Points to Consider When Applying Security Patches
• Apply revisions in the order in which they were released (their registration order)
  o Applying a Security Patch or Service Pack overwrites old program files with newer versions. If the release order is not observed, old modules end up in place of new modules.
• Reapply revisions if necessary
  o When system modules for network components or device drivers are added to a Windows NT system to which the Security Patch and Service Packs have already been applied, the administrator must manually re-apply the Service Packs and the Security Patch. Re-application is also recommended for Windows 2000, XP, and 2003.
• Apply only the correct update
  o Security Patches and Service Packs vary with the version of the corresponding product.
Table 22: Security Patch Considerations

System Upgrade Type | Timing of Patch Application to SAP System | If SAP System Is Halted after Patch Application
Security Patch (Windows); Security Patch (SQL Server) | Immediately after Microsoft releases the revision program (SAP Note #62988) | Problem solving based on SAP Note #664607 (uninstall, etc.)
Service Packs (with strict change management process and testing) | Once support is offered by SAP (SAP Notes #30478 and #62988) and by hardware/management tool manufacturers | Contact SAP Support
Testing the Security Update Program before Application
On rare occasions a security update program may cause problems for a monitoring tool or other programs. Therefore, test the security update program in a test environment before applying it to the production environment. The test involves the following steps: "Testing the application in a test environment", "Verifying the behavior in the test environment", and "Confirming the steps for a roll-back in the test environment".

Note: Before applying the security update program, refer to the SAP Notes (especially 30478, 62988, and 664607) and check whether this security update program has ever caused problems in the SAP environment.
Testing the Application in a Test Environment
The steps for applying the security update program can vary depending on the enterprise. Before
applying the security update program to the production environment, you need to confirm the
application steps in a test environment and verify the system behavior after application.
Updating via Management Tools
The cost of applying a security update program increases in proportion to the number of machines. To help reduce this cost, Microsoft offers the following tools: Software Update Services (SUS), which is provided free of charge, and Systems Management Server 2003 (SMS), which requires licenses.
• Software Update Services (SUS)
  SUS automatically provides notification of important updates to Windows computers and delivers them to all of the Windows desktop computers and servers in your organization. For more information about SUS, see the Microsoft Software Update Services Whitepaper (http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx).
• Systems Management Server 2003 (SMS 2003)
  Systems Management Server 2003 (SMS 2003) provides a comprehensive solution for change and configuration management for the Microsoft platform, enabling you to provide relevant software and updates quickly. For more information about SMS 2003, see the Systems Management Server 2003 Reviewer's Guide (http://www.microsoft.com/smserver/evaluation/revguide).

Test Steps
Test the security update program in a test environment before applying it to the production environment:
• Testing the application in a test environment
• Verifying the behavior in the test environment
Note: Points to observe when applying the security update program
• Reapply as necessary
  If a system module was added after the security update program or service pack was applied, check the security vulnerability information report to confirm whether the program needs to be reapplied, and reapply it when necessary.
• Apply the program that corresponds to your software
  Apply the security update program and service pack that precisely correspond to your software, because these programs and packs are designed for specific products, versions and languages. For example, do not apply a service pack for English-version products to Japanese-version products.
3.5 Monitoring the Results
Verifying Behavior in the Test Environment
After applying the security update program, you will need to verify proper operation of your SAP system. Check both the Windows and the SAP system behavior. Verification of the SAP system behavior consists of basic operation checks, operation checks using a checklist, and checks using SAP transactions. To verify your SAP system's operation, check the following:

Verification of Your Windows System (OS, RDBMS, IIS)
Verify proper operation of your SAP system by checking the behavior of the underlying Windows system:
• Checking event logs
• Checking the logs of the various products and functions
• Verifying that the necessary services are running

Verification of Your SAP System
Verify proper operation of your SAP system by checking its behavior:
• Verifying operation using the checklist
• Executing test transactions to verify operation
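The Windows-side checks listed above (event logs and required services) are easier to repeat identically on every test and production host when they are scripted. The following PowerShell script is an added example and is not part of the guide, nor of any SAP or Microsoft tool. The service names, the log names and the default patch time window are assumptions to replace with the values for your own landscape; it requires Windows Server 2008 or later and Windows PowerShell 3.0 or later (Get-WinEvent is not available on the Windows Server 2003 systems the guide describes).

```powershell
# Added example (not from the guide): post-patch verification of one Windows host.
# ASSUMPTIONS: the service names below are placeholders for the SAP instance,
# database and IIS services on the test system; $PatchAppliedAt defaults to two
# hours ago and should be set to the time the update was actually installed.
# Needs Windows Server 2008 or later and Windows PowerShell 3.0 or later.
param(
    [datetime]$PatchAppliedAt = (Get-Date).AddHours(-2),
    [string[]]$RequiredServices = @('SAPService_PRD', 'MSSQLSERVER', 'W3SVC')  # placeholders
)

$findings = @()

# Check 1: every required service exists and is running.
foreach ($name in $RequiredServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += "Service '$name' is not installed on this host"
    } elseif ($svc.Status -ne 'Running') {
        $findings += "Service '$name' is $($svc.Status); expected Running"
    }
}

# Check 2: no Critical (level 1) or Error (level 2) events in the System and
# Application logs since the update was applied. Get-WinEvent raises a
# non-terminating error when nothing matches; SilentlyContinue hides that.
foreach ($log in 'System', 'Application') {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Level     = 1, 2
        StartTime = $PatchAppliedAt
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ([string]$e.Message -split "`n")[0]
        $findings += ('{0} {1} {2} (event {3}): {4}' -f $e.TimeCreated, $log, $e.ProviderName, $e.Id, $firstLine)
    }
}

# Report; the exit code lets a change-management job record pass or fail.
if ($findings.Count -eq 0) {
    Write-Output "OK: required services running, no Critical/Error events since $PatchAppliedAt"
    exit 0
}
Write-Output "REVIEW: $($findings.Count) finding(s) since $PatchAppliedAt"
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

Save it under a name of your choosing (for example Verify-PostPatch.ps1) and run it on the test host immediately after the update, passing -PatchAppliedAt with the installation time recorded in the change ticket. A non-empty findings list does not by itself mean the update is at fault, but every entry should be explained before the same update is released to production, which is exactly the "verifying the behavior in the test environment" step.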
Confirming the Steps for Roll-Back in the Test Environment
Confirm the steps for rolling back in the event of problems caused either by the application of the security update program or by a faulty implementation.
• If problems are caused by a faulty implementation
  o Restore from a backup.
• If problems are caused by the application of the security update program
  o Uninstall the security update program.
  o Restore from a backup.
Confirming that the Necessary Programs Have Been Applied
After applying the security update program, verify that it has been applied properly and that the problems the vulnerability could have caused have thereby been avoided. Microsoft provides a free tool, the Microsoft Baseline Security Analyzer (MBSA), for checking whether any computers have failed to apply the security update program. Microsoft also licenses a tool, Systems Management Server 2003 (SMS 2003), that comprehensively performs the implementation process, from applying the security update programs to checking and managing them.
• Microsoft Baseline Security Analyzer (MBSA)
  For more information, see "Final Security Check".
• Systems Management Server 2003 (SMS 2003)
  For more information, see "".
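Confirming that a required update is actually present on every host is the check MBSA automates. The following PowerShell script is an added example (not from the guide, and not MBSA or SMS) that performs the narrower version of that check: it compares the updates each host reports through Get-HotFix against a required list and flags hosts that are missing any of them or cannot be reached. The host names and KB numbers are placeholders to replace with your landscape's servers and the update IDs from the bulletin you are applying; it assumes the caller has administrative rights and WMI access on each host and runs Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the guide; not MBSA or SMS): report hosts that are
# missing required security updates, using the update list each host itself
# reports through Get-HotFix (WMI class Win32_QuickFixEngineering).
# ASSUMPTIONS: host names and KB IDs are placeholders; replace them with the
# servers in your SAP landscape and the update IDs from the bulletin being
# applied. The caller needs administrative rights and WMI access on each host.
# Needs Windows PowerShell 3.0 or later.
param(
    [string[]]$Computers   = @('SAPAPP01', 'SAPDB01'),     # placeholder host names
    [string[]]$RequiredKBs = @('KB0000001', 'KB0000002')   # placeholder update IDs
)

$report = foreach ($computer in $Computers) {
    try {
        $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                       Select-Object -ExpandProperty HotFixID)
    } catch {
        # An unreachable host is reported as non-compliant rather than skipped;
        # otherwise a powered-off or firewalled machine would look patched.
        [pscustomobject]@{
            Computer  = $computer
            Missing   = "(unreachable: $($_.Exception.Message))"
            Compliant = $false
        }
        continue
    }

    # Required updates that do not appear in the host's installed list.
    $missing = @($RequiredKBs | Where-Object { $installed -notcontains $_ })
    $missingText = '-'
    if ($missing.Count -gt 0) { $missingText = $missing -join ', ' }
    [pscustomobject]@{
        Computer  = $computer
        Missing   = $missingText
        Compliant = ($missing.Count -eq 0)
    }
}

$report | Format-Table -AutoSize

# Non-zero exit when any host is missing an update, so the check can gate the change ticket.
if (@($report | Where-Object { -not $_.Compliant }).Count -gt 0) { exit 1 }
exit 0
```

The script only answers whether the listed updates are registered on each host; it does not assess whether other, unlisted updates are outstanding, which is the broader scan MBSA provides. Treating an unreachable host as non-compliant is deliberate: a patch report that silently omits hosts it could not query is the most common way a missed server stays unpatched.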
Summary
This chapter described how to keep your Windows Server 2003-based SAP system secure by implementing patch management. Patch management (specifically, risk assessment) minimizes the cost and risk associated with system changes. It is important to maintain a well-balanced combination of patch management and hardening practices.
Appendix: Report on Hardening Verification
The following explains the actual settings used for, and the results of, hardening verification of a Windows Server 2003-based SAP system.

Source: SAP Hardening and Patch Management Guide for Windows Server (pages 66-70)