S 4.269 Secure configuration of the SAP system database
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
The database used by an SAP system for storage contains all information available in an SAP system. The SAP system and the database communicate using SQL queries transmitted using the local network, provided that the database and the SAP system components are not installed on the same computer. For this reason, the database must be protected as well as possible. The following must be taken into account for these interfaces:
- The installation of an SAP system and its database on a single computer generally only makes sense for small companies and government agencies. In larger organisations, they should be installed on separate computers, because it is possible to configure the database computer separately to best meet the load and performance requirements in this case.
- No database administrator should be allowed to access the tables of the SAP system. The database authorisations must be checked and modified accordingly. In doing so, it must be taken into consideration that there is usually always one database administrator that has full access to all databases in the organisation, and therefore has full access to the tables.
- The database may only be accessed by the SAP system itself. In particular, this has the following consequences:
- Requests from other systems or clients to connect directly to the database must be blocked by a firewall.
- The database should be used exclusively by the SAP system. No other applications may be permitted to create their own tables in the database. In particular, there must not be any database links from the database or the tables of the SAP system to other databases.
- No other services or applications are permitted to run on the database computer used by the SAP system. Exceptions to this rule include the tools used to monitor the operating system. If such tools are used, it must be ensured that attempts to establish a connection are authenticated and that only certain computers (administration server, administrator client) are allowed to attempt to establish a connection.
- The database account used by the SAP system must be assigned a secure password.
- The database product used must be configured securely.
- Unneeded functions and services are to be disabled.
This applies especially to HTTP-based access interfaces such as application servers offering access to the databases through a web interface. In general, administrative capabilities are also offered through such interfaces. - Standard users must be deactivated or deleted, provided that they are not needed for administrative purposes.
- The passwords of all standard users must be changed, even if the corresponding accounts have been deactivated.
- Unneeded functions and services are to be disabled.
Depending on the operational scenario, it may be necessary to implement additional safeguards. The list must therefore be expanded accordingly.
It is recommended to implement the recommendations provided by SAP for securing the database. Details on these recommendations can be found in S 2.346 Use of the SAP documentation.
Review questions:
- Have the database authorisations been configured in such a way that no database administrator may access the tables of the SAP system?
- Is the database of the SAP system protected against direct access by third parties using a firewall?
- Has it been ensured that the database is used exclusively by the SAP system?
- Is the database account used by the SAP system equipped with a secure access control mechanism?
- Has the database of the SAP system been configured securely?