S 4.256 Secure installation of SAP systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
The aspects described in the following must be taken into consideration for the installation of an SAP system, because the main factors relating to the security of the system are already configured during the installation phase.
Securing the operating systems used
The components of an SAP system are installed as programs on an IT system and are executed in the form of processes. This means the security of the operating system used is also important to the security of the SAP system (see also S 4.257 Protection of the SAP installation directory on operating system level). The modules of the IT-Grundschutz Catalogues relevant to the IT systems used must therefore be included and used in the modelling process. In addition, the IT systems should be hardened so that unneeded services and programs are disabled or, preferably, uninstalled.
References to additional information can be found in S 2.346 Use of the SAP documentation.
Only install the components needed
An SAP system may consist of numerous components of many different kinds. Unused components of any kind pose security risks, since they are often forgotten and their default configurations are left unmodified.
For an SAP system, it is particularly important to decide whether just one or both stacks will be needed, provided that the version of the system used supports separate installation of the stacks. If this is not the case, the unneeded stack must be secured in such a way that its functions cannot be used without authorisation.
Selection of secure passwords
During installation, it is already necessary to enter important authentication data. For example, this includes passwords for the technical users used by the SAP system components (e.g. the components implementing the connection between the Java stack and the ABAP stack) for authentication purposes when establishing internal communication connections.
It must be ensured that secure passwords are selected for these users. The passwords should be selected based on the internal password policies. A new password should be entered even if the installation routine assigns a default password.
Within the framework of the risk analysis for the SAP system, it must be considered that the administrator who installs the SAP system and defines the passwords has the ability to undermine the security mechanisms of the SAP system this way. The technical users the administrator specifies passwords for generally possess high privileges. For this reason, the passwords must be changed after installation by trustworthy administrators. Alternatively, the password can be entered according to the two-person rule, with each of the two administrators entering one half of the password. This applies especially to outsourcing scenarios.
In terms of the length of the password, it must be noted that the ABAP stack and the Java stack have different restrictions: Passwords for the ABAP stack may consist of a maximum of 8 characters. These passwords are not case-sensitive. These restrictions do not apply to the Java stack, though. When specifying the password, it is therefore necessary to know if the corresponding technical user will be created in the ABAP stack or in the Java stack.
The passwords specified must be documented and stored securely according to the requirements of the currently valid password policy. Information on selecting passwords can also be found in S 2.11 Provisions governing the use of passwords.
Securing installation sources
As a rule, SAP systems are not installed directly from a CD or DVD. Instead, a directory structure created locally or in the network is used to provide the data needed for the installation. The data on the CD or DVD media is then copied to this directory structure. It is recommended not to store the data locally on the computer on which the SAP system will be installed, but on a separate computer instead. The data can then be accessed using the network. In large government agencies and companies, this directory may be used to install additional SAP systems. If the systems are not installed in a separate and isolated network segment, it makes sense to disconnect the installation host from the network when it is not needed.
It is recommended to secure access to the installation sources using the resources provided by the operating system so that only authorised administrators are able to access them. Unauthorised users must not have any write privileges to the installation sources in particular, so that the data on the installation sources cannot be changed.
If the installation sources are stored locally on the computers of the SAP system, it is recommended to delete these sources after completing installation.
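One way to check the access restrictions described above on a Unix-like installation host, given as an added example that is not part of the original safeguard: it flags entries in the installation source tree that are not owned by an authorised administrator or are accessible to all users, and records SHA-256 checksums so that later changes to the sources can be detected. The function names, the sample file name and the use of numeric user IDs to identify administrators are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # media files are large
            h.update(chunk)
    return h.hexdigest()

def audit_sources(root, admin_uids):
    """Return (findings, manifest) for the installation source tree at root."""
    findings, manifest = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            rel = os.path.relpath(path, root)
            if st.st_uid not in admin_uids:
                findings.append((rel, "owner is not an authorised administrator"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "writable by all users"))
            elif st.st_mode & (stat.S_IROTH | stat.S_IXOTH):
                findings.append((rel, "accessible to all users"))
            if stat.S_ISREG(st.st_mode):
                manifest[rel] = sha256_file(path)
    return findings, manifest

def changed_files(baseline, current):
    # Paths added, removed or modified relative to the baseline manifest.
    return sorted(p for p in baseline.keys() | current.keys() if baseline.get(p) != current.get(p))

def demo():
    # Constructed sample tree; the file name is a placeholder, not real SAP media.
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o700)
        pkg = os.path.join(root, "installer.bin")
        with open(pkg, "wb") as fh:
            fh.write(b"constructed installer payload")
        os.chmod(pkg, 0o600)
        admins = {os.getuid()}  # assumption: current user is the authorised admin
        clean, baseline = audit_sources(root, admins)
        os.chmod(pkg, 0o666)          # misconfiguration: everyone may write
        with open(pkg, "ab") as fh:
            fh.write(b"!")            # simulated unauthorised modification
        dirty, current = audit_sources(root, admins)
        return clean, dirty, changed_files(baseline, current)

if __name__ == "__main__":
    print(demo())
```

The baseline manifest is only useful if it is kept somewhere the installation host cannot write to, for example with the system documentation.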
Implementing the SAP notes for the installation
The installation instructions for an SAP system generally contain a number of references to SAP notes, and these notes contain important information for smooth installation or for troubleshooting problems during installation. In general, the SAP notes referenced in the documentation themselves refer to other SAP notes, which means that a significant amount of information may accumulate. The notes must be obtained in advance before installation. In general, it is enough to initially read the notes specified in the installation documentation and then perform one further iteration step. In many cases, the references explicitly state whether the information must be read in all cases or only needs to be read under certain conditions. It is strongly recommended to actually read all relevant information, since it is easy to install the system incorrectly otherwise.
It is possible for sub-functions of an SAP system to operate incorrectly, especially in cases where the installation has been completed but errors have occurred during installation. This may also affect the security of the system and so a complete installation without errors should always be aimed for. Error messages can only be ignored when this is stated explicitly in the installation instructions or in an SAP note.
SAP notes can be obtained from the SAP Service Marketplace (see S 2.265 Proper use of digital signatures in archiving). It is recommended to print out the SAP notes and attach them to the system documentation after having read them.
Taking the most recent SAP security guidelines into account
Security guidelines are becoming available for more and more of the products offered by SAP. Although the quality of the security recommendations differs, it still makes sense to use the guidelines for the SAP components to be installed. The security guidelines are updated regularly, which means it is a good idea to take newer guidelines available for the systems already installed into account as well.
The security guidelines are primarily available for the latest versions of the systems and products. However, it is still a good idea for the operators of older R/3 systems to use the security guidelines available for later product versions, since many recommendations can be applied directly to R/3 systems or require only slight modifications.
The SAP security guidelines currently available can be obtained from the SAP Service Marketplace (see S 2.346 Use of the SAP documentation).
Secure installation and configuration of the database
The database used by the SAP system to persistently store all information is a critical component that absolutely must be protected against unauthorised access. Along with the general aspects for secure database installations, safeguard S 4.269 Secure configuration of the SAP system database also provides a summary of specific recommendations for secure database installations. Database security is also addressed in module S 5.7 Databases.
Secure installation and configuration of the SAP system landscape
The SAP and non-SAP components affected (e.g. firewalls) must be installed and configured according to the system landscape plan (see S 2.341 Planning the use of SAP).
Review questions:
- Are the IT systems hardened when installing the SAP system, i.e. are unneeded services and programs disabled and/or uninstalled?
- Is a stack that may not be needed protected against unauthorised use when installing the SAP system?
- Is the password selection during SAP installation based on the internal password policies?
- Are new passwords configured when installing the SAP system even if the installation routine already assigns a password?
- Are the passwords assigned during SAP installation changed by trustworthy administrators?
- Are the sources of information of SAP protected in such a way that only authorised administrators may use them?
- Are the installation notes for SAP installation taken into consideration prior to and during the installation?
- Are the affected SAP and non-SAP components installed and configured securely in accordance with the plan?