
SAP Hardening and Patch Management Guide for Windows Server

Microsoft Corporation November 15, 2005

Summary

This whitepaper introduces security measures for SAP systems running on Windows Server. Two security measures are described: hardening and patch management. These security measures can help enhance security within your Windows Server-based SAP environment.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This Whitepaper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may own patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not assign any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, SQL Server, Windows, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

1 Introduction... 1

2 Hardening ... 5

2.1 What Is Hardening? ... 5

2.2 Multi-layered Hardening... 6

2.3 Hardening Implementation Steps... 6

2.4 Implementation of Hardening... 7

Network Hardening... 7

Server Hardening ... 23

Implement Other Hardening ... 41

2.5 Other Hardening Information ... 44

2.6 Operation Checks ... 45

2.7 Final Security Check ... 47

2.8 Other Methods for Checking Hardening Implementation ... 47

3 Patch Management ... 48

3.1 What Is Patch Management?... 48

3.2 Collecting Information ... 49

Collecting Information about Security Vulnerability... 49

3.3 Assessing Risks ... 50

Assessing the Consequences and Urgency of the Vulnerability... 52

What is a Vulnerability Assessment Matrix? ... 52

Organizing the Information about Security Vulnerability ... 53

Assessing the Pros and Cons of the Risk ... 54

Determining the Degree of Urgency... 54

Devising a Plan for Responding to the Vulnerability ... 59

3.4 Applying Security Update Program... 61

Points to Consider When Applying Security Patches ... 61

Testing the Security Update Program before Application ... 62

Testing the Application in a Test Environment... 62

Updating via Management Tools ... 62

3.5 Monitoring the Results ... 63


SAP Hardening and Patch Management Guide for Windows Server 4

Confirming the Steps for Roll-Back in the Test Environment... 64

Confirming that the Necessary Programs have been Applied ... 64

Appendix: Report on Hardening Verification ... 65

1.1 Verification Scenarios ... 65

1.2 Contents of Verifications ... 66

1.3 Verification Results ... 66

1.4 Network Hardening Settings ... 67

Network Hardening in SAP R/3 Enterprise ... 67

Network Hardening in SAP ITS ... 69

Network Hardening in SAP Enterprise Portal... 72

1.5 Service and Other Hardening Settings ... 77

Service Hardening Using Templates... 77


1 Introduction

Recently, there has been an increase in reports by newspapers and TV programs about computer virus damage and information leakages. Computer virus damage and information leakages may cause suspension of business and consume large amounts of company resources in taking countermeasures. In serious cases, it may pose a threat to the status and reputation of the company.

SAP systems typically handle mission-critical operations, such as finance and sensitive company information. For this reason, if information leakage or virus problems occur in an SAP system, the company may suffer enormous damage. To reduce the risk of unplanned system shutdowns, effective security measures must be taken.

This whitepaper presents hardening and patch management as security measures against such risks to Windows Server-based SAP systems.

The purpose of hardening is to achieve a system environment that is less vulnerable to unauthorized access and virus attacks. In the Hardening chapter, we describe how to define and implement hardening, as well as verify the implementation.

The purpose of patch management is to assess the specific risks to a company and to apply appropriately timed security update programs. With patch management, only the minimum required security update programs need to be applied, which helps to minimize the risks and costs of system changes. In the Patch Management chapter, defining patch management and its operation is explained in five steps: "Collecting Information", "Assessing Risks", "Applying the Security Update Programs", and "Monitoring the Result." Throughout the chapter, risk assessment is emphasized.

Note:

Hardening and patch management are complementary procedures, and implementing one without the other will be insufficient. Hardening helps to protect a system from possible attacks (such as from computer viruses), but may not be able to handle unfamiliar attack methods. To minimize this possibility, risk assessment (as a part of patch management) should be implemented.

Purpose of This Whitepaper

Secure system environments can be maintained by applying security update programs as soon as they are released. However, it may be difficult to apply them immediately after release because of issues such as the cost of verifying the effect of a security update program, the interruption of services when the programs are applied to the operating environment, and the risk of altering the operating environment. This whitepaper aims to alleviate these problems and to help you build a more secure SAP system. Applying what is described in this whitepaper to a Windows Server-based SAP system helps to secure the SAP system (and thus addresses an aspect of high system availability), and TCO may be reduced. Note that most of the configuration-specific guidance in this paper is applicable to Windows Server 2003. Similar procedures may be found in Windows Server 2000 documentation, depending on the particular topic covered.

Scope of Security Measures Covered in This Whitepaper

Common security measures are further classified into "technical measures" (such as installation or configuration of hardware and software) and "institutional measures" (such as creation of policies, or determination and analyses of vulnerabilities).

Figure 1 – Security Measures

Among the security measures illustrated in Figure 1, "Building a Secure System (Multi-layer Defense)" and "Patch Management" can be effective technical measures if implemented properly.

Figure 2 – Multi-layer Defense

Using a multi-layer approach:

• Increases the risk for attackers of being detected
• Reduces the possibility of successful attacks

Layers shown in the figure, from the innermost outwards (layer: measures):

• Data: ACL, encryption
• Application: enhancing applications, virus protection
• Host: enhancing operating systems, security update management, authentication, HIDS
• Internal network: network segment, IPSec, NIDS
• Boundaries: firewall, VPN isolation
• Equipment security: security guard, lock and tracking device
• Policies, regulations and awareness: user education

The idea is to protect the system from unexpected attacks. It enhances protection by setting multiple defense lines.

This whitepaper covers the security measures indicated under the Category column of Table 1: Common Security Measures. For security issues not listed here, appropriate measures will need to be implemented as necessary.

It is also important to note that such security measures must be considered on every SAP system in your environment (regardless of the type of operating system or database used) as no platform is completely secure.

Table 1: Common Security Measures

Category                Measures                                          Coverage
Technical measures      Security breach inspection
                        Building a secure system (multi-layer defense):
                          Data
                          Application
                          Host                                            Yes
                          Internal network                                Yes
                          Boundaries
                          Equipment security
                          Policies, regulations, and awareness
                        Patch management                                  Yes
                        Monitoring viruses and unauthorized access
Institutional measures  Risk analysis                                     Yes
                        Operation guidelines
                        Risk management procedures
                        Policy implementation


2 Hardening

This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP system.

2.1 What Is Hardening?

Hardening an SAP system means configuring your SAP system with only the minimum platform functions that are necessary for operating the system. In this way, security, availability and reduction of the operating cost of the system are addressed.

Hardening Defined…

Definition: Configuring SAP systems with only the minimum platform functions that are necessary for operating the system.

Effect: Enhances security

Prevent the SAP system from exposure to unnecessary vulnerability risks and block computer virus attacks to a maximum extent.

Effect: Ensures availability

Minimize the frequency of applying security update programs that often require systems to be shutdown.

Effect: Reduces operational cost

Minimize the frequency of applying security update programs that may involve user-side testing.

Contents of this Chapter

This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP system.

1. What is Hardening?
2. Multi-layered Hardening
3. Implementation of Hardening
4. Final Security Check


2.2 Multi-layered Hardening

This whitepaper covers three types of hardening which are especially effective on SAP systems.

2.3 Hardening Implementation Steps

Hardening should be implemented in stages. For example, take one item (such as network or service) at a time, check the behavior, then move on to the next item.

Effective hardening methods for SAP systems

This whitepaper covers three types of hardening that can be effective on SAP systems, if implemented properly.

1. Network hardening (internal network layer)
2. Service hardening (host layer)
3. Other hardening (host layer)

Step-by-step implementation of hardening (flow shown in the figure):

Assure that there is a means for rollback, or back up the system configuration (*1) → implement network hardening, server hardening and other hardening, one item at a time → operation checks → repeat the procedure for each server and each type of hardening (roll back when a problem arises) → final security check (*2)

*1 Use ASR backup of Windows Server 2003 or a third-party image backup tool.
*2 Use Microsoft Baseline Security Analyzer or other tools.


2.4 Implementation of Hardening

Before implementing high-quality hardening, some preparation is required. Some important preparation tasks are: clarifying the required security level, checking the specifications of your system, determining what might need hardening, estimating the cost and the effect of the hardening, and determining what to harden.

Network Hardening

Hardening networks on an SAP system means implementing packet filtering to block unnecessary communications. The goal is to make attacks more difficult by blocking unnecessary communication.

Network Hardening Defined…

Definition: Implementing packet filtering on SAP systems to block unnecessary communications.

Effect: Blocks attacks that use unnecessary communications

Making attacks against vulnerability more difficult by closing unnecessary communications to SAP systems.

Preparations before implementing hardening

Before implementing high-quality hardening, some preparation is required.

1. Clarifying the required security level

Determine how far security should be enhanced.

2. Checking the system specifications

Check the specifications of not only the SAP system but also systems other than SAP. This includes checking required communication paths, ports, and services.

3. Determining what might need hardening

Determine what should be subjected to network, service, and other hardening.

4. Estimating the cost and the effect of the hardening

Estimate the effect and the associated cost beforehand to ensure maximum effect with minimum cost.

5. Determining what to harden

Decide which items should be subjected to hardening and how extensively it should be done.

Network hardening is important on SAP systems for the following reasons: 1) SAP systems only use specific ports that can be easily identified, 2) the ports used on SAP systems are typically less apt to be attacked by computer viruses, and 3) hardening networks to the maximum extent makes attacks more difficult for hackers.

As a first step, determine which servers are critical to deliver SAP services (which servers might be a single point of failure from a network hardening perspective?).

• SAP Central Instance
• SAP Database Instance
• Other non-redundant servers

Such a determination helps to decrease the time needed to install the applicable security patches, which could otherwise lead to downtime for these servers from a standpoint of availability. Therefore, port and service limits should be implemented on these specific SAP application and database servers (also effective for SAP Router), while other servers may not need such strict limitations.

Overall, separate the SAP servers that are potentially a single point of failure (CI, DB, etc.) from the others, thus creating an "SAP server segment" via a firewall, router, etc. So that security patches can be applied one server at a time, other SAP-related servers that are "redundant" (e.g. SAP dialog instances, ITS AGate/WGate, etc.) are kept separate.

Importance of Network Hardening

Reasons why network hardening is important on all SAP systems in your environment.

Reason: SAP systems only use specific ports that can be easily identified.

The ports are further limited when the functions of the SAP J2EE engine are suspended.

Reason: The ports used on SAP systems are ones that are typically less apt to be attacked by computer viruses.

The ports are also customizable.

Reason: Hardening networks to the maximum extent therefore makes attacks more difficult.

Figure 4 – An Example of Network Hardening for a Corporate Network

Ports and Packet Filtering

Packet filtering should be taken into consideration to block all unnecessary network traffic on ports to SAP systems (as well as any 3rd party tools) and IPSec script policy should be leveraged.

Execute IPSec policy scripts on each Windows Server; hardware-based packet filtering to lock down specific ports can be done via a firewall, router, or layer 3 switch between network subnets. (See SAP Note #66687 (“Use of Network Security Products”) concerning SAP certification requirements for some 3rd party network security tools.)

Note that Microsoft ISA Server 2004 can provide advanced firewall protection and includes the following:

• One machine can act as both Firewall and SAP Router
• Application layer filtering
• Can decrypt HTTPS, inspect content and redeliver it internally
• Pre-authentication, form based
• Interface blocking
• Intrusion detection

By applying the IPSec script policy to your server, you can confine the communication pathway and restrict the TCP and UDP ports used for the communication. For how to use IPSec, refer to: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod111.asp

The following is an example of an IPSec script policy.

Example: Create the sample code as a batch file and execute it on the SAP R/3 Enterprise server. The policy does three things:

1. All communication is blocked by default.

2. Dialog process access from clients is permitted (between clients and SAP R/3 Enterprise via destination port TCP 3200).

3. Access from SAP R/3 Enterprise to the DB instance is permitted (between SAP R/3 Enterprise and SQL Server via destination port TCP 1433).

REM IPSec Policy Definition (created unassigned; see the end of this file)
netsh ipsec static add policy name="Packet Filters - R3" description="Server Hardening Policy" assign=no

REM IPSec Filter List Definitions
netsh ipsec static add filterlist name="ALL" description="Server Hardening"
netsh ipsec static add filterlist name="DIALOG" description="Server Hardening"
netsh ipsec static add filterlist name="MSSQL" description="Server Hardening"

REM IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

REM IPSec Filter Definitions
REM ALL: every inbound packet to this host (dstport=0 means any port)
netsh ipsec static add filter filterlist="ALL" srcaddr=any dstaddr=me description="ALL" protocol=any srcport=0 dstport=0
REM DIALOG: inbound client traffic to the dialog process on TCP 3200
netsh ipsec static add filter filterlist="DIALOG" srcaddr=any dstaddr=me description="DIALOG" protocol=TCP srcport=0 dstport=3200
REM MSSQL: outbound traffic from this host to the SQL Server at 192.168.12.3 on TCP 1433
netsh ipsec static add filter filterlist="MSSQL" srcaddr=me dstaddr=192.168.12.3 description="MSSQL" protocol=TCP srcport=0 dstport=1433

REM IPSec Rule Definitions
REM The ALL rule blocks by default. IPSec applies the most specific matching
REM filter, so the narrower DIALOG and MSSQL permits take precedence over ALL.
netsh ipsec static add rule name="ALL" policy="Packet Filters - R3" filterlist="ALL" kerberos=yes filteraction=Block
netsh ipsec static add rule name="DIALOG" policy="Packet Filters - R3" filterlist="DIALOG" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="MSSQL" policy="Packet Filters - R3" filterlist="MSSQL" kerberos=yes filteraction=SecPermit

REM The policy takes effect only once it is assigned. When ready, assign it with:
REM netsh ipsec static set policy name="Packet Filters - R3" assign=y


Necessary Ports for Operating SAP Systems

A list of ports used by:

• SAP systems (along with other security-related documentation): http://service.sap.com/security → Security Detail → Infrastructure Security.
• Windows Server System: “Service Overview and Network Port Requirements for the Windows Server System”, http://support.microsoft.com/default.aspx?scid=kb;en-us;832017.
• SQL Server: over TCP: 1433, UDP: 1434
• IIS (World Wide Web Publishing Service): 80, 443
• Terminal Services and Remote Desktop: 3389 (default; can be configured): “How to Change the Listening Port in the Windows Terminal Server Web Client”, http://support.microsoft.com/default.aspx?scid=kb;en-us;326945
• Active Directory (dependent on design): “How to Configure a Firewall for Domains and Trusts”, http://support.microsoft.com/kb/179442/EN-US/; “Restricting Active Directory Replication Traffic to a Specific Port”


Table 2 – Necessary (Destination) Ports for Operating SAP Systems

Application: SAP R/3 Enterprise
  Service Name                               Protocol  Destination Port
  sapdpNN                                    TCP       32NN
  sapgwNN                                    TCP       33NN
  SAPlpd                                     TCP       515
  HTTP/HTTPS                                 TCP       81NN/444NN
  sapmsSID                                   TCP       36NN
  HTTP/HTTPS                                 TCP       80NN/443NN
  SMTP                                       TCP       25
  HTTP/HTTPS                                 TCP       5NN00/5NN01
  IIOP Initial context / IIOP over SSL       TCP       5NN02/5NN03
  P4 / P4 over HTTP tunneling / P4 over SSL  TCP       5NN04/5NN05/5NN06
  IIOP                                       TCP       5NN07
  JMS                                        TCP       5NN10
  Telnet                                     TCP       5NN08
  Multiplexer                                TCP       4NN00
  Portwatcher                                TCP       4NN01-79
  HTTP                                       TCP       4NN80-99
                                             TCP       5NN17/5NN18/5NN19
  MessageServer                              TCP       36NN
  HTTP/HTTPS                                 TCP       81NN/444NN
  Enqueue Server                             TCP       32NN
  Enq. Replication                           TCP       33NN

Application: SAP ITS WGate
  sapvw00_<SID>                              TCP       39NM
  sapvwmm_<SID>                              TCP       39N9
  sapvw00_ADM                                TCP       39NM
  sapvwmm_ADM                                TCP       39N9
  HTTP/HTTPS                                 TCP       80/443

Application: SAP ITS AGate
  sapdpNN                                    TCP       32NN
  sapgwNN                                    TCP       33NN
  sapmsSID                                   TCP       36NN

Application: SAP Enterprise Portal 6.0
  HTTP/HTTPS                                 TCP       5NN00/5NN01
  IIOP Initial context / IIOP over SSL       TCP       5NN02/5NN03
  P4 / P4 over HTTP tunneling / P4 over SSL  TCP       5NN04/5NN05/5NN06
  IIOP                                       TCP       5NN07
  JMS                                        TCP       5NN10
  Telnet                                     TCP       5NN08
                                             TCP       5NN17/5NN18/5NN19

Application: SAP Enterprise Portal IIS Proxy
  HTTP/HTTPS                                 TCP       80/443
  HTTP/HTTPS                                 TCP       5NN00/5NN01

Note:

• The port numbers are customizable.


Table 3 – Necessary (Destination) Ports for Operating SAP Systems (cont’d)

Application: SAP Router
  Service Name                                   Protocol  Destination Port
  SAProuter                                      TCP       3299
  sapdpNN                                        TCP       32NN
  sapgwNN                                        TCP       33NN
  sapmsSID                                       TCP       36NN
  HTTP/HTTPS                                     TCP       80/443

Application: SAP Web Dispatcher
  HTTP/HTTPS                                     TCP       80NN/443NN

Application: Active Directory
  See Microsoft Knowledge Base Articles #179442 – “How to Configure a Firewall for Domains and Trusts”, #224196 – “Restricting Active Directory Replication Traffic to a Specific Port” and #256986 at support.microsoft.com

Application: SQL Server
  SQL over TCP                                   TCP       1433

Application: Oracle
                                                 TCP       1527

Application: DB2/UDB
                                                 TCP       Customized

Application: SAPDB
                                                 TCP       7200/7210

Application: Informix
                                                 TCP       3800

Application: IIS
  HTTP                                           TCP       80
  HTTPS                                          TCP       443

Application: Windows Server
  Terminal Services                              TCP       3389
  NetMeeting Remote Desktop Sharing (used by SAP Support)
                                                 TCP       3389
  File Sharing (used in the sharing of SAP migration files and in the shipping of SQL Server logs)
                                                 TCP       445
                                                 UDP       445
                                                 TCP       137
                                                 UDP       137
                                                 UDP       138
                                                 TCP       139
  Clustering (Central instance and DB instance multiplexing)
                                                 TCP       135
                                                 UDP       3343
  For details, see Microsoft Knowledge Base Article #832017 – “Port Requirements for the Microsoft Windows Server System”.

Note:

• The port numbers are customizable.

• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00).
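As an added example (not code from the whitepaper, Microsoft or SAP), the following Python script expands Table 2 port templates written in the NN/SID notation into concrete ports for one instance and emits a netsh IPSec script in the same layout as the batch file above, so the inbound port list can be reviewed before the policy is assigned. The sample SID P01, instance 00 and DB host 192.168.12.3 are assumed values; the script only generates the netsh command text and does not run it.

```python
"""Generate a netsh IPSec packet-filter script for one SAP instance.

Port templates use the whitepaper's Table 2 notation: NN is the two-digit
instance number, SID the system ID. Added example, not code from Microsoft
or SAP; only the netsh command text is produced, nothing is executed.
"""


def expand_ports(template, instance):
    """Expand a Table 2 port template into concrete port numbers.

    "32NN"        -> [3200]           (instance 00)
    "5NN04/5NN05" -> [50004, 50005]   '/' separates alternatives
    "4NN01-79"    -> [40001..40079]   '-' ends a range; the upper bound
                                      replaces the trailing digits
    """
    if not 0 <= instance <= 99:
        raise ValueError("instance number must be between 00 and 99")
    nn = f"{instance:02d}"
    ports = []
    for part in template.split("/"):
        lo, _, hi = part.partition("-")
        lo = lo.replace("NN", nn)
        hi = lo[: len(lo) - len(hi)] + hi if hi else lo
        if not (lo.isdigit() and hi.isdigit()):
            raise ValueError(f"bad port template {template!r}")
        for port in range(int(lo), int(hi) + 1):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} is out of range")
            ports.append(port)
    return ports


def service_name(template, sid, instance):
    """sapmsSID -> sapmsP01, sapdpNN -> sapdp00."""
    return template.replace("SID", sid).replace("NN", f"{instance:02d}")


def sap_rules(sid, instance, db_host, inbound):
    """Rule set: block everything, permit the chosen inbound SAP services
    (any -> me) and the outbound SQL Server connection (me -> db_host,
    TCP 1433). `inbound` maps a service template to its port template,
    e.g. {"sapdpNN": "32NN"} for the dialog process."""
    rules = [{"name": "ALL", "srcaddr": "any", "dstaddr": "me",
              "protocol": "any", "dstports": [], "action": "block"}]
    for svc, tmpl in inbound.items():
        rules.append({"name": service_name(svc, sid, instance).upper(),
                      "srcaddr": "any", "dstaddr": "me", "protocol": "TCP",
                      "dstports": expand_ports(tmpl, instance),
                      "action": "permit"})
    rules.append({"name": "MSSQL", "srcaddr": "me", "dstaddr": db_host,
                  "protocol": "TCP", "dstports": [1433], "action": "permit"})
    return rules


def inbound_ports(rules):
    """Ports the host will accept from any source; review this list
    before assigning the policy."""
    return sorted({p for r in rules
                   if r["action"] == "permit" and r["dstaddr"] == "me"
                   for p in r["dstports"]})


def ipsec_script(policy, rules):
    """Emit netsh lines in the layout of the whitepaper's batch file.

    The catch-all block is listed first; Windows IPSec applies the most
    specific matching filter, so the narrower permits win regardless of
    order. A range becomes one filter per port (a netsh filter takes a
    single dstport), which is why wide ranges such as 4NN01-79 are costly."""
    action_names = {"permit": "SecPermit", "block": "Block"}
    lines = [f'netsh ipsec static add policy name="{policy}" '
             'description="Server Hardening Policy" assign=no',
             'netsh ipsec static add filteraction name=SecPermit '
             'description="Allows Traffic to Pass" action=permit',
             'netsh ipsec static add filteraction name=Block '
             'description="Blocks Traffic" action=block']
    for r in rules:
        n = r["name"]
        lines.append(f'netsh ipsec static add filterlist name="{n}" '
                     'description="Server Hardening"')
        for port in r["dstports"] or [0]:  # dstport=0 means any port
            lines.append(f'netsh ipsec static add filter filterlist="{n}" '
                         f'srcaddr={r["srcaddr"]} dstaddr={r["dstaddr"]} '
                         f'description="{n}" protocol={r["protocol"]} '
                         f'srcport=0 dstport={port}')
        lines.append(f'netsh ipsec static add rule name="{n}" '
                     f'policy="{policy}" filterlist="{n}" kerberos=yes '
                     f'filteraction={action_names[r["action"]]}')
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed sample values, taken from the whitepaper's own script.
    rules = sap_rules("P01", 0, "192.168.12.3", {"sapdpNN": "32NN"})
    print("inbound ports:", inbound_ports(rules))
    print(ipsec_script("Packet Filters - R3", rules))
```

Save the printed output as a batch file and review inbound_ports() against Table 2 before running it; the policy is still created with assign=no.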

Figure 5 – Ports Used by SAP R/3 Enterprise

Figure 7 – Ports Used by SAP Enterprise Portal 6.0

Figure 9 – Ports Used by SAP Router


Configuration of Ports

For configuration of ports and other steps for network hardening, use the "Microsoft Management Console (MMC)":

Click Start, and then click Run.

1. Type "mmc" in the Name field of the Select File To Run dialog box, and then click OK.

2. The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.

3. From the pull-down menu, select Add/Remove Snap-in.

4. The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.

5. In the Standalone tab, click Add.

6. The Add Standalone Snap-in dialog box is displayed. Select IP Security Policy Management in the Available Standalone Snap-ins dialog box, and then click Add.

7. The Select Computer or Domain dialog box is displayed. Select Local Computer. Click Finish.

8. Click Close on the Add Standalone Snap-in dialog box.

9. Click OK on the Add/Remove Snap-in dialog box.

10. IP Security Policies on Local Machine is added under the Console Root on the Microsoft Management Console.

11. Click the added IP Security Policies on Local Machine to display the registered IP security policy in the right pane.


12. Double-click the registered Packet Filters - R3.

Figure 12 – Packet Filter IP Security Policy

13. The Packet Filters - R3 Properties dialog box is displayed (see Figure 10). Click the Rules tab.

14. Select an IP filter that you want to verify from the IP Security Rules section on the Rules tab, and then click Edit.


15. Select the IP Filter List tab on the dialog box that is displayed.

16. Select an IP filter that you want to verify from the IP Filter List section in the IP Filter List tab, and then click Edit.

17. The IP Filter List dialog box is displayed and you can verify the configuration of the IP filter.

Figure 14 – IP Filter List

18. When you finish verifying the IP filter, click Cancel to close the dialog box.

19. To verify the configuration of the filter action, select the Filter Action tab in the Edit Rule Properties dialog box.

To un-assign network hardening, select and right-click Packet Filters - R3 in the Microsoft Management Console, then select Un-assign from the pop-up menu. To remove the network hardening, select Delete from the same pop-up menu.


Network Communication Paths

Figure 17 – Communication Paths for an SAP R/3 Enterprise Environment

Figure 19 – Communication Paths for an SAP Enterprise Portal Environment

Figure 20 - Communication Paths for an


Active Directory Considerations

As per SAP’s Web AS installation guide, SAP application and database servers should be implemented in either of the following ways:

• Extra domain: SAP systems are embedded in their own “SAP”-specific domain and a separate domain is used for user accounts. Both domains must be incorporated in a domain tree with the user account domain as the root domain and the SAP domain as the child.

• Single domain: SAP servers and user accounts are in the same domain.

Refer to SAP Note #711319 (“Domain Installation using Delegation of Administration in AD”) for information on situations in which the installation of SAP cannot be performed by a domain administrator as specified in SAP’s installation guides.

Also, for SAP Enterprise Portal, situations may arise where it may be desired to prevent local users from another domain from logging into SAP EP. See SAP Note #710032 (“Restrict Windows Authentication to Domains”) for specific configuration information to meet this need.

Server Hardening

An SAP system is exposed to unnecessary security risks when services not applicable to SAP are running or have ineffective settings. Therefore, administrators should disable unnecessary services and strengthen the security settings of the others, to the extent that SAP services can still run without any issues. Such actions can be performed efficiently, to some extent, by using the security templates provided by Microsoft.

Hardening Using Templates

You can use the Windows Server 2003 Security Guide and the associated templates as a step towards implementing hardening. There are three types of security templates, differentiated according to the security environment, and nine types of templates, differentiated according to the server role. You will need to implement hardening for each server role.

For more information on the Windows Server 2003 Security Guide, visit the Microsoft Download Center.

http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en#filelist

Three types of templates differentiated according to security environment

• Legacy client (security level: low)
• Enterprise client (security level: medium)
• High security (security level: high)

Nine types of templates differentiated according to server role

• Domain controller
• Member server
• Web server
• Infrastructure server (DHCP, WINS)
• File server
• Print server
• IAS server
• Certificate service server
• Bastion host

Additional Information:

After applying Windows Server 2003 templates, you can make your SAP system more secure by checking and changing the following configurations in accordance with the documents in Table 3.

- Confirm that every partition of the disk is formatted in NTFS.
- Confirm that a strong password is set for the Administrator account.
- Disable or delete unnecessary accounts.
- Make sure that the old security configurations are not changed when you upgrade your system from previous versions.
- Configure the Administrator account.
- Delete all unnecessary file shares.
- Specify an appropriate ACL for every necessary file share.
- Protect your Telnet server.
- Enable IIS logging.
- Unbind NetBIOS from TCP/IP.
- Remove the OS/2 and POSIX subsystems.
- Disable the automatic generation of short file names (8.3 format).
- Disable the creation of LM hashes.
- Configure NTLMSSP security.
- Disable automatic execution.

Use the Microsoft Management Console to apply security templates. Before you apply a security template, back up the local security policy using the administrative tool called "Local Security Policy."

Backup Local Security Policy

1. Click Start, and then select All Programs.

2. Select Administrative Tools in the All Programs menu, and then click Local Security Policy.

3. The Local Security Policy dialog box is displayed. Select then right-click Security Settings in the dialog box.

4. Select Export Policy from the pop-up menu.

Figure 21 – Backup Local Security Policy

5. The Export Policy To dialog box is displayed. In the File Name field, type the name of the file that you want to export the policy to.


Applying the Security Template

1. Click Start, and then click Run.

2. Type "mmc" in the Name field of the Select File To Run dialog box and click OK.

3. The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.

4. From the pull-down menu, select Add/Remove Snap-in.

5. The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.

6. In the Standalone tab, click Add.

7. The Add Standalone Snap-in dialog box is displayed. Select Security Configuration and Analysis in the Available Standalone Snap-ins dialog box, and then click Add.

8. Click Close on the Add Standalone Snap-in dialog box.

9. Click OK on the Add/Remove Snap-in dialog box.

10. Security Configuration and Analysis is added under the Console Root on the Microsoft Management Console.

11. Select then right-click the added Security Configuration and Analysis.

12. Select Open Database from the pop-up menu.


13. The Open Database dialog box is displayed. In the File Name field, type the name of the database that you want to open, and then click Open.

14. The Import Template dialog box is displayed. In the File Name field, select the security template file (INF file) downloaded from Internet, and then click Open. You should select a security template file appropriate for your server configuration.

Figure 23 – Importing Templates

15. On the Microsoft Management Console, select and right-click Security Configuration and Analysis.

16. Select Analyze Computer Now from the pop-up menu.


17. When you execute analysis of the computer, red X marks appear to indicate the parts where the current settings should be changed.

18. If you want to change the template, double-click the entry.

Figure 25 – Analysis of Computer

19. If you want to change the template, change the entry.


20. On the Microsoft Management Console, select then right-click Security Configuration and Analysis.

21. Select Configure Computer Now from the pop-up menu.

Figure 27 – Configuration of Computer

Note:

• We recommend that the procedure be carried out step by step.

• To guard against the worst case, perform a system backup using Automated System Recovery (ASR) or an image backup tool before applying a template.
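The same analyze-then-configure sequence can be scripted with secedit.exe, the command-line counterpart of the Security Configuration and Analysis snap-in. This is an added example, not part of the whitepaper; the template, database and working-directory paths are placeholders, and the script exports the current local policy first so the pre-hardening state can be restored.

```powershell
# Added example (not from the whitepaper): runs the MMC procedure above with
# secedit.exe. Without -Apply it only analyzes; with -Apply it configures.
param(
    [string]$Template = 'C:\Hardening\SAP-Member-Server.inf',  # downloaded INF for your role (assumed path)
    [string]$Database = 'C:\Hardening\sap-hardening.sdb',      # analysis database (assumed path)
    [string]$WorkDir  = 'C:\Hardening',
    [switch]$Apply
)

if (-not (Test-Path -Path $Template)) { throw "Template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Rollback point: export the effective local security policy before changing it.
#    It can be re-applied later with: secedit /configure /db rollback.sdb /cfg <this file>
$backupInf = Join-Path $WorkDir "pre-hardening-$stamp.inf"
secedit /export /cfg $backupInf /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit code $LASTEXITCODE)" }

# 2. Analyze: equivalent of Open Database, Import Template and Analyze Computer Now.
#    /overwrite replaces any template already stored in the database.
$analyzeLog = Join-Path $WorkDir "analyze-$stamp.log"
secedit /analyze /db $Database /cfg $Template /overwrite /log $analyzeLog /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit code $LASTEXITCODE)" }

# The settings the MMC shows with a red X appear in the log as lines containing
# "Mismatch"; count them so the operator can review before configuring.
$mismatches = @(Select-String -Path $analyzeLog -Pattern 'Mismatch' -SimpleMatch)
Write-Host ("Analysis complete: {0} mismatch line(s); details in {1}" -f $mismatches.Count, $analyzeLog)

if (-not $Apply) {
    Write-Host 'Review the log, then re-run with -Apply to configure the computer.'
    return
}

# 3. Configure: equivalent of Configure Computer Now, using the same database.
$configLog = Join-Path $WorkDir "configure-$stamp.log"
secedit /configure /db $Database /cfg $Template /overwrite /log $configLog /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit code $LASTEXITCODE)" }
Write-Host "Template applied. Pre-hardening export kept at $backupInf"
```

Run it once without -Apply on each server role and compare the mismatch logs; a second run with -Apply corresponds to step 21 above.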


Service Hardening

Service hardening is the process of disabling the services that are unnecessary for operating your SAP system. In this way you can block attacks that use unnecessary services and improve the performance of the system.

Service hardening investigates Windows services that are unnecessary for the operation of the SAP system and disables their Startup options in order to prevent any attacks through usage of these unnecessary services.

There are three settings for Startup options: "Auto", "Manual", and "Disable." Set the option in accordance with the criteria described in the table below.

Service Hardening Defined

Definition: Disabling services that are unnecessary for operating SAP systems.

Effect: Blocking attacks that use unnecessary services. Disabling services that SAP systems do not need makes attacks against their vulnerabilities more difficult.

Effect: Improving performance. Disabling services that SAP systems do not need reduces the load on the server and improves performance.

Importance of Service Hardening

Reasons why service hardening is important on all SAP systems in your environment.

Reason: SAP systems only use specific Windows services that can be easily identified.

Reason: As long as you are willing to give up some functionality, many of the services can be disabled and the SAP system will still function adequately.

Table 3: Setting the Startup Option

Type of Service: Services that are obviously unnecessary for operating the system
Startup Option: Disable

Type of Service: Services that are obviously necessary for operating the system
Startup Option: Auto


Note:

• This table shows Windows services installed during a standard installation. Clustering environments may have different services.

• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00). For SAP R/3 Enterprise, there are two "SAP<SID>_<NN>" services - one is for central instances and the other is for central service instances.

• SAP J2EE Engine (Dispatcher and Server), SDM, and IGS of SAP R/3 Enterprise are started by central instance services.

• SAP J2EE Engine Server of SAP Enterprise Portal 6.0 is started by "SAP J2EE Engine Dispatcher" service.

• Before you disable services not listed in this table, check the intended purpose of each service and test the change in the appropriate system environment.

Table 4: Services Necessary for SAP Systems

Minimum required services for Windows Server:
• Event Log
• Logical Disk Manager
• Network Connections
• Plug and Play
• Protected Storage
• Remote Procedure Call
• Security Account Manager
• Windows Management Instrumentation
• Windows Management Instrumentation Extensions

Additionally required services for SAP R/3 Enterprise:
• SAPOSCOL
• SAP<SID>_<NN> (central instance)
• SAP<SID>_<NN> (central services instance)

Additionally required services for SAP ITS Agate:
• SAP ITS Manager - <SID>
• SAP ITS Manager - ADM
• ITS Watchdog
• SAP IACOR Manager

Additionally required services for SAP Enterprise Portal:
• SAP J2EE Engine Dispatcher

Additionally required services for SQL Server:
• Workstation
• Server
• MSSQLSERVER
• SQL Server Agent

Additionally required services for clusters:
• Remote Registry
• Cluster Service
• Removable Storage

Additionally required services for IIS:
• World Wide Web Publishing Service
• IIS Admin Service

Additionally required services for SAP ITS Wgate:
• SAP IACOR Manager

Additionally required services for SAP Enterprise Portal IIS Proxy:
• (no additional services listed)

The tables below show the services that are not required for operating the various SAP systems.

Table 5: Unnecessary Services for SAP Systems

Services not required by Domain Controller

• Alerter
• Application Layer Gateway Service
• Application Management
• ClipBook
• COM+ System Application
• DHCP Client
• DHCP Server
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
• Error Reporting Service
• Help and Support
• HTTP SSL
• Human Interface Device Access
• IMAPI CD-Burning COM Service
• Indexing Service
• Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
• License Logging
• Messenger
• NetMeeting Remote Desktop Sharing
• Network DDE
• Network DDE DSDM
• Portable Media Serial Number Service
• Print Spooler
• Remote Access Auto Connection Manager
• Remote Access Connection Manager
• Remote Desktop Help Session Manager
• Resultant Set of Policy Provider
• Routing and Remote Access
• Secondary Logon
• Shell Hardware Detection
• Smart Card
• Special Administration Console Helper
• Task Scheduler
• Telephony
• Telnet
• Terminal Services Session Directory
• Themes
• Uninterruptible Power Supply
• Upload Manager
• Virtual Disk Service
• WebClient
• Windows Audio
• Windows Image Acquisition (WIA)
• WinHTTP Web Proxy Auto-Discovery Service
• Wireless Configuration


Table 6: Unnecessary Services for SAP Systems

Services not required for SAP R/3 Enterprise

• Alerter
• Application Layer Gateway Service
• Application Management
• ClipBook
• COM+ System Application
• DHCP Client
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
• Error Reporting Service
• File Replication
• Help and Support
• HTTP SSL
• Human Interface Device Access
• IMAPI CD-Burning COM Service
• Indexing Service
• Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
• Intersite Messaging
• Kerberos Key Distribution Center
• License Logging
• Messenger
• NetMeeting Remote Desktop Sharing
• Network DDE
• Network DDE DSDM
• Portable Media Serial Number Service
• Print Spooler
• Remote Access Auto Connection Manager
• Remote Access Connection Manager
• Remote Desktop Help Session Manager
• Remote Procedure Call (RPC) Locator
• Resultant Set of Policy Provider
• Routing and Remote Access
• Secondary Logon
• Shell Hardware Detection
• Smart Card
• Special Administration Console Helper
• Task Scheduler
• Telephony
• Telnet
• Terminal Services Session Directory
• Themes
• Uninterruptible Power Supply
• Upload Manager
• Virtual Disk Service
• WebClient
• Windows Audio
• Windows Image Acquisition (WIA)
• WinHTTP Web Proxy Auto-Discovery Service
• Wireless Configuration


Table 7: Unnecessary Services for SAP Systems

Services not required for SQL Server (for SAP R/3 Enterprise)

• Alerter
• Application Layer Gateway Service
• Application Management
• ClipBook
• COM+ System Application
• DHCP Client
• Distributed File System
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
• Error Reporting Service
• File Replication
• Help and Support
• HTTP SSL
• Human Interface Device Access
• IMAPI CD-Burning COM Service
• Indexing Service
• Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
• Intersite Messaging
• Kerberos Key Distribution Center
• License Logging
• Messenger
• Microsoft Search
• MSSQLServerADHelper
• NetMeeting Remote Desktop Sharing
• Network DDE
• Network DDE DSDM
• Portable Media Serial Number Service
• Print Spooler
• Remote Access Auto Connection Manager
• Remote Access Connection Manager
• Remote Desktop Help Session Manager
• Remote Procedure Call (RPC) Locator
• Resultant Set of Policy Provider
• Routing and Remote Access
• Secondary Logon
• Shell Hardware Detection
• Smart Card
• Special Administration Console Helper
• Task Scheduler
• Telephony
• Telnet
• Terminal Services Session Directory
• Themes
• Uninterruptible Power Supply
• Upload Manager
• Virtual Disk Service
• WebClient
• Windows Audio
• Windows Image Acquisition (WIA)
• WinHTTP Web Proxy Auto-Discovery Service
• Wireless Configuration


Table 8: Unnecessary Services for SAP Systems

Services not required for SAP ITS Agate

• Alerter
• Application Layer Gateway Service
• Application Management
• ClipBook
• COM+ System Application
• DHCP Client
• Distributed File System
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
• Error Reporting Service
• File Replication
• Help and Support
• HTTP SSL
• Human Interface Device Access
• IMAPI CD-Burning COM Service
• Indexing Service
• Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
• Intersite Messaging
• Kerberos Key Distribution Center
• License Logging
• Messenger
• NetMeeting Remote Desktop Sharing
• Network DDE
• Network DDE DSDM
• Portable Media Serial Number Service
• Print Spooler
• Remote Access Auto Connection Manager
• Remote Access Connection Manager
• Remote Desktop Help Session Manager
• Remote Procedure Call (RPC) Locator
• Resultant Set of Policy Provider
• Routing and Remote Access
• Secondary Logon
• Shell Hardware Detection
• Smart Card
• Special Administration Console Helper
• Task Scheduler
• Telephony
• Telnet
• Terminal Services Session Directory
• Themes
• Uninterruptible Power Supply
• Upload Manager
• Virtual Disk Service
• WebClient
• Windows Audio
• Windows Image Acquisition (WIA)
• WinHTTP Web Proxy Auto-Discovery Service
• Wireless Configuration


Table 9: Unnecessary Services for SAP Systems

Services not required for SAP ITS Wgate

• Alerter
• Application Layer Gateway Service
• Application Management
• ClipBook
• COM+ System Application
• DHCP Client
• Distributed File System
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
• Error Reporting Service
• File Replication
• Help and Support
• Human Interface Device Access
• IMAPI CD-Burning COM Service
• Indexing Service
• Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
• Intersite Messaging
• Kerberos Key Distribution Center
• License Logging
• Messenger
• NetMeeting Remote Desktop Sharing
• Network DDE
• Network DDE DSDM
• Portable Media Serial Number Service
• Print Spooler
• Remote Access Auto Connection Manager
• Remote Access Connection Manager
• Remote Desktop Help Session Manager
• Remote Procedure Call (RPC) Locator
• Resultant Set of Policy Provider
• Routing and Remote Access
• Secondary Logon
• Shell Hardware Detection
• Smart Card
• Special Administration Console Helper
• Task Scheduler
• Telephony
• Telnet
• Terminal Services Session Directory
• Themes
• Uninterruptible Power Supply
• Upload Manager
• Virtual Disk Service
• WebClient
• Windows Audio
• Windows Image Acquisition (WIA)
• WinHTTP Web Proxy Auto-Discovery Service
• Wireless Configuration


Table 10: Unnecessary Services for SAP Systems

Services not required for SAP Enterprise Portal

• Alerter
• Application Layer Gateway Service
• Application Management
• ClipBook
• COM+ System Application
• DHCP Client
• Distributed File System
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
• Error Reporting Service
• File Replication
• Help and Support
• HTTP SSL
• Human Interface Device Access
• IMAPI CD-Burning COM Service
• Indexing Service
• Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
• Intersite Messaging
• Kerberos Key Distribution Center
• License Logging
• Messenger
• NetMeeting Remote Desktop Sharing
• Network DDE
• Network DDE DSDM
• Portable Media Serial Number Service
• Print Spooler
• Remote Access Auto Connection Manager
• Remote Access Connection Manager
• Remote Desktop Help Session Manager
• Remote Procedure Call (RPC) Locator
• Resultant Set of Policy Provider
• Routing and Remote Access
• Secondary Logon
• Shell Hardware Detection
• Smart Card
• Special Administration Console Helper
• Task Scheduler
• Telephony
• Telnet
• Terminal Services Session Directory
• Themes
• Uninterruptible Power Supply
• Upload Manager
• Virtual Disk Service
• WebClient
• Windows Audio
• Windows Image Acquisition (WIA)
• WinHTTP Web Proxy Auto-Discovery Service
• Wireless Configuration


Table 11: Unnecessary Services for SAP Systems

Services not required for SQL Server (SAP Enterprise Portal)

• Alerter
• Application Layer Gateway Service
• Application Management
• ClipBook
• COM+ System Application
• DHCP Client
• Distributed File System
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
• Error Reporting Service
• File Replication
• Help and Support
• HTTP SSL
• Human Interface Device Access
• IMAPI CD-Burning COM Service
• Indexing Service
• Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
• Intersite Messaging
• Kerberos Key Distribution Center
• License Logging
• Messenger
• Microsoft Search
• MSSQLServerADHelper
• NetMeeting Remote Desktop Sharing
• Network DDE
• Network DDE DSDM
• Portable Media Serial Number Service
• Print Spooler
• Remote Access Auto Connection Manager
• Remote Access Connection Manager
• Remote Desktop Help Session Manager
• Remote Procedure Call (RPC) Locator
• Resultant Set of Policy Provider
• Routing and Remote Access
• Secondary Logon
• Shell Hardware Detection
• Smart Card
• Special Administration Console Helper
• Task Scheduler
• Telephony
• Telnet
• Terminal Services Session Directory
• Themes
• Uninterruptible Power Supply
• Upload Manager
• Virtual Disk Service
• WebClient
• Windows Audio
• Windows Image Acquisition (WIA)
• WinHTTP Web Proxy Auto-Discovery Service
• Wireless Configuration


Table 12: Unnecessary Services for SAP Systems

Services not required for SAP Enterprise Portal IIS Proxy

• Alerter
• Application Layer Gateway Service
• Application Management
• ClipBook
• COM+ System Application
• DHCP Client
• Distributed File System
• Distributed Link Tracking Client
• Distributed Link Tracking Server
• Distributed Transaction Coordinator
• Error Reporting Service
• File Replication
• Help and Support
• Human Interface Device Access
• IMAPI CD-Burning COM Service
• Indexing Service
• Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
• Intersite Messaging
• Kerberos Key Distribution Center
• License Logging
• Messenger
• NetMeeting Remote Desktop Sharing
• Network DDE
• Network DDE DSDM
• Portable Media Serial Number Service
• Print Spooler
• Remote Access Auto Connection Manager
• Remote Access Connection Manager
• Remote Desktop Help Session Manager
• Remote Procedure Call (RPC) Locator
• Resultant Set of Policy Provider
• Routing and Remote Access
• Secondary Logon
• Shell Hardware Detection
• Smart Card
• Special Administration Console Helper
• Task Scheduler
• Telephony
• Telnet
• Terminal Services Session Directory
• Themes
• Uninterruptible Power Supply
• Upload Manager
• Virtual Disk Service
• WebClient
• Windows Audio
• Windows Image Acquisition (WIA)
• WinHTTP Web Proxy Auto-Discovery Service
• Wireless Configuration


Implementing Service Hardening

Use the administrative tool called "Services" to implement service hardening.

1. Click Start, and then select All Programs.

2. Select Administrative Tools in the All Programs menu, and then click Services.

3. The Services dialog box is displayed. Select then right-click on the service that you want to harden.

4. Select Properties from the pop-up menu.


5. The Properties dialog box is displayed. Set the Startup Type to Disable, and then click OK.

6. Repeat the above procedure for all services that you want to harden.

Figure 29 – Disabling Services
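The manual procedure above can be checked and repeated across many servers with a script. The following PowerShell audit is an added example (not from the whitepaper): it lists services set to Auto that are not in Table 4, and disables only the services you name from Tables 5 to 12, refusing to touch a required one. The Windows short service names and the default -DisableList subset are assumptions; <SID> and <NN> default to the whitepaper's example values P01 and 00.

```powershell
# Added example (not from the whitepaper). Report-only unless -Disable is given;
# supports -WhatIf and -Confirm through ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Sid = 'P01',            # SAP system ID (whitepaper's example value)
    [string]$InstanceNr = '00',      # instance number (whitepaper's example value)
    # Sample subset of Table 6; replace with the full table for this server's role.
    [string[]]$DisableList = @('Alerter', 'ClipBook', 'Messenger', 'Telnet',
                               'Network DDE', 'Network DDE DSDM'),
    [switch]$Disable
)

# Table 4 entries as wildcard patterns, matched against service name and
# display name. Short names are Windows Server 2003 service names (assumption).
$required = @(
    'Event Log', 'Eventlog',
    'Logical Disk Manager', 'dmserver',
    'Network Connections', 'Netman',
    'Plug and Play', 'PlugPlay',
    'Protected Storage', 'ProtectedStorage',
    'Remote Procedure Call*', 'RpcSs',
    'Security Account* Manager', 'SamSs',
    'Windows Management Instrumentation*', 'winmgmt', 'Wmi',
    # SAP R/3 Enterprise
    'SAPOSCOL', "SAP${Sid}_${InstanceNr}", 'SAP*_[0-9][0-9]',
    # SAP ITS Agate / Wgate and Enterprise Portal
    'SAP ITS Manager - *', 'ITS Watchdog', 'SAP IACOR Manager', 'SAP J2EE Engine Dispatcher',
    # SQL Server
    'Workstation', 'LanmanWorkstation', 'Server', 'LanmanServer', 'MSSQLSERVER',
    'SQL Server Agent', 'SQLSERVERAGENT',
    # Clusters
    'Remote Registry', 'RemoteRegistry', 'Cluster Service', 'ClusSvc', 'Removable Storage', 'NtmsSvc',
    # IIS
    'World Wide Web Publishing Service', 'W3SVC', 'IIS Admin Service', 'IISADMIN'
)

function Test-Required($svc) {
    foreach ($pattern in $required) {
        if ($svc.Name -like $pattern -or $svc.DisplayName -like $pattern) { return $true }
    }
    return $false
}

# Win32_Service.StartMode is the Startup Type the whitepaper refers to:
# Auto, Manual or Disabled.
$services = Get-WmiObject -Class Win32_Service

# Report 1: Auto-start services not in Table 4. These are review candidates only;
# check each one's purpose before adding it to -DisableList (see the note above Table 4).
$review = @($services | Where-Object { $_.StartMode -eq 'Auto' -and -not (Test-Required $_) })
Write-Host "Auto-start services not listed in Table 4: $($review.Count)"
$review | Sort-Object DisplayName | Format-Table Name, DisplayName, State -AutoSize

# Report 2 / action: services from -DisableList that are still enabled.
$targets = @($services | Where-Object {
    $_.StartMode -ne 'Disabled' -and
    ($DisableList -contains $_.DisplayName -or $DisableList -contains $_.Name)
})
foreach ($svc in $targets) {
    if (Test-Required $svc) {
        Write-Warning "Refusing to disable required service: $($svc.DisplayName)"
        continue
    }
    if (-not $Disable) {
        Write-Host "Would disable: $($svc.DisplayName) (StartMode $($svc.StartMode), $($svc.State))"
        continue
    }
    if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Set startup type to Disabled')) {
        # Stop the service so the change takes effect now, then set Startup Type = Disabled
        # (the same setting as step 5 of the Services dialog procedure).
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}
```

Run the report on a test system first and perform the operation checks in Table 13 and Table 14 before applying the same -DisableList in production.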

Implement Other Hardening

Internet Information Server (IIS) Hardening

If using IIS 4.0 (NT 4.0) or 5.0 (Windows 2000) for SAP ITS or SAP Enterprise Portal, use the IIS Lockdown Tool to lock down services. The tool is available for download at

http://www.microsoft.com/technet/security/tools/locktool.mspx.

The lockdown tool provides a wizard to change security settings, and templates for various scenarios are available. URLScan integration is also provided; it analyzes HTTP requests and keeps IIS from accepting unusual requests, which decreases the possibility of attack by computer viruses.

When using IIS 6.0, however, such toolkit functionality is included with Windows Server 2003. Note that IIS 6.0 is only supported for ITS starting with SAP ITS version 6.20 patch level 3, and that IIS 6.0 on Windows Server 2003 is not installed or set up by default. See SAP Note #585545 for information on running SAP ITS on IIS 6.0.

For reference, other security-related tools are available at http://www.microsoft.com/technet/security/tools/default.mspx.


SQL Server Hardening

If SQL Server 2000 is used as the database for SAP on Windows Server, refer to http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp for information on the steps to secure SQL Server 2000. Information for SAP running on Windows Server 2003 will be added to this whitepaper when available.

• Install the most recent SQL Server Service Pack
• Assess your server security with MBSA
• Use Windows Authentication Mode
• Isolate your server and back it up regularly
• Assign a strong SA password
• Limit the privileges of the SQL Server service
  o One account per service
  o Simple domain user rights
• Disable the SQL Server port on the firewall
• Use the most secure file system: NTFS
• Delete or secure old setup files
• Audit connections to SQL Server

Specific SAP Hardening

For specific considerations for SAP applications (Basis level 4.6B and higher), refer to SAP Note #165485 ("R/3 Security under Windows NT"). In addition:

• On servers without a transport directory, you can restrict the directories \usr and \usr\sap to the local administrators: Administrators (Full Control).

• On the transport server, create a further local group "SAP_LocalAdmin" and insert the SAP_<SID>_GlobalAdmin groups of all SIDs involved in the transport into this group.

• Assign the following authorizations to the directories \usr, \usr\sap and \usr\sap\trans: Administrators (Full Control), SAP_LocalAdmin (Full Control).

• The shares "SAPLOC" and "SAPMNT" can also be provided with this authorization list.

• Change the passwords of the default users SAP*, DDIC… in clients 000 and 066.
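The directory permissions above can be verified with the following PowerShell audit, added here as an example rather than taken from the whitepaper or SAP Note #165485. The drive letter D: and the two expected identities are assumptions to adjust for your installation; the script reports and changes nothing.

```powershell
# Added example (not from the whitepaper): reports every NTFS access entry on
# the SAP directories that is not one of the expected Full Control grants, and
# any expected identity that lacks Full Control.
param(
    [string[]]$Paths = @('D:\usr', 'D:\usr\sap', 'D:\usr\sap\trans'),   # assumed drive letter
    # Administrators and SAP_LocalAdmin as in the whitepaper's list; extend this
    # knowingly for identities your installation needs (e.g. the SAP service account).
    [string[]]$Expected = @('BUILTIN\Administrators', "$env:COMPUTERNAME\SAP_LocalAdmin")
)

function Get-AclFindings([string]$Path) {
    $acl = Get-Acl -Path $Path
    $findings = @()
    $seen = @{}
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        $isExpectedGrant = ($Expected -contains $who) -and
                           ($ace.AccessControlType -eq 'Allow') -and
                           ($ace.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl)
        if ($isExpectedGrant) { $seen[$who] = $true; continue }
        # Anything else (other identities, Deny entries, partial rights, entries
        # inherited from the drive root) is reported for review.
        $findings += New-Object PSObject -Property @{
            Path = $Path; Identity = $who; Rights = $ace.FileSystemRights.ToString()
            Type = $ace.AccessControlType.ToString(); Inherited = $ace.IsInherited
            Issue = 'Entry not in expected list'
        }
    }
    foreach ($id in $Expected) {
        if (-not $seen.ContainsKey($id)) {
            $findings += New-Object PSObject -Property @{
                Path = $Path; Identity = $id; Rights = ''; Type = ''; Inherited = ''
                Issue = 'Expected identity has no Full Control grant'
            }
        }
    }
    return $findings
}

$all = @()
foreach ($p in $Paths) {
    if (-not (Test-Path -Path $p -PathType Container)) { Write-Warning "Directory not found: $p"; continue }
    $all += Get-AclFindings -Path $p
}
if ($all.Count -eq 0) {
    Write-Host 'No deviations from the expected permission list.'
} else {
    $all | Format-Table Path, Identity, Rights, Type, Inherited, Issue -AutoSize
}
```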


Anti-Virus Considerations

Beyond locking down ports and services, segmenting the SAP servers onto a separate network, and similar measures, anti-virus software provides a further layer of protection. Most Microsoft customers running SAP on Windows Server have used anti-virus software with the shield activated without experiencing performance issues or problems, and the following best practices can be considered:

• Exclude the database file(s)

• Exclude SAP temporary files

• Scan only incoming traffic or files on write operations

• Do not activate automatic disinfection; instead, warn SAP administrators immediately

Well-known viruses can often be detected and removed before they cause an infection, because anti-virus vendors typically provide the capability to quickly scan a system and update all definition files immediately when a widespread attack is reported. Critical viruses are, on average, "unknown" for only about 24 hours. Another option is to implement an anti-virus gateway.

SAP Workstation Hardening

Even if an SAP client is secured through SAP security administration, a workstation (host) could be compromised through operating system, network, and other application vulnerabilities. As a result, it may not be able to run applications, it could be used as a “zombie” to run attacks and it could be used by an attacker to steal data, including usernames and passwords.

Protection of workstations includes the following considerations:

• Security Configuration
• OS, Application, Browser, E-mail, etc.
• Security Patches
• Service Packs
• Host firewall
• Scanning, Analyzing, Remediation
• Deployment strategy
• Antivirus Software

In addition, evaluate the latest security enhancements in Windows XP SP2:

• Windows Firewall
• Internet Explorer Security Enhancements
• Outlook Express Security Enhancements
• OS Security Enhancements
  o Core services reviewed and rewritten
  o Memory protection
• Review SAP Notes #66971 and 738927 about Windows XP SP2
• Identify, Assess, Test and Deploy the latest security patches
• Deploy baseline security on new machines

Specifically, the firewall provided with Windows XP SP2 is on by default for all network interfaces, provides boot-time security and global and per-interface configurations, has an exceptions list (that can be disallowed), accounts for local subnet restrictions, supports multiple profiles and RPC, can be configured via command-line and has better group policy management.

The firewall's "on by default" feature:

• Is installed with new installations and upgrades
• Is enabled when new interfaces are added
• Has a default configuration that provides good protection against worms (e.g., Blaster)
• Can account for certain applications that might require special settings
• Is manageable through Group Policy: Administrative Templates, Network, Network Connections, Windows Firewall, profile, "Windows Firewall: protect all network connections"

The firewall's "boot time security" feature:

• Provides a new, static filtering policy at boot time
• Permits DNS, DHCP, Netlogon
• The Windows Firewall policy is applied after logon (the policy then stays in effect until after the IP stack is shut down)
• Closes the hole that existed after boot, but before policy application

The firewall's "perimeter protection":

• Could be a distributed environment
• Application layer inspection
• Pre-authentication
• Protocol filtering
  o HTTP content, URL, and other filtering
• Port blocking
• Intrusion detection
• Logging

2.5 Other Hardening Information

Other considerations that affect the overall total cost of ownership (TCO) of hardening include the use of Active Directory with a proper Organizational Unit (OU) architecture and Group Policy Objects, which can help secure the overall computing environment. Management tools such as Microsoft Operations Manager (MOM), Terminal Services, HP OpenView, etc. can also be used for centralized, proactive security monitoring and administration.


2.6 Operation Checks

You can verify that your SAP system still operates correctly by performing the basic operation check described in the table below.

Table 13: Basic Operation Check

Environment: SAP R/3 Enterprise environment
Operations to be checked:
• Are the services of SAP R/3 Enterprise started? Any errors in the log?
• Are the services of the RDBMS started? Any errors in the log?
• Can you log on to SAP R/3 Enterprise?

Environment: SAP ITS environment
Operations to be checked:
• Are the services of ITS Wgate started? Any errors in the log?
• Are the services of ITS Agate started? Any errors in the log?
• Can you log on using a Web browser?

Environment: SAP Enterprise Portal environment
Operations to be checked:
• Are the services of SAP Enterprise Portal started? Any errors in the log?
• Are the services of the RDBMS started? Any errors in the log?
• Can you log on using a Web browser?

Other Reference Information

Microsoft TechNet Security Center
http://www.microsoft.com/technet/security/default.mspx

Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.mspx

Windows 2000 Server Security Hardening Guide
http://www.microsoft.com/technet/security/prodtech/Windows2000/win2khg/default.mspx

Windows XP Security Guide
http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx

From Blueprint to Fortress: A Guide to Securing IIS 5.0
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/depovg/securiis.mspx

SAP Network and Layer Transport Security
http://service.sap.com/security → Security in Detail → Infrastructure Security → Network and Layer Transport Security (SAP NW '04)

SAP Security Guides
http://service.sap.com/security → Security in Detail → SAP Security Guides → SAP Basis / Web AS Security Guides or SAP NetWeaver '04 Security Guide (Complete)


You can also check your system using the checklist and the transactions described in the table below. Checking these items verifies that there are no problems at the SAP Basis level (problems at the application level are not checked).

Table 14: Operation Checklist

• Task: Check that every application server is started.
  Transaction: SM51 - SAP Servers

• Task: Verify the work processes.
  Transaction: SM50 - Process Overview
  Method: Check that every work process is in either "running" or "waiting" status.

• Task: Check if any updates have failed.
  Transaction: SM13 - Update Records
  Method: Use "*" as the user ID and check if any "Err." have occurred for all updates in the past year.

• Task: Verify the system log.
  Transaction: SM21 - System Log
  Method: Investigate peculiar events such as "Errors", "Warnings", "Security", "messages", "Abends Database" and "problems".

• Task: Check for cancelled jobs.
  Transaction: SM37 - Select Background Jobs
  Method: Use "*" as the user ID and check that every critical job has been successful.

• Task: Check that no locks have continued for long periods of time.
  Transaction: SM12 - Lock Entry List
  Method: Use "*" as the user ID.

• Task: Verify the user sessions.
  Transaction: SM04 - Users; AL08 - Users
  Method: Check for unknown or suspicious user IDs.

• Task: Verify that there are no problems with spooling.
  Transaction: SP01 - Spool: Request Screen
  Method: Investigate any requests with "in process" status lasting more than an hour.

• Task: Verify the job logs.
  Transaction: SM35 - Batch Input: Initial Screen
  Method: Investigate "New jobs" and "Incorrect jobs."

• Task: Analyze the dumps.
  Transaction: ST22 - ABAP Dump Analysis

• Task: Analyze the workload statistics.
  Transaction: ST03N - Workload: Analysis of <SID>

• Task: Analyze the buffer statistics.
  Transaction: ST02 - Tune Summary
  Method: Investigate the swaps.

• Task: Investigate the error log.
  Transaction: ST04 - DB Performance Analysis

• Task: Check usage of the table area.
  Transaction: DB12


2.7 Final Security Check

After completing the hardening implementation, you need to check that it has been implemented without omissions. Use the Microsoft Baseline Security Analyzer (MBSA) to check the security of your Microsoft products. With this tool, you can perform a basic security check of Windows Server 2003, IIS and SQL Server.

For details about the Microsoft Baseline Security Analyzer (MBSA), see:

• Whitepaper: Microsoft Baseline Security Analyzer V1.2
  www.microsoft.com/technet/security/tools/mbsawp.mspx

2.8 Other Methods for Checking Hardening Implementation

You can also check your hardening implementation by using tools such as Ping, Event Viewer and group policy resultant sets.

Summary

This chapter has explained how to implement hardening to improve the security of your Windows Server-based SAP systems.

1. Hardening is a solution that brings significant benefits to SAP system administrators.

Hardening enables you to enhance security, ensure availability, and reduce the operating cost of the system.

2. Hardening is not a sufficient security measure in and of itself.

To keep an SAP system secure, you should also include patch management in the implementation.


3 Patch Management

This chapter describes how to implement patch management for your Windows Server-based SAP system, from collecting information about security vulnerabilities to monitoring the results of applying security update programs. In this whitepaper, the focus is on the risk assessment used to determine whether a given security update program should be applied to a given system.

Microsoft and SAP work closely during the release cycle for service packs, as Microsoft provides SAP with all pending service packs prior to their release. SAP tests thoroughly before Microsoft releases a particular service pack to ensure that installation will not disrupt a running SAP system. See SAP Note #663621 ("Supporting Microsoft Hot Fixes with Windows Update") for more information on SAP support of service packs.

Specific SAP support statements for Microsoft Windows Server service packs can be found in SAP Note #30478 ("Support Packs on Windows").

3.1 What Is Patch Management?

Patch management is the comprehensive control of how released security update programs are applied, considered both from the perspective of the processes involved and from that of your team (organization). This whitepaper concentrates on security update programs. In an environment in which hardening has been implemented appropriately as described in Chapter 2 "Hardening", the risk assessment (one of the patch management steps) will often show that a patch need not be applied immediately to protect against both known and new security vulnerabilities.

Patch management can be divided into four major processes: 1) "Collecting Information", where you periodically check announcements about security vulnerabilities; 2) "Assessing Risks", where you analyze the risks identified from the collected vulnerability information; 3) "Applying the Security Update Program", where you test and apply the security update program; and 4) "Monitoring the Result", where you check that all the necessary security update programs have been applied. The following sections describe patch management based on these four processes.

Contents of this Chapter

This chapter describes how to implement patch management for your Windows Server-based SAP system.

1. What Is Patch Management?
2. Collecting Information
3. Assessing Risks
4. Applying the Security Update Program
5. Monitoring the Result

References

Related documents