Sap Hardering For Windows Server

SAP Hardening and Patch Management Guide
for Windows Server
Microsoft Corporation
November 15, 2005
Summary
This whitepaper introduces security measures for SAP systems running on Windows Server. Two
security measures are described: hardening and patch management. These security measures can
help enhance security within your Windows Server-based SAP environment.
The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be
interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication.
This Whitepaper is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording, or
otherwise) or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may own patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in a written license agreement from Microsoft, the furnishing of
this document does not assign any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, SQL Server, Windows, Windows Server, and the Windows logo are
either registered trademarks or trademarks of Microsoft Corporation in the U.S.A.
and/or other countries.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
Table of Contents
1 Introduction........................................................................................................................................... 1
2 Hardening .............................................................................................................................................. 5
2.1 What Is Hardening? ......................................................................................................................... 5
2.2 Multi-layered Hardening................................................................................................................... 6
2.3 Harding Implementation Steps......................................................................................................... 6
2.4 Implementation of Hardening........................................................................................................... 7
Network Hardening............................................................................................................................. 7
Server Hardening ............................................................................................................................. 23
Implement Other Hardening ............................................................................................................. 41
2.5 Other Hardening Information ......................................................................................................... 44
2.6 Operation Checks .......................................................................................................................... 45
2.7 Final Security Check ...................................................................................................................... 47
2.8 Other Methods for Checking Hardening Implementation .............................................................. 47
3 Patch Management............................................................................................................................. 48
3.1 What Is Patch Management?......................................................................................................... 48
3.2 Collecting Information .................................................................................................................... 49
Collecting Information about Security Vulnerability.......................................................................... 49
3.3 Assessing Risks............................................................................................................................. 50
Assessing the Consequences and Urgency of the Vulnerability...................................................... 52
What is a Vulnerability Assessment Matrix? .................................................................................... 52
Organizing the Information about Security Vulnerability .................................................................. 53
Assessing the Pros and Cons of the Risk ........................................................................................ 54
Determining the Degree of Urgency................................................................................................. 54
Devising a Plan for Responding to the Vulnerability ........................................................................ 59
3.4 Applying Security Update Program................................................................................................ 61
Points to Consider When Applying Security Patches ...................................................................... 61
Testing the Security Update Program before Application ................................................................ 62
Testing the Application in a Test Environment................................................................................. 62
Updating via Management Tools ..................................................................................................... 62
3.5 Monitoring the Results ................................................................................................................... 63
Verifying Behavior in the Test Environment ..................................................................................... 63
Confirming the Steps for Roll-Back in the Test Environment........................................................... 64
Confirming that the Necessary Programs have been Applied ......................................................... 64
Appendix: Report on Hardening Verification .................................................................................... 65
1.1 Verification Scenarios .................................................................................................................... 65
1.2 Contents of Verifications ................................................................................................................ 66
1.3 Verification Results ........................................................................................................................ 66
1.4 Network Hardening Settings .......................................................................................................... 67
Network Hardening in SAP R/3 Enterprise ...................................................................................... 67
Network Hardening in SAP ITS ........................................................................................................ 69
Network Hardening in SAP Enterprise Portal................................................................................... 72
1.5 Service and Other Hardening Settings .......................................................................................... 77
Service Hardening Using Templates................................................................................................ 77
Reconfigurations Made After the Application of Security Templates ............................................... 94
SAP Hardening and Patch Management Guide for Windows Server 4

1 Introduction
Recently, there has been an increase in reports by newspapers and TV programs about computer virus
damage and information leakages. Computer virus damage and information leakages may cause
suspension of business and consume large amounts of company resources in taking countermeasures.
In serious cases, it may pose a threat to the status and reputation of the company.
SAP systems typically handle mission-critical operations, such as finance and sensitive company
information. For this reason, if information leakage or virus problems occur in an SAP system, the
company may suffer enormous damage. To reduce the risk of unplanned system shutdowns, effective
security measures must be taken.
This whitepaper presents hardening and patch management as security measures against such risks to
Windows Server-based SAP systems.
The purpose of hardening is to achieve a system environment that is less vulnerable to unauthorized
access and virus attacks. In the Hardening chapter, we describe how to define and implement
hardening, as well as verify the implementation.
The purpose of patch management is to assess the specific risks to a company and to apply
appropriately timed security update programs. With patch management, the minimum required security
update programs can be applied to that helps to minimize the risks and costs of system changes. In
the Patch Management chapter, defining patch management and operation is explained in five steps:
"Collecting Information", "Assessing Risks", "Applying the Security Update Programs", and "Monitoring
the Result." Throughout the chapter, risk assessment is emphasized.
Note:
Hardening and patch management are complementary procedures and implementation of one without the
other will be insufficient. Hardening helps to reduce a system from possible attacks (such as from computer
viruses), but may not be able to handle unfamiliar attack methods. To minimize this possibility, risk
assessment (as a part of patch management) should be implemented.
Purpose of This Whitepaper

Secure system environments can be maintained by applying security update programs as soon as they
are released. However, it may be difficult to apply them immediately after release because of issues
such as the costs associated with verifying the effect of a security update program, the interruption of
services when the programs are applied to the operating environment, and the risk of altering the
operating environment. This whitepaper aims at helping to alleviate these problems and attempts to
help you build a more secure SAP system. By applying what is described in this whitepaper to a
Windows Server-based SAP system, help with securing an SAP system (and thus addressing an
aspect of high system availability) is achieved and TCO may be reduced. Note that most of the
configuration-specific guidance in this paper is applicable to Windows Server 2003. Similar procedures
may be found in Windows Server 2000 documentation dependent on the particular topic covered.

Scope of Security Measures Covered in This Whitepaper
Common security measures are further classified into "technical measures" (such as installation or
configuration of hardware and software) and "institutional measures" (such as creation of policies, or
determination and analyses of vulnerabilities).
Figure 1 – Security Measures
Among the security measures illustrated in Figure 1, "Building a Secure System (Multi-layer Defense)"
and "Patch Management" can be effective technical measures if implemented properly.

Multi-layer Defense
Using a multi-layer approach The idea is to protect the system

Increases risk for attackers to be detected from unexpected attacks.
Reduces the possibility of successful attacks It enhances protection by
setting multiple defense lines.
Data ACL, Encryption
Enhancing Applications,
Application Virus Protection
Host Enhancing operation systems, Security Update

Management, Authentication, HIDS
Internal Network Network Segment, IPSec, NIDS
Boundaries Firewall, VPN isolation

Security Guard, Lock and
Equipment Security
Tracking Device
Policies, Regulations User Education

and Awareness
Figure 2 – Multi-layer Defense

This whitepaper covers the security measures indicated under the Category column of Table 1:
Common Security Measures. For security issues not listed here, appropriate measures will need to
be implemented as necessary.
Table 1: Common Security Measures

Category Measures Coverage
Technical measures Security breach inspection
Building a secure system Data

(multi-layer defense) Application
Host Yes
Internal network Yes
Boundaries
Equipment security
Policies, regulations, and

awareness
Patch Management Yes
Monitoring viruses and unauthorized access
Institutional measures Risk analysis Yes

Operation guidelines
Risk management procedures
Policy implementation
It is also important to note that such security measures must be considered on every SAP system in
your environment (regardless of the type of operating system or database used) as no platform is
completely secure.

2 Hardening
This chapter defines hardening and how to implement and verify it on a Windows Server-based SAP
system.
Contents of this Chapter

This chapter defines hardening and how to implement and verify it on a Windows
Server-based SAP system.
1. What is Hardening?
2. Multi-layered Hardening
3. Implementation of Hardening
4. Final Security Check
5. Summary
2.1 What Is Hardening?

Hardening an SAP system is configuring your SAP system with only the minimum platform functions
that are necessary for operating the system. In this way, security, availability and reduction of the
operating cost of the system is addressed.
Hardening Defined…
Definition: Configuring SAP systems with only the minimum platform functions that
are necessary for operating the system.
Effect: Enhances security

Prevent the SAP system from exposure to unnecessary vulnerability risks and block
computer virus attacks to a maximum extent.
Effect: Ensures availability

Minimize the frequency of applying security update programs that often require
systems to be shutdown.
Effect: Reduces operational cost

Minimize the frequency of applying security update programs that may involve user-
side testing.

2.2 Multi-layered Hardening
This whitepaper covers three types of hardening which are especially effective on SAP systems.
Effective hardening methods for SAP systems

This whitepaper covers three types of hardening can be effective on SAP systems, if
implemented properly.
1. Network hardening (internal network layer)

2. Service hardening (host layer)
3. Other hardening (host layer)
2.3 Harding Implementation Steps
Hardening should be implemented in stages. For example, take one item (such as network or service)
at a time, check the behavior, then move on to the next item.
Assure there is a means for rollback or backup the system configuration (*1)
Implement network Implement server Implement other

hardening hardening hardening
Step-by-step implementation of hardening
Repeat the procedure for each server and hardening

(rollback when a problem arises)
Operation checks
Final security check (*2)
Figure 3 - Hardening Implementation Steps
*1 Use ASR backup of Windows Server 2003 or a third party image backup tool.
*2 Use Microsoft Baseline Security Analyzer or other tools.

2.4 Implementation of Hardening
Before implementing high-quality hardening, some preparation is required. Some important preparation
tasks are: clarifying the required security level, checking the specifications of your system, determining
what might need hardening, estimating the cost and the effect of the hardening, and determining what
to harden.
Preparations before implementing hardening

Before implementing high-quality hardening, some preparation is required.
1. Clarifying the required security level

Determine how far security should be enhanced.
2. Checking the system specifications

Check the specifications of not only the SAP system but also systems other than SAP.
This includes checking required communication paths, ports, and services.
3. Determining what might need hardening

Determine what should be subjected to network, service, and other hardenings.
4. Estimating the cost and the effect of the hardening

Estimate the effect and the associated cost beforehand to ensure maximum effect with
minimum cost.
5. Determining what to harden

Decide which items should be subjected to hardening and how extensively it should be
done.
Network Hardening
Hardening networks on an SAP system is implementing packet filtering to block unnecessary
communications. With this, the goal is to make stacks more difficult by blocking unnecessary
communication.
Network Hardening Defined…

Definition: Implementing packet filtering on SAP systems to block unnecessary
communications.
Effect: Blocks attacks that use unnecessary communications

Making attacks against vulnerability more difficult by closing unnecessary
communications to SAP systems.

Network hardening is important on SAP systems for the following reasons: 1) SAP systems only use
specific ports that can be easily identified, 2) the ports used on SAP systems are typically less apt to be
attacked by computer viruses, and 3) hardening networks to the maximum extent makes attacks more
difficult for hackers.
Importance of Network Hardening

Reasons why network hardening is important on all SAP systems in your environment.
Reason: SAP systems only use specific ports that can be easily identified.
The ports are further limited when the functions of the SAP J2EE engine are suspended.
Reason: The ports used on SAP systems are that are typically less apt to be
attacked by computer viruses.
The ports are also customizable.
Reason: Therefore, hardening networks to the maximum extent makes

attacks more difficult.
As a first step, determine which servers are critical to deliver SAP services (which servers might be a
single point of failure from a network hardening perspective?).
SAP Central Instance
SAP Database Instance
Other non-redundant servers
Such a determination will decrease the time necessary to install the applicable security patches which
could lead to downtime for these servers from a standpoint of availability. Therefore, there would be
implementation of port and services limits of these specific SAP application and database servers (also
effective with SAP Router) while other servers may not have such strict limitations.
Overall, separate SAP servers which potentially have a single point of failure (CI, DB, etc.) from others;
thus creating a “SAP server segment” via firewall, router, etc. So that security patches can be done
one by one, other SAP-related servers that are “redundant” are separate (e.g. SAP dialog instance, ITS
AGate/WGate, etc.).

Figure 4 – An Example of Network Hardening for a Corporate Network
Ports and Packet Filtering
Packet filtering should be taken into consideration to block all unnecessary network traffic on ports to
SAP systems (as well as any 3rd party tools) and IPSec script policy should be leveraged.
Execute IPSec policy scripts on each Windows Server and hardware-based packet filtering to lock
down specific ports can be done via a firewall, router, and layer 3 switch among network subnets. (See
SAP Note #66687 (“Use of Network Security Products”) concerning SAP certification requirements for
some 3rd party network security tools.)
Note that Microsoft ISA Server 2004 can provide advanced firewall protection and includes the
following:
One machine can act as both Firewall and SAP Router
Application layer filtering
Can decrypt HTTPS, inspect content and redeliver it internally
Pre-authentication, form based
Attachment control

Interface blocking
Intrusion detection
By applying the IPSec script policy to your server, you can confine the communication pathway and
restrict the TCP and UDP ports used for the communication. For how to use IPSec, refer to:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod111.asp
The following is includes an example of the IPSec script policy:
:IPSec Policy Definition

netsh ipsec static add policy name="Packet Filters - R3" description="Server Hardening
Policy" assign=no
:IPSec Filter List Definitions

netsh ipsec static add filterlist name="ALL" description="Server Hardening"
netsh ipsec static add filterlist name="DIALOG" description="Server Hardening"
netsh ipsec static add filterlist name="MSSQL" description="Server Hardening"
:IPSec Filter Action Definitions

netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass"
action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block
:IPSec Filter Definitions

netsh ipsec static add filter filterlist="ALL" srcaddr=any dstaddr=me description="ALL"
protocol=any srcport=0 dstport=0
netsh ipsec static add filter filterlist="DIALOG" srcaddr=any dstaddr=me description="DIALOG"
protocol=TCP srcport=0 dstport=3200
netsh ipsec static add filter filterlist="MSSQL" srcaddr=me dstaddr=192.168.12.3
description="MSSQL" protocol=TCP srcport=0 dstport=1433
:IPSec Rule Definitions

netsh ipsec static add rule name="ALL" policy="Packet Filters - R3" filterlist="ALL"
kerberos=yes filteraction=Block
netsh ipsec static add rule name="DIALOG" policy="Packet Filters - R3" filterlist="DIALOG"
kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="MSSQL" policy="Packet Filters - R3" filterlist="MSSQL"
kerberos=yes filteraction=SecPermit
netsh ipsec static set policy name="Packet Filters - R3" assign=y
Example: Create the sample code as a batch file and execute it on SAP R/3 Enterprise server.
1 Default communication blocked.

2 Permit dialog process access from clients (between clients and SAP R/3 Enterprise via destination
port TCP 3200).
3 Permit access from SAP R/3 Enterprise to DB instances (between SAP R/3 Enterprise and SQL
server via destination port TCP 1433).

Necessary Ports for Operating SAP Systems
A list of ports used by:
SAP systems (along with other security-related documentation):
http://service.sap.com/security Æ Security Detail Æ Infrastructure Security.
Windows Server System:
“Service Overview and Network Port Requirements for the Windows Server System”
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017.
SQL Server: over TCP: 1433, UDP: 1434
IIS (World Wide Web Publishing Service): 80, 443
Terminal Services and Remote Desktop: 3389 (default; can be configured):
“How to Change the Listening Port in the Windows Terminal Server Web Client”
http://support.microsoft.com/default.aspx?scid=kb;en-us;326945)
Active Directory (dependent on design):
“How to Configure a Firewall for Domains and Trusts”
http://support.microsoft.com/kb/179442/EN-US/
“Restricting Active Directory Replication Traffic to a Specific Port”
http://support.microsoft.com/default.aspx?scid=kb;en-us;224196

Table 2 – Necessary (Destination) Ports for Operating SAP Systems
Application Service Name Protocol Destination Port
SAP R/3 Enterprise sapdpNN TCP 32NN
sapgwNN TCP 33NN
SAPlpd TCP 515
HTTP/HTTPS TCP 81NN/444NN
sapmsSID TCP 36NN
SMTP TCP 25
HTTP/HTTPS TCP 5NN00/5NN01
IIOP Initial context /IIOP over SSL TCP 5NN02/5NN03
P4/P4 over HTTP tunneling /P4 over SSL TCP 5NN04/5NN05/5NN06
IIOP TCP 5NN07
JMS TCP 5NN10
Telnet TCP 5NN08
Multiplexer TCP 4NN00
Portwatcher TCP 4NN01-79
HTTP TCP 4NN80-99
TCP 5NN17/5NN18/5NN19
MessageServer TCP 36NN
Engue Server TCP 32NN
Eng. Replication TCP 33NN
SAP ITS Wgate sapvw00_<SID> TCP 39NM
sapvwmm_<SID> TCP 39N9
sapvw00_ADM TCP 39NM
sapvwmm_ADM TCP 39N9
SAP ITS Agate HTTP/HTTPS TCP 80/443
sapdpNN TCP 32NN
sapgwNN TCP 33NN
sapmsSID TCP 36NN
SAP Enterprise Portal 6.0 HTTP/HTTPS TCP 5NN00/5NN01
IIOP Initial context /IIOP over SSL TCP 5NN02/5NN03
P4/P4 over HTTP tunneling /P4 over SSL TCP 5NN04/5NN05/5NN06
IIOP TCP 5NN07
JMS TCP 5NN10
Telnet TCP 5NN08
TCP 5NN17/5NN18/5NN19
SAP Enterprise Portal IIS Proxy HTTP/HTTPS TCP 80/443
HTTP/HTTPS TCP 5NN00/5NN01
Note:
• The port numbers are customizable.
• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00).

Table 3 – Necessary (Destination) Ports for Operating SAP Systems (cont’d)
Application Service Name Protocol Destination Port
SAP Router SAProuter TCP 3299
sapdpNN TCP 32NN
sapgwNN TCP 33NN
sapmsSID TCP 36NN
SAP Web Dispatcher HTTP/HTTPS TCP 80/443
Active Directory See Microsoft Knowledge Base Article #179442 – “How to Configure a Firewall for
Domains and Trusts" and #224196 – “256986) at support.microsoft.com
SQL Server SQL over TCP TCP 1433
Oracle TCP 1527
DB2/UDB TCP Customize
SAPDB TCP 7200/7210
Informix TCP 3800
IIS HTTP TCP 80
HTTPS TCP 443
Terminal Services TCP 3389
Windows Server NetMeeting Remote Desktop Sharing (Used TCP 3389
by SAP Support)
File Sharing (Used in the sharing of SAP TCP 445
migration files and in the shipping of UDP 445
SQL server logs) TCP 137
UDP 137
UDP 138
TCP 139
Clustering (Central instance and DB TCP 135
instance multiplexing) UDP 3343
For details, see Microsoft Knowledge Base Article #832017 – “Port Requirements for the
Microsoft Windows Server System".
Note:
• The port numbers are customizable.
• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such as 00).

Figure 5 – Ports Used by SAP R/3 Enterprise
Figure 6 – Ports Used by SAP ITS (Wgate and Agate)

Figure 7 – Ports Used by SAP Enterprise Portal 6.0
Figure 8 – Ports Used by SAP Enterprise IIS Portal Proxy

Figure 9 – Ports Used by SAP Router
Figure 10 – Ports Used by SAP Web Dispatcher

Configuration of Ports
For configuration of ports and other steps for network hardening, use the "Microsoft Management
Console (MMC)":
Click Start, and then click Run.
1. Type "mmc" in the Name field of the Select File To Run dialog box, and then click OK.
2. The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.
3. From the pull-down menu, select Add/Remove Snap-in.
4. The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.
5. In the Standalone tab, click Add.
6. The Add Standalone Snap-in dialog box is displayed. Select IP Security Policy Management in
the Available Standalone Snap-ins dialog box, and then click Add.
7. The Select Computer or Domain dialog box is displayed. Select Local Computer. Click Finish.
8. Click Close on the Add Standalone Snap-in dialog box.

9. Click OK on the Add/Remove Snap-in dialog box.
10. IP Security Policies on Local Machine is added under the Console Root on the Microsoft
Management Console.
11. Click the added IP Security Policies on Local Machine to display the registered IP security policy
in the right pane.
Figure 11 – IP Security Policy

12. Double-click the registered Packet Filters - R3.
Figure 12 – Packet Filter IP Security Policy
13. The Packet Filters - R3 Properties dialog box is displayed (see Figure 10). Click the Rules tab.
14. Select an IP filter that you want to verify from the IP Security Rules section on the Rules tab, and
then click Edit.
Figure 13 – Edit Rule

15. Select the IP Filter List tab on the dialog box that is displayed.
16. Select an IP filter that you want to verify from the IP Filter List section in the IP Filter List tab, and
then click Edit.
17. The IP Filter List dialog box is displayed and you can verify the configuration of the IP filter.
Figure 14 – IP Filter List
18. When you finish verifying the IP filter, click Cancel to close the dialog box.
19. To verify the configuration of the filter action, select the Filter Action tab in the Edit Rule
Properties dialog box.
Figure 15 – Filter Actions

To un-assign network hardening, select then right-click on Packet Filters - R3 in the Microsoft
Management Console. Then select Un-assign from the pop-up menu. To remove the network
hardening, select Delete from the same pop-up menu.
Figure 16 – Un-assign IP Security Policy

Network Communication Paths
Figure 17 – Communication Paths for an SAP R/3 Enterprise Environment
Figure 18 – Communication Paths for an SAP ITS Environment

Figure 19 – Communication Paths for an SAP Enterprise Portal Environment
Figure 20 - Communication Paths for an

SAP Enterprise Portal + Active Directory Environment

Active Directory Considerations
As per SAP’s Web AS installation guide, SAP application and database servers should be implemented
in either of the following ways:
Extra domain: SAP systems are embedded in their own “SAP”-specific domain and a separate
domain is used for user accounts. Both domains must be incorporated in a domain tree with
the user account domain as the root domain and the SAP domain as the child.
Single domain: SAP servers and user accounts are in the same domain.
Reference SAP Note #711319 (“Domain Installation using Delegation of Administration in AD”) for
information regarding the situation when installation of SAP cannot be performed by a domain
administrator as specified in SAP’s installation guides.
Also, for SAP Enterprise Portal, situations may arise where it may be desired to prevent local users
from another domain from logging into SAP EP. See SAP Note #710032 (“Restrict Windows
Authentication to Domains”) for specific configuration information to meet this need.
Server Hardening
An SAP system is under unnecessary security risks when there are services not applicable to SAP or
have ineffective settings. Therefore, administrators should disable unnecessary services and
strengthen security settings for others to the extent that SAP services can run without any issues. Such
actions can be efficiently performed to some extent by utilizing security templates provided by Microsoft.
Hardening Using Templates

You can use the Windows Server 2003 Security Guide and the associated templates as a step towards
implementation of hardening. There are three types of security templates that are differentiated
according to the security environment and nine types of templates that are differentiated according to
the server role. You will need to implement a hardening for each server role.
For more information on the Windows Server 2003 Security Guide, visit the Microsoft Download Center.
http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-
521EA6C7B4DB&displaylang=en#filelist
Three types of templates differentiated according to security environment

• Legacy client (security level: low)
• Enterprise client (security level: medium)
• High security (security level: high)

Nine types of templates differentiated according to server role
• Domain controller
• Member server
• Web server
• Infrastructure server (DHCP, WINS)
• File server
• Print server
• IAS server
• Certificate service server
• Bastion host
Additional Information:
After applying Windows Server 2003 templates, you can make your SAP system more secure by
checking and changing the following configurations in accordance with the documents in Table 3.
- Confirm that every partition of the disk is formatted in NTFS.
- Confirm that an invulnerable password is set for the Administrator account.
- Disable or delete unnecessary accounts.
- Make sure that the old security configurations are not changed when you upgrade your system
from previous versions.
- Configure the Administrator account.
- Delete all unnecessary file sharing.
- Specify an appropriate ACL for every necessary file sharing.
- Protect your Telnet server.
- Enable IIS logging.
- Unbind NetBIOS from TCP/IP.
- Remove OS/2 and POSIX subsystems.
- Disable the automatic generation of short file names (8.3 format).
- Disable the creation of LM hashes.
- Configure NTLMSSP security.
- Disable automatic execution.
Use Microsoft Management Console to apply security templates. Before you apply a security template,
you need to backup the role security policies using an administrative tool called "Local Security Policy."

Backup Local Security Policy
1. Click Start, and then select All Programs.
2. Select Administrative Tools in the All Programs menu, and then click Local Security Policy.
3. The Local Security Policy dialog box is displayed. Select then right-click Security Settings in the
dialog box.
4. Select Export Policy from the pop-up menu.
Figure 21 – Backup Local Security Policy
5. The Export Policy To dialog box is displayed. In the File Name field, type the name of the file that
you want to export the policy to.
6. Click Save to export the local security policy to the file.

Applying the Security Template
1. Click Start, and then click Run.
2. Type "mmc" in the Name field of the Select File To Run dialog box and click OK.
3. The Microsoft Management Console (MMC) window is displayed. Click File on the menu bar.
4. From the pull-down menu, select Add/Remove Snap-in.
5. The Add/Remove Snap-in dialog box is displayed. Click the Standalone tab.
6. In the Standalone tab, click Add.
7. The Add Standalone Snap-in dialog box is displayed. Select Security Configuration and
Analysis in the Available Standalone Snap-ins dialog box, and then click Add.
8. Click Close on the Add Standalone Snap-in dialog box.
9. Click OK on the Add/Remove Snap-in dialog box.
10. Security Configuration and Analysis is added under the Console Root on the Microsoft
Management Console.
11. Select then right-click the added Security Configuration and Analysis.
12. Select Open Database from the pop-up menu.
Figure 22 – Security Configuration and Analysis

13. The Open Database dialog box is displayed. In the File Name field, type the name of the database
that you want to open, and then click Open.
14. The Import Template dialog box is displayed. In the File Name field, select the security template
file (INF file) downloaded from Internet, and then click Open. You should select a security template
file appropriate for your server configuration.
Figure 23 – Importing Templates
15. On the Microsoft Management Console, select then right-click Security Configuration and Analysis.
16. Select Analyze Computer Now from the pop-up menu.
Figure 24 – Security Configuration and Analysis

17. When you execute analysis of the computer, red X marks appear to indicate the parts where the
current settings should be changed.
18. If you want to change the template, double-click the entry.
Figure 25 – Analysis of Computer
19. If you want to change the template, change the entry.
Figure 26 – Property for Password Length

20. On the Microsoft Management Console, select then right-click Security Configuration and
Analysis.
21. Select Configure Computer Now from the pop-up menu.
Figure 27 – Configuration of Computer
Note:
• We recommend that the procedure be carried out step by step.
• If you want to provide against the worst case, it is recommended that you perform a system backup
using Automatic System Recovery (ASR) or an image backup tool before applying a template.

Service Hardening
Service hardening is the process of disabling the services that are unnecessary for operating your SAP
system. In this way you can block attacks that use unnecessary services and improve the performance
of the system.
Service Hardening Defined…

Definition: Disabling services that are unnecessary for operating SAP systems.
Effect: Blocking attacks that use unnecessary services

Makes attacks against vulnerability more difficult by disabling services unnecessary
for SAP systems.
Effect: Improving performance

Reduces the load on the server and improves performance by disabling services
unnecessary for SAP systems.
Service hardening investigates Windows services that are unnecessary for the operation of the SAP
system and disables their Startup options in order to prevent any attacks through usage of these
unnecessary services.
There are three settings for Startup options: "Auto", "Manual", and "Disable." Set the option in
accordance with the criteria described in the table below.
Table 3: Setting the Startup Option

Type of Service Startup Option
Services that are obviously unnecessary for operating the system Disable
Services that are obviously necessary for operating the system Auto
Other services Manual
Importance of Service Hardening

Reasons why service hardening is important on all SAP systems in your environment.
Reason: SAP systems only use specific Windows services that can be easily
identified.
Reason: As long as you are willing to give up some functionality, many of the
services can be disabled and the SAP system will still function
adequately.

Table 4: Services Necessary for SAP Systems
Minimum required services for Windows Server Event Log
Logical Disk Manager
Network Connections
Plug and Play
Protected Storage
Remote Procedure Call
Security Account Manager
Windows Management Instrumentation
Windows Management Instrumentation
Extensions
Additionally required services for SAP R/3 Enterprise SAPOSCOL
SAP<SID>_<NN>
SAP<SID>_<NN>
Additionally required services for SAP ITS Agate SAP ITS Manager - <SID>
SAP ITS Manager - ADM
ITS Watchdog
SAP IACOR Manager
Additionally required services for SAP Enterprise Portal SAP J2EE Engine Dispatcher
Additionally required services for SQL Server Workstation

Server
MSSQLSERVER
SQL Server Agent
Additionally required services for clusters Remote Registry
Cluster Service
Removal Storage
Additionally required services for IIS World Wide Web Publishing Service
IIS Admin Service
Additionally required services for SAP ITS Wgate SAP IACOR Manager
Additionally required services for SAP Enterprise Portal none
IIS Proxy
Note:
• This table shows Windows services installed during a standard installation. Clustering environments
may have different services.
• <SID> represents an SAP system ID (such as P01) and <NN> represents an instance number (such
as 00). For SAP R/3 Enterprise, there are two "SAP<SID>_<NN>" services - one is for central
instances and the other is for central service instances.
• SAP J2EE Engine (Dispatcher and Server), SDM, and IGS of SAP R/3 Enterprise are started by
central instance services.
• SAP J2EE Engine Server of SAP Enterprise Portal 6.0 is started by "SAP J2EE Engine Dispatcher"
service.
• When you disable services not listed in this table, you should check the intended purpose of the
services and test it in the appropriate system environment.

The tables below show the services that are not required for operating SAP various systems.
Table 5: Unnecessary Services for SAP Systems
Services not required by Domain Controller

Alerter Print Spooler
Application Layer Gateway Service Remote Access Auto Connection Manager
Application Management Remote Access Connection Manager
ClipBook Remote Desktop Help Session Manager
COM+ System Application Resultant Set of Policy Provider
DHCP Client Routing and Remote Access
DHCP Server Secondary Logon
Distributed Link Tracking Client Shell Hardware Detection
Distributed Link Tracking Server Smart Card
Distributed Transaction Coordinator Special Administration Console Helper
Error Reporting Service Task Scheduler
Help and Support Telephony
HTTP SSL Telnet
Human Interface Device Access Terminal Services Session Directory
IMAPI CD-Burning COM Service Themes
Indexing Service Uninterruptible Power Supply
Internet Connection Firewall (ICF) / Internet Connection Upload Manager
Sharing (ICS) Virtual Disk Service
License Logging WebClient
Messenger Windows Audio
NetMeeting Remote Desktop Sharing Windows Image Acquisition (WIA)
Network DDE WinHTTP Web Proxy Auto-Discovery Service
Network DDE DSDM Wireless Configuration
Portable Media Serial Number Service

Services not required for SAP R/3 Enterprise

Alerter Portable Media Serial Number Service
Application Layer Gateway Service Print Spooler
Application Management Remote Access Auto Connection Manager
ClipBook Remote Access Connection Manager
COM+ System Application Remote Desktop Help Session Manager
DHCP Client Remote Procedure Call (RPC) Locator
Distributed Link Tracking Client Resultant Set of Policy Provider
Distributed Link Tracking Server Routing and Remote Access
Distributed Transaction Coordinator Secondary Logon
Error Reporting Service Shell Hardware Detection
File Replication Smart Card
Help and Support Special Administration Console Helper
HTTP SSL Task Scheduler
Human Interface Device Access Telephony
IMAPI CD-Burning COM Service Telnet
Indexing Service Terminal Services Session Directory
Internet Connection Firewall (ICF) / Internet Connection Themes
Sharing (ICS) Uninterruptible Power Supply
Intersite Messaging Upload Manager
Kerberos Key Distribution Center Virtual Disk Service

Services not required for SQL Server (for SAP R/3 Enterprise)
Alerter Network DDE DSDM
Application Layer Gateway Service Portable Media Serial Number Service
Application Management Print Spooler
ClipBook Remote Access Auto Connection Manager
COM+ System Application Remote Access Connection Manager
DHCP Client Remote Desktop Help Session Manager
Distributed File System Remote Procedure Call (RPC) Locator
Microsoft Search Windows Image Acquisition (WIA)
MSSQLServerADHelper WinHTTP Web Proxy Auto-Discovery Service
NetMeeting Remote Desktop Sharing Wireless Configuration
Network DDE

Services not required for SAP ITS Agate

Distributed File System Resultant Set of Policy Provider
Distributed Link Tracking Client Routing and Remote Access
Distributed Link Tracking Server Secondary Logon
Distributed Transaction Coordinator Shell Hardware Detection
Error Reporting Service Smart Card
File Replication Special Administration Console Helper
Help and Support Task Scheduler
HTTP SSL Telephony
Human Interface Device Access Telnet
IMAPI CD-Burning COM Service Terminal Services Session Directory
Indexing Service Themes
Internet Connection Firewall (ICF) / Internet Connection Uninterruptible Power Supply
Sharing (ICS) Upload Manager
Intersite Messaging Virtual Disk Service
Kerberos Key Distribution Center WebClient
License Logging Windows Audio
Messenger Windows Image Acquisition (WIA)
NetMeeting Remote Desktop Sharing WinHTTP Web Proxy Auto-Discovery Service
Network DDE Wireless Configuration
Network DDE DSDM

Services not required for SAP ITS Wgate


Services not required for SAP Enterprise Portal

HTTP SSL Telephony
Human Interface Device Access Telnet
IMAPI CD-Burning COM Service Terminal Services Session Directory
Indexing Service Themes
Internet Connection Firewall (ICF) / Internet Connection Uninterruptible Power Supply
Sharing (ICS) Upload Manager
Intersite Messaging Virtual Disk Service
Kerberos Key Distribution Center WebClient
License Logging Windows Audio
Messenger Windows Image Acquisition (WIA)
NetMeeting Remote Desktop Sharing WinHTTP Web Proxy Auto-Discovery Service
Network DDE Wireless Configuration
Network DDE DSDM

Services not required for SQL Server (SAP Enterprise Portal)

Alerter Network DDE DSDM
Application Layer Gateway Service Portable Media Serial Number Service
Application Management Print Spooler
ClipBook Remote Access Auto Connection Manager
COM+ System Application Remote Access Connection Manager
DHCP Client Remote Desktop Help Session Manager
Distributed File System Remote Procedure Call (RPC) Locator
Microsoft Search Windows Image Acquisition (WIA)
MSSQLServerADHelper WinHTTP Web Proxy Auto-Discovery Service
NetMeeting Remote Desktop Sharing Wireless Configuration
Network DDE

Services not required for SAP Enterprise Portal IIS Proxy


Implementing Service Hardening
Use the administrative tool called "Services" to implement service hardening.
1. Click Start, and then select All Programs.
2. Select Administrative Tools in the All Programs menu, and then click Services.
3. The Services dialog box is displayed. Select then right-click on the service that you want to harden.
4. Select Properties from the pop-up menu.
Figure 28 – Service Hardening

5. The Properties dialog box is displayed. Set the Startup Type to Disable, and then click OK.
6. Repeat the above procedure for all services that you want to harden.
Figure 29 – Disabling Services
Implement Other Hardening
Internet Information Server (IIS) Hardening

If using IIS 4.0 (NT 4.0) or 5.0 (Windows 2000) for SAP ITS or SAP Enterprise Portal, use the IIS
Lockdown Tool to lock down services. The tool is available for download at
http://www.microsoft.com/technet/security/tools/locktool.mspx.
The lockdown tool provides an wizard to change security settings and various templates for various
scenarios are available. URLscan integration is also provided which decreases the possibility of attack
by computer viruses as it analyzes HTTP requests and keeps IIS from accepting unordinary requests.
When using IIS 6.0 however, such toolkit functionality is included with Windows Server 2003. Note that
usage of IIS 6.0 is only available for ITS starting with SAP ITS version 6.20 patch level 3 and IIS 6.0 on
Windows Server 2003 is not installed or setup by default. See SAP Note #585545 for information on
running SAP ITS on IIS 6.0.
For reference, other security-related tools are available at

http://www.microsoft.com/technet/security/tools/default.mspx.

SQL Server Hardening
If SQL Server 2000 is used as the database for SAP on Windows Server, refer to
http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp for
information on steps to secure SQL Server 2000. Information for SAP running on Windows Server
2003 will be added to this whitepaper when available.
Install most recent SQL Server Service Pack
Assess your server security with MBSA
Use Windows Authentication Mode
Isolate your server and backup it up regularly
Assign a strong SA password
Limit privilege of SQL Server Service
o One account per service
o Simple Domain User right
Disable SQL Server port on Firewall
Use the most secure file system – NTFS
Delete or secure old setup files
Audit connection to SQL Server
Specific SAP Hardening

For specific considerations for SAP applications (Basis level 4.6B and higher), refer to SAP Note
#165485 (“R/3 Security under Windows NT”). In addition:
On servers without transport directory, you can restrict the directories \usr and \usr\sap to the
local administrators: Administrators(Full Control).
On the transport server, generate a further local group "SAP_LocalAdmin". Insert the
SAP_<SID>_GlobalAdmin groups of all SIDs involved in the transport into this group.
Assign the following authorizations to the directories \usr, \usr\sap and \usr\sap\trans:
Administrators(Full Control) SAP_LocalAdmin(Full Control).
The shares "SAPLOC" and "SAPMNT" can also be provided with this authorization list.
Change password on default Users SAP*, DDIC… Client 000 and 066

Anti-Virus Considerations
Even further protection beyond locking down ports and services, segmenting the SAP servers onto a
separate network, etc. is the protection via anti-virus software. Most Microsoft customers running SAP
on Windows Server have used anti-virus software with shield activated without experiencing
performance issues or problems and the following several best practices can be considered:
Exclude the database file(s)
Exclude SAP temporary files
Scan only incoming traffic or file on write operations
Do not activate self decontamination but warn SAP administrators immediately
Well known viruses can many times be detected and immediately removed without infection as anti-
virus vendors typically have provided the capability to quickly scan a system and update all definition
files immediately in case of critical news of widespread attack. Critical viruses are, on average, typically
only “unknown” for 24 hours. Another option can also include implementation of an anti-virus gateway.
SAP Workstation Hardening

Even if an SAP client is secured through SAP security administration, a workstation (host) could be
compromised through operating system, network, and other application vulnerabilities. As a result, it
may not be able to run applications, it could be used as a “zombie” to run attacks and it could be used
by an attacker to steal data, including usernames and passwords.
Protection of workstations includes the following considerations:
Security Configuration
OS, Application, Browser, E-mail, etc.
Security Patches
Service Packs
Host firewall
Scanning, Analyzing, Remediation
Deployment strategy
Antivirus Software
In addition, evaluate the latest security enhancements in relation to Windows XP SP2:

Windows Firewall
Internet Explorer Security Enhancements
Outlook Express Security Enhancements
OS Security Enhancements
o Core services reviewed and rewritten
o Memory protection
Review SAP Notes #66971 and 738927 about Windows XP SP2
Identify, Assess, Test and Deploy latest security patches
Deploy baseline security on new machines
Specifically, the firewall provided with Windows XP SP2 is on by default for all network interfaces,
provides boot-time security and global and per-interface configurations, has an exceptions list (that can
be disallowed), accounts for local subnet restrictions, supports multiple profiles and RPC, can be
configured via command-line and has better group policy management.

The firewall’s feature of “on by default” is:
Installed with new installations and upgrades
Enabled when new interfaces are added
Has default configuration that provides good protection against worms (e.g., Blaster)
Can account for certain applications that might require special settings
Manageable through Group Policy Administrative Templates, Network, Network Connections,
Windows Firewall, profile, "Windows Firewall: protect all network connections“
The firewall’s “boot time security” features:

Provides a new, static filtering policy at boot time
Permits DNS, DHCP, Netlogon
WF policy that is applied after logon (policy then stays in effect until after IP stack is shut down)
Closes hole that existed after boot, but before policy application
The firewall’s “perimeter protection”:

Could be a distributed environment
Application layer inspection
Pre-authentication
Protocol filtering
o HTTP content, URL, and other filtering
Port blocking
Intrusion detection
Logging
2.5 Other Hardening Information

Other considerations that impact overall total cost of ownership (TCO) for hardening that need to be
considered are aspects such as the use of Active Directory with proper Organizational Unit (OU)
architecture and Group Policy Objects that can help with securing the overall computing environment.
As well, management tools such as Microsoft Operations Manager (MOM), Terminal Services, HP
OpenView, etc. can be used for centralized, proactive security monitoring and administration.

Other Reference Information
Microsoft TechNet Security Center
http://www.microsoft.com/technet/security/default.mspx
Windows Server 2003 Security Guide

http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.mspx
Windows Server 2000 Security Hardening Guide

http://www.microsoft.com/technet/security/prodtech/Windows2000/win2khg/default.mspx
Windows XP Security Guide

http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx
From Blueprint to Fortress: A Guide to Securing IIS 5.0

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/dep
ovg/securiis.mspx
SAP Network and Layer Transport Security

http://service.sap.com/security Æ Security in Detail Æ Infrastructure Security Æ Network and
Layer Transport Security (SAP NW ’04)
SAP Security Guides

http://service.sap.com/security Æ Security in Detail Æ SAP Security Guides Æ SAP Basis /
Web AS Security Guides or SAP NetWeaver ’04 Security Guide (Complete)
2.6 Operation Checks

You can perform an operation check of your SAP system by performing a basic operation check in
accordance with the table below.
Table 13: Basic Operation Check

Environment Operations to be checked
SAP R/3 Enterprise Are the services of SAP R/3 Enterprise started? Any errors in the log?
environment Are the services of RDBMS started? Any errors in the log?
Can you log on to SAP R/3 Enterprise?
SAP ITS environment Are the services of ITS Wgate started? Any errors in the log?
Are the services of ITS Agate started? Any errors in the log?
Can you log on using a Web browser?
SAP Enterprise Portal Are the services of SAP Enterprise Portal started? Any errors in the log?
environment Are the services of RDBMS started? Any errors in the log?
Can you log on using a Web browser?

You can also check your system using the checklist and the transactions described in the table below.
Checking these items verifies that there are no problems at the SAP basis level (note that problems in
the application level are not checked).
Table 14: Operation Checklist

Task Transaction Method
Check that every AP server is SM51-SAP Servers
started.
Verify the work processes. SM50-Process Overview Check that every work process is in
either "running" or "waiting" status.
Check if any updates have SM13-Update Records Use "*" as the user ID and check if
failed. any "Err." have occurred for all
updates in the past year.
Verify the system log. SM21-System Log Investigate peculiar events such as
"Errors", "Warnings", "Security",
"messages", "Abends Database"
and "problems".
Check for cancelled jobs. SM37-Select Background jobs Use "*" as user ID and check that
every critical job has been
successful.
Check that no locks have SM12-Lock entry list. Use "*" as user ID.
continued for long periods of
time.
Verify the user sessions. SM04-Users Check for unknown or suspicious
AL08 - Users user IDs.
Verify that there are no SP01-Spool: Investigate any processes with "in
problems with spooling. Request Screen process" status lasting more than an
hour.
Verify the job logs. SM35-Batch input: Initial Investigate "New jobs" and
Screen "Incorrect jobs."
Analyze the dump. ST22-ABAP Dump Analysis
Analyze the workload statistics. ST03N-Workload:Analysis of

<SID>
Analyze the buffer statistics. ST02-Tune Summary Investigate the swaps.
Investigate the error log. ST04-DB Performance
Analysis
Check usage of the table area. DB12
Verify the system log. OS06-OS Monitor Investigate the OS log.

2.7 Final Security Check
After completing the hardening implementation, you need to check whether it has been implemented
without omission. Use Microsoft Baseline Security Analyzer (MBSA) to check the security of your
Microsoft products. With this tool, you can make a simple security check of Windows Server 2003, IIS
and SQL Server.
For the details about Microsoft Baseline Security Analyzer (MBSA), see
• Whitepaper: Microsoft Baseline Security Analyzer V1.2
www.microsoft.com/technet/security/tools/mbsawp.mspx
2.8 Other Methods for Checking Hardening Implementation

You can also check your hardening implementation by using tools such as Ping, Event Viewer and
group policy resultant sets.
Summary
This chapter has explained how to implement hardening to improve your Windows Server-
based SAP systems.
1. Hardening is a solution that brings significant benefits to SAP system

administrators.
Hardening enables you to enhance security, ensure availability, and reduce the operating
cost of the system.
2. Hardening is not a sufficient security measure in and of itself.

To keep an SAP system secure, you should also include patch management in the
implementation.

3 Patch Management
This chapter describes how to implement patch management for your Windows Server-based SAP
system, from collecting information about security vulnerability to monitoring the results of security
update programs. In this whitepaper, the focus is on the risk assessment used to determine whether
you should apply a security update program depending on the system.
Contents of this Chapter

This chapter describes how to implement patch management for your Windows
Server-based SAP system.
1. What Is Patch Management?

2. Collecting Information
3. Assessing Risks
4. Applying the Security Update Program
5. Monitoring the result
6. Summary
Microsoft and SAP work closely during the release cycle for service packs as Microsoft provides SAP
all pending services packs prior to their release. Thorough testing occurs by SAP before Microsoft
releases a particular service pack to ensure that installation will not cause a disruption of a running SAP
system. See SAP Note #663621 (“Supporting Microsoft Hot Fixes with Windows Update”) for more
information on SAP support of service packs.
Specific SAP support statements for Microsoft Windows Server service packs can be found at SAP
Note #30478 (“Support Packs on Windows”).
3.1 What Is Patch Management?

Patch management is comprehensively controlling the application of released security update programs
from the perspective of the processes involved and of your team (organization). This whitepaper
concentrates on the security update programs. In an environment in which you have appropriately
implemented hardening as described in Chapter 2 "Hardening", you may often find after implementing a
risk assessment (which is one of the patch management steps), that it is not urgent to apply the patch
immediately to protect against both known and new security vulnerabilities.
Patch management can be divided into four major processes: 1) "Collecting Information", where you
periodically check announcements about security vulnerability; 2) "Assessing Risks", where you
analyze risks identified through the collected security vulnerability information; 3) "Applying the Security
Update Program", where you test and apply the security update program; and 4) "Monitoring the
Result", where you check that all the necessary security update programs have been applied. The
following sections describe patch management based on these four processes.

Announcement about Risk Analysis
Security Vulnerability
Collecting
Information
3.2
Yes
Have all update No
programs been applied? Security update
No programs need to be
Monitoring the applied?
Result
Assessing
Check that the necessary update Risks
programs have all been applied Yes
3.3
Devise a plan to respond to

Restore system through a the vulnerability
roll-back process
No
Test the security update
Yes program before application
Any problems after
update?
Applying the security Apply the security update

update program program
0
Figure 30 – Example of the Patch Management Processes
3.2 Collecting Information

Before implementing patch management, you must collect information about security vulnerability.
There is a lot of information about security available from the Microsoft Web site. To effectively gather
information, you should predetermine what information you are looking for and organize the latest
information for easy checking and analysis.
Collecting Information about Security Vulnerability

Since October of 2003 when it revised its policy concerning the publication of security vulnerability
information, Microsoft releases information about security vulnerability on the "Microsoft Security
Bulletin Summaries" site the second Tuesday of every month. By using the free "Microsoft Security
Notification Service", you can be notified of the latest updated information by e-mail, eliminating the
need for you to periodically check the site yourself.
The "Microsoft Security Bulletin Summaries" describe in detail the nature of the vulnerability at issue,
any affected software, the maximum severity rating, countermeasures, workarounds, etc. In addition,
you can download any available security update programs as a countermeasure against the security
vulnerability.

Additional information:
In an urgent situation (for example, the threat of infection by a computer virus or worm), Microsoft may
release information about the security vulnerability anytime other than during the second week of the month
in order to publish it as soon as possible. But by also subscribing to the "Microsoft Security Notification
Service" (http://www.microsoft.com/technet/security/bulletin/notify.mspx), you can receive these urgent
unscheduled release notifications by e-mail. We highly recommend use of this service.
Table 15: Sites Providing Information on Security Vulnerability

Site Name Address
Microsoft Security http://www.microsoft.com/technet/security/bulletin/summary.mspx
Bulletin Summaries
Microsoft TechNet http://www.microsoft.com/technet/security/default.mspx
Security Center
Microsoft Security http://www.microsoft.com/technet/security/bulletin/notify.mspx
Notification Service
3.3 Assessing Risks

Risk Assessment means that, according to the system environment for each enterprise, you
comprehensively determine your degree of urgency based on the information gathered in "3.2
Collecting Information"). In the environment for which you have properly implemented hardening as
described in Chapter 2 "Hardening", you will often find that an "urgent application" is unnecessary
because the degree of urgency is lower than that in the environment for which hardening has not been
implemented.
Microsoft applies the severity rating system to each Microsoft report on security vulnerability to help you
determine the urgency of applying the security update program. The following table lists the ratings and
their definitions. However, this rating information is based on the assumption that you have not
implemented hardening for your system. You should determine the degree of urgency for your
enterprise by comprehensively assessing such aspects as the importance of your system and the state
of your hardening implementation. In the environment for which you have properly implemented
hardening as described in Chapter 2 "Hardening", the degree of urgency is less critical than in the
environment for which hardening has not been implemented.

Table 16: Definitions of the Severity Ratings
Rating Definition
Critical Describes vulnerability that, if exploited, could allow propagation of an
Internet worm without user action.
Important Describes vulnerability that, if exploited, could compromise user data
confidentiality, integrity, or availability, as well as compromise the integrity
or availability of processing resources.
Moderate Describes vulnerability for which the possibility of exploitation is
significantly lessened by the existing configuration, or by the difficulty of
infiltration or exploitation.
Low Describes vulnerability that is extremely difficult to exploit or the
exploitation of which has minimal impact.
For more information, see the Microsoft Security Response Center Security Bulletin Severity Rating
System (http://www.microsoft.com/technet/security/bulletin/rating.mspx).
This whitepaper uses four categories to describe the urgency of applying the security update program:
"Urgent application", "Applying during regular operation", "Applying with the service pack", and "No
application". Determine the appropriate emergency assessment category to suit your operation
depending on your system environment and security policies.
Example of the Emergency Assessment Categories

Determine the appropriate emergency assessment category to suit your operation
1. Urgent application
Apply within 1 month.
2. Applying during the regular course of operation

At least once every 3 to 6 months.
3. Applying with the service pack

When installing the next service pack.
4. No application
OS, functionality, product not affected.

Additional information: You can also obtain general emergency assessment from
http://www.microsoft.com/technet/itsolutions/techguide/msm/default.mspx.
However, this example of the emergency assessment categories was written based on actual SAP-
related consulting cases provided by Microsoft Consulting Services with some changes added. You
should consider the trade-offs among various assessment factors, such as your hardening
circumstances, risks, costs, time necessary to assess the security update program, and other
practicalities, when deciding your emergency assessment category.
Assessing the Consequences and Urgency of the Vulnerability

As described above, Microsoft releases information about security vulnerability once a month. But
taking measures against all security vulnerabilities would increase costs and shutdown times for your
system resulting in decreased availability. Since the consequences of the vulnerability vary depending
on the environment, it is important to determine the degree of urgency for your particular situation.
Even if the maximum severity rating of the security vulnerability is "Critical", if you do not use that
particular vulnerable service, in many cases you can respond to the vulnerability by application during
the regular course of operation (once every 3 to 6 months) or by application with the next service pack
(when installing the next service pack). To reduce the operational cost involved in applying the security
update program and to maintain high availability, you can create a matrix as one method for
determining the consequences of the vulnerability and the degree of urgency. It will be referred to as
the vulnerability assessment matrix in this whitepaper.
Example of a Method for Determining the Degree of Urgency

Determine the appropriate emergency assessment category to suit your operation
- Vulnerability Assessment Matrix
What is a Vulnerability Assessment Matrix?

The vulnerability assessment matrix is a matrix that can help you to determine the consequences of the
vulnerability on your system and the countermeasures to take against it, even if your system
environment is complex. You can create the matrix based on the information provided by Microsoft
about the security vulnerability.

Creating the Vulnerability Assessment Matrix
The vulnerability assessment matrix consists of three major parts: "Organizing the information about the
security vulnerability", "Assessing the pros and cons of the risk", and "Determining the degree of
urgency for applying the security update program for each enterprise" (see Table 18: Vulnerability
Assessment Matrix. Once you organize the information about the security vulnerability, you can create
the steps "Organizing the information about the security vulnerability" and "Assessing the pros and cons
of the risk". The portion "Organizing the information about the security vulnerability" is taken from the
monthly Security Bulletin described in section 0, “Collecting Information about Security Vulnerability"
(summarized from http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx, for example),
available from the Microsoft Security Bulletin Summaries at
http://www.microsoft.com/technet/security/bulletin/summary.mspx. For the contents of the excerpt, see
the following section, "Organizing the Information about the Security Vulnerability". The part "Assessing
the pros and cons of the risk" is created based on the information organized in the "Organizing the
Information about the Security Vulnerability" along with your system configuration, and provides the
criteria for determining the degree of urgency. By this determination, you can decide when to apply the
security update program.
To create the vulnerability assessment matrix, you must perform the following steps.
Step 1: Organizing Information about Security Vulnerability
Step 2: Assessing Pros and Cons of Risks
Step 3: Determining Urgency for Each Enterprise
Figure 31 – Process for Creating the Vulnerability Assessment Matrix
Organizing the Information about Security Vulnerability

In this step, you organize the following information about the security vulnerability.
Consequences of the vulnerability
Maximum severity rating
Affected software
Technical details
o Technical description
o Mitigating factors
Workarounds
Information about the security update program
o Restart requirement
o Information about uninstalling the program

Assessing the Pros and Cons of the Risk
Assess each criterion based on the information from the step "Organizing the Information about
Security Vulnerability".
Are there consequences of the vulnerability?
o Is there an affected OS?
o Are there affected products or functionality?
Is it possible for someone to attack anonymously? (simply an open port makes such an attack
possible)
Is it possible for someone to obtain or upgrade privileges?
There is no effective workaround.
Is it possible that the hardening implemented by each enterprise is not effective?
Determining the Degree of Urgency

The degree of urgency for each enterprise is determined by the result of the step "Assessing the Pros
and Cons of the Risk". See below for examples. In the first example, the determination is "Urgent
application" because all the criteria in "Assessing the Pros and Cons of the Risk" apply to the system. In
the second example, the determination is "Applying during regular operation" because the criterion
"Your system is affected by the vulnerability" applies to the system and the maximum severity rating is
"Important". The determination will vary depending on system configurations and environments.
Table 17: Determining Whether to Apply the Security Update Program

Determination Criteria
Urgent application All the criteria in the "Assessing the Pros and Cons of the
Risk" apply to your system.
Applying during regular operation The criterion "Are there consequences of the
vulnerability?" applies to your system and the maximum
severity rating is "Critical" or "Important".
Applying with the service pack The criterion "Are there consequences of the
vulnerability?" applies to your system and the maximum
severity rating is other than "Critical" or "Important".
No application Your system is not affected.

To help in the determination of whether to apply the security update program, you may want to create a
flowchart. Note that the flowchart will vary according to system configurations and environments.
Start
Affected by the NO
Pros/Cons of the
Risk
YES
Pros and Cons of the NO

Risk: All criteria apply
to the system.
YES NO
Maximum severity is
"Critical" or
"Important"
YES
Apply during the regular Apply with the

Urgent application No application
course of operation service pack
Figure 32 – Sample Flowchart for Determining Whether to Apply the

Security Update Program

Table 18: Vulnerability Assessment Matrix
Determination Sample 1 - Hardening has not been Implemented

Step 1: Organizing the Information about Security Vulnerability
Security Bulletin No. MS03-026
URL for information about the vulnerability http://www.microsoft.com/technet/security/bulletin/MS03-
026.mspx
Original release date of the vulnerability information July 17, 2003
report
Time elapsed between information release and -
occurrence of computer virus
Affected software Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0
Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Maximum Severity Rating Critical
Nature of the vulnerability Buffer overruns in RPC interface could allow code execution
(823980) (MS03-026)
Characteristics There is vulnerability in a part of RPC that handles message
exchange over TCP/IP. The issue stems from incorrect
handling of illegal messages.
Mitigating factors In order to exploit this vulnerability, the attacker would need
to have specially altered or sent a request to port 135, 139,
445 on the remote machine, or to another port configured for
RPC.
Restart required Yes
This security update program can be uninstalled Yes
Step 2: Assessing the Pros and Cons of the Risk

Are there consequences of the vulnerability? Yes
Is there an affected OS? Yes
Pros and Cons
Are there affected products or functionality?

of the Risk
Is it possible for someone to attack Yes

anonymously?
Is it possible for someone to obtain privileges? Yes
There is no effective workaround. Yes
Is it possible that the hardening implemented by Yes
each enterprise is not effective?
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
Determination Urgent application.
(After hardening is implemented, the degree of urgency will
be lessened.)



003.mspx
Original release date of the vulnerability information January 14, 2004

report
Affected software Microsoft Windows
Maximum Severity Rating Important
Nature of the vulnerability Buffer overrun in MDAC function could allow code execution
(832483)
Characteristics Microsoft Data Access Components (MDAC) is a collection

of components that provides the underlying functionality for
a number of database operations, such as connecting to
remote databases and returning data to a client.
Mitigating factors For an attack to be successful, an attacker would have to

simulate an SQL server that is on the same IP subnet as the
target system.
Restart required Yes
This security update program can be uninstalled No

Are there consequences of the vulnerability? Yes
Is there an affected OS? Yes
Pros and Cons
Are there affected products or functionality? -

of the Risk
Is it possible for someone to attack No

anonymously?
Is it possible for someone to obtain privileges? Yes
There is no effective workaround. No
Determination Apply during the regular course of operation.
(After implementing hardening, the degree of urgency will be
lessened.)



006.mspx
Original release date of the vulnerability information February 11, 2004

report
Affected software Microsoft Windows NT Server
Maximum Severity Rating Microsoft Windows 2000 Server
Nature of the vulnerability Microsoft Windows Server 2003
Characteristics Important
Mitigating factors Vulnerability in the Windows Internet Naming Service

(WINS) could allow code execution (830352)
Restart required A security vulnerability exists in the Windows Internet

Naming Service (WINS). This vulnerability exists because of
the method that WINS uses to validate the length of
specially-crafted packets.
This security update program can be uninstalled The WINS service is not installed by default.

Are there consequences of the vulnerability? No
Is there an affected OS? No
Pros and Cons
Are there affected products or functionality? No

of the Risk
Is it possible for someone to attack No

anonymously?
Is it possible for someone to obtain privileges? No
There is no effective workaround. No
Determination Only needs to be applied to the WINS server.
Application to the WINS server during regular operation.
(After hardening is implemented, the degree of urgency will
be lessened.)

Applying the Security Update Program
After you determine that the security update program needs to be applied through the result of risk
assessment of the vulnerability, you should apply it to your system. Applying the security update
program is performed according to the following steps: "Devising a plan for responding to the
vulnerability", "Testing the security update program before applying", "Applying the security update
program", "Verifying the behavior after application", and if problems occur from the application, then
"Restoring through the roll-back process".
Step 1: Devising a plan for responding to the vulnerability
Step 2: Testing the security update program before application
Step 3: Applying the security update program
Step 4: Verifying the behavior after application
Step 5: Restoring through the roll-back process
Figure 33 – Process Flow of Applying the Security Update Program
For the details on applying security update programs, see the document listed below.
Table 21: Reference Information

How To Implement Patch Management
http://msdn.microsoft.com/library/en-us/secmod/html/secmod108.asp
Devising a Plan for Responding to the Vulnerability

To apply the security update program, you should first devise a plan for responding to the vulnerability.
It is important to clarify the required security level since it varies depending on the system environment.
Before applying the security update program, you may want to create a flowchart for managing the
modification. By creating the flowchart, you can implement a better quality application. When devising
the plan, you should refer to SAP Notes 30478, 62988 and 664607 to check whether this security
update program has ever caused problems in the SAP environment.

Start
Emergency?
YES
NO
Normal process Emergency process
Plan the steps for change and Plan the steps for rapid change
restoration and restoration
NO
Test the steps for change and Testing
restoration required?
YES
NO Test quickly
Successful?
YES
NO
Successful?
Adjust before applying to the
production environment
YES
Adjust before applying, then apply

Apply to the production environment to the production environment
Finish Finish
Figure 34 – Sample Flowchart for Managing Changes

3.4 Applying Security Update Program
Points to Consider When Applying Security Patches

Apply revision in order of registration
o Applying the Security Patch and service packs causes old program files to be overwritten
with newer versions. Failure to observe the registration order will result in old modules
being in the place of new modules.
Reapply revision if necessary
o When the system modules of network components and device drivers are added to
Windows NT systems to which the Security Patch and Service Packs have already been
applied, the manager must manually re-apply the Service Packs and Security Patch.
Re-application is also recommended for Windows 2000, XP, and 2003.
Apply only the correct update
o Security Patch and service packs vary with the version of the corresponding product.
Table 22: Security Patch Considerations

System Upgrade Timing of Patch Application to If SAP System is Halted after
Types SAP System Patch Application
Security Patch Problem solving based on SAP
(Windows) Note #664607 (uninstall, etc.)
Immediately after Microsoft
Security Path
releases the Revision Program Contact SAP Support
(SQL Server)
(SAP Note #62988)
Service Packs
Once support is offered by SAP
(with strict change
(SAP Notes #30478, 62988 and
management
hardware/management tool
process and
manufacturers)
testing)

Testing the Security Update Program before Application
There may be rare occasions when a security update program will cause problems to a monitoring tool
or other programs. Therefore, you should test the security update program in a test environment before
applying it to the production environment. The test involves the following steps: "Testing the application
in a test environment", "Verifying the behavior in the test environment", and "Confirming the steps for a
roll-back in the test environment".
Test Steps
Test the security update program in a test environment before applying it to the
production environment.
1. Testing the application in a test environment

2. Verifying the behavior in the test environment
3. Confirming the steps for a roll-back in the test environment
Note: Before applying the security update program

Refer to the SAP Notes (especially 30478, 62988, and 664607) and check whether this security update
program has ever caused problems in the SAP environment.
Testing the Application in a Test Environment

The steps for applying the security update program can vary depending on the enterprise. Before
applying the security update program to the production environment, you need to confirm the
application steps in a test environment and verify the system behavior after application.
Updating via Management Tools

The cost involved in applying a security update program increases in proportion to the number of
machines. To help reduce this cost, Microsoft offers the following tools: Software Update Services
(SUS) which is provided free of charge, and Systems Management Server 2003 (SMS) which requires
licenses.
• Software Update Services (SUS)
SUS automatically provides notification of important updates to Windows computers, and
delivers them to all of the Windows desktop computers and servers in your organization.
For more information about SUS, see the Microsoft Software Update Services Whitepaper
(http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx).

• Systems Management Server 2003 (SMS 2003)
Systems Management Server 2003 (SMS 2003) provides a comprehensive solution for change
and configuration management for the Microsoft platform, enabling you to provide relevant
software and updates quickly.
For more information about Systems Management Server 2003 (SMS 2003), see the Systems
Management Server 2003 Reviewer's Guide
(http://www.microsoft.com/smserver/evaluation/revguide).
Note: Points to observe when applying the security update program

• Reapply as necessary
If a system module was added after application of the security update program or service pack, check the
security vulnerability information report to confirm the need for reapplying the program. Be sure to reapply
when necessary.
• Apply the program that corresponds to your software
You should apply the security update program and service pack that precisely corresponds to your software
because the programs and packs are designed for specific products, versions and languages. For example,
do not apply a service pack for English-version products to Japanese-version products.
3.5 Monitoring the Results
Verifying Behavior in the Test Environment

After applying the security update program, you will need to verify proper operation of your SAP system.
You should check your Windows and SAP system behavior. Verification of the SAP system behavior
consists of basic operation verification, as well as operation verification using a checklist and SAP
transactions. To verify your SAP system's operation, you should check the following:
Verification of Your Windows System (OS, RDBMS, IIS)

You will need to verify proper operation of your SAP system by checking your Windows
system behavior.
1. Checking event logs

2. Checking the logs of various products and functions
3. Verifying the operation of the necessary services
Verification of Your SAP System

You will need to verify proper operation of your SAP system by checking your SAP
system behavior.
1. Verifying operation using the checklist

2. Executing test transactions to verify its operation
3. Verifying the operation of extracted business applications

Confirming the Steps for Roll-Back in the Test Environment
There are steps for confirming a roll-back in the event there are problems caused by the application of
the security update program or by faulty implementation.
If problems are caused by faulty implementation
o Restore from a backup.
If problems are caused by the application of the security update program
o Uninstall the security update program.
Restore from a backup.
Confirming that the Necessary Programs have been Applied

After applying the security update program, you need to verify that it has been applied properly and that
possible problems that might have been caused by the vulnerability have been avoided. Microsoft
provides a free tool, the Microsoft Baseline Security Analyzer (MBSA), for checking whether any
computers have failed to apply the security update program. Microsoft also licenses a tool, the
Systems Management Server 2003 (SMS 2003), that comprehensively performs the implementation
process including applying of the security update programs, to checking and managing them.
• Microsoft Baseline Security Analyzer (MBSA)
For more information, see “Final Security Check”.
• Systems Management Server 2003 (SMS 2003)
For more information, see "Applying the Security Update Program".
Summary
This chapter described how to keep your Windows Server 2003-based SAP system
secure by implementing patch management.
1. Patch management (specifically, risk assessment) minimizes the

cost and risk associated with system changes.
2. It is important to maintain a well-balanced combination of patch
management and hardening practices.

Appendix: Report on Hardening Verification
This following explains the actual settings used for and the results of hardening verification of a
Windows Server 2003-based SAP system.
1.1 Verification Scenarios
Verification environments were constructed for three common SAP configuration patterns: SAP R/3
Enterprise, SAP ITS, and SAP Enterprise Portal.
Verification Scenarios
Verification environments were constructed for three common SAP configuration
patterns.
1. SAP R/3 Enterprise

2. SAP ITS
3. SAP Enterprise Portal
The versions of software systems used for the verification of these configurations are summarized
below.
Table 1 – Software Versions

Category Microsoft Products SAP Products
Directory Windows Server 2003 (Active Directory) -
SAP R/3 Enterprise Windows Server 2003 R/3 Enterprise 4.70 SR1 Ext.2.00, J2EE
Engine 6.30 SP2 (JDK1.3.1_10)
RDBMS (for R/3) Windows Server 2003, SQL Server 2000 -
(SP3+Hotfix 844 + new collation)
SAP ITS – Agate Windows Server 2003 ITS 6.20 SP8
SAP ITS – Wgate Windows Server 2003, IIS 6.0 ITS 6.20 SP8
SAP Enterprise Portal Windows Server 2003 Enterprise Portal 6.0 SP2 Patch3 + hotfix
2,J2EE Engine 6.20 SP20 (JDK1.3.1_10)
RDBMS (for EP) Windows Server 2003, SQL Server 2000 -
(SP3+Hotfix 844 + new collation)
EP IISProxy Windows Server 2003, IIS 6.0 IIS Proxy 1.5.0.0
Note: The latest security update programs as of March 1, 2004 had been applied to the respective
versions of Windows Server 2003 and SQL Server 2000.
Appendix: Report on Hardening Verification 65

1.2 Contents of Verifications
Two types of verification were conducted: network hardening (packet filtering using the IPSec script
policy)" and "service and other hardening (disabling and reconfiguring services using security
templates).
Contents of Verifications
Two types of verification were conducted.
1. Network hardening (packet filtering using the IPSec script policy)

2. Service and other hardening (disabling and reconfiguring services
using security templates)
Table 2 – Contents of Hardening Verifications

Category Description
Network hardening Configurations were implemented such that default communications
(packet filtering using the IPSec script policy) were blocked and communication was granted only for necessary
"communication routes" and "(destination) ports."
Service and other hardening (disabling and Unnecessary services were disabled and proper security configurations
reconfiguring services using security templates) were implemented for each server role.
1.3 Verification Results
For each verification scenario, configurations were set according to the verification contents and
confirmation was made that the SAP system ran without problems.
Verification notes:
• Hardening was carried out after the target system was disconnected from the network and all setup
procedures were completed.
• Tests were carried out on R/3 Enterprise, ITS, and Enterprise Portal in that order.
• For each scenario, single sign-on to an Active Directory was assumed.
Reasons
- "Single sign-on to an Active Directory" is expected to become a mainstream configuration in the future.
- Scenarios without single sign-on can be included.
• Network hardening was carried out after configuration/rollback scripts were prepared.
• A backup copy of the pre-hardening settings was taken whenever a security template was applied.
• For operation verification, hardening checks were made using SAP security checklists, MBSA, and
simple ping commands.

1.4 Network Hardening Settings
Network Hardening in SAP R/3 Enterprise
Packet filtering was implemented using the IPSec script policy in the environment shown below and as
summarized in Table 3 to Table 5.
Figure 1 – SAP R/3 Enterprise Environment

Table 2 – Packet Filtering Settings (1. Domain Controller)
Service Protocol Source Destination Source Destination Action Mirroring Remarks
Port Port Address Address
All Any Any Any Any This Block Yes All blocked by default.
traffic computer
SAP R/3 Any Any Any SAP R/3 This Grant Yes All communications from SAP
Enterprise Enterprise computer R/3 Enterprise granted.
SQL Server (for Any Any Any SQL Server This Grant Yes All communications from SQL
R/3) (for R/3) computer Server (for R/3) granted.
Other Domain Any Any Any Other This Grant Yes All communications from other
Controller Domain computer domain controllers granted.
Controller
ICMP ICMP Any Any This SAP R/3 Grant Yes Communication to SAP R/3
computer Enterprise Enterprise
ICMP ICMP Any Any This SQL Server Grant Yes Communication to SQL
computer (for R/3) Server (for R/3)
Table 3 – Packet Filtering Settings (2. SAP R/3 Enterprise)

traffic computer
SAP DIALOG TCP Any 3200 Any This Grant Yes Communication from SAP
Server computer GUI
SQL Server (for TCP Any 1433 This SQL Server Grant Yes Communication to SQL
R/3) Client computer (for R/3) Server (for R/3)
Domain Member Any Any Any This Domain Grant Yes Communication to Domain
computer Controller Controller
Table 4 – Packet Filtering Settings (3. SQL Server (for R/3))

traffic computer
SQL Server (for TCP Any 1433 SAP R/3 This Grant Yes Communication from SAP R/3
R/3) Enterprise computer Enterprise
Domain Any Any Any This Domain Grant Yes Communication to Domain
Member computer Controller Controller

Network Hardening in SAP ITS
Packet filtering was implemented using the IPSec script policy in the environment shown below and as
summarized in the Table 6to Table 10.
Figure 2 – SAP ITS Environment

traffic computer
SQL Server (for Any Any Any SQL Server This Grant Yes All communications from SQL
R/3) (for R/3) computer Server (for R/3) granted.
SAP ITS - Agate Any Any Any SAP ITS - This Grant Yes All communications from SAP
Agate computer ITS - Agate granted
ICMP ICMP Any Any This SAP R/3 Grant Yes Communication to SAP R/3
computer Enterprise Enterprise
ICMP ICMP Any Any This SQL Server Grant Yes Communication to SQL
computer (for R/3) Server (for R/3)
ICMP ICMP Any Any This SAP ITS - Grant Yes Communication to SAP ITS -
computer Agate Agate

traffic computer
SAP DIALOG TCP Any 3200 SAP ITS - This Grant Yes Communication from SAP ITS
Server Agate computer - Agate
SAP RFC TCP Any 3300 SAP ITS - This Grant Yes Communication from SAP
Server Agate computer RFC/BAPI program
HTTP Server TCP Any 8000 Any This Grant Yes Communication from Web
computer browser
HTTPS Server TCP Any 44300 Any This Grant Yes Communication from Web
computer browser
SQL Server (for TCP Any 1433 This SQL Server Grant Yes Communication to SQL
R/3) Client computer (for R/3) Server (for R/3)
Table 8 – Packet Filtering Settings (3. SQL Server)

traffic computer
SQL Server (for TCP Any 1433 SAP R/3 This Grant Yes Communication from SAP R/3
R/3) Enterprise computer Enterprise

Table 9 – Packet Filtering Settings (4. IIS + SAP ITS WGate)
All traffic Any Any Any Any This computer Block Yes
HTTP Server TCP Any 80 Any This computer Grant Yes
HTTPS Server TCP Any 443 Any This computer Grant Yes
HTTP Server for mgmt TCP Any 8080 Any This computer Grant Yes For administration
purposes
SAP ITS - Agate Client1 TCP Any 3900 This SAP ITS - Agate Grant Yes
computer
SAP ITS - Agate Client2 TCP Any 3910 This SAP ITS - Agate Grant Yes
computer
SAP ITS - Agate Client1 TCP Any 3918 This SAP ITS - Agate Grant Yes For administration
(for Mgmt) computer purposes
SAP ITS - Agate Client2 TCP Any 3928 This SAP ITS - Agate Grant Yes For administration
(for Mgmt) computer purposes
Domain Member Any Any Any This Domain Grant Yes
computer Controller
(oa.corp.com)
Table 10 – Packet Filtering Settings (5. SAP ITS Agate)

SAP ITS - Agate Server1 TCP Any 3900 SAP ITS - This computer Grant Yes
Wgate
SAP ITS - Agate Server2 TCP Any 3910 SAP ITS - This computer Grant Yes
Wgate
SAP ITS - Agate Server1 TCP Any 3918 SAP ITS - This computer Grant Yes For administration
(for Mgmt) Wgate purposes
SAP ITS - Agate Server2 TCP Any 3928 SAP ITS - This computer Grant Yes For administration
(for Mgmt) Wgate purposes
SAP DIALOG Client TCP Any 3200 This SAP DIALOG Grant Yes
computer Server
SAP RFC Client TCP Any 3300 This SAP RFC Grant Yes
computer Server
Domain Member Any Any Any This Domain Grant Yes
computer Controller
(sap.corp.com)

Network Hardening in SAP Enterprise Portal
Packet filtering was conducted using the IPSec script policy in the environment shown below and as
summarized in the Table 11 to Table 18.
Figure 3 - SAP Enterprise Portal Environment

traffic computer
SQL Server Any Any Any SQL Server (for This Grant Yes All communications from SQL
(for R/3) R/3) computer Server (for R/3) granted.
SAP ITS - Any Any Any SAP ITS - Agate This Grant Yes All communications from SAP
Agate computer ITS - Agate granted.
SAP Any Any Any SAP Enterprise This Grant Yes All communications from SAP
Enterprise Portal computer Enterprise Portal granted.
Portal
SQL Server Any Any Any SQL Server This Grant Yes All communications from SQL
(for EP) (for EP) computer Server (for EP) granted.
ICMP ICMP Any Any This computer SAP R/3 Grant Yes Communication to SAP R/3
Enterprise Enterprise
ICMP ICMP Any Any This computer SQL Server Grant Yes Communication to SQL Server
(for R/3) (for R/3)
ICMP ICMP Any Any This computer SAP ITS - Grant Yes Communication to SAP ITS -
Agate Agate
ICMP ICMP Any Any This computer SAP Grant Yes Communication to SAP
Enterprise Enterprise Portal
Portal
ICMP ICMP Any Any This computer SQL Server Grant Yes Communication to SQL Server
(for EP) (for EP)

traffic computer
SAP DIALOG TCP Any 3200 SAP ITS - This Grant Yes Communication from SAP
Server Agate computer ITS - Agate
SAP RFC TCP Any 3300 SAP ITS - This Grant Yes Communication from SAP
Server Agate computer RFC/BAPI program
SAP RFC TCP Any 3300 SAP Enterprise This Grant Yes Communication from SAP
Server Portal computer Enterprise Portal
HTTP Server TCP Any 8000 Any This Grant Yes Communication from Web
computer browser
HTTPS Server TCP Any 44300 Any This Grant Yes Communication from Web
computer browser
SQL Server TCP Any 1433 This computer SQL Server Grant Yes Communication to SQL
(for R/3) Client (for R/3) Server (for R/3)
Domain Any Any Any This computer Domain Grant Yes Communication to Domain
Member Controller Controller

traffic computer
SQL Server TCP Any 1433 SAP R/3 This Grant Yes Communication from
(for R/3) Enterprise computer SAP R/3 Enterprise
Table 14 – Packet Filtering Settings (4. SAP Enterprise Portal 6.0)

All traffic Any Any Any Any This Block Yes All blocked by
computer default.
SAP J2EE Dispatcher TCP Any 50000 Any (EP This Grant Yes
Server (HTTP) IISPROXY) computer
SAP J2EE Dispatcher TCP Any 50001 Any (EP This Grant Yes
Server (HTTPS) IISPROXY) computer
HTTP Client TCP Any 80 This computer SAP ITS - Grant Yes SAP ITS - Wgate
Wgate
HTTPS Client TCP Any 443 This computer SAP ITS - Grant Yes
Wgate
HTTP Client TCP Any 8000 This computer SAP R/3 Grant Yes SAP R/3 Enterprise
Enterprise
HTTPS Client TCP Any 44300 This computer SAP R/3 Grant Yes
Enterprise
RFC Client TCP Any 3300 This computer SAP R/3 Grant Yes
Enterprise
SQL Server (for EP) TCP Any 1433 This computer SQL Server Grant Yes Communication to
Client (for R/3) SQL Server (for R/3)
Domain Member Any Any Any This computer Domain Grant Yes Communication to
Controller Domain Controller

traffic computer
SQL Server TCP Any 1433 SAP Enterprise This Grant Yes Communication from SAP
(for EP) Portal computer Enterprise Portal
Table 16 – Packet Filtering Settings (6. IIS + SAP ITS WGate)

All Any Any Any Any This computer Block Yes

traffic
HTTP Server TCP Any 80 Any This computer Grant Yes
HTTPS Server TCP Any 443 Any This computer Grant Yes
HTTP Server for mgmt TCP Any 8080 Any This computer Grant Yes For administration
purposes
SAP ITS - Agate TCP Any 3900 This SAP ITS - Agate Grant Yes
Client1 computer
SAP ITS - Agate TCP Any 3910 This SAP ITS - Agate Grant Yes
Client2 computer
SAP ITS - Agate TCP Any 3918 This SAP ITS - Agate Grant Yes For administration
Client1 (for Mgmt) computer purposes
SAP ITS - Agate TCP Any 3928 This SAP ITS - Agate Grant Yes For administration
Client2 (for Mgmt) computer purposes
Domain Member Any Any Any This Domain Controller Grant Yes
computer (oa.corp.com)

Table 17 – Packet Filtering Settings (7. SAP ITS Agate)
SAP ITS - Agate TCP Any 3900 SAP ITS - This computer Grant Yes
Server1 Wgate
SAP ITS - Agate TCP Any 3910 SAP ITS - This computer Grant Yes
Server2 Wgate
SAP ITS - Agate TCP Any 3918 SAP ITS - This computer Grant Yes For administration
Server1 (for Mgmt) Wgate purposes
SAP ITS - Agate TCP Any 3928 SAP ITS - This computer Grant Yes For administration
Server2 (for Mgmt) Wgate purposes
SAP DIALOG Client TCP Any 3200 This SAP DIALOG Grant Yes
computer Server
SAP RFC Client TCP Any 3300 This SAP RFC Server Grant Yes
computer
Domain Member Any Any Any This Domain Controller Grant Yes
computer (sap.corp.com)
Table 18 – Packet Filtering Settings (8. IIS + SAP Enterprise Portal IIS Proxy)
All traffic Any Any Any Any This computer Block Yes All Traffic
HTTP Server TCP Any 80 Any This computer Grant Yes HTTP Server
HTTPS Server TCP Any 443 Any This computer Grant Yes HTTPS Server
SAP Enterprise Portal TCP Any 50000 This SAP Enterprise Grant Yes SAP Enterprise Portal
Client for HTTP computer Portal Client for HTTP
SAP Enterprise Portal TCP Any 50001 This SAP Enterprise Grant Yes SAP Enterprise Portal
Client for HTTPS computer Portal Client for HTTPS
Domain Member Any Any Any This Domain Controller Grant Yes Domain Member
computer (oa.corp.com)

1.5 Service and Other Hardening Settings
Service Hardening Using Templates
Security templates suitable for the respective servers (see below) were applied and services were
disabled (see Table 20 to Table 27).
Table 19 – Servers and Applied Security Templates

Servers Role Applied Security Template*
Domain Controller Domain controller High Security - Domain Controller.inf
SAP R/3 Enterprise Member server High Security - Member Server Baseline.inf
SQL Server (for R/3) Member server High Security - Member Server Baseline.inf
SAP ITS - Agate Member server High Security - Member Server Baseline.inf
SAP ITS - Wgate Web server High Security - IIS Server.inf
SAP Enterprise Portal Member server High Security - Member Server Baseline.inf
SQL Server (for EP) Member server High Security - Member Server Baseline.inf
EP IISProxy Web server High Security - IIS Server.inf
* The most secure "high security" template was used as the assumed security environment.
Download security templates from:

http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-
521EA6C7B4DB&displaylang=en#filelist

Table 20 – Domain Controller
Name Status Startup options Log on
Automatic Updates Start Auto Local System
Computer Browser Start Auto Local System
Cryptographic Services Start Auto Local System
Distributed File System Start Auto Local System
DNS Client Start Auto Network Service
DNS Server Start Auto Local System
Event Log Start Auto Local System
File Replication Service Start Auto Local System
Intersite Messaging Start Auto Local System
IPSEC Services Start Auto Local System
Kerberos Key Distribution Center Start Auto Local System
Net Logon Start Auto Local System
NT LM Security Support Provider Start Auto Local System
Plug and Play Start Auto Local System
Protected Storage Start Auto Local System
Remote Procedure Call (RPC) Start Auto Local System
Remote Procedure Call (RPC) Locator Start Auto Network Service
Remote Registry Start Auto Local Service
Security Accounts Manager Start Auto Local System
Server Start Auto Local System
System Event Notification Start Auto Local System
TCP/IP NetBIOS Helper Start Auto Local Service
Terminal Services Start Auto Local System
Windows Installer Start Auto Local System
Windows Management Instrumentation Start Auto Local System
Windows Time Start Auto Local System
Workstation Start Auto Local System
Background Intelligent Transfer Service Manual Local System
COM+ Event System Start Manual Local System
Logical Disk Manager Manual Local System
Logical Disk Manager Administrative Service Manual Local System
Microsoft Software Shadow Copy Provider Manual Local System
Network Connections Start Manual Local System
Network Location Awareness (NLA) Start Manual Local System
Performance Logs and Alerts Manual Network Service
Removable Storage Manual Local System
Volume Shadow Copy Manual Local System
Windows Management Instrumentation Driver Extensions Manual Local System
WMI Performance Adapter Manual Local System
Alerter Disable Local Service
Application Layer Gateway Service Disable Local Service
Application Management Disable Local System
ClipBook Disable Local System
COM+ System Application Disable Local System
DHCP Client Disable Network Service
DHCP Server Disable Local System
Distributed Link Tracking Client Disable Local System
Distributed Link Tracking Server Disable Local System
Distributed Transaction Coordinator Disable Network Service
Error Reporting Service Disable Local System
Help and Support Disable Local System
HTTP SSL Disable Local System
Human Interface Device Access Disable Local System
IMAPI CD-Burning COM Service Disable Local System
Indexing Service Disable Local System

Internet Connection Firewall (ICF) / Internet Connection Sharing Disable Local System
(ICS)
License Logging Disable Network Service
Messenger Disable Local System
NetMeeting Remote Desktop Sharing Disable Local System
Network DDE Disable Local System
Network DDE DSDM Disable Local System
Portable Media Serial Number Service Disable Local System
Print Spooler Disable Local System
Remote Access Auto Connection Manager Disable Local System
Remote Access Connection Manager Disable Local System
Remote Desktop Help Session Manager Disable Local System
Resultant Set of Policy Provider Disable Local System
Routing and Remote Access Disable Local System
Secondary Logon Disable Local System
Shell Hardware Detection Disable Local System
Smart Card Disable Local Service
Special Administration Console Helper Disable Local System
Task Scheduler Disable Local System
Telephony Disable Local System
Telnet Disable Local Service
Terminal Services Session Directory Disable Local System
Themes Disable Local System
Uninterruptible Power Supply Disable Local Service
Upload Manager Disable Local System
Virtual Disk Service Disable Local System
WebClient Disable Local Service
Windows Audio Disable Local System
Windows Image Acquisition (WIA) Disable Local Service
WinHTTP Web Proxy Auto-Discovery Service Disable Local Service
Wireless Configuration Disable Local System

Table 21 – SAP R/3 Enterprise
Distributed File System Start Auto Local System
SAPOSCOL Start Auto SAPSAPServicePO1
Background Intelligent Transfer Service Start Manual Local System
SAPP01_00 Start Manual SAPSAPServicePO1
SAPP01_05 Start Manual SAPSAPServicePO1
File Replication Disable Local System
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Disable Local System
Intersite Messaging Disable Local System

Kerberos Key Distribution Center Disable Local System
Remote Procedure Call (RPC) Locator Disable Network Service

Table 22 – SQL Server (for SAP R/3 Enterprise)
MSSQLSERVER Start Auto Local System
SQLSERVERAGENT Start Auto Local System
Distributed File System Disable Local System

Microsoft Search Disable Local System
MSSQLServerADHelper Disable Local System

Table 23 – SAP ITS Agate
ITS Watchdog Start Auto Local System
SAP IACOR Manager Start Auto Local System
SAP ITS Manager - ADM Start Auto Local System
SAP ITS Manager - P01 Start Auto Local System
Windows Installer Auto Local System


Table 24 – SAP ITS Wgate
HTTP SSL Start Auto Local System
IIS Admin Service Start Auto Local System
SAP IACOR Manager Start Auto Local System
World Wide Web Publishing Service Start Auto Local System
(ICS)


Table 25 – SAP Enterprise Portal
(ICS)


Table 26 – SQL Server (for SAP Enterprise Portal)
MSSQLSERVER Start Auto SAPAdministrator
Symentec Ghost Configuration Server Start Auto Local System
SQLSERVERAGENT Manual SAPAdministrator
(ICS)

Microsoft Search Disable Local System
MSSQLServerADHelper Disable Local System

Table 27 – SAP Enterprise Portal IIS Proxy
HTTP SSL Start Auto Local System
IIS Admin Service Start Auto Local System
World Wide Web Publishing Service Start Auto Local System
(ICS)


Reconfigurations Made After the Application of Security Templates
Impersonate a client after authentication

In SAP R/3 Enterprise and SQL Server (for R/3), Administrators, which was deleted for the high
security template, was entered again for the reconfiguration to be made after the application of security
templates.
Figure 4 – User Rights Assignment Policy

Default Template Newly Applied Template Settings
After High Security is Applied After High Security is Applied
RECONFIGURATION
Figure 5 – Settings
Note: An application that is running as if it were a user can be disguised as a client if it is assigned the
[Impersonate a client after authentication] privilege. The unauthorized user's attempt to credit a client
with an authorized connection with this type of disguise is checked by asking the user for a user
authorization. For example, when an unauthorized user is presented as a client after connecting to a
service that has been created from a remote procedure call (RPC) or a named pipe, the authority level
of unauthorized users is raised to the administrator or system level. The default security group for this
user authority is suitable for the legacy client and enterprise client environments. This user authority in
a high security environment, however, can only be configured with Local Service and Network Service.

Shutdown: Clear virtual memory page file
In SAP R/3 Enterprise, the settings that had been enabled in high security templates were disabled.
Figure 6 – Security Options

Default Template Newly Applied Template Settings
After High Security is Applied After High Security is Applied
RECONFIGURATION
Figure 7 – Settings
Note: The [Shutdown: Clear virtual memory page file] security option determines whether the virtual
memory page file is to be cleared when the system is shut down. When this option is selected, the
system page file is cleared each time the system is shut down. When this security option is activated,
the hibernation file (hiberfil.sys) is also zeroed in a portable computer system if the hibernation state is
disabled. The sequence of shutting down and restarting the server will then take a long time, which will
be noticeable in a server with a large paging file. For this reason, this option is configured as "disabled"
in legacy client and enterprise client environments although it is "enabled" in a high security
environment.
Caution: There is the possibility that an attacker who is physically accessing a server could bypass this
setting by disconnecting the server from the power source.

Sap Hardering For Windows Server

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sap Hardering For Windows Server

Uploaded by

Copyright:

Available Formats

SAP Hardening and Patch Management Guide

for Windows Server

SAP Hardening and Patch Management Guide for Windows Server 4

Purpose of This Whitepaper

SAP Hardening and Patch Management Guide for Windows Server 1

Figure 1 – Security Measures

SAP Hardening and Patch Management Guide for Windows Server 2

Using a multi-layer approach The idea is to protect the system

Data ACL, Encryption

Host Enhancing operation systems, Security Update

Boundaries Firewall, VPN isolation

Policies, Regulations User Education

Figure 2 – Multi-layer Defense

SAP Hardening and Patch Management Guide for Windows Server 3

Table 1: Common Security Measures

Building a secure system Data

Policies, regulations, and

Institutional measures Risk analysis Yes

Risk management procedures

SAP Hardening and Patch Management Guide for Windows Server 4

Contents of this Chapter

2.1 What Is Hardening?

Effect: Enhances security

Effect: Ensures availability

Effect: Reduces operational cost

SAP Hardening and Patch Management Guide for Windows Server 5

Effective hardening methods for SAP systems

1. Network hardening (internal network layer)

2.3 Harding Implementation Steps

Implement network Implement server Implement other

Step-by-step implementation of hardening

Repeat the procedure for each server and hardening

Final security check (*2)

Figure 3 - Hardening Implementation Steps

SAP Hardening and Patch Management Guide for Windows Server 6

Preparations before implementing hardening

1. Clarifying the required security level

2. Checking the system specifications

3. Determining what might need hardening

4. Estimating the cost and the effect of the hardening

5. Determining what to harden

Network Hardening Defined…

Effect: Blocks attacks that use unnecessary communications

SAP Hardening and Patch Management Guide for Windows Server 7

Importance of Network Hardening

Reason: Therefore, hardening networks to the maximum extent makes

SAP Hardening and Patch Management Guide for Windows Server 8

Ports and Packet Filtering

SAP Hardening and Patch Management Guide for Windows Server 9

The following is includes an example of the IPSec script policy:

:IPSec Policy Definition

:IPSec Filter List Definitions

:IPSec Filter Action Definitions

:IPSec Filter Definitions

:IPSec Rule Definitions

netsh ipsec static set policy name="Packet Filters - R3" assign=y

1 Default communication blocked.

SAP Hardening and Patch Management Guide for Windows Server 10

SAP Hardening and Patch Management Guide for Windows Server 11

SAP Hardening and Patch Management Guide for Windows Server 12

SAP Hardening and Patch Management Guide for Windows Server 13

Figure 6 – Ports Used by SAP ITS (Wgate and Agate)