP R/3
Any
Any
Any
Any
Any
Any
R/3) SAP ITS - Agate ICMP ICMP ICMP
Mirroring
Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
All communications from SAP
computer
Enterprise SQL Server (for
Destination Action
Any ICMP ICMP ICMP
Any Any Any Any
Any Any Any Any
SAP R/3
This
Enterprise
computer
SQL Server
This
(for R/3)
computer
SAP ITS -
This
Agate
computer
This
SAP R/3
computer
Enterprise
This
SQL Server
computer
(for R/3)
This
SAP ITS -
computer
Agate
R/3 Enterprise granted. Grant
Yes
Grant
Yes
All communications from SQL Server (for R/3) granted. All communications from SAP ITS - Agate granted
Grant
Yes
Grant
Yes
Communication to SAP R/3 Enterprise Communication to SQL Server (for R/3)
Grant
Yes
Communication to SAP ITS Agate
Table 7 – Packet Filtering Settings (2. SAP R/3 Enterprise) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP DIALOG
TCP
Any
3200
TCP
Any
3300
Server HTTP Server
Mirroring
This
Block
Yes
All blocked by default.
TCP
Any
8000
SAP ITS -
This
Agate
computer
Grant
Yes
Communication from SAP ITS
SAP ITS -
This
Grant
Yes
Agate
computer
Any
This
- Agate
TCP
Any
44300
Any
This
Grant
Yes
Grant
Yes
TCP
Any
1433
R/3) Client Domain
Any
Any
Any
Member
This
SQL Server
computer
(for R/3)
This
Domain
computer
Controller
Communication from Web browser
computer SQL Server (for
Communication from SAP RFC/BAPI program
computer HTTPS Server
Remarks
Address
computer
Server SAP RFC
Destination Action
Communication from Web browser
Grant
Yes
Communication to SQL Server (for R/3)
Grant
Yes
Communication to Domain Controller
Table 8 – Packet Filtering Settings (3. SQL Server) Service
All
Protocol
Any
Source Destination
Source
Port
Port
Address
Any
Any
Any
traffic SQL Server (for
Member
Mirroring
Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
Communication from SAP R/3
computer TCP
Any
1433
R/3) Domain
Destination Action
Any
Any
Any
SAP R/3
This
Enterprise
computer
This
Domain
computer
Controller
Appendix: Report on Hardening Verification
Enterprise Grant
Yes
Communication to Domain Controller
70
Table 9 – Packet Filtering Settings (4. IIS + SAP ITS WGate) Service
Protocol
Source Destination
Source
Destination
Port
Port
Address
Address
Action
Mirroring
All traffic
Any
Any
Any
Any
This computer
Block
Yes
HTTP Server
TCP
Any
80
Any
This computer
Grant
Yes
HTTPS Server
TCP
Any
443
Any
This computer
Grant
Yes
HTTP Server for mgmt
TCP
Any
8080
Any
This computer
Grant
Yes
SAP ITS - Agate Client1
TCP
Any
3900
This
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
Remarks
For administration purposes
computer SAP ITS - Agate Client2
TCP
Any
3910
This computer
SAP ITS - Agate Client1
TCP
Any
3918
(for Mgmt) SAP ITS - Agate Client2
TCP
Any
3928
(for Mgmt) Domain Member
This computer This
purposes
computer Any
Any
Any
For administration For administration purposes
This
Domain
computer
Controller
Grant
Yes
(oa.corp.com)
Table 10 – Packet Filtering Settings (5. SAP ITS Agate) Service
Protocol
Source Destination
Source
Destination
Port
Port
Address
Address
Action
Mirroring Remarks
All traffic
Any
Any
Any
Any
This computer
Block
Yes
SAP ITS - Agate Server1
TCP
Any
3900
SAP ITS -
This computer
Grant
Yes
This computer
Grant
Yes
This computer
Grant
Yes
Wgate SAP ITS - Agate Server2
TCP
Any
3910
SAP ITS Wgate
SAP ITS - Agate Server1
TCP
Any
3918
(for Mgmt) SAP ITS - Agate Server2
Wgate TCP
Any
3928
(for Mgmt) SAP DIALOG Client SAP RFC Client Domain Member
SAP ITS SAP ITS -
purposes This computer
Grant
Yes
This
SAP DIALOG
Grant
Yes
computer
Server
This
SAP RFC
Grant
Yes
computer
Server Grant
Yes
Wgate TCP TCP Any
Any Any Any
3200 3300 Any
For administration For administration purposes
This
Domain
computer
Controller (sap.corp.com)
Appendix: Report on Hardening Verification
71
Network Hardening in SAP Enterprise Portal Packet filtering was conducted using the IPSec script policy in the environment shown below and as summarized in the Table 11 to Table 18.
Figure 3 - SAP Enterprise Portal Environment
Appendix: Report on Hardening Verification
72
Table 11 – Packet Filtering Settings (1. Domain Controller) Service
All
Protocol Source
Any
Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP R/3
Any
Any
Any
Any
Any
Any
Any
Any
Any
SAP R/3
This
Enterprise
computer This
R/3)
computer
SAP ITS - Agate
This
Agate SAP
This
SQL Server (for
(for R/3) SAP ITS -
Address Block
Yes
All blocked by default.
Grant
Yes
All communications from SAP
computer
Enterprise SQL Server
Destination Action Mirroring Remarks
R/3 Enterprise granted. Grant
Yes
Grant
Yes
Server (for R/3) granted.
computer Any
Any
Any
Enterprise
SAP Enterprise
This
Portal
computer
All communications from SQL All communications from SAP ITS - Agate granted.
Grant
Yes
All communications from SAP Enterprise Portal granted.
Portal SQL Server
Any
Any
Any
(for EP) ICMP
ICMP
Any
Any
SQL Server
This
(for EP)
computer
This computer
SAP R/3
Grant
Yes
Server (for EP) granted. Grant
Yes
Enterprise ICMP
ICMP
Any
Any
This computer
SQL Server
ICMP
Any
Any
This computer
SAP ITS -
Grant
Yes
Grant
Yes
ICMP
Any
Any
This computer
SAP
Communication to SQL Server (for R/3)
Agate ICMP
Communication to SAP R/3 Enterprise
(for R/3) ICMP
All communications from SQL
Communication to SAP ITS Agate
Grant
Yes
Enterprise
Communication to SAP Enterprise Portal
Portal ICMP
ICMP
Any
Any
This computer
SQL Server
Grant
Yes
(for EP)
Communication to SQL Server (for EP)
Table 12 – Packet Filtering Settings (2. SAP R/3 Enterprise) Service
All
Protocol
Any
Source
Destination
Source
Port
Port
Address
Any
Any
Any
traffic SAP DIALOG
TCP
Any
3200
TCP
Any
3300
Server SAP RFC
TCP
Any
3300
Server HTTP Server
Mirroring Remarks
Address This
Block
Yes
All blocked by default.
Grant
Yes
Communication from SAP
computer
Server SAP RFC
Destination Action
TCP
Any
8000
SAP ITS -
This
Agate
computer
SAP ITS -
This
Agate
computer
SAP Enterprise
This
Portal
computer
Any
This
ITS - Agate Grant
Yes
Grant
Yes
RFC/BAPI program
TCP
Any
44300
Any
This
Grant
Yes
TCP
Any
1433
This computer
(for R/3) Client Domain
SQL Server
Grant
Yes
Grant
Yes
Any
Any
Any
This computer
Appendix: Report on Hardening Verification
Domain Controller
Communication from Web browser
(for R/3)
Member
Communication from Web browser
computer SQL Server
Communication from SAP Enterprise Portal
computer HTTPS Server
Communication from SAP
Communication to SQL Server (for R/3)
Grant
Yes
Communication to Domain Controller
73
Table 13 – Packet Filtering Settings (3. SQL Server) Service
All
Protocol
Any
Source
Destination
Source
Port
Port
Address
Destination Action
Any
Any
Any
This
traffic SQL Server
Block
Yes
All blocked by default.
Grant
Yes
Communication from
computer TCP
Any
1433
(for R/3) Domain
Mirroring Remarks
Address
Any
Any
Any
SAP R/3
This
Enterprise
computer
This computer
Member
Domain
SAP R/3 Enterprise Grant
Yes
Controller
Communication to Domain Controller
Table 14 – Packet Filtering Settings (4. SAP Enterprise Portal 6.0) Service
All traffic
Protocol
Any
Source
Destination
Source
Port
Port
Address
Any
Any
Any
Destination Action
Mirroring Remarks
Address This
Block
Yes
computer SAP J2EE Dispatcher
TCP
Any
50000
Server (HTTP) SAP J2EE Dispatcher
TCP
Any
50001
Server (HTTPS) HTTP Client
TCP
Any
80
Any (EP
This
IISPROXY)
computer
Any (EP
This
IISPROXY)
computer
This computer
SAP ITS -
All blocked by default.
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
Grant
Yes
SAP ITS - Wgate
Wgate HTTPS Client
TCP
Any
443
This computer
SAP ITS Wgate
HTTP Client
TCP
Any
8000
This computer
SAP R/3
SAP R/3 Enterprise
Enterprise HTTPS Client
TCP
Any
44300
This computer
SAP R/3 Enterprise
RFC Client
TCP
Any
3300
This computer
SAP R/3 Enterprise
SQL Server (for EP)
TCP
Any
1433
This computer
Client Domain Member
SQL Server (for R/3)
Any
Any
Any
This computer
Domain Controller
Appendix: Report on Hardening Verification
Communication to SQL Server (for R/3)
Grant
Yes
Communication to Domain Controller
74
Table 15 – Packet Filtering Settings (5. SQL Server) Service
Protocol
All
Any
Source
Destination
Source
Port
Port
Address
Any
Any
Any
Destination Action
This
traffic SQL Server
Block
Yes
All blocked by default.
Grant
Yes
Communication from SAP
computer TCP
Any
1433
SAP Enterprise
This
Portal
computer
(for EP) Domain
Mirroring Remarks
Address
Any
Any
Any
This computer
Member
Domain
Enterprise Portal Grant
Yes
Controller
Communication to Domain Controller
Table 16 – Packet Filtering Settings (6. IIS + SAP ITS WGate) Service
Source
Destination
Port
Port
Address
Address
Any
Any
Any
Any
This computer
Block
Yes
HTTP Server
TCP
Any
80
Any
This computer
Grant
Yes
HTTPS Server
TCP
Any
443
Any
This computer
Grant
Yes
HTTP Server for mgmt
TCP
Any
8080
Any
This computer
Grant
Yes
SAP ITS - Agate
TCP
Any
3900
This
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
SAP ITS - Agate
Grant
Yes
All
Protocol
Source Destination
Action
Mirroring Remarks
traffic
For administration purposes
Client1 SAP ITS - Agate
computer TCP
Any
3910
Client2 SAP ITS - Agate
TCP
Any
3918
Client1 (for Mgmt) SAP ITS - Agate
This computer
TCP
Any
3928
Client2 (for Mgmt) Domain Member
This computer
This
purposes
computer Any
Any
Any
Appendix: Report on Hardening Verification
For administration For administration purposes
This
Domain Controller
computer
(oa.corp.com)
Grant
Yes
75
Table 17 – Packet Filtering Settings (7. SAP ITS Agate) Service
Protocol
Source Destination
Source
Destination
Port
Port
Address
Address
Action
Mirroring Remarks
All traffic
Any
Any
Any
Any
This computer
Block
Yes
SAP ITS - Agate
TCP
Any
3900
SAP ITS -
This computer
Grant
Yes
This computer
Grant
Yes
This computer
Grant
Yes
Server1 SAP ITS - Agate
Wgate TCP
Any
3910
Server2 SAP ITS - Agate
Wgate TCP
Any
3918
Server1 (for Mgmt) SAP ITS - Agate
SAP RFC Client
SAP ITS Wgate
TCP
Any
3928
Server2 (for Mgmt) SAP DIALOG Client
SAP ITS -
SAP ITS -
purposes This computer
Grant
Yes
This
SAP DIALOG
Grant
Yes
computer
Server
This
SAP RFC Server
Grant
Yes
This
Domain Controller
Grant
Yes
computer
(sap.corp.com)
Wgate TCP TCP
Any Any
3200 3300
For administration For administration purposes
computer Domain Member
Any
Any
Any
Table 18 – Packet Filtering Settings (8. IIS + SAP Enterprise Portal IIS Proxy) Service
Protocol Source Destination
Source
Destination
Port
Port
Address
Address
Action Mirroring Remarks
All traffic
Any
Any
Any
Any
This computer
Block
Yes
All Traffic
HTTP Server
TCP
Any
80
Any
This computer
Grant
Yes
HTTP Server
HTTPS Server
TCP
Any
443
Any
This computer
Grant
Yes
HTTPS Server
SAP Enterprise Portal
TCP
Any
50000
This
SAP Enterprise
Grant
Yes
SAP Enterprise Portal
computer
Portal
Client for HTTP SAP Enterprise Portal
TCP
Any
50001
Client for HTTPS Domain Member
Any
Any
Any
Appendix: Report on Hardening Verification
This
SAP Enterprise
computer
Portal
This
Domain Controller
computer
(oa.corp.com)
Client for HTTP Grant
Yes
SAP Enterprise Portal Client for HTTPS
Grant
Yes
Domain Member
76
1.5 Service and Other Hardening Settings Service Hardening Using Templates Security templates suitable for the respective servers (see below) were applied and services were disabled (see Table 20 to Table 27).
Table 19 – Servers and Applied Security Templates Servers
Role
Applied Security Template*
Domain Controller
Domain controller
High Security - Domain Controller.inf
SAP R/3 Enterprise
Member server
High Security - Member Server Baseline.inf
SQL Server (for R/3)
Member server
High Security - Member Server Baseline.inf
SAP ITS - Agate
Member server
High Security - Member Server Baseline.inf
SAP ITS - Wgate
Web server
High Security - IIS Server.inf
SAP Enterprise Portal
Member server
High Security - Member Server Baseline.inf
SQL Server (for EP)
Member server
High Security - Member Server Baseline.inf
EP IISProxy
Web server
High Security - IIS Server.inf
* The most secure "high security" template was used as the assumed security environment. Download security templates from: http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655521EA6C7B4DB&displaylang=en#filelist
Appendix: Report on Hardening Verification
77
Table 20 – Domain Controller Name Automatic Updates Computer Browser Cryptographic Services Distributed File System DNS Client DNS Server Event Log File Replication Service Intersite Messaging IPSEC Services Kerberos Key Distribution Center Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Procedure Call (RPC) Locator Remote Registry Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client DHCP Server Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local Service Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System
78
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable
Local System
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
79
Table 21 – SAP R/3 Enterprise Name Automatic Updates Computer Browser Cryptographic Services Distributed File System DNS Client Event Log IPSEC Services Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry SAPOSCOL Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage SAPP01_00 SAPP01_05 Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local Service SAPSAPServicePO1 Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System SAPSAPServicePO1 SAPSAPServicePO1 Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System
80
Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
81
Table 22 – SQL Server (for SAP R/3 Enterprise) Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log IPSEC Services MSSQLSERVER Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry Security Accounts Manager Server SQLSERVERAGENT System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System
82
Kerberos Key Distribution Center License Logging Messenger Microsoft Search MSSQLServerADHelper NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
83
Table 23 – SAP ITS Agate Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log IPSEC Services ITS Watchdog Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry SAP IACOR Manager SAP ITS Manager - ADM SAP ITS Manager - P01 Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System
84
Intersite Messaging Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
85
Table 24 – SAP ITS Wgate Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log HTTP SSL IIS Admin Service IPSEC Services Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry SAP IACOR Manager Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation World Wide Web Publishing Service Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System
86
Intersite Messaging Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
87
Table 25 – SAP Enterprise Portal Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log IPSEC Services Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging Kerberos Key Distribution Center License Logging
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System
Disable Disable Disable
Local System Local System Network Service
88
Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
89
Table 26 – SQL Server (for SAP Enterprise Portal) Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log IPSEC Services MSSQLSERVER Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry Security Accounts Manager Server Symentec Ghost Configuration Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage SQLSERVERAGENT Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System SAPAdministrator Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System SAPAdministrator Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System
90
Intersite Messaging Kerberos Key Distribution Center License Logging Messenger Microsoft Search MSSQLServerADHelper NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
91
Table 27 – SAP Enterprise Portal IIS Proxy Name Automatic Updates Computer Browser Cryptographic Services DNS Client Event Log HTTP SSL IIS Admin Service IPSEC Services Net Logon NT LM Security Support Provider Plug and Play Protected Storage Remote Procedure Call (RPC) Remote Registry Security Accounts Manager Server System Event Notification TCP/IP NetBIOS Helper Terminal Services Windows Installer Windows Management Instrumentation Windows Time Workstation World Wide Web Publishing Service Background Intelligent Transfer Service COM+ Event System Logical Disk Manager Logical Disk Manager Administrative Service Microsoft Software Shadow Copy Provider Network Connections Network Location Awareness (NLA) Performance Logs and Alerts Removable Storage Volume Shadow Copy Windows Management Instrumentation Driver Extensions WMI Performance Adapter Alerter Application Layer Gateway Service Application Management ClipBook COM+ System Application DHCP Client Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service File Replication Help and Support Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging
Appendix: Report on Hardening Verification
Status Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start Start
Start Start
Startup options Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Log on Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Network Service Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System Local System
Disable
Local System
92
Kerberos Key Distribution Center License Logging Messenger NetMeeting Remote Desktop Sharing Network DDE Network DDE DSDM Portable Media Serial Number Service Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon Shell Hardware Detection Smart Card Special Administration Console Helper Task Scheduler Telephony Telnet Terminal Services Session Directory Themes Uninterruptible Power Supply Upload Manager Virtual Disk Service WebClient Windows Audio Windows Image Acquisition (WIA) WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration
Appendix: Report on Hardening Verification
Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable Disable
Local System Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System Local Service Local System Local System Local Service Local System Local Service Local Service Local System
93
Reconfigurations Made After the Application of Security Templates Impersonate a client after authentication In SAP R/3 Enterprise and SQL Server (for R/3), Administrators, which was deleted for the high security template, was entered again for the reconfiguration to be made after the application of security templates.
Figure 4 – User Rights Assignment Policy
Appendix: Report on Hardening Verification
94
Default Template
Newly Applied Template Settings
After High Security is Applied
After High Security is Applied
RECONFIGURATION
Figure 5 – Settings
Note: An application that is running as if it were a user can be disguised as a client if it is assigned the [Impersonate a client after authentication] privilege. The unauthorized user's attempt to credit a client with an authorized connection with this type of disguise is checked by asking the user for a user authorization. For example, when an unauthorized user is presented as a client after connecting to a service that has been created from a remote procedure call (RPC) or a named pipe, the authority level of unauthorized users is raised to the administrator or system level. The default security group for this user authority is suitable for the legacy client and enterprise client environments. This user authority in a high security environment, however, can only be configured with Local Service and Network Service.
Appendix: Report on Hardening Verification
95
Shutdown: Clear virtual memory page file In SAP R/3 Enterprise, the settings that had been enabled in high security templates were disabled.
Figure 6 – Security Options
Appendix: Report on Hardening Verification
96
Default Template
Newly Applied Template Settings
After High Security is Applied
After High Security is Applied
RECONFIGURATION
Figure 7 – Settings
Note: The [Shutdown: Clear virtual memory page file] security option determines whether the virtual memory page file is to be cleared when the system is shut down. When this option is selected, the system page file is cleared each time the system is shut down. When this security option is activated, the hibernation file (hiberfil.sys) is also zeroed in a portable computer system if the hibernation state is disabled. The sequence of shutting down and restarting the server will then take a long time, which will be noticeable in a server with a large paging file. For this reason, this option is configured as "disabled" in legacy client and enterprise client environments although it is "enabled" in a high security environment. Caution: There is the possibility that an attacker who is physically accessing a server could bypass this setting by disconnecting the server from the power source.
Appendix: Report on Hardening Verification
97
Related Documents
Sap Hardering For Windows Server
May 2020 12
Print Server Win2k3 - Sap
May 2020 3
Sap Netweaver Application Server
May 2020 5
Windows Server 2012.docx
July 2020 2
Windows Server 2003
July 2020 5More Documents from "Mauricio Ha"
Noika Mobile Kit
August 2019 59
Sql Tutorial
December 2019 53
Oracle 9i Notes
May 2020 48
File Server Aplication
December 2019 34
Instgd
May 2020 23