
Implementation of Hardening

Before implementing high-quality hardening, some preparation is required. Some important preparation tasks are: clarifying the required security level, checking the specifications of your system, determining what might need hardening, estimating the cost and the effect of the hardening, and determining what to harden.

Network Hardening

Network hardening on an SAP system means implementing packet filtering to block unnecessary communications. The goal is to make attacks more difficult by closing off communication paths that the system does not need.

Network Hardening Defined…

Definition: Implementing packet filtering on SAP systems to block unnecessary communications.

Effect: Blocks attacks that rely on unnecessary communications.

Closing unnecessary communication paths to SAP systems makes attacks against vulnerabilities more difficult.

Preparations before implementing hardening

Before implementing high-quality hardening, some preparation is required.

1. Clarifying the required security level

Determine how far security should be enhanced.

2. Checking the system specifications

Check the specifications of not only the SAP system but also systems other than SAP.

This includes checking required communication paths, ports, and services.

3. Determining what might need hardening

Determine what should be subjected to network, service, and other hardenings.

4. Estimating the cost and the effect of the hardening

Estimate the effect and the associated cost beforehand to ensure maximum effect with minimum cost.

5. Determining what to harden

Decide which items should be subjected to hardening and how extensively it should be done.

SAP Hardening and Patch Management Guide for Windows Server 8

Network hardening is important on SAP systems for the following reasons: 1) SAP systems use only specific ports that can be easily identified, 2) the ports used on SAP systems are typically less likely to be attacked by computer viruses, and 3) hardening networks to the maximum extent makes attacks more difficult for hackers.

As a first step, determine which servers are critical to deliver SAP services (which servers might be a single point of failure from a network hardening perspective?).

• SAP Central Instance

• SAP Database Instance

• Other non-redundant servers

Such a determination reduces the time needed to install the applicable security patches, whose installation could cause downtime for these servers from an availability standpoint. Port and service limits would therefore be implemented on these specific SAP application and database servers (also effective with SAP Router), while other servers may not need such strict limitations.

Overall, separate the SAP servers that are potential single points of failure (CI, DB, etc.) from the others, creating an “SAP server segment” via a firewall, router, etc. Keep the “redundant” SAP-related servers (e.g. SAP dialog instances, ITS AGate/WGate, etc.) in a separate segment so that security patches can be applied one server at a time.

Importance of Network Hardening

There are several reasons why network hardening is important on all SAP systems in your environment.

Reason: SAP systems only use specific ports that can be easily identified.

The ports are further limited when the functions of the SAP J2EE engine are suspended.

Reason: The ports used on SAP systems are typically less likely to be attacked by computer viruses.

The ports are also customizable.

Conclusion: Hardening networks to the maximum extent therefore makes attacks more difficult.

Figure 4 – An Example of Network Hardening for a Corporate Network

Ports and Packet Filtering

Packet filtering should be taken into consideration to block all unnecessary network traffic on ports to SAP systems (as well as any 3rd party tools) and IPSec script policy should be leveraged.

Execute IPSec policy scripts on each Windows Server; hardware-based packet filtering to lock down specific ports can be done via a firewall, router, or layer 3 switch between network subnets. (See SAP Note #66687 (“Use of Network Security Products”) concerning SAP certification requirements for some 3rd party network security tools.)

Note that Microsoft ISA Server 2004 can provide advanced firewall protection and includes the following:

• One machine can act as both Firewall and SAP Router

• Application layer filtering

• Can decrypt HTTPS, inspect content and redeliver it internally

• Pre-authentication, form based

• Attachment control

• Interface blocking

• Intrusion detection

By applying the IPSec script policy to your server, you can confine the communication pathway and restrict the TCP and UDP ports used for the communication. For how to use IPSec, refer to:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod111.asp

The following includes an example of the IPSec script policy:

Example: Create the sample code as a batch file and execute it on the SAP R/3 Enterprise server. The policy does three things:

1. Block all communication by default.

2. Permit dialog-process access from clients (clients to SAP R/3 Enterprise, destination port TCP 3200).

3. Permit access from SAP R/3 Enterprise to the DB instance (SAP R/3 Enterprise to SQL Server, destination port TCP 1433).

:: IPSec Policy Definition
netsh ipsec static add policy name="Packet Filters - R3" description="Server Hardening Policy" assign=no

:: IPSec Filter List Definitions
netsh ipsec static add filterlist name="ALL" description="Server Hardening"
netsh ipsec static add filterlist name="DIALOG" description="Server Hardening"
netsh ipsec static add filterlist name="MSSQL" description="Server Hardening"

:: IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

:: IPSec Filter Definitions (each command is a single line)
netsh ipsec static add filter filterlist="ALL" srcaddr=any dstaddr=me description="ALL" protocol=any srcport=0 dstport=0
netsh ipsec static add filter filterlist="DIALOG" srcaddr=any dstaddr=me description="DIALOG" protocol=TCP srcport=0 dstport=3200
netsh ipsec static add filter filterlist="MSSQL" srcaddr=me dstaddr=192.168.12.3 description="MSSQL" protocol=TCP srcport=0 dstport=1433

:: IPSec Rule Definitions (bind each filter list to an action within the policy)
netsh ipsec static add rule name="ALL" policy="Packet Filters - R3" filterlist="ALL" kerberos=yes filteraction=Block
netsh ipsec static add rule name="DIALOG" policy="Packet Filters - R3" filterlist="DIALOG" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="MSSQL" policy="Packet Filters - R3" filterlist="MSSQL" kerberos=yes filteraction=SecPermit

:: Assign (activate) the policy
netsh ipsec static set policy name="Packet Filters - R3" assign=yes
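To see what the three rules above actually do once the policy is assigned, the following Python script is an added example (it is not part of the guide and not a Microsoft or SAP tool). It models the sample policy's three filters and evaluates candidate flows against them in the way Windows IPSec does: filters are mirrored by default (the reply direction matches too) and the most specific matching filter decides the action, which is why the blanket Block on the ALL list can coexist with the two permits. The server address 192.168.12.10 and the client address 10.0.0.5 are constructed; 192.168.12.3 is the SQL Server address from the script above.

```python
"""Offline model of the sample "Packet Filters - R3" IPSec policy (added example).

Two behaviours of Windows IPSec filtering are modelled:
  * filters are mirrored by default, so the reply direction matches as well;
  * when several filters match, the most specific one decides the action.
"""
from dataclasses import dataclass
from typing import List

ME = "192.168.12.10"          # constructed: the address the server sees as "me"
SQL_SERVER = "192.168.12.3"   # from the netsh script above
CLIENT = "10.0.0.5"           # constructed: an SAP GUI workstation


@dataclass(frozen=True)
class Filter:
    name: str
    src: str        # IP address or "any"
    dst: str        # IP address or "any"
    protocol: str   # "TCP", "UDP" or "any"
    dst_port: int   # 0 means any port
    action: str     # "permit" or "block"
    mirrored: bool = True

    def _one_way(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return ((self.src == "any" or self.src == src)
                and (self.dst == "any" or self.dst == dst)
                and (self.protocol == "any" or self.protocol == proto)
                and (self.dst_port == 0 or self.dst_port == dport))

    def matches(self, src: str, dst: str, proto: str, sport: int, dport: int) -> bool:
        if self._one_way(src, dst, proto, dport):
            return True
        # A mirrored filter also matches the reverse packet: addresses swapped and,
        # because the filter pins a destination port, the reply's source port.
        return self.mirrored and self._one_way(dst, src, proto, sport)

    def specificity(self) -> int:
        # Count the fields pinned to a value; "any" and port 0 are wildcards.
        return sum([self.src != "any", self.dst != "any",
                    self.protocol != "any", self.dst_port != 0])


# The three filters defined by the netsh script, one per filter list.
POLICY: List[Filter] = [
    Filter("ALL",    "any", ME,         "any", 0,    "block"),
    Filter("DIALOG", "any", ME,         "TCP", 3200, "permit"),
    Filter("MSSQL",  ME,    SQL_SERVER, "TCP", 1433, "permit"),
]


def evaluate(src: str, dst: str, proto: str, sport: int, dport: int,
             policy: List[Filter] = POLICY) -> str:
    """Return "permit", "block" or "unfiltered" for one packet."""
    hits = [f for f in policy if f.matches(src, dst, proto, sport, dport)]
    if not hits:
        return "unfiltered"   # no filter covers it, so IPSec leaves it alone
    return max(hits, key=Filter.specificity).action


def audit(policy: List[Filter] = POLICY) -> dict:
    """Evaluate a handful of representative flows; the keys describe each flow."""
    flows = {
        "client -> dispatcher 3200":  (CLIENT, ME, "TCP", 51000, 3200),
        "dispatcher reply -> client": (ME, CLIENT, "TCP", 3200, 51000),
        "client -> gateway 3300":     (CLIENT, ME, "TCP", 51001, 3300),
        "client -> RDP 3389":         (CLIENT, ME, "TCP", 51002, 3389),
        "server -> SQL Server 1433":  (ME, SQL_SERVER, "TCP", 51003, 1433),
        "SQL Server reply -> server": (SQL_SERVER, ME, "TCP", 1433, 51003),
        "SQL browser probe UDP 1434": (CLIENT, ME, "UDP", 51004, 1434),
    }
    return {label: evaluate(*pkt, policy=policy) for label, pkt in flows.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:30} {verdict}")
```

Running the audit shows the caveat a practitioner wants before assigning this policy on a real server: as written it permits only the dialog port and the SQL Server connection, so the gateway (33NN), message server (36NN) and any remote administration port such as 3389 are blocked until matching filter lists and permit rules are added.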


Necessary Ports for Operating SAP Systems

A list of ports used by:

• SAP systems (along with other security-related documentation):

http://service.sap.com/security > Security Detail > Infrastructure Security.

• Windows Server System:

“Service Overview and Network Port Requirements for the Windows Server System”

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

• SQL Server: over TCP: 1433, UDP: 1434

• IIS (World Wide Web Publishing Service): 80, 443

• Terminal Services and Remote Desktop: 3389 (default; can be configured):

“How to Change the Listening Port in the Windows Terminal Server Web Client”

http://support.microsoft.com/default.aspx?scid=kb;en-us;326945

• Active Directory (dependent on design):

“How to Configure a Firewall for Domains and Trusts”

http://support.microsoft.com/kb/179442/EN-US/

“Restricting Active Directory Replication Traffic to a Specific Port”

http://support.microsoft.com/default.aspx?scid=kb;en-us;224196

Table 2 – Necessary (Destination) Ports for Operating SAP Systems

Application             Service Name                                  Protocol   Destination Port

SAP R/3 Enterprise      sapdpNN                                       TCP        32NN
                        sapgwNN                                       TCP        33NN
                        SAPlpd                                        TCP        515
                        HTTP/HTTPS                                    TCP        81NN/444NN
                        sapmsSID                                      TCP        36NN
                        HTTP/HTTPS                                    TCP        80NN/443NN
                        SMTP                                          TCP        25
                        HTTP/HTTPS                                    TCP        5NN00/5NN01
                        IIOP Initial context / IIOP over SSL          TCP        5NN02/5NN03
                        P4 / P4 over HTTP tunneling / P4 over SSL     TCP        5NN04/5NN05/5NN06
                        IIOP                                          TCP        5NN07
                        JMS                                           TCP        5NN10
                        Telnet                                        TCP        5NN08
                        Multiplexer                                   TCP        4NN00
                        Portwatcher                                   TCP        4NN01-79
                        HTTP                                          TCP        4NN80-99
                                                                      TCP        5NN17/5NN18/5NN19
                        MessageServer                                 TCP        36NN
                        HTTP/HTTPS                                    TCP        81NN/444NN
                        Enqueue Server                                TCP        32NN
                        Enq. Replication                              TCP        33NN

SAP ITS Wgate           sapvw00_<SID>                                 TCP        39NM
                        sapvwmm_<SID>                                 TCP        39N9
                        sapvw00_ADM                                   TCP        39NM
                        sapvwmm_ADM                                   TCP        39N9
                        HTTP/HTTPS                                    TCP        80/443

SAP ITS Agate           sapdpNN                                       TCP        32NN
                        sapgwNN                                       TCP        33NN
                        sapmsSID                                      TCP        36NN

SAP Enterprise          HTTP/HTTPS                                    TCP        5NN00/5NN01
Portal 6.0              IIOP Initial context / IIOP over SSL          TCP        5NN02/5NN03
                        P4 / P4 over HTTP tunneling / P4 over SSL     TCP        5NN04/5NN05/5NN06
                        IIOP                                          TCP        5NN07
                        JMS                                           TCP        5NN10
                        Telnet                                        TCP        5NN08
                                                                      TCP        5NN17/5NN18/5NN19

SAP Enterprise          HTTP/HTTPS                                    TCP        80/443
Portal IIS Proxy        HTTP/HTTPS                                    TCP        5NN00/5NN01

Note:

• The port numbers are customizable.

• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00).

Table 3 – Necessary (Destination) Ports for Operating SAP Systems (cont’d)

Application             Service Name                                                  Protocol   Destination Port

SAP Router              SAProuter                                                     TCP        3299
                        sapdpNN                                                       TCP        32NN
                        sapgwNN                                                       TCP        33NN
                        sapmsSID                                                      TCP        36NN

SAP Web Dispatcher      HTTP/HTTPS                                                    TCP        80/443
                        HTTP/HTTPS                                                    TCP        80NN/443NN

Active Directory        See Microsoft Knowledge Base Article #179442 – “How to Configure a Firewall for Domains and Trusts” and #224196 – “Restricting Active Directory Replication Traffic to a Specific Port” at support.microsoft.com

SQL Server              SQL over TCP                                                  TCP        1433
Oracle                                                                                TCP        1527
DB2/UDB                                                                               TCP        Customize
SAPDB                                                                                 TCP        7200/7210
Informix                                                                              TCP        3800

IIS                     HTTP                                                          TCP        80
                        HTTPS                                                         TCP        443

Windows Server          Terminal Services                                             TCP        3389
                        NetMeeting Remote Desktop Sharing (used by SAP Support)       TCP        3389
                        File Sharing (used in the sharing of SAP migration files
                        and in the shipping of SQL Server logs)                       TCP        139, 135
                        Clustering (Central instance and DB instance multiplexing)    UDP        3343
                        For details, see Microsoft Knowledge Base Article #832017 – “Port Requirements for the Microsoft Windows Server System”.

Note:

• The port numbers are customizable.

• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00).
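Because the tables express most SAP ports as NN/SID templates, the following Python helper is an added example (not part of the guide): it expands a template such as 32NN for a given instance number and system ID, and compares the resulting per-instance ports with the set a packet-filter policy already permits, so that a default-deny policy like the sample netsh script can be extended before it is assigned. R3_ENTERPRISE_TEMPLATES is a hand-entered subset of Table 2; the instance 00 / SID P01 values mirror the note's own examples, and the permit set {3200} reflects the sample script's single inbound permit.

```python
"""Expand the NN/SID port templates from Tables 2 and 3 into concrete ports (added example).

Given an instance number and system ID this builds the per-instance port list and
reports which of those ports a packet-filter permit set still leaves blocked, so
the filter lists can be extended before a default-deny policy is assigned.
"""
from typing import Dict, Iterable, Set

# Service-name / port templates copied from Table 2 for SAP R/3 Enterprise (subset).
R3_ENTERPRISE_TEMPLATES: Dict[str, str] = {
    "sapdpNN":    "32NN",   # dispatcher (SAP GUI dialog traffic)
    "sapgwNN":    "33NN",   # gateway (RFC)
    "sapmsSID":   "36NN",   # message server
    "SAPlpd":     "515",    # print daemon, no instance-dependent part
    "HTTP":       "80NN",   # ICM HTTP
    "HTTPS":      "443NN",  # ICM HTTPS
    "J2EE HTTP":  "5NN00",
    "J2EE HTTPS": "5NN01",
    "P4":         "5NN04",
    "Telnet":     "5NN08",
}


def expand_port(template: str, nn: int) -> int:
    """Replace NN in a port template with the two-digit instance number."""
    if not 0 <= nn <= 99:
        raise ValueError(f"instance number out of range: {nn}")
    port = int(template.replace("NN", f"{nn:02d}"))
    if not 1 <= port <= 65535:
        raise ValueError(f"template {template!r} gives invalid port {port}")
    return port


def expand_service(template: str, sid: str, nn: int) -> str:
    """Turn sapdpNN / sapmsSID style names into the concrete service name."""
    return template.replace("NN", f"{nn:02d}").replace("SID", sid.upper())


def instance_ports(nn: int, sid: str,
                   templates: Dict[str, str] = R3_ENTERPRISE_TEMPLATES) -> Dict[str, int]:
    """Concrete service name -> port mapping for one instance."""
    return {expand_service(name, sid, nn): expand_port(tmpl, nn)
            for name, tmpl in templates.items()}


def still_blocked(permitted: Iterable[int], nn: int, sid: str) -> Dict[str, int]:
    """Instance ports absent from the permit set (blocked under default deny)."""
    allowed: Set[int] = set(permitted)
    return {svc: port for svc, port in instance_ports(nn, sid).items()
            if port not in allowed}


def netsh_permit_filter(filterlist: str, port: int, proto: str = "TCP") -> str:
    """Render an inbound filter line in the same netsh syntax the guide's script uses."""
    return (f'netsh ipsec static add filter filterlist="{filterlist}" srcaddr=any dstaddr=me '
            f'description="{filterlist}" protocol={proto} srcport=0 dstport={port}')


if __name__ == "__main__":
    # The sample policy permits only the dispatcher port 3200 inbound.
    for svc, port in still_blocked({3200}, nn=0, sid="P01").items():
        print(f"{svc:12} {port:5}  {netsh_permit_filter(svc.upper(), port)}")
```

Each line printed is a candidate filter for a port the sample policy would otherwise block; which of them a given server really needs follows from the communication paths in the figures, not from the table alone, so the output is a checklist to review rather than a script to run as-is.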

Figure 5 – Ports Used by SAP R/3 Enterprise

Figure 6 – Ports Used by SAP ITS (Wgate and Agate)

Figure 7 – Ports Used by SAP Enterprise Portal 6.0

Figure 8 – Ports Used by SAP Enterprise IIS Portal Proxy

Figure 9 – Ports Used by SAP Router

Figure 10 – Ports Used by SAP Web Dispatcher

Configuration of Ports

For configuration of ports and other steps for network hardening, use the "Microsoft Management Console (MMC)":

Click Start, and then click Run.

1. Type "mmc" in the Name field of the Select File To Run dialog box, and then click OK.

2. The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.

3. From the pull-down menu, select Add/Remove Snap-in.

4. The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.

5. In the Standalone tab, click Add.

6. The Add Standalone Snap-in dialog box is displayed. Select IP Security Policy Management in the Available Standalone Snap-ins dialog box, and then click Add.

7. The Select Computer or Domain dialog box is displayed. Select Local Computer. Click Finish.

8. Click Close on the Add Standalone Snap-in dialog box.

9. Click OK on the Add/Remove Snap-in dialog box.

10. IP Security Policies on Local Machine is added under the Console Root on the Microsoft Management Console.

11. Click the added IP Security Policies on Local Machine to display the registered IP security policy in the right pane.

Figure 11 – IP Security Policy


12. Double-click the registered Packet Filters - R3.

Figure 12 – Packet Filter IP Security Policy

13. The Packet Filters - R3 Properties dialog box is displayed (see Figure 10). Click the Rules tab.

14. Select an IP filter that you want to verify from the IP Security Rules section on the Rules tab, and then click Edit.

Figure 13 – Edit Rule


15. Select the IP Filter List tab on the dialog box that is displayed.

16. Select an IP filter that you want to verify from the IP Filter List section in the IP Filter List tab, and then click Edit.

17. The IP Filter List dialog box is displayed and you can verify the configuration of the IP filter.

Figure 14 – IP Filter List

18. When you finish verifying the IP filter, click Cancel to close the dialog box.

19. To verify the configuration of the filter action, select the Filter Action tab in the Edit Rule Properties dialog box.

Figure 15 – Filter Actions

To un-assign network hardening, select and then right-click Packet Filters - R3 in the Microsoft Management Console, and select Un-assign from the pop-up menu. To remove the network hardening, select Delete from the same pop-up menu.

Figure 16 – Un-assign IP Security Policy


Network Communication Paths

Figure 17 – Communication Paths for an SAP R/3 Enterprise Environment

Figure 18 – Communication Paths for an SAP ITS Environment

Figure 19 – Communication Paths for an SAP Enterprise Portal Environment

Figure 20 – Communication Paths for an SAP Enterprise Portal + Active Directory Environment

Active Directory Considerations

As per SAP’s Web AS installation guide, SAP application and database servers should be implemented in either of the following ways:

• Extra domain: SAP systems are embedded in their own “SAP”-specific domain and a separate domain is used for user accounts. Both domains must be incorporated in a domain tree with the user account domain as the root domain and the SAP domain as the child.

• Single domain: SAP servers and user accounts are in the same domain.

Reference SAP Note #711319 (“Domain Installation using Delegation of Administration in AD”) for information regarding the situation when installation of SAP cannot be performed by a domain administrator as specified in SAP’s installation guides.

Also, for SAP Enterprise Portal, situations may arise where it may be desired to prevent local users from another domain from logging into SAP EP. See SAP Note #710032 (“Restrict Windows Authentication to Domains”) for specific configuration information to meet this need.

Server Hardening

An SAP system is exposed to unnecessary security risks when services that SAP does not need are running, or when services have weak settings. Administrators should therefore disable unnecessary services and strengthen the security settings of the remaining ones as far as the SAP services can still run without issues. Such actions can be performed efficiently, to some extent, by using the security templates provided by Microsoft.

Hardening Using Templates

You can use the Windows Server 2003 Security Guide and the associated templates as a step towards implementing hardening. There are three types of security templates, differentiated according to the security environment, and nine types of templates, differentiated according to the server role. You will need to implement hardening for each server role.

For more information on the Windows Server 2003 Security Guide, visit the Microsoft Download Center.

http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en#filelist

Three types of templates differentiated according to security environment

• Legacy client (security level: low)

• Enterprise client (security level: medium)

• High security (security level: high)

Nine types of templates differentiated according to server role

• Domain controller

• Member server

• Web server

• Infrastructure server (DHCP, WINS)

• File server

• Print server

• IAS server

• Certificate service server

• Bastion host

Additional Information:

After applying Windows Server 2003 templates, you can make your SAP system more secure by checking and changing the following configurations in accordance with the documents in Table 3.

- Confirm that every partition of the disk is formatted in NTFS.

- Confirm that a strong password is set for the Administrator account.

- Disable or delete unnecessary accounts.

- Make sure that the old security configurations are not changed when you upgrade your system from previous versions.

- Configure the Administrator account.

- Delete all unnecessary file sharing.

- Specify an appropriate ACL for every necessary file sharing.

- Protect your Telnet server.

- Enable IIS logging.

- Unbind NetBIOS from TCP/IP.

- Remove OS/2 and POSIX subsystems.

- Disable the automatic generation of short file names (8.3 format).

- Disable the creation of LM hashes.

- Configure NTLMSSP security.

- Disable automatic execution.

Use Microsoft Management Console to apply security templates. Before you apply a security template, you need to backup the role security policies using an administrative tool called "Local Security Policy."

Backup Local Security Policy

1. Click Start, and then select All Programs.

2. Select Administrative Tools in the All Programs menu, and then click Local Security Policy.

3. The Local Security Policy dialog box is displayed. Select then right-click Security Settings in the dialog box.

4. Select Export Policy from the pop-up menu.

Figure 21 – Backup Local Security Policy

5. The Export Policy To dialog box is displayed. In the File Name field, type the name of the file that you want to export the policy to.

6. Click Save to export the local security policy to the file.

Applying the Security Template

1. Click Start, and then click Run.

2. Type "mmc" in the Name field of the Select File To Run dialog box and click OK.

3. The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.

4. From the pull-down menu, select Add/Remove Snap-in.

5. The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.

6. In the Standalone tab, click Add.

7. The Add Standalone Snap-in dialog box is displayed. Select Security Configuration and Analysis in the Available Standalone Snap-ins dialog box, and then click Add.

8. Click Close on the Add Standalone Snap-in dialog box.

9. Click OK on the Add/Remove Snap-in dialog box.

10. Security Configuration and Analysis is added under the Console Root on the Microsoft Management Console.

11. Select then right-click the added Security Configuration and Analysis.

12. Select Open Database from the pop-up menu.

Figure 22 – Security Configuration and Analysis


13. The Open Database dialog box is displayed. In the File Name field, type the name of the database that you want to open, and then click Open.

14. The Import Template dialog box is displayed. In the File Name field, select the security template file (INF file) downloaded from the Internet, and then click Open. Select the security template file appropriate for your server configuration.

Figure 23 – Importing Templates

15. On the Microsoft Management Console, select then right-click Security Configuration and Analysis.

16. Select Analyze Computer Now from the pop-up menu.

Figure 24 – Security Configuration and Analysis


17. When you execute analysis of the computer, red X marks appear to indicate the parts where the current settings should be changed.

18. If you want to change the template, double-click the entry.

Figure 25 – Analysis of Computer

19. If you want to change the template, change the entry.

Figure 26 – Property for Password Length


20. On the Microsoft Management Console, select then right-click Security Configuration and Analysis.

21. Select Configure Computer Now from the pop-up menu.

Figure 27 – Configuration of Computer

Note:

• We recommend that the procedure be carried out step by step.

• To guard against the worst case, it is recommended that you perform a system backup using Automatic System Recovery (ASR) or an image backup tool before applying a template.


Service Hardening

Service hardening is the process of disabling the services that are unnecessary for operating your SAP


Related documents