DEFENSE IN DEPTH - Layer Seven Security

More documents

Recommendations

Info

DEFENSE IN DEPTH AN INTEGRATED STRATEGY FOR SAP SECURITY 10Client SecurityThe fourth component of an integrated SAP security strategy isclient-level security. Clients are oſten a target for attack since theycan provide an unguarded corridor to SAP applications andplatforms. There are two primary clients supporting a variety ofuser interfaces. The first is SAP GUI. The desktop variant of SAPGUI is a thick client installed on Windows, Apple or UNIX workstations.It is the most widely used method of accessing SAP applicationservers and is the rendering engine for the desktop version ofthe recently introduced NetWeaver Business Client (NWBC).There are several precautions required for the secure use of SAPGUI. This includes disabling the scripting API which can be abusedto execute transactions and processes in the background. Anotherreason for disabling scripting is that scripts oſten storeunencrypted logon data in local files. Credentials can be read andused by attackers if a workstation is compromised. Automaticsecurity warnings should be enabled for users that require the useof SAP GUI scripting. This will alert users when a script is executed.Security rules should be configured to prevent the ability ofattackers to exploit SAP shortcut commands. Similar to scripting,such commands can enable attackers to interact with SAP serverswithout the knowledge of the user.Input history should be disabled. Although SAP GUI does not storedata entered in password fields, it can be configured to store datakeyed by users in other fields. This may include sensitive customer,financial or other information. The data is stored in local Accessdatabases.The communication path between SAP GUI and application serversis not encrypted by default. Therefore, data transfers betweenclients and servers are in clear text. SNC (Secure NetworkCommunication) should be used to secure the path. This is asoſtware component that applies symmetric encryption algorithmsfor DIAG and RFC protocols through the GSS-API V2 interface toexternal security products. SAP Note 1643878 provides instructionsfor enabling SNC in SAP GUI 7.20, Patch Level 7 and higher.Earlier versions of SAP GUI are vulnerable to buffer overflowexploits that can lead to the injection of malicious code designed tocorrupt SAP programs and processes. Solutions include eitherapplying the relevant patches released by SAP or upgrading SAPGUI to the latest available version. Program files in SAP GUI 7.20and higher are digitally signed by SAP. This protects sensitive filesagainst unauthorized modification.Later versions of SAP GUI also feature a security module toprotect the local environments of users. The module leveragesrules to control potentially dangerous or malicious actionstriggered by back-end systems related to specific files, extensions,directories, registry keys and values, ActiveX controls andcommand lines. Rules should be configured and applied centrallybut can vary by user or system groups. They can also be contextdependant.The rules are employed when the module is configuredin 'Customized' mode and are applied in sequential order. Therefore,higher order rules take precedence over lower rules. Thedefault response for actions not defined in the rules should be setto 'Ask' or 'Deny' rather than 'Allow'SAP GUI for HTML provides a thin alternative to thick desktopclients. This provides a browser-based platform for SAP access.Browsers also support the presentation layer for NWBC for HTML,the CRM WebClient UI and Java applications such as the EnterprisePortal. Supported browsers include specific versions of IE, Firefox,Safari and Chrome. However, certain browsers are not supportedby some SAP applications.Since browsers provide varying levels of protection, the ability toaccess SAP resources should be restricted to specific types. Thiscan be performed by deploying standardized desktop images thatinclude only approved browsers, supported by group policy rulesthat restrict end user privileges to install executable programs.Controls can also be implemented at the SAP level. For example,4LAYER SEVEN SECURITY © 2013
DEFENSE IN DEPTH AN INTEGRATED STRATEGY FOR SAP SECURITY 11the Enterprise Portal can support browser-checking to block connectionattempts from unsupported browsers.Microsoſt Internet Explorer offers the greatest protection for SAPaccess. The ability to configure trusted zones provides a seamlessuser experience while safeguarding against malicious applets, scriptsand downloadable content from untrusted sites. The use of Firefoxshould be avoided, wherever possible. Weaknesses in the existingarchitecture of the browser can enable vulnerabilities in add-ons to goundetected by anti-virus solutions.Web browser security should be supported with Web content filtering,anti-virus and anti-spyware, two-factor authentication for remoteaccess, as well as regular patching of browsers and operatingsystems. Personal firewalls can be enabled for added protection,including stateful inspection firewalls available in some Windowsoperating systems. However, firewall rules should be thoroughlytested to ensure they do not inadvertently block access to SAP andother business applications. Operating systems should be hardened inline with security recommendations issued by vendors or in accordancewith generally-accepted configuration benchmarks. ForWindows systems, hardening should include enabling file protection,strong password policies, account lockouts, roles-based access basedon least privilege, and disabling services such as FTP, Messenger,Remote Desktop Sharing and Telnet.LAYER SEVEN SECURITYLayer Seven Security specialize in SAP security. The companyserves customers worldwide to protect SAP systems againstinternal and external threats and comply with industry andstatutory reporting requirements. It fuses technical expertise withbusiness acumen to deliver unparalleled implementation,consulting & audit services targeted at managing risks in contemporarySAP systems.Layer Seven Security employs a distinctive approach to SAP riskmanagement that examines and manages vulnerabilities at theplatform, application, program and client level. Through partnershipswith leading soſtware developers, the company is able todevelop SAP systems with defense in depth and performintegrated security assessments that improve the quality andlower the cost of SAP audits. Layer Seven Security leverageleading SAP-certified solutions to provide comprehensive andrapid results covering risks in every component of SAPlandscapes.www.layersevensecurity.comBasic authentication should be avoided for HTTP connections since itdoes not sufficiently protect user credentials during transport betweenclients and SAP servers. Also, it is susceptible to phishing attackssince servers are not authenticated. Phishing involves the redirectionof users to malicious servers with logon screens that appear identicalto those of legitimate SAP servers. User credentials entered intomalicious servers can be used to compromise SAP systems. As aresult, SAP strongly recommends the use of SSL/ HTTPS to securebasic authentication. This encrypts client-server communication andauthenticates SAP servers. SSL requires the configuration of digitalcertificates which can be obtained from SAP Trust Center Services.SSL also protects SAP logon tickets used for single sign-on. Theseare authentication tickets stored as non-persistent cookies inbrowsers. However, this does not include safeguards againstcross-site scripting attacks that attempt to read cookies through theexecution of client-side scripts. This requires alternativecounter-measures including the configuration of cookies asHTTP-only. The parameter setting ume.logon.httponlycookie=true willprevent malicious attempts to read SAP logon tickets.LAYER SEVEN SECURITY © 2013
Page 3 and 4: DEFENSE IN DEPTH AN INTEGRATED STRA

DEFENSE IN DEPTH - Layer Seven Security

Create successful ePaper yourself

Delete template?

Save as template?