Category: Security validation

S4HANA security parameter baseline changes

If you convert your ECC system to S4HANA or upgrade a S4HANA system to a higher version, you should check the security parameters. A lot of parameters have a different recommendation in S4HANA.

Questions that are answered in this blog are:

  • Where can I find information on security parameter changes after S4HANA conversion or upgrade?
  • How can I check if the changed security parameter are properly implemented in my S4HANA system?

Security parameter changes S4HANA

OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM is the master note. This note contains an important excel attachment that is listing all the changes and recommendations per S4HANA target version.

This note is also referring to OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM, in which more details are explained on the background.

Checking implementation of security parameter changes in the system itself

After your upgrade to S4HANA, you can run program RSPFRECOMMENDED to check how well the security parameters are implemented:

Checking RFC security settings

RFC security is a cumbersome job. There are programs to help speed up the security checks for RFC connections.

Questions that will be answered in this blog:

  • How to quickly check all the RFC’s in my system?
  • How to quickly check the trusted RFC’s in my system?

Hacking using RFC connections

RFC callback hacking: read this blog.

RFC jump hacking: read this blog.

Check RFC connections

Program RSRFCCHK (which also has the same transaction code RSRFCCHK) can quickly scan all your RFC’s. In the selection screen, please make sure to select the 2 extra boxes for “Also check RFC destinations without explicit password” and the “Select destinations without target system too”:

The connection test is optional. But if the RFC is not working, then you might consider it old and no longer needed. In this case you can perform the clean up by deleting the RFC.

The output of the report RSRFCCHK, you can use to look for:

  • RFC’s with personal user ID
  • Cross system layer RFC’s (from production to development, or from development to production)
  • Trusted connections where you don’t expect them
  • Old destinations no longer in use
As a best practice at least yearly check on every system the RFC's that are setup there. Read this blog on how easy it is to use wrongly configured RFC's to hack a system.

OSS notes: 3283474 – Adjustment of authorization for program RSRFCCHK.

Check trusted connections

To check trusted connections run program RS_SECURITY_TRUST_RELATIONS. Output example:

The red lights should be investigated and fixed.

More on setting up trusted RFC’s is written in this blog.

SAP standard on RFC security

OSS note 2008727 – Securing Remote Function Calls (RFC) contains a very extensive PDF explaining all ins and outs on RFC security.

Security OSS notes via System Recommendations

This blog will explain how you can optimize your process of security notes via System Recommendations.

Questions that will be answered are:

  • What is the System Recommendations tool?
  • How do I set up the System Recommendations tool?
  • How do I deal with the results of the System Recommendations tool?
  • Where to find even more information on the System Recommendations tool?

What is the System Recommendations tool?

System Recommendations is a tool that runs in SAP solution manager. It weekly check SAP for new security notes and compares it with your own system. New notes will be alerted as new in the System Recommendations list. Notes you have applied will be removed from the list.

This automated procedure save you a lot of time checking for and follow up on security notes.

Alternative in SAP Focused Run

SAP Focused Run has a superior alternative for checking security notes with it’s Configuration and Security validation tool. Read more in this blog.

Setting up System Recommendations

If solution manager is properly setup, system recommendations is already enabled.

To verify if the system recommendations job is running start transaction SOLMAN_SETUP and select Mandatory Configuration and then Basic Configuration. Then select in the roadmap on top step number 2 and look for the system recommendations job, which will typically run every week:

System recommendations job

Adding a system to System Recommendations

In SOLMAN_SETUP goto the managed system configuration of the system you want to add to system recommendations.

Select the full configuration for the system. On the roadmap select step 5: Enter System Parameters. On the screen below tick the box for Enable System Recommendations:

Managed system configuration Step5 landscape parameters

Now the system is added you need to wait until the weekly job runs.

System recommendations result

In solution manager goto the System Recommendations tile:

Fiori tile for system recommendations

Upon clicking you get the list of systems and OSS notes per category:

System recommendations overview

Now you can zoom in for example on the security notes:

Security notes

Per OSS note you can keep track of the status:

System recommendations status change

Dealing with the list

Some notes you can implement via SNOTE automatically. After they are implemented (normally via transport import if you run System Recommendations against productive system) they will be gone with the next run of system recommendations.

Some notes depend on kernel patch: also here, you can mark the status as to-be-implemented and wait for the actual implementation of the kernel patch.

Some notes might be non-relevant: you can mark them and they will no longer show in the open list of security notes.

DB and OS versions

The security notes will pickup all the database and OS versions for security notes, even if you don’t run them. To reduce the list goto transaction SM30 and maintain the content of table AGSSR_OSDB:

Table AGSSR_OSDB

Flag the unused Databases and OS to Inactive and they will be filtered away next run.

More features

System recommendations function has more features. If you want to read all of them, please read the SAP full document. You need to use transaction SM30_DNOC_USERCFG_SR to configure these settings. 

OSS note backbone settings

If you have issues updating most recent notes, or anything at all, please check in transaction SM30_DNOC_USERCFG_SR. Make sure there is no entry there for SYSREC_RFC_CALL. If it is there delete it. This is due to the SAP technical backbone change.

More background information

More background information can be found at the SAP pages on system recommendations and in SAP oss note 2554633 – System Recommendations configuration guide for SAP Solution Manager 7.2.

Bug fix OSS notes

Please check these notes for potential bug fixes:

Security Optimization Service

In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.

Questions that will be answered in this blog are:

  • How to run the Security Optimization Service?
  • How does the questionnaire work?
  • How does a sample result look like?

How to run Security Optimization Service

In solution manager 7.2 go to the tile Active Sessions for Service Delivery:

Service delivery Sessions

You now arrive in the sessions overview screen:

Sessions overview

If you are first time using: hit the button Content Update to fetch the latest content from SAP. When done, you are ready to run.

Select the button create to make a new service. From the list choose the option SAP Security Optimization:

New security optimization service

There might be multiple. In that case select this one (the others won’t work):

Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:

Select system

Finish the roadmap. After the final step the detailed roadmap will appear:

Security optimization session roadmap

In the first step select the logon and test the connection:

Select system logon

In the next step you need to assign a questionnaire:

Create and assign questionaire

If you run the SOS before you can re-use or change the template. The first time you need to create the questionnaire:

Questionaire maintenance

In the questionnaire you can maintain whitelist. In the example above user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.

More background information on the questionnaire and the impact can be found in OSS note 2036188 - How questionnaire influences results of Security Optimization Service.

Save the questionnaire and return to the roadmap.

Next step is to start the data collection:

Data collection

If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Pending on your system size and speed the run will take between 5 and 60 minutes. If the run is finished select the run and complete the roadmap.

The SOS session is now scheduled.

Authorizations

You need authorizations in the backend system for ST14. If that is missing you get this message:

This refers to OSS note 696478 – SAP Security Optimization: Preparation, additions.

Results

Usually the run is done overnight and you can fetch the results next day. Go to the active services tile, select your run and go to the column Documents. Click on the document to get the results.

Example of an SOS report can be found at this URL.

Follow up

If you find issues: solve them and rerun the report.

If you find many users with too many rights: start to revoke the rights and rerun the report.

If you find basis and authorization staff in the list with rights they should have, add their user ID’s to the corresponding section in the questionnaire, and rerun the report.

In general it will take a few runs to come to a more cleaned up system.

Referring OSS notes

Relevant OSS notes: