Sap Hardening and Patch Management Guide for Windows Server

(1)

SAP Hardening and Patch Management Guide

for Windows Server

Microsoft Corporation

November 15, 2005

(2)

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This Whitepaper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may own patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not assign any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, SQL Server, Windows, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

(3)

1 Introduction

...

1 2 Hardening

...

5 2.1 What Is Hardening?

...

5 2.2 Multi-layered Hardening

...

6 2.3 Harding Implementation Steps

...

6 2.4 Implementation of Hardening

...

7 Network Hardening

...

7 Server Hardening

...

23 Implement Other Hardening

...

42 2.5 Other Hardening Information

...

45 2.6 Operation Checks

...

46 2.7 Final Security Check

...

48 2.8 Other Methods for Checking Hardening Implementation

...

48 3 Patch Management

...

49 3.1 What Is Patch Management?

...

49 3.2 Collecting Information

...

50 Collecting Information about Security Vulnerability

...

50 3.3 Assessing Risks

...

51 Assessing the Consequences and Urgency of the Vulnerability

...

53 What is a Vulnerability Assessment Matrix?

...

53 Organizing the Information about Security Vulnerability

...

54 Assessing the Pros and Cons of the Risk

...

55 Determining the Degree of Urgency

...

55 Devising a Plan for Responding to the Vulnerability

...

60

(4)

Verifying Behavior in the Test Environment

...

64 Confirming the Steps for Roll-Back in the Test Environment

...

65 Confirming that the Necessary Programs have been Applied

...

65 Appendix: Report on Hardening Verification

...

66 1.1 Verification Scenarios...66

1.2 Contents of Verifications...67

1.3 Verification Results...67

1.4 Network Hardening Settings...68

Network Hardening in SAP R/3 Enterprise...68

Network Hardening in SAP ITS ...70

Network Hardening in SAP Enterprise Portal...73

1.5 Service and Other Hardening Settings...78

Service Hardening Using Templates...78

(5)

1 Introduction

Recently, there has been an increase in reports by newspapers and TV programs about computer virus

damage and information leakages. Computer virus damage and information leakages may cause

suspension of business and consume large amounts of company resources in taking countermeasures.

In serious cases, it may pose a threat to the status and reputation of the company.

SAP systems typically handle mission-critical operations, such as finance and sensitive company

information. For this reason, if information leakage or virus problems occur in an SAP system, the

company may suffer enormous damage. To reduce the risk of unplanned system shutdowns, effective

security measures must be taken.

This whitepaper presents hardening and patch management as security measures against such risks to

Windows Server-based SAP systems.

The purpose of hardening is to achieve a system environment that is less vulnerable to unauthorized

access and virus attacks. In the Hardening chapter, we describe how to define and implement

hardening, as well as verify the implementation.

The purpose of patch management is to assess the specific risks to a company and to apply

appropriately timed security update programs. With patch management, the minimum required security

update programs can be applied to that helps to minimize the risks and costs of system changes. In the

Patch Management chapter, defining patch management and operation is explained in five steps:

"Collecting Information", "Assessing Risks", "Applying the Security Update Programs", and "Monitoring

the Result." Throughout the chapter, risk assessment is emphasized.

Note:

Hardening and patch management are complementary procedures and implementation of one without the

other will be insufficient. Hardening helps to reduce a system from possible attacks (such as from computer

viruses), but may not be able to handle unfamiliar attack methods. To minimize this possibility, risk

assessment (as a part of patch management) should be implemented.

Purpose of This Whitepaper

Secure system environments can be maintained by applying security update programs as soon as they

are released. However, it may be difficult to apply them immediately after release because of issues

such as the costs associated with verifying the effect of a security update program, the interruption of

services when the programs are applied to the operating environment, and the risk of altering the

operating environment. This whitepaper aims at helping to alleviate these problems and attempts to

help you build a more secure SAP system. By applying what is described in this whitepaper to a

Windows Server-based SAP system, help with securing an SAP system (and thus addressing an

aspect of high system availability) is achieved and TCO may be reduced. Note that most of the

configuration-specific guidance in this paper is applicable to Windows Server 2003. Similar procedures

may be found in Windows Server 2000 documentation dependent on the particular topic covered.

(6)

Scope of Security Measures Covered in This Whitepaper

Common security measures are further classified into "technical measures" (such as installation or

configuration of hardware and software) and "institutional measures" (such as creation of policies, or

determination and analyses of vulnerabilities).

Error: Reference source not found

Figure 1 – Security Measures

Among the security measures illustrated in Figure 1, "Building a Secure System (Multi-layer Defense)"

and "Patch Management" can be effective technical measures if implemented properly.

(7)

Figure 2 – Multi-layer Defense

Using a multi-layer approach

Increases risk for attackers to be detected

Reduces the possibility of successful attacks

Data

Application

Host

Internal Network

Boundaries

Equipment Security

Policies, Regulations

and Awareness

ACL, Encryption Enhancing Applications, Virus Protection

Enhancing operation systems, Security Update Management, Authentication, HIDS

Network Segment, IPSec, NIDS

Firewall, VPN isolation

User Education

Security Guard, Lock and Tracking Device

The idea is to protect the system

from unexpected attacks.

It enhances protection by

setting multiple defense lines.

(hardening using templates)

(8)

This whitepaper covers the security measures indicated under the Category column of Error: Reference

source not found. For security issues not listed here, appropriate measures will need to be

implemented as necessary.

It is also important to note that such security measures must be considered on every SAP system in

your environment (regardless of the type of operating system or database used) as no platform is

completely secure.

SAP Hardening and Patch Management Guide for Windows Server

4 Table 1: Common Security Measures

CategoryMeasuresCoverageTechnical measuresSecurity breach inspectionBuilding a secure system (multi-layer defense)DataApplicationHostYesInternal networkYesBoundariesEquipment securityPolicies, regulations, and awarenessPatch ManagementYesMonitoring viruses and unauthorized accessInstitutional

measuresRisk analysisYesOperation guidelinesRisk management proceduresPolicy implementationPolicy creation

(9)

2 Hardening

This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP

system.

Error: Reference source not found

2.1 What Is Hardening?

Hardening an SAP system is configuring your SAP system with only the minimum platform functions

that are necessary for operating the system. In this way, security, availability and reduction of the

operating cost of the system is addressed.

Contents of this Chapter

This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP system.

What is Hardening?

Multi-layered Hardening

Implementation of Hardening

Final Security Check

Summary

Hardening Defined…

Definition: Configuring SAP systems with only the minimum platform functions that are necessary for operating the system.

Effect:

Enhances security

Prevent the SAP system from exposure to unnecessary vulnerability risks and block computer virus attacks to a maximum extent.

Effect:

Ensures availability

Minimize the frequency of applying security update programs that often require systems to be shutdown.

(10)

2.2 Multi-layered Hardening

This whitepaper covers three types of hardening which are especially effective on SAP systems.

2.3 Harding Implementation Steps

Hardening should be implemented in stages. For example, take one item (such as network or service)

at a time, check the behavior, then move on to the next item.

Figure 3 - Hardening Implementation Steps

*1 Use ASR backup of Windows Server 2003 or a third party image backup tool.

*2 Use Microsoft Baseline Security Analyzer or other tools.

Effective hardening methods for SAP systems

This whitepaper covers three types of hardening can be effective on SAP systems, if implemented properly.

Network hardening (internal network layer)

Service hardening (host layer)

Other hardening (host layer)

**Assure there is a means for rollback or backup the system configuration (*1)**

Repeat the procedure for each server and hardening

(rollback when a problem arises)

**Final security check (*2)**

Implement server

hardening

Implement network

hardening

Implement other

hardening

Step-by-step implementation of hardening

(11)

2.4 Implementation of Hardening

Before implementing high-quality hardening, some preparation is required. Some important preparation

tasks are: clarifying the required security level, checking the specifications of your system, determining

what might need hardening, estimating the cost and the effect of the hardening, and determining what

to harden.

Network Hardening

Hardening networks on an SAP system is implementing packet filtering to block unnecessary

communications. With this, the goal is to make stacks more difficult by blocking unnecessary

communication.

Preparations before implementing hardening

Before implementing high-quality hardening, some preparation is required. C

larifying the required security level

D

etermine how far security should be enhanced.

Checking the system specifications

C

heck the specifications of not only the SAP system but also systems other than SAP. This includes checking required communication paths, ports, and services.

Determining what might need hardening

D

etermine what should be subjected to network, service, and other hardenings.

Estimating the cost and the effect of the hardening

E

stimate the effect and the associated cost beforehand to ensure maximum effect with minimum cost.

Determining what to harden

D

ecide which items should be subjected to hardening and how extensively it should be done.

Network Hardening Defined…

Definition: Implementing packet filtering on SAP systems to block unnecessary communications.

(12)

Network hardening is important on SAP systems for the following reasons: 1) SAP systems only use

specific ports that can be easily identified, 2) the ports used on SAP systems are typically less apt to be

attacked by computer viruses, and 3) hardening networks to the maximum extent makes attacks more

difficult for hackers.

As a first step, determine which servers are critical to deliver SAP services (which servers might be a

single point of failure from a network hardening perspective?).



SAP Central Instance



SAP Database Instance



Other non-redundant servers

Such a determination will decrease the time necessary to install the applicable security patches which

could lead to downtime for these servers from a standpoint of availability. Therefore, there would be

implementation of port and services limits of these specific SAP application and database servers (also

effective with SAP Router) while other servers may not have such strict limitations.

Overall, separate SAP servers which potentially have a single point of failure (CI, DB, etc.) from others;

thus creating a “SAP server segment” via firewall, router, etc. So that security patches can be done one

by one, other SAP-related servers that are “redundant” are separate (e.g. SAP dialog instance, ITS

AGate/WGate, etc.).

Importance of Network Hardening

Reasons why network hardening is important on all SAP systems in your environment.

R

eason:

SAP systems only use specific ports that can be easily

identified.

T

he ports are further limited when the functions of the SAP J2EE engine are suspended. R

eason:

The ports used on SAP systems are that are typically

less apt to be attacked by computer viruses.

T

he ports are also customizable.

R

eason:

Therefore, hardening networks to the maximum extent

(13)

Figure 4 – An Example of Network Hardening for a Corporate Network

Ports and Packet Filtering

Packet filtering should be taken into consideration to block all unnecessary network traffic on ports to

SAP systems (as well as any 3

rd

_{party tools) and IPSec script policy should be leveraged.}

Execute IPSec policy scripts on each Windows Server and hardware-based packet filtering to lock

down specific ports can be done via a firewall, router, and layer 3 switch among network subnets. (See

SAP Note #66687 (“Use of Network Security Products”) concerning SAP certification requirements for

some 3

rd

_{party network security tools.)}

Note that Microsoft ISA Server 2004 can provide advanced firewall protection and includes the

following:

(14)



Interface blocking



Intrusion detection

By applying the IPSec script policy to your server, you can confine the communication pathway and

restrict the TCP and UDP ports used for the communication. For how to use IPSec, refer to:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod111.asp

The following is includes an example of the IPSec script policy:

:IPSec Policy Definition

netsh ipsec static add policy name="Packet Filters - R3" description="Server Hardening Policy" assign=no

:IPSec Filter List Definitions

netsh ipsec static add filterlist name="ALL" description="Server Hardening" netsh ipsec static add filterlist name="DIALOG" description="Server Hardening" netsh ipsec static add filterlist name="MSSQL" description="Server Hardening"

:IPSec Filter Action Definitions

netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit

netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block

:IPSec Filter Definitions

netsh ipsec static add filter filterlist="ALL" srcaddr=any dstaddr=me description="ALL" protocol=any srcport=0 dstport=0

netsh ipsec static add filter filterlist="DIALOG" srcaddr=any dstaddr=me description="DIALOG" protocol=TCP srcport=0 dstport=3200

netsh ipsec static add filter filterlist="MSSQL" srcaddr=me dstaddr=192.168.12.3 description="MSSQL" protocol=TCP srcport=0 dstport=1433

:IPSec Rule Definitions

netsh ipsec static add rule name="ALL" policy="Packet Filters - R3" filterlist="ALL" kerberos=yes filteraction=Block

netsh ipsec static add rule name="DIALOG" policy="Packet Filters - R3" filterlist="DIALOG" kerberos=yes filteraction=SecPermit

netsh ipsec static add rule name="MSSQL" policy="Packet Filters - R3" filterlist="MSSQL" kerberos=yes filteraction=SecPermit

netsh ipsec static set policy name="Packet Filters - R3" assign=y

Example: Create the sample code as a batch file and execute it on SAP R/3 Enterprise server.

1 Default communication blocked.

2 Permit dialog process access from clients (between clients and SAP R/3 Enterprise via destination

port TCP 3200).

3 Permit access from SAP R/3 Enterprise to DB instances (between SAP R/3 Enterprise and SQL

server via destination port TCP 1433).

(15)

Necessary Ports for Operating SAP Systems

A list of ports used by:



SAP systems (along with other security-related documentation):

http://service.sap.com/security

 Security Detail  Infrastructure Security.



Windows Server System:

“Service Overview and Network Port Requirements for the Windows Server System”

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

.



SQL Server: over TCP: 1433, UDP: 1434



IIS (World Wide Web Publishing Service): 80, 443



Terminal Services and Remote Desktop: 3389 (default; can be configured):

“How to Change the Listening Port in the Windows Terminal Server Web Client”

http://support.microsoft.com/default.aspx?scid=kb;en-us;326945

)



Active Directory (dependent on design):

“How to Configure a Firewall for Domains and Trusts”

http://support.microsoft.com/kb/179442/EN-US/

“Restricting Active Directory Replication Traffic to a Specific Port”

http://support.microsoft.com/default.aspx?scid=kb;en-us;224196

(16)

Table 1 – Necessary (Destination) Ports for Operating SAP Systems

Application

Service Name Protocol Destination Port

SAP R/3 Enterprise

sapdpNN TCP 32NN

sapgwNN TCP 33NN SAPlpd TCP 515 HTTP/HTTPS TCP 81NN/444NN sapmsSID TCP 36NN HTTP/HTTPS TCP 80NN/443NN SMTP TCP 25 HTTP/HTTPS TCP 5NN00/5NN01

IIOP Initial context /IIOP over SSL TCP 5NN02/5NN03 P4/P4 over HTTP tunneling /P4 over SSL TCP 5NN04/5NN05/5NN06

IIOP TCP 5NN07 JMS TCP 5NN10 Telnet TCP 5NN08 Multiplexer TCP 4NN00 Portwatcher TCP 4NN01-79 HTTP TCP 4NN80-99 TCP 5NN17/5NN18/5NN19 MessageServer TCP 36NN HTTP/HTTPS TCP 81NN/444NN Engue Server TCP 32NN Eng. Replication TCP 33NN

SAP ITS Wgate

sapvw00_<SID> TCP 39NM

sapvwmm_<SID> TCP 39N9

sapvw00_ADM TCP 39NM

sapvwmm_ADM TCP 39N9

SAP ITS Agate

HTTP/HTTPS TCP 80/443

sapdpNN TCP 32NN

sapgwNN TCP 33NN

sapmsSID TCP 36NN

SAP Enterprise Portal 6.0

HTTP/HTTPS TCP 5NN00/5NN01

IIOP Initial context /IIOP over SSL TCP 5NN02/5NN03 P4/P4 over HTTP tunneling /P4 over SSL TCP 5NN04/5NN05/5NN06

IIOP TCP 5NN07

JMS TCP 5NN10

Telnet TCP 5NN08

TCP 5NN17/5NN18/5NN19

SAP Enterprise Portal IIS Proxy

HTTP/HTTPS TCP 5NN00/5NN01

Note:

• The port numbers are customizable.

(17)

Table 3 – Necessary (Destination) Ports for Operating SAP Systems (cont’d)

Application

Service Name Protocol Destination Port

SAP Router

SAProuter TCP 3299

sapdpNN TCP 32NN

sapgwNN TCP 33NN

sapmsSID TCP 36NN

SAP Web Dispatcher

HTTP/HTTPS TCP 80NN/443NN

Active Directory

See Microsoft Knowledge Base Article #179442 – “How to Configure a Firewall for Domains and Trusts" and #224196 – “256986) at support.microsoft.com

SQL Server

SQL over TCP TCP 1433

Oracle

TCP 1527

DB2/UDB

TCP Customize

SAPDB

TCP 7200/7210

Informix

TCP 3800

IIS

HTTP TCP 80 HTTPS TCP 443

Terminal Services

TCP 3389

Windows Server

NetMeeting Remote Desktop Sharing (Used

by SAP Support) TCP 3389

File Sharing (Used in the sharing of SAP migration files and in the shipping of SQL server logs) TCP 445 UDP 445 TCP 137 UDP 137 UDP 138 TCP 139

Clustering (Central instance and DB

instance multiplexing) TCPUDP 3343135 For details, see Microsoft Knowledge Base Article #832017 – “Port Requirements for the Microsoft Windows Server System".

Note:

• The port numbers are customizable.

(18)

Figure 5 – Ports Used by SAP R/3 Enterprise

(19)

(20)

Figure 9 – Ports Used by SAP Router

(21)

Configuration of Ports

For configuration of ports and other steps for network hardening, use the "Microsoft Management

Console (MMC)":

Click Start, and then click Run.

1.

Type "mmc" in the Name field of the Select File To Run dialog box, and then click OK.

2.

The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.

3.

From the pull-down menu, select Add/Remove Snap-in.

4.

The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.

5.

In the Standalone tab, click Add.

6.

The Add Standalone Snap-in dialog box is displayed. Select IP Security Policy Management in

the Available Standalone Snap-ins dialog box, and then click Add.

7.

The Select Computer or Domain dialog box is displayed. Select Local Computer. Click Finish.

8.

Click Close on the Add Standalone Snap-in dialog box.

9.

Click OK on the Add/Remove Snap-in dialog box.

10.

IP Security Policies on Local Machine is added under the Console Root on the Microsoft

Management Console.

11.

Click the added IP Security Policies on Local Machine to display the registered IP security policy

in the right pane.

(22)

12.

Double-click the registered Packet Filters - R3.

Figure 12 – Packet Filter IP Security Policy

13.

The Packet Filters - R3 Properties dialog box is displayed (see Figure 10). Click the Rules tab.

14.

Select an IP filter that you want to verify from the IP Security Rules section on the Rules tab, and

then click Edit.

(23)

15.

Select the IP Filter List tab on the dialog box that is displayed.

16.

Select an IP filter that you want to verify from the IP Filter List section in the IP Filter List tab, and

then click Edit.

17.

The IP Filter List dialog box is displayed and you can verify the configuration of the IP filter.

Figure 14 – IP Filter List

18.

When you finish verifying the IP filter, click Cancel to close the dialog box.

19.

To verify the configuration of the filter action, select the Filter Action tab in the Edit Rule

Properties dialog box.

(24)

To un-assign network hardening, select then right-click on Packet Filters - R3 in the Microsoft

Management Console. Then select Un-assign from the pop-up menu. To remove the network

hardening, select Delete from the same pop-up menu.

(25)

Network Communication Paths

Figure 17 – Communication Paths for an SAP R/3 Enterprise Environment

(26)

Figure 19 – Communication Paths for an SAP Enterprise Portal Environment

Figure 20 - Communication Paths for an

(27)

Active Directory Considerations

As per SAP’s Web AS installation guide, SAP application and database servers should be implemented

in either of the following ways:



Extra domain: SAP systems are embedded in their own “SAP”-specific domain and a separate

domain is used for user accounts. Both domains must be incorporated in a domain tree with

the user account domain as the root domain and the SAP domain as the child.



Single domain: SAP servers and user accounts are in the same domain.

Reference SAP Note #711319 (“Domain Installation using Delegation of Administration in AD”) for

information regarding the situation when installation of SAP cannot be performed by a domain

administrator as specified in SAP’s installation guides.

Also, for SAP Enterprise Portal, situations may arise where it may be desired to prevent local users

from another domain from logging into SAP EP. See SAP Note #710032 (“Restrict Windows

Authentication to Domains”) for specific configuration information to meet this need.

Server Hardening

An SAP system is under unnecessary security risks when there are services not applicable to SAP or

have ineffective settings. Therefore, administrators should disable unnecessary services and

strengthen security settings for others to the extent that SAP services can run without any issues. Such

actions can be efficiently performed to some extent by utilizing security templates provided by Microsoft.

Hardening Using Templates

You can use the Windows Server 2003 Security Guide and the associated templates as a step towards

implementation of hardening. There are three types of security templates that are differentiated

according to the security environment and nine types of templates that are differentiated according to

the server role. You will need to implement a hardening for each server role.

For more information on the Windows Server 2003 Security Guide, visit the Microsoft Download Center.

http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en#filelist

Three types of templates differentiated according to security environment

• Legacy client (security level: low)

• Enterprise client (security level: medium)

(28)

Nine types of templates differentiated according to server role

• Domain controller

• Member server

• Web server

• Infrastructure server (DHCP, WINS)

• File server

• Print server

• IAS server

• Certificate service server

• Bastion host

Additional Information:

After applying Windows Server 2003 templates, you can make your SAP system more secure by

checking and changing the following configurations in accordance with the documents in Table 3.

- Confirm that every partition of the disk is formatted in NTFS.

- Confirm that an invulnerable password is set for the Administrator account. - Disable or delete unnecessary accounts.

- Make sure that the old security configurations are not changed when you upgrade your system from previous versions.

- Configure the Administrator account. - Delete all unnecessary file sharing.

- Specify an appropriate ACL for every necessary file sharing. - Protect your Telnet server.

- Enable IIS logging.

- Unbind NetBIOS from TCP/IP.

- Remove OS/2 and POSIX subsystems.

- Disable the automatic generation of short file names (8.3 format). - Disable the creation of LM hashes.

- Configure NTLMSSP security. - Disable automatic execution.

Use Microsoft Management Console to apply security templates. Before you apply a security template,

you need to backup the role security policies using an administrative tool called "Local Security Policy."

(29)

Backup Local Security Policy

1.

Click Start, and then select All Programs.

2.

Select Administrative Tools in the All Programs menu, and then click Local Security Policy.

3.

The Local Security Policy dialog box is displayed. Select then right-click Security Settings in the

dialog box.

4.

Select Export Policy from the pop-up menu.

Figure 21 – Backup Local Security Policy

5.

The Export Policy To dialog box is displayed. In the File Name field, type the name of the file that

you want to export the policy to.

(30)

Applying the Security Template

1.

Click Start, and then click Run.

2.

Type "mmc" in the Name field of the Select File To Run dialog box and click OK.

3.

The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.

4.

From the pull-down menu, select Add/Remove Snap-in.

5.

The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.

6.

In the Standalone tab, click Add.

7.

The Add Standalone Snap-in dialog box is displayed. Select Security Configuration and

Analysis in the Available Standalone Snap-ins dialog box, and then click Add.

8.

Click Close on the Add Standalone Snap-in dialog box.

9.

Click OK on the Add/Remove Snap-in dialog box.

10.

Security Configuration and Analysis is added under the Console Root on the Microsoft

Management Console.

11.

Select then right-click the added Security Configuration and Analysis.

12.

Select Open Database from the pop-up menu.

(31)

13.

The Open Database dialog box is displayed. In the File Name field, type the name of the database

that you want to open, and then click Open.

14.

The Import Template dialog box is displayed. In the File Name field, select the security template

file (INF file) downloaded from Internet, and then click Open. You should select a security template

file appropriate for your server configuration.

Figure 23 – Importing Templates

15.

On the Microsoft Management Console, select then right-click Security Configuration and

Analysis.

(32)

(33)

17.

When you execute analysis of the computer, red X marks appear to indicate the parts where the

current settings should be changed.

18.

If you want to change the template, double-click the entry.

Figure 25 – Analysis of Computer

(34)

20.

On the Microsoft Management Console, select then right-click Security Configuration and

Analysis.

21.

Select Configure Computer Now from the pop-up menu.

Figure 27 – Configuration of Computer

Note:

• We recommend that the procedure be carried out step by step.

• If you want to provide against the worst case, it is recommended that you perform a system backup

using Automatic System Recovery (ASR) or an image backup tool before applying a template.

(35)

Service Hardening

Service hardening is the process of disabling the services that are unnecessary for operating your SAP

system. In this way you can block attacks that use unnecessary services and improve the performance

of the system.

Error: Reference source not foundService hardening investigates Windows services that are

unnecessary for the operation of the SAP system and disables their Startup options in order to prevent

any attacks through usage of these unnecessary services.

There are three settings for Startup options: "Auto", "Manual", and "Disable." Set the option in

accordance with the criteria described in the table below.

Service Hardening Defined…

Definition: Disabling services that are unnecessary for operating SAP systems.

E

ffect:

Blocking attacks that use unnecessary services

M

akes attacks against vulnerability more difficult by disabling services unnecessary for SAP systems.

E

ffect:

Improving performance

R

educes the load on the server and improves performance by disabling services unnecessary for SAP systems.

Table 3: Setting the Startup Option

Type of Service

T

Startup Option

S

Services that are obviously unnecessary for operating the

system

s

Disable

D

Services that are obviously necessary for operating the system

S

Auto

A

Other

services

s

Manual

M

Importance of Service Hardening

Reasons why service hardening is important on all SAP systems in your environment.

(36)

Note:

• This table shows Windows services installed during a standard installation. Clustering environments

may have different services.

• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such

as 00). For SAP R/3 Enterprise, there are two "SAP<SID>_<NN>" services - one is for central

instances and the other is for central service instances.

• SAP J2EE Engine (Dispatcher and Server), SDM, and IGS of SAP R/3 Enterprise are started by

central instance services.

• SAP J2EE Engine Server of SAP Enterprise Portal 6.0 is started by "SAP J2EE Engine Dispatcher"

service.

• When you disable services not listed in this table, you should check the intended purpose of the

services and test it in the appropriate system environment.

Table 4: Services Necessary for SAP Systems

Minimum required services for Windows Server

M

Event Log Logical Disk Manager

Network Connections Plug and Play Protected Storage Remote Procedure Call Security Account Manager

Windows Management Instrumentation

Windows Management Instrumentation Extensions W

W

Additionally required services for SAP R/3 Enterprise E SAPOSCOL SAP<SID>_<NN> SAP<SID>_<NN> S

S

Additionally required services for SAP ITS Agate A

SAP ITS Manager - <SID> SAP ITS Manager - ADM

ITS Watchdog

SAP IACOR Manager S

S

Additionally required services for SAP Enterprise Portal A

SAP J2EE Engine Dispatcher

D

Additionally required services for SQL Server A Workstation Server MSSQLSERVER SQL Server Agent S

S

Additionally required services for clusters A Remote Registry Cluster Service Removal Storage R

R

Additionally required services for IIS A

World Wide Web Publishing Service IIS Admin Service

I

Additionally required services for SAP ITS Wgate A

SAP IACOR Manager S

S

Additionally required services for SAP Enterprise Portal IIS Proxy

r

none n

(37)

The tables below show the services that are not required for operating SAP various systems.

SAP Hardening and Patch Management Guide for Windows Server

33 Table 5: Unnecessary Services for SAP Systems

Services not required by Domain Controller

Alerter

Application Layer Gateway Service Application Management

ClipBook

COM+ System Application DHCP Client

DHCP Server

Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service

Help and Support HTTP SSL

Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service

Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) License Logging

Messenger

NetMeeting Remote Desktop Sharing Network DDE

Network DDE DSDM

Portable Media Serial Number Service P

Print Spooler Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Resultant Set of Policy Provider Routing and Remote Access Secondary Logon

Shell Hardware Detection Smart Card

Special Administration Console Helper Task Scheduler

Telephony Telnet

Terminal Services Session Directory Themes

Uninterruptible Power Supply Upload Manager

Virtual Disk Service WebClient Windows Audio

Windows Image Acquisition (WIA)

WinHTTP Web Proxy Auto-Discovery Service Wireless Configuration

W

Table 6: Unnecessary Services for SAP Systems

Services not required for SAP R/3 Enterprise

Alerter

ClipBook

File Replication Help and Support HTTP SSL

Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Intersite Messaging

Kerberos Key Distribution Center License Logging

Messenger

Network DDE DSDMPortable Media Serial Number Service Print Spooler

Remote Access Auto Connection Manager Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Locator Resultant Set of Policy Provider Routing and Remote Access Secondary Logon

Telephony

W

(38)

SAP Hardening and Patch Management Guide for Windows Server

34 Table 6: Unnecessary Services for SAP Systems

Services not required for SAP R/3 Enterprise

Alerter

ClipBook

Messenger

Telephony Telnet

W

Table 7: Unnecessary Services for SAP Systems

Services not required for SQL Server (for SAP R/3 Enterprise)

Alerter

ClipBook

Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Distributed Transaction Coordinator Error Reporting Service

Messenger Microsoft Search MSSQLServerADHelper

NetMeeting Remote Desktop Sharing Network DDENetwork DDE DSDM Portable Media Serial Number Service Print Spooler

Telephony Telnet

Virtual Disk Service WebClient

W

(39)

SAP Hardening and Patch Management Guide for Windows Server

35 Table 7: Unnecessary Services for SAP Systems

Services not required for SQL Server (for SAP R/3 Enterprise)

Alerter

ClipBook

Telephony Telnet

W

Table 8: Unnecessary Services for SAP Systems

Services not required for SAP ITS Agate

Alerter

ClipBook

Messenger

Telephony

W

(40)

SAP Hardening and Patch Management Guide for Windows Server

36 Table 8: Unnecessary Services for SAP Systems

Services not required for SAP ITS Agate

Alerter

ClipBook

Messenger

Telephony Telnet

W

Table 9: Unnecessary Services for SAP Systems

Services not required for SAP ITS Wgate

Alerter

ClipBook

File Replication Help and Support

Messenger

Telephony Telnet

W

(41)

SAP Hardening and Patch Management Guide for Windows Server

37 Table 9: Unnecessary Services for SAP Systems

Services not required for SAP ITS Wgate

Alerter

ClipBook

Messenger

Telephony Telnet

W

Table 10: Unnecessary Services for SAP Systems

Services not required for SAP Enterprise Portal

Alerter

ClipBook

Messenger

Telephony

W

(42)

SAP Hardening and Patch Management Guide for Windows Server

38 Table 10: Unnecessary Services for SAP Systems

Services not required for SAP Enterprise Portal

Alerter

ClipBook

Messenger

Telephony Telnet

W

Table 11: Unnecessary Services for SAP Systems

Services not required for SQL Server (SAP Enterprise Portal)

Alerter

ClipBook

Telephony Telnet

W

(43)

SAP Hardening and Patch Management Guide for Windows Server

39 Table 11: Unnecessary Services for SAP Systems

Services not required for SQL Server (SAP Enterprise Portal)

Alerter

ClipBook

Telephony Telnet

W

Table 12: Unnecessary Services for SAP Systems

Services not required for SAP Enterprise Portal IIS Proxy

Alerter

ClipBook

Messenger

Telephony

W

(44)

Table 12: Unnecessary Services for SAP Systems

Services not required for SAP Enterprise Portal IIS Proxy

Alerter

ClipBook

Messenger

Telephony Telnet

(45)

Implementing Service Hardening

Use the administrative tool called "Services" to implement service hardening.

1.

Click Start, and then select All Programs.

2.

Select Administrative Tools in the All Programs menu, and then click Services.

3.

The Services dialog box is displayed. Select then right-click on the service that you want to harden.

4.

Select Properties from the pop-up menu.

(46)

5.

The Properties dialog box is displayed. Set the Startup Type to Disable, and then click OK.

6.

Repeat the above procedure for all services that you want to harden.

Figure 29 – Disabling Services

Implement Other Hardening

Internet Information Server (IIS) Hardening

If using IIS 4.0 (NT 4.0) or 5.0 (Windows 2000) for SAP ITS or SAP Enterprise Portal, use the IIS

Lockdown Tool to lock down services. The tool is available for download at

http://www.microsoft.com/technet/security/tools/locktool.mspx

.

The lockdown tool provides an wizard to change security settings and various templates for various

scenarios are available. URLscan integration is also provided which decreases the possibility of attack

by computer viruses as it analyzes HTTP requests and keeps IIS from accepting unordinary requests.

When using IIS 6.0 however, such toolkit functionality is included with Windows Server 2003. Note that

usage of IIS 6.0 is only available for ITS starting with SAP ITS version 6.20 patch level 3 and IIS 6.0 on

Windows Server 2003 is not installed or setup by default. See SAP Note #585545 for information on

running SAP ITS on IIS 6.0.

For reference, other security-related tools are available at

http://www.microsoft.com/technet/security/tools/default.mspx

.

(47)

SQL Server Hardening

If SQL Server 2000 is used as the database for SAP on Windows Server, refer to

http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.a

sp

for information

on steps to secure SQL Server 2000. Information for SAP running on Windows Server 2003 will be

added to this whitepaper when available.



Install most recent SQL Server Service Pack



Assess your server security with MBSA



Use Windows Authentication Mode



Isolate your server and backup it up regularly



Assign a strong SA password



Limit privilege of SQL Server Service

o

One account per service

o

Simple Domain User right



Disable SQL Server port on Firewall



Use the most secure file system – NTFS



Delete or secure old setup files



Audit connection to SQL Server

Specific SAP Hardening

For specific considerations for SAP applications (Basis level 4.6B and higher), refer to SAP Note

#165485 (“R/3 Security under Windows NT”). In addition:



On servers without transport directory, you can restrict the directories \usr and \usr\sap to the

local administrators: Administrators(Full Control).



On the transport server, generate a further local group "SAP_LocalAdmin". Insert the

SAP_<SID>_GlobalAdmin groups of all SIDs involved in the transport into this group.



Assign the following authorizations to the directories \usr, \usr\sap and \usr\sap\trans:

Administrators(Full Control) SAP_LocalAdmin(Full Control).



The shares "SAPLOC" and "SAPMNT" can also be provided with this authorization list.



Change password on default Users SAP*, DDIC… Client 000 and 066

(48)

Anti-Virus Considerations

Even further protection beyond locking down ports and services, segmenting the SAP servers onto a

separate network, etc. is the protection via anti-virus software. Most Microsoft customers running SAP

on Windows Server have used anti-virus software with shield activated without experiencing

performance issues or problems and the following several best practices can be considered:



Exclude the database file(s)



Exclude SAP temporary files



Scan only incoming traffic or file on write operations



Do not activate self decontamination but warn SAP administrators immediately

Well known viruses can many times be detected and immediately removed without infection as

anti-virus vendors typically have provided the capability to quickly scan a system and update all definition

files immediately in case of critical news of widespread attack. Critical viruses are, on average, typically

only “unknown” for 24 hours. Another option can also include implementation of an anti-virus gateway.

SAP Workstation Hardening

Even if an SAP client is secured through SAP security administration, a workstation (host) could be

compromised through operating system, network, and other application vulnerabilities. As a result, it

may not be able to run applications, it could be used as a “zombie” to run attacks and it could be used

by an attacker to steal data, including usernames and passwords.

Protection of workstations includes the following considerations:



Security Configuration



OS, Application, Browser, E-mail, etc.



Security Patches



Service Packs



Host firewall



Scanning, Analyzing, Remediation



Deployment strategy



Antivirus Software

In addition, evaluate the latest security enhancements in relation to Windows XP SP2:



Windows Firewall



Internet Explorer Security Enhancements



Outlook Express Security Enhancements



OS Security Enhancements

o

Core services reviewed and rewritten

o

Memory protection



Review SAP Notes #66971 and 738927 about Windows XP SP2



Identify, Assess, Test and Deploy latest security patches



Deploy baseline security on new machines

Specifically, the firewall provided with Windows XP SP2 is on by default for all network interfaces,

provides boot-time security and global and per-interface configurations, has an exceptions list (that can

(49)

Sap Hardening and Patch Management Guide for Windows Server

SAP Hardening and Patch Management Guide

for Windows Server

Microsoft Corporation

November 15, 2005

Table of Contents

1 Introduction

...

1

2 Hardening

...

5

2.1 What Is Hardening?

...

5

2.2 Multi-layered Hardening

...

6

2.3 Harding Implementation Steps

...

6

2.4 Implementation of Hardening

...

7

Network Hardening

...

7

Server Hardening

...

23

Implement Other Hardening

...

42

2.5 Other Hardening Information

...

45

2.6 Operation Checks

...

46

2.7 Final Security Check

...

48

2.8 Other Methods for Checking Hardening Implementation

...

48

3 Patch Management

...

49

3.1 What Is Patch Management?

...

49

3.2 Collecting Information

...

50

Collecting Information about Security Vulnerability

...

50

3.3 Assessing Risks

...

51

Assessing the Consequences and Urgency of the Vulnerability

...

53

What is a Vulnerability Assessment Matrix?

...

53

Organizing the Information about Security Vulnerability

...

54

Assessing the Pros and Cons of the Risk

...

55

Determining the Degree of Urgency

...

55

Devising a Plan for Responding to the Vulnerability

...

60

Verifying Behavior in the Test Environment

...