This baseline is a good start, if only as a bare minimum
Earlier this year, SAP released an updated and revised version of its SAP Security Baseline, version 2.0. This new SAP Security Baseline document helps customers define a minimum set of requirements to keep their business-critical SAP systems secure with regard to SAP parameters, specific settings, users and their access rights. It also contains checks on whether components such as the kernel, application layer, database layer and operating system layer are on a current version. Details on the new SAP Security Baseline can be found in SAP note 2253549 (a Marketplace user is required), but in this blog we’d like to give some more background on it.
The first version of this document was created around 2015 based on customer feedback requesting a document like this, as other large vendors such as Microsoft had already released baselines for their products years earlier. Several customers needed a vendor-driven set of best-practice values and settings they could measure their SAP systems against to see whether they met these best practices. This led to the first baseline document.
From our experience, at first we did not see wide adoption of this document, and especially not a wide range of customers trying to meet these best practices. Lately, however, more and more customers are asking about this baseline document, so at least they know of its existence. This shows that awareness of the baseline specifically, and of SAP security in general, has grown, and not only among SAP’s large enterprise customers: smaller customers also take this topic more seriously.
In this newly released version, there are quite a few changes compared to the previous one, mainly the restructuring of the chapters, the addition of the classifications “Critical”, “Standard” and “Extended”, and a focus on the application layer. This meant SAP removed several operating system, database and SAProuter-specific checks. What is great about this new version is the introduction of several Web Dispatcher-related checks, as this is an SAP component that is seen at almost all SAP customers and was not properly dealt with in the previous version. Good to know is that Protect4S now supports these types of system components as well. What is less good about this new version is that many checks on the operating system and database layer have been removed and that several other topics are labelled as “to be delivered”, making this SAP Security Baseline 2.0 an application-layer-only subset of checks. That is not a good thing, as SAP security is only as strong as the combined security of all these layers.
Protect4S offers the SAP Security Baseline 2.0 as one of its templates as of Support Package 15. The baseline checks with their recommended values are covered by Protect4S, making it very easy to check your SAP systems against this set of best practices. Keep in mind that this baseline is the absolute minimum set of checks; depending on your specific situation and risk appetite, we recommend checking many other items, such as specific checks on the database and operating system layer, but also within the application layer, where Protect4S has many more checks than the baseline covers.
A demonstration video of the SAP Security Baseline template and the output can be found here.
Sources of information
Background information and the current download link to the SAP security baseline template can be found in OSS note 2253549, or by going to https://support.sap.com/sos → Media Library → SAP Security Baseline Template.
To find out what output the baseline or other checks reveal in your SAP systems, try out Protect4S for 30 days for free or request a free demo!
For more SAP security-related news, articles and whitepapers, please follow us on LinkedIn!