Microsoft Corporation
November 15, 2005
Summary
This whitepaper introduces security measures for SAP systems running on Windows Server. Two
security measures are described: hardening and patch management. These security measures can
help enhance security within your Windows Server-based SAP environment.
The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be
interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication.
This Whitepaper is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording, or
otherwise) or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may own patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in a written license agreement from Microsoft, the furnishing of
this document does not assign any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, SQL Server, Windows, Windows Server, and the Windows logo are
either registered trademarks or trademarks of Microsoft Corporation in the U.S.A.
and/or other countries.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
Table of Contents
1 Introduction
2 Hardening
2.1 What Is Hardening?
2.2 Multi-layered Hardening
2.3 Hardening Implementation Steps
2.4 Implementation of Hardening
    Network Hardening
    Server Hardening
    Implement Other Hardening
2.5 Other Hardening Information
2.6 Operation Checks
2.7 Final Security Check
2.8 Other Methods for Checking Hardening Implementation
3 Patch Management
3.1 What Is Patch Management?
3.2 Collecting Information
    Collecting Information about Security Vulnerability
3.3 Assessing Risks
    Assessing the Consequences and Urgency of the Vulnerability
    What is a Vulnerability Assessment Matrix?
    Organizing the Information about Security Vulnerability
    Assessing the Pros and Cons of the Risk
    Determining the Degree of Urgency
    Devising a Plan for Responding to the Vulnerability
3.4 Applying Security Update Program
    Points to Consider When Applying Security Patches
    Testing the Security Update Program before Application
    Testing the Application in a Test Environment
    Updating via Management Tools
3.5 Monitoring the Results
    Verifying Behavior in the Test Environment
    Confirming the Steps for Roll-Back in the Test Environment
    Confirming that the Necessary Programs have been Applied
Appendix: Report on Hardening Verification
1.1 Verification Scenarios
1.2 Contents of Verifications
1.3 Verification Results
1.4 Network Hardening Settings
    Network Hardening in SAP R/3 Enterprise
    Network Hardening in SAP ITS
    Network Hardening in SAP Enterprise Portal
1.5 Service and Other Hardening Settings
    Service Hardening Using Templates
    Reconfigurations Made After the Application of Security Templates
Note:
Hardening and patch management are complementary procedures, and implementing one without the
other will be insufficient. Hardening helps protect a system from known attacks (such as computer
viruses), but may not be able to handle unfamiliar attack methods. To minimize this possibility, risk
assessment (as part of patch management) should be implemented.
Among the security measures illustrated in Figure 1, "Building a Secure System (Multi-layer Defense)"
and "Patch Management" can be effective technical measures if implemented properly.
[Figure 1: Building a Secure System (Multi-layer Defense). Layers shown: Policy implementation; Equipment security; Boundaries; Internal network; Host; Application; Enhancing applications, virus protection.]
It is also important to note that such security measures must be considered on every SAP system in
your environment (regardless of the type of operating system or database used) as no platform is
completely secure.
1. What is Hardening?
2. Multi-layered Hardening
3. Implementation of Hardening
4. Final Security Check
5. Summary
Hardening Defined…
Definition: Configuring SAP systems with only the minimum platform functions that
are necessary for operating the system.
Hardening should be implemented in stages. For example, take one item (such as network or service)
at a time, check the behavior, then move on to the next item.
Assure there is a means for rollback or a backup of the system configuration (*1)
Operation checks
*1 Use ASR backup of Windows Server 2003 or a third party image backup tool.
*2 Use Microsoft Baseline Security Analyzer or other tools.
Before implementing high-quality hardening, some preparation is required. Some important preparation
tasks are: clarifying the required security level, checking the specifications of your system, determining
what might need hardening, estimating the cost and the effect of the hardening, and determining what
to harden.
Network Hardening
Network hardening on an SAP system means implementing packet filtering to block unnecessary
communications. The goal is to make attacks more difficult by blocking communication that the SAP
system does not need.
Reason: SAP systems only use specific ports, which can be easily identified.
The ports are further limited when the functions of the SAP J2EE engine are suspended.
Reason: The ports used by SAP systems are ones that are typically less apt to be
attacked by computer viruses.
The ports are also customizable.
As a first step, determine which servers are critical to deliver SAP services (which servers might be a
single point of failure from a network hardening perspective?).
SAP Central Instance
SAP Database Instance
Other non-redundant servers
Such a determination reduces the time needed to install the applicable security patches on servers where
patching could lead to downtime, which matters from an availability standpoint. Port and service limits
are therefore implemented on these specific SAP application and database servers (also effective with
SAP Router), while other servers may not need such strict limitations.
Overall, separate the SAP servers that are potential single points of failure (CI, DB, etc.) from the others,
creating an "SAP server segment" via firewall, router, etc. Other SAP-related servers that are "redundant"
(e.g. SAP dialog instances, ITS AGate/WGate, etc.) are kept separate so that security patches can be
applied to them one by one.
Packet filtering should be considered to block all unnecessary network traffic on ports to SAP systems
(as well as to any 3rd party tools), and IPSec script policies should be leveraged for this.
Execute IPSec policy scripts on each Windows Server; in addition, hardware-based packet filtering to lock
down specific ports can be done via a firewall, router, or layer 3 switch between network subnets. (See
SAP Note #66687 ("Use of Network Security Products") concerning SAP certification requirements for
some 3rd party network security tools.)
Note that Microsoft ISA Server 2004 can provide advanced firewall protection and includes the
following:
One machine can act as both Firewall and SAP Router
Application layer filtering
Can decrypt HTTPS, inspect content and redeliver it internally
Pre-authentication, form based
Attachment control
By applying the IPSec script policy to your server, you can confine the communication pathway and
restrict the TCP and UDP ports used for the communication. For how to use IPSec, refer to:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod111.asp
Example: Create the sample code as a batch file and execute it on SAP R/3 Enterprise server.
Note:
• The port numbers are customizable.
• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00).
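As an added example (not the whitepaper's own sample batch file, which is not reproduced on this page), the following "netsh ipsec static" script for Windows Server 2003 builds the kind of filter set described for an SAP R/3 Enterprise server: block all traffic to this host by default, then grant SAP GUI on TCP 32<NN>, the database connection on TCP 1433 and domain controller traffic. The IP addresses, the policy and filter names, the instance number and the backup file location are assumptions; the "Yes" column of the filter tables in the appendix is taken to be the IPSec Mirrored flag.

```batch
@echo off
REM Added example (not the whitepaper's script): IPSec packet filters for the
REM SAP R/3 Enterprise server. Block everything by default, then grant only
REM SAP GUI (TCP 32<NN>), SQL Server (TCP 1433) and domain controller traffic.
REM Addresses and <NN> below are placeholders; adjust them for your system.
setlocal

set NN=00
set SQLSERVER=192.0.2.20
set DC=192.0.2.10
set POLICY=SAP R3 Enterprise Hardening
set BACKUP=%SystemRoot%\ipsec_before_hardening.ipsec

REM 1. Export the current policy store first so the change can be rolled back.
netsh ipsec static exportpolicy file="%BACKUP%"

REM 2. Filter actions: the two verbs used in the filter tables (Block / Grant).
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Grant" action=permit

REM 3. Filter lists. "me" is this computer, "any" is any address; mirrored=yes
REM    also matches the reply traffic (the "Yes" column of the filter tables).
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes description="All blocked by default"

netsh ipsec static add filterlist name="SAP DIALOG Server"
netsh ipsec static add filter filterlist="SAP DIALOG Server" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=32%NN% mirrored=yes description="Communication from SAP GUI"

netsh ipsec static add filterlist name="SQL Server (for R/3) Client"
netsh ipsec static add filter filterlist="SQL Server (for R/3) Client" srcaddr=me dstaddr=%SQLSERVER% protocol=tcp srcport=0 dstport=1433 mirrored=yes description="Communication to SQL Server (for R/3)"

netsh ipsec static add filterlist name="Domain Member"
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr=%DC% protocol=any mirrored=yes description="Communication to Domain Controller"

REM 4. Policy and rules. IPSec applies the most specific matching filter, so the
REM    port- and host-specific Grant rules take precedence over the Block rule.
netsh ipsec static add policy name="%POLICY%" description="Packet filters for SAP R/3 Enterprise"
netsh ipsec static add rule name="Block all" policy="%POLICY%" filterlist="All traffic" filteraction="Block"
netsh ipsec static add rule name="SAP GUI" policy="%POLICY%" filterlist="SAP DIALOG Server" filteraction="Grant"
netsh ipsec static add rule name="SQL Server" policy="%POLICY%" filterlist="SQL Server (for R/3) Client" filteraction="Grant"
netsh ipsec static add rule name="Domain" policy="%POLICY%" filterlist="Domain Member" filteraction="Grant"

REM 5. Assign (activate) the policy and show what is now in force.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose

REM Rollback, run by hand if the SAP system stops responding:
REM   netsh ipsec static set policy name="%POLICY%" assign=no
REM   netsh ipsec static importpolicy file="%BACKUP%"
endlocal
```

Run the script from a console session on the server itself, not over a network connection that the new policy would cut off, and perform the operation check (SAP GUI logon, database connectivity, domain logon) before leaving the policy assigned.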
13. The Packet Filters - R3 Properties dialog box is displayed (see Figure 10). Click the Rules tab.
14. Select an IP filter that you want to verify from the IP Security Rules section on the Rules tab, and
then click Edit.
18. When you finish verifying the IP filter, click Cancel to close the dialog box.
19. To verify the configuration of the filter action, select the Filter Action tab in the Edit Rule
Properties dialog box.
Server Hardening
An SAP system is exposed to unnecessary security risks when services that SAP does not need are running
or when services are configured insecurely. Administrators should therefore disable unnecessary services
and strengthen the security settings of the others, as far as the SAP services can still run without
issues. Much of this can be done efficiently by using the security templates provided by Microsoft.
Additional Information:
After applying Windows Server 2003 templates, you can make your SAP system more secure by
checking and changing the following configurations in accordance with the documents in Table 3.
- Confirm that every partition of the disk is formatted in NTFS.
- Confirm that a strong password is set for the Administrator account.
- Disable or delete unnecessary accounts.
- Make sure that the old security configurations are not changed when you upgrade your system
from previous versions.
- Configure the Administrator account.
- Delete all unnecessary file sharing.
- Specify an appropriate ACL for every necessary file sharing.
- Protect your Telnet server.
- Enable IIS logging.
- Unbind NetBIOS from TCP/IP.
- Remove OS/2 and POSIX subsystems.
- Disable the automatic generation of short file names (8.3 format).
- Disable the creation of LM hashes.
- Configure NTLMSSP security.
- Disable automatic execution.
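Several items in the checklist above are controlled by registry values. As an added example (not from the whitepaper), the following script applies those items on Windows Server 2003 with reg.exe after exporting the affected keys for rollback: disabling LM hash creation, configuring NTLMSSP security, disabling 8.3 short-name generation, and disabling automatic execution. The values are the standard Windows settings for each item, not SAP-specific numbers; the backup directory name is an assumption.

```batch
@echo off
REM Added example (not the whitepaper's code): registry-controlled items of the
REM server hardening checklist for Windows Server 2003, with a rollback export.
setlocal
set BACKUP=%SystemRoot%\hardening_reg_backup

if exist "%BACKUP%\lsa.reg" (
    echo A backup already exists in %BACKUP%. Move it aside before re-running.
    exit /b 1
)
mkdir "%BACKUP%" 2>nul

REM Export the keys that will be changed. "reg import <file>" restores them.
reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" "%BACKUP%\lsa.reg"
reg export "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" "%BACKUP%\filesystem.reg"
reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" "%BACKUP%\explorer.reg"

REM Disable the creation of LM hashes (the LM hash is far weaker than NTLM).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 1 /f

REM Configure NTLMSSP security: require message integrity (0x10), confidentiality
REM (0x20), NTLMv2 session security (0x80000) and 128-bit encryption (0x20000000)
REM for client and server, and send NTLMv2 responses only (LmCompatibilityLevel 5).
REM Test first: clients that cannot speak NTLMv2 will no longer authenticate.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v NtlmMinClientSec /t REG_DWORD /d 0x20080030 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v NtlmMinServerSec /t REG_DWORD /d 0x20080030 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f

REM Disable automatic generation of 8.3 short file names on NTFS volumes.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisable8dot3NameCreation /t REG_DWORD /d 1 /f

REM Disable automatic execution (AutoRun) for all drive types (bitmask 0xFF).
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

REM Operation check: print the values that are now in effect.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisable8dot3NameCreation
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
endlocal
```

The NoLMHash and 8.3 settings only affect passwords and files created after the change, so existing passwords should be reset and the server rebooted for the settings to take full effect; as with the templates, apply the items one at a time and re-run the operation check in between.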
Use the Microsoft Management Console to apply security templates. Before you apply a security template,
back up the current security policies using the administrative tool called "Local Security Policy."
5. The Export Policy To dialog box is displayed. In the File Name field, type the name of the file that
you want to export the policy to.
2. Type "mmc" in the Name field of the Select File To Run dialog box and click OK.
3. The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.
4. From the pull-down menu, select Add/Remove Snap-in.
5. The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.
6. In the Standalone tab, click Add.
7. The Add Standalone Snap-in dialog box is displayed. Select Security Configuration and
Analysis in the Available Standalone Snap-ins dialog box, and then click Add.
8. Click Close on the Add Standalone Snap-in dialog box.
9. Click OK on the Add/Remove Snap-in dialog box.
10. Security Configuration and Analysis is added under the Console Root on the Microsoft
Management Console.
11. Select then right-click the added Security Configuration and Analysis.
12. Select Open Database from the pop-up menu.
14. The Import Template dialog box is displayed. In the File Name field, select the security template
file (INF file) downloaded from the Internet, and then click Open. Select a security template file
appropriate for your server configuration.
15. On the Microsoft Management Console, select then right-click Security Configuration and Analysis.
16. Select Analyze Computer Now from the pop-up menu.
Note:
• We recommend that the procedure be carried out step by step.
• If you want to guard against the worst case, it is recommended that you perform a system backup
using Automatic System Recovery (ASR) or an image backup tool before applying a template.
Service hardening investigates Windows services that are unnecessary for the operation of the SAP
system and disables their Startup options in order to prevent any attacks through usage of these
unnecessary services.
There are three settings for Startup options: "Auto", "Manual", and "Disable." Set the option in
accordance with the criteria described in the table below.
Reason: SAP systems only use specific Windows services that can be easily
identified.
Reason: As long as you are willing to give up some functionality, many of the
services can be disabled and the SAP system will still function
adequately.
Note:
• This table shows Windows services installed during a standard installation. Clustering environments
may have different services.
• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such
as 00). For SAP R/3 Enterprise, there are two "SAP<SID>_<NN>" services - one is for central
instances and the other is for central service instances.
• SAP J2EE Engine (Dispatcher and Server), SDM, and IGS of SAP R/3 Enterprise are started by
central instance services.
• SAP J2EE Engine Server of SAP Enterprise Portal 6.0 is started by "SAP J2EE Engine Dispatcher"
service.
• When you disable services not listed in this table, check the intended purpose of those
services and test the change in the appropriate system environment.
Services not required for SQL Server (for SAP R/3 Enterprise)
- Alerter
- Application Layer Gateway Service
- Application Management
- ClipBook
- COM+ System Application
- DHCP Client
- Distributed File System
- Distributed Link Tracking Client
- Distributed Link Tracking Server
- Distributed Transaction Coordinator
- Error Reporting Service
- File Replication
- Help and Support
- HTTP SSL
- Human Interface Device Access
- IMAPI CD-Burning COM Service
- Indexing Service
- Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
- Intersite Messaging
- Kerberos Key Distribution Center
- License Logging
- Messenger
- Microsoft Search
- MSSQLServerADHelper
- NetMeeting Remote Desktop Sharing
- Network DDE
- Network DDE DSDM
- Portable Media Serial Number Service
- Print Spooler
- Remote Access Auto Connection Manager
- Remote Access Connection Manager
- Remote Desktop Help Session Manager
- Remote Procedure Call (RPC) Locator
- Resultant Set of Policy Provider
- Routing and Remote Access
- Secondary Logon
- Shell Hardware Detection
- Smart Card
- Special Administration Console Helper
- Task Scheduler
- Telephony
- Telnet
- Terminal Services Session Directory
- Themes
- Uninterruptible Power Supply
- Upload Manager
- Virtual Disk Service
- WebClient
- Windows Audio
- Windows Image Acquisition (WIA)
- WinHTTP Web Proxy Auto-Discovery Service
- Wireless Configuration
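Where a security template is not used, the Startup options can be set with sc.exe. As an added example (not from the whitepaper), the following script takes a constructed subset of the services listed above, records each service's current start type into a rollback script before touching it, and then stops the service and sets its Startup option to "Disable". The short service names given to sc.exe (Alerter, ClipSrv, Messenger, Spooler, TlntSvr, Schedule, Themes, WebClient) are the Windows Server 2003 key names for the corresponding display names; the rollback file location is an assumption.

```batch
@echo off
REM Added example (not the whitepaper's code): disable selected Windows services
REM that the table lists as not required, writing a rollback script first.
REM The list below is a constructed subset; extend it only after testing.
setlocal enabledelayedexpansion

set ROLLBACK=%SystemRoot%\service_rollback.cmd
echo @echo off> "%ROLLBACK%"

REM "sc qc" prints a line such as "START_TYPE : 2 AUTO_START"; the third
REM whitespace-delimited token is the numeric start type (2 auto, 3 manual,
REM 4 disabled), which is recorded so the old setting can be restored.
for %%S in (Alerter ClipSrv Messenger Spooler TlntSvr Schedule Themes WebClient) do (
    set START=
    set MODE=
    for /f "tokens=3" %%T in ('sc qc "%%S" ^| findstr /c:"START_TYPE"') do set START=%%T
    if "!START!"=="2" set MODE=auto
    if "!START!"=="3" set MODE=demand
    if "!START!"=="4" set MODE=disabled
    if "!MODE!"=="" (
        echo %%S: not installed or unexpected start type, skipping
    ) else (
        echo sc config "%%S" start= !MODE!>> "%ROLLBACK%"
        sc stop "%%S" >nul 2>&1
        sc config "%%S" start= disabled >nul
        echo %%S: was !MODE!, now disabled
    )
)
echo Rollback script written to %ROLLBACK%
endlocal
```

Running the generated rollback script restores the previous Startup options but does not start the services again; do that with "sc start" (or a reboot) as part of the rollback test, and check the SAP instance afterwards, since the table applies to a standard installation and clustered environments differ.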
When using IIS 6.0 however, such toolkit functionality is included with Windows Server 2003. Note that
usage of IIS 6.0 is only available for ITS starting with SAP ITS version 6.20 patch level 3 and IIS 6.0 on
Windows Server 2003 is not installed or setup by default. See SAP Note #585545 for information on
running SAP ITS on IIS 6.0.
Specifically, the firewall provided with Windows XP SP2 is on by default for all network interfaces,
provides boot-time security and global and per-interface configurations, has an exceptions list (that can
be disallowed), accounts for local subnet restrictions, supports multiple profiles and RPC, can be
configured via command-line and has better group policy management.
Summary
This chapter has explained how to implement hardening to improve your Windows Server-
based SAP systems.
Microsoft and SAP work closely during the release cycle for service packs, as Microsoft provides SAP with
all pending service packs prior to their release. SAP tests each service pack thoroughly before Microsoft
releases it, to ensure that installation will not disrupt a running SAP system. See SAP Note #663621
("Supporting Microsoft Hot Fixes with Windows Update") for more information on SAP support of service
packs.
Specific SAP support statements for Microsoft Windows Server service packs can be found at SAP
Note #30478 (“Support Packs on Windows”).
[Figure: patch management process flow. Labels recoverable from the figure: Assessing Risks (3.3); Security update programs need to be applied? (Yes/No); Monitoring the Result: check that the necessary update programs have all been applied; Have all update programs been applied? (Yes/No).]
For more information, see the Microsoft Security Response Center Security Bulletin Severity Rating
System (http://www.microsoft.com/technet/security/bulletin/rating.mspx).
This whitepaper uses four categories to describe the urgency of applying the security update program:
"Urgent application", "Applying during regular operation", "Applying with the service pack", and "No
application". Determine the appropriate emergency assessment category to suit your operation
depending on your system environment and security policies.
1. Urgent application
Apply within 1 month.
4. No application
OS, functionality, product not affected.
[Figure: decision flow for determining the degree of urgency. Labels recoverable from the figure: Start; Affected by the ... (label truncated) (YES/NO); Pros/Cons of the Risk (YES/NO); Maximum severity is "Critical" or "Important" (YES/NO).]
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
Determination: Urgent application. (After hardening is implemented, the degree of urgency will be lessened.)

Nature of the vulnerability: Buffer overrun in MDAC function could allow code execution (832483)
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
Determination: Apply during the regular course of operation. (After implementing hardening, the degree of urgency will be lessened.)

Characteristics: Important
This security update program can be uninstalled.
The WINS service is not installed by default.
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
Determination: Only needs to be applied to the WINS server. Application to the WINS server during regular operation. (After hardening is implemented, the degree of urgency will be lessened.)
For the details on applying security update programs, see the document listed below.
[Figure: planning the application of a security update program. Emergency? NO: Normal process: plan the steps for change and restoration; Testing required? YES: test the steps for change and restoration; Successful? NO: adjust before applying to the production environment; YES: Finish. Emergency? YES: Emergency process: plan the steps for rapid change and restoration; test quickly; Successful?; Finish.]
Test Steps
Test the security update program in a test environment before applying it to the
production environment.
Summary
This chapter described how to keep your Windows Server 2003-based SAP system
secure by implementing patch management.
Verification environments were constructed for three common SAP configuration patterns: SAP R/3
Enterprise, SAP ITS, and SAP Enterprise Portal.
Verification Scenarios
Verification environments were constructed for three common SAP configuration
patterns.
The versions of software systems used for the verification of these configurations are summarized
below.
Server | Platform | SAP software
SAP R/3 Enterprise | Windows Server 2003 | R/3 Enterprise 4.70 SR1 Ext.2.00, J2EE Engine 6.30 SP2 (JDK1.3.1_10)
RDBMS (for R/3) | Windows Server 2003, SQL Server 2000 (SP3 + Hotfix 844 + new collation) | -
SAP ITS - Agate | Windows Server 2003 | ITS 6.20 SP8
SAP ITS - Wgate | Windows Server 2003, IIS 6.0 | ITS 6.20 SP8
SAP Enterprise Portal | Windows Server 2003 | Enterprise Portal 6.0 SP2 Patch3 + hotfix 2, J2EE Engine 6.20 SP20 (JDK1.3.1_10)
RDBMS (for EP) | Windows Server 2003, SQL Server 2000 (SP3 + Hotfix 844 + new collation) | -
EP IISProxy | Windows Server 2003, IIS 6.0 | IIS Proxy 1.5.0.0
Note: The latest security update programs as of March 1, 2004 had been applied to the respective
versions of Windows Server 2003 and SQL Server 2000.
Two types of verification were conducted: "network hardening" (packet filtering using the IPSec script
policy) and "service and other hardening" (disabling and reconfiguring services using security
templates).
Contents of Verifications
Two types of verification were conducted.
For each verification scenario, configurations were set according to the verification contents and
confirmation was made that the SAP system ran without problems.
Verification notes:
• Hardening was carried out after the target system was disconnected from the network and all setup
procedures were completed.
• Tests were carried out on R/3 Enterprise, ITS, and Enterprise Portal in that order.
• For each scenario, single sign-on to an Active Directory was assumed.
Reasons
- "Single sign-on to an Active Directory" is expected to become a mainstream configuration in the future.
- Scenarios without single sign-on can be included.
• Network hardening was carried out after configuration/rollback scripts were prepared.
• A backup copy of the pre-hardening settings was taken whenever a security template was applied.
• For operation verification, hardening checks were made using SAP security checklists, MBSA, and
simple ping commands.
Packet filtering was implemented using the IPSec script policy in the environment shown below and as
summarized in Table 3 to Table 5.

Table 3
Filter | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored | Description
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SAP R/3 Enterprise | Any | Any | Any | SAP R/3 Enterprise | This computer | Grant | Yes | All communications from SAP R/3 Enterprise granted.
SQL Server (for R/3) | Any | Any | Any | SQL Server (for R/3) | This computer | Grant | Yes | All communications from SQL Server (for R/3) granted.
Other Domain Controller | Any | Any | Any | Other Domain Controller | This computer | Grant | Yes | All communications from other domain controllers granted.
ICMP | ICMP | Any | Any | This computer | SAP R/3 Enterprise | Grant | Yes | Communication to SAP R/3 Enterprise
ICMP | ICMP | Any | Any | This computer | SQL Server (for R/3) | Grant | Yes | Communication to SQL Server (for R/3)

Table 4
Filter | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored | Description
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SAP DIALOG Server | TCP | Any | 3200 | Any | This computer | Grant | Yes | Communication from SAP GUI
SQL Server (for R/3) Client | TCP | Any | 1433 | This computer | SQL Server (for R/3) | Grant | Yes | Communication to SQL Server (for R/3)
Domain Member | Any | Any | Any | This computer | Domain Controller | Grant | Yes | Communication to Domain Controller

Table 5
Filter | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored | Description
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SQL Server (for R/3) | TCP | Any | 1433 | SAP R/3 Enterprise | This computer | Grant | Yes | Communication from SAP R/3 Enterprise
Domain Member | Any | Any | Any | This computer | Domain Controller | Grant | Yes | Communication to Domain Controller
Packet filtering was implemented using the IPSec script policy in the environment shown below and as
summarized in Table 6 to Table 10.

Table 6
Filter | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored | Description
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SAP R/3 Enterprise | Any | Any | Any | SAP R/3 Enterprise | This computer | Grant | Yes | All communications from SAP R/3 Enterprise granted.
SQL Server (for R/3) | Any | Any | Any | SQL Server (for R/3) | This computer | Grant | Yes | All communications from SQL Server (for R/3) granted.
SAP ITS - Agate | Any | Any | Any | SAP ITS - Agate | This computer | Grant | Yes | All communications from SAP ITS - Agate granted.
ICMP | ICMP | Any | Any | This computer | SAP R/3 Enterprise | Grant | Yes | Communication to SAP R/3 Enterprise
ICMP | ICMP | Any | Any | This computer | SQL Server (for R/3) | Grant | Yes | Communication to SQL Server (for R/3)
ICMP | ICMP | Any | Any | This computer | SAP ITS - Agate | Grant | Yes | Communication to SAP ITS - Agate

Table 7
Filter | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored | Description
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SAP DIALOG Server | TCP | Any | 3200 | SAP ITS - Agate | This computer | Grant | Yes | Communication from SAP ITS - Agate
SAP RFC Server | TCP | Any | 3300 | SAP ITS - Agate | This computer | Grant | Yes | Communication from SAP RFC/BAPI program
HTTP Server | TCP | Any | 8000 | Any | This computer | Grant | Yes | Communication from Web browser
HTTPS Server | TCP | Any | 44300 | Any | This computer | Grant | Yes | Communication from Web browser
SQL Server (for R/3) Client | TCP | Any | 1433 | This computer | SQL Server (for R/3) | Grant | Yes | Communication to SQL Server (for R/3)
Domain Member | Any | Any | Any | This computer | Domain Controller | Grant | Yes | Communication to Domain Controller

Table 8
Filter | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored | Description
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SQL Server (for R/3) | TCP | Any | 1433 | SAP R/3 Enterprise | This computer | Grant | Yes | Communication from SAP R/3 Enterprise
Domain Member | Any | Any | Any | This computer | Domain Controller | Grant | Yes | Communication to Domain Controller

Table 9
Filter | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored | Description
All traffic | Any | Any | Any | Any | This computer | Block | Yes |
HTTPS Server | TCP | Any | 443 | Any | This computer | Grant | Yes |
HTTP Server for mgmt | TCP | Any | 8080 | Any | This computer | Grant | Yes | For administration purposes
SAP ITS - Agate Client1 | TCP | Any | 3900 | This computer | SAP ITS - Agate | Grant | Yes |
SAP ITS - Agate Client2 | TCP | Any | 3910 | This computer | SAP ITS - Agate | Grant | Yes |
SAP ITS - Agate Client1 (for Mgmt) | TCP | Any | 3918 | This computer | SAP ITS - Agate | Grant | Yes | For administration purposes
SAP ITS - Agate Client2 (for Mgmt) | TCP | Any | 3928 | This computer | SAP ITS - Agate | Grant | Yes | For administration purposes
Domain Member | Any | Any | Any | This computer | Domain Controller (oa.corp.com) | Grant | Yes |

Table 10
Filter | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored | Description
All traffic | Any | Any | Any | Any | This computer | Block | Yes |
SAP ITS - Agate Server1 | TCP | Any | 3900 | SAP ITS - Wgate | This computer | Grant | Yes |
SAP ITS - Agate Server2 | TCP | Any | 3910 | SAP ITS - Wgate | This computer | Grant | Yes |
SAP ITS - Agate Server1 (for Mgmt) | TCP | Any | 3918 | SAP ITS - Wgate | This computer | Grant | Yes | For administration purposes
SAP ITS - Agate Server2 (for Mgmt) | TCP | Any | 3928 | SAP ITS - Wgate | This computer | Grant | Yes | For administration purposes
SAP DIALOG Client | TCP | Any | 3200 | This computer | SAP DIALOG Server | Grant | Yes |
SAP RFC Client | TCP | Any | 3300 | This computer | SAP RFC Server | Grant | Yes |
Domain Member | Any | Any | Any | This computer | Domain Controller (sap.corp.com) | Grant | Yes |
Packet filtering was conducted using the IPSec script policy in the environment shown below and as
summarized in the Table 11 to Table 18.
Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirroring | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | ---
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SAP R/3 Enterprise | Any | Any | Any | SAP R/3 Enterprise | This computer | Grant | Yes | All communications from SAP R/3 Enterprise granted.
SQL Server (for R/3) | Any | Any | Any | SQL Server (for R/3) | This computer | Grant | Yes | All communications from SQL Server (for R/3) granted.
SAP ITS - Agate | Any | Any | Any | SAP ITS - Agate | This computer | Grant | Yes | All communications from SAP ITS - Agate granted.
SAP Enterprise Portal | Any | Any | Any | SAP Enterprise Portal | This computer | Grant | Yes | All communications from SAP Enterprise Portal granted.
SQL Server (for EP) | Any | Any | Any | SQL Server (for EP) | This computer | Grant | Yes | All communications from SQL Server (for EP) granted.
ICMP | ICMP | Any | Any | This computer | SAP R/3 Enterprise | Grant | Yes | Communication to SAP R/3 Enterprise
ICMP | ICMP | Any | Any | This computer | SQL Server (for R/3) | Grant | Yes | Communication to SQL Server (for R/3)
ICMP | ICMP | Any | Any | This computer | SAP ITS - Agate | Grant | Yes | Communication to SAP ITS - Agate
ICMP | ICMP | Any | Any | This computer | SAP Enterprise Portal | Grant | Yes | Communication to SAP Enterprise Portal
ICMP | ICMP | Any | Any | This computer | SQL Server (for EP) | Grant | Yes | Communication to SQL Server (for EP)

Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirroring | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | ---
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SAP DIALOG Server | TCP | Any | 3200 | SAP ITS - Agate | This computer | Grant | Yes | Communication from SAP ITS - Agate
SAP RFC Server | TCP | Any | 3300 | SAP ITS - Agate | This computer | Grant | Yes | Communication from SAP RFC/BAPI program
SAP RFC Server | TCP | Any | 3300 | SAP Enterprise Portal | This computer | Grant | Yes | Communication from SAP Enterprise Portal
HTTP Server | TCP | Any | 8000 | Any | This computer | Grant | Yes | Communication from Web browser
HTTPS Server | TCP | Any | 44300 | Any | This computer | Grant | Yes | Communication from Web browser
SQL Server (for R/3) Client | TCP | Any | 1433 | This computer | SQL Server (for R/3) | Grant | Yes | Communication to SQL Server (for R/3)
Domain Member | Any | Any | Any | This computer | Domain Controller | Grant | Yes | Communication to Domain Controller

Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirroring | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | ---
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SQL Server (for R/3) | TCP | Any | 1433 | SAP R/3 Enterprise | This computer | Grant | Yes | Communication from SAP R/3 Enterprise
Domain Member | Any | Any | Any | This computer | Domain Controller | Grant | Yes | Communication to Domain Controller

Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirroring | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | ---
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SAP J2EE Dispatcher Server (HTTP) | TCP | Any | 50000 | Any (EP IISPROXY) | This computer | Grant | Yes |
SAP J2EE Dispatcher Server (HTTPS) | TCP | Any | 50001 | Any (EP IISPROXY) | This computer | Grant | Yes |
HTTP Client | TCP | Any | 80 | This computer | SAP ITS - Wgate | Grant | Yes | SAP ITS - Wgate
HTTPS Client | TCP | Any | 443 | This computer | SAP ITS - Wgate | Grant | Yes |
HTTP Client | TCP | Any | 8000 | This computer | SAP R/3 Enterprise | Grant | Yes | SAP R/3 Enterprise
HTTPS Client | TCP | Any | 44300 | This computer | SAP R/3 Enterprise | Grant | Yes |
RFC Client | TCP | Any | 3300 | This computer | SAP R/3 Enterprise | Grant | Yes |
SQL Server (for EP) Client | TCP | Any | 1433 | This computer | SQL Server (for R/3) | Grant | Yes | Communication to SQL Server (for R/3)
Domain Member | Any | Any | Any | This computer | Domain Controller | Grant | Yes | Communication to Domain Controller

Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirroring | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | ---
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All blocked by default.
SQL Server (for EP) | TCP | Any | 1433 | SAP Enterprise Portal | This computer | Grant | Yes | Communication from SAP Enterprise Portal
Domain Member | Any | Any | Any | This computer | Domain Controller | Grant | Yes | Communication to Domain Controller

Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirroring | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | ---
HTTPS Server | TCP | Any | 443 | Any | This computer | Grant | Yes |
HTTP Server for mgmt | TCP | Any | 8080 | Any | This computer | Grant | Yes | For administration purposes
SAP ITS - Agate Client1 | TCP | Any | 3900 | This computer | SAP ITS - Agate | Grant | Yes |
SAP ITS - Agate Client2 | TCP | Any | 3910 | This computer | SAP ITS - Agate | Grant | Yes |
SAP ITS - Agate Client1 (for Mgmt) | TCP | Any | 3918 | This computer | SAP ITS - Agate | Grant | Yes | For administration purposes
SAP ITS - Agate Client2 (for Mgmt) | TCP | Any | 3928 | This computer | SAP ITS - Agate | Grant | Yes | For administration purposes
Domain Member | Any | Any | Any | This computer | Domain Controller (oa.corp.com) | Grant | Yes |

Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirroring | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | ---
All traffic | Any | Any | Any | Any | This computer | Block | Yes |
SAP ITS - Agate Server1 | TCP | Any | 3900 | SAP ITS - Wgate | This computer | Grant | Yes |
SAP ITS - Agate Server2 | TCP | Any | 3910 | SAP ITS - Wgate | This computer | Grant | Yes |
SAP ITS - Agate Server1 (for Mgmt) | TCP | Any | 3918 | SAP ITS - Wgate | This computer | Grant | Yes | For administration purposes
SAP ITS - Agate Server2 (for Mgmt) | TCP | Any | 3928 | SAP ITS - Wgate | This computer | Grant | Yes | For administration purposes
SAP DIALOG Client | TCP | Any | 3200 | This computer | SAP DIALOG Server | Grant | Yes |
SAP RFC Client | TCP | Any | 3300 | This computer | SAP RFC Server | Grant | Yes |
Domain Member | Any | Any | Any | This computer | Domain Controller (sap.corp.com) | Grant | Yes |

Table 18 – Packet Filtering Settings (8. IIS + SAP Enterprise Portal IIS Proxy)

Service | Protocol | Source Port | Destination Port | Source Address | Destination Address | Action | Mirroring | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | ---
All traffic | Any | Any | Any | Any | This computer | Block | Yes | All Traffic
HTTP Server | TCP | Any | 80 | Any | This computer | Grant | Yes | HTTP Server
HTTPS Server | TCP | Any | 443 | Any | This computer | Grant | Yes | HTTPS Server
SAP Enterprise Portal Client for HTTP | TCP | Any | 50000 | This computer | SAP Enterprise Portal | Grant | Yes | SAP Enterprise Portal Client for HTTP
SAP Enterprise Portal Client for HTTPS | TCP | Any | 50001 | This computer | SAP Enterprise Portal | Grant | Yes | SAP Enterprise Portal Client for HTTPS
Domain Member | Any | Any | Any | This computer | Domain Controller (oa.corp.com) | Grant | Yes | Domain Member
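The tables above list the filters as "block everything by default, then grant the specific peers and ports each server needs". As an added example that is not the whitepaper's own script, the following batch file builds that pattern for the SAP R/3 Enterprise server (the table with DIALOG 3200, RFC 3300, HTTP 8000 and HTTPS 44300) using the `netsh ipsec static` context available on Windows Server 2003. The policy name, filter list names and the 192.0.2.x addresses are constructed placeholders; the whitepaper names the peers only by role, so substitute the real addresses of your Agate, Portal, SQL Server and domain controller hosts.

```batch
@echo off
rem Added example (not from the whitepaper): IPsec packet filter for the
rem SAP R/3 Enterprise host, "block all, permit specific peers".
rem Run from an elevated command prompt on the R/3 server.
rem All names and addresses below are constructed placeholders.
setlocal
set R3_POLICY=SAP R3 Packet Filter
set AGATE=192.0.2.20
set PORTAL=192.0.2.30
set SQL_R3=192.0.2.40
set DC=192.0.2.10

netsh ipsec static add policy name="%R3_POLICY%" description="Block all, permit SAP peers"

rem Filter actions: plain permit/block, no IKE negotiation (packet filtering only)
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem "All traffic" row: any -> this computer, blocked by default (mirrored = replies too)
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes

rem Inbound service rows (srcport=0 means "any source port")
netsh ipsec static add filterlist name="Inbound SAP services"
netsh ipsec static add filter filterlist="Inbound SAP services" srcaddr=%AGATE% dstaddr=me protocol=tcp srcport=0 dstport=3200 mirrored=yes description="DIALOG from SAP ITS - Agate"
netsh ipsec static add filter filterlist="Inbound SAP services" srcaddr=%AGATE% dstaddr=me protocol=tcp srcport=0 dstport=3300 mirrored=yes description="RFC from SAP ITS - Agate"
netsh ipsec static add filter filterlist="Inbound SAP services" srcaddr=%PORTAL% dstaddr=me protocol=tcp srcport=0 dstport=3300 mirrored=yes description="RFC from SAP Enterprise Portal"
netsh ipsec static add filter filterlist="Inbound SAP services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=8000 mirrored=yes description="HTTP from Web browser"
netsh ipsec static add filter filterlist="Inbound SAP services" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=44300 mirrored=yes description="HTTPS from Web browser"

rem Outbound client rows: SQL Server (for R/3) and the domain controller
netsh ipsec static add filterlist name="Outbound from R3"
netsh ipsec static add filter filterlist="Outbound from R3" srcaddr=me dstaddr=%SQL_R3% protocol=tcp srcport=0 dstport=1433 mirrored=yes description="SQL Server (for R/3) Client"
netsh ipsec static add filter filterlist="Outbound from R3" srcaddr=me dstaddr=%DC% protocol=any mirrored=yes description="Domain Member"

rem Bind filter lists to actions inside the policy
netsh ipsec static add rule name="Block all" policy="%R3_POLICY%" filterlist="All traffic" filteraction="Block"
netsh ipsec static add rule name="Permit inbound" policy="%R3_POLICY%" filterlist="Inbound SAP services" filteraction="Permit"
netsh ipsec static add rule name="Permit outbound" policy="%R3_POLICY%" filterlist="Outbound from R3" filteraction="Permit"

rem Assign (activate) the policy on this computer
netsh ipsec static set policy name="%R3_POLICY%" assign=yes
endlocal
```

IPsec evaluates filters by specificity rather than by the order in which the rules were added, which is why a broad "any to me" block filter can coexist with narrow permit filters for the same host. Before assigning the policy, review it with `netsh ipsec static show policy name="SAP R3 Packet Filter" level=verbose`, and make sure the domain controller filter is present, since a policy that blocks the DC cuts the server off from authentication and remote administration.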
Security templates suitable for the respective servers (see below) were applied and services were
disabled (see Table 20 to Table 27).
* The most secure "high security" template was used as the assumed security environment.
RECONFIGURATION
Figure 5 – Settings
Note: An application that runs in a user's security context can impersonate a client if that user holds the [Impersonate a client after authentication] privilege. Requiring this privilege prevents an unauthorized user from tricking a client into making an authenticated connection to a service that the unauthorized user created (for example, over a remote procedure call (RPC) or a named pipe) and then impersonating that client, which would raise the unauthorized user's authority to the administrator or system level. The security groups assigned this user right by default are suitable for the legacy client and enterprise client environments. In a high security environment, however, this user right is configured for Local Service and Network Service only.
RECONFIGURATION
Figure 7 – Settings
Note: The [Shutdown: Clear virtual memory page file] security option determines whether the virtual memory page file is cleared when the system is shut down. When this option is enabled, the system page file is wiped at every shutdown; on a portable computer on which hibernation is disabled, the hibernation file (hiberfil.sys) is also zeroed. Shutting down and restarting the server then takes considerably longer, which is noticeable on a server with a large paging file. For this reason, this option is configured as "disabled" in legacy client and enterprise client environments, although it is "enabled" in a high security environment.
Caution: An attacker with physical access to a server could bypass this setting by disconnecting the server from its power source.
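The two notes above describe settings that differ between the enterprise client and high security templates, so after applying a template it is worth confirming what actually landed on the server. As an added example (not part of the whitepaper), the following batch file reports both: the accounts holding the impersonation user right, which secedit exports under its internal name SeImpersonatePrivilege, and the registry value behind the page file option, ClearPageFileAtShutdown. It assumes only secedit.exe and reg.exe, which ship with Windows Server 2003; the temporary file path is a constructed choice.

```batch
@echo off
rem Added audit example (not from the whitepaper): show the effective state of the
rem two settings discussed above. Run from an elevated prompt on the server.
setlocal
set INF=%TEMP%\userrights_audit.inf

rem 1. "Impersonate a client after authentication" = SeImpersonatePrivilege.
rem    secedit writes the assigned SIDs, e.g. *S-1-5-19 (Local Service) and
rem    *S-1-5-20 (Network Service); a high security template should list only those.
secedit /export /cfg "%INF%" /areas USER_RIGHTS /quiet
echo [Impersonate a client after authentication]
findstr /I "SeImpersonatePrivilege" "%INF%"
del "%INF%"

rem 2. "Shutdown: Clear virtual memory page file" is stored as
rem    ClearPageFileAtShutdown (REG_DWORD, 1 = enabled, 0 or absent = disabled).
echo [Shutdown: Clear virtual memory page file]
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown
endlocal
```

Compare the SIDs printed for SeImpersonatePrivilege with the environment's intended template: the presence of *S-1-5-32-544 (Administrators) or *S-1-5-6 (SERVICE) indicates the default assignment rather than the high security one, and a ClearPageFileAtShutdown value of 1 means the slow-shutdown behaviour described above is in effect.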