By introducing new secure by default settings

With the recent release of SAP S/4HANA 2021, SAP introduced a new set of secure by default settings. Read the blog from Bjoern Brencher for more details. This is a step forward in offering a more secure default setup for customers that install or upgrade their SAP systems to the most recent S/4HANA version. Full details on the specific settings can be found in the blog linked above; among other things they include:
- Activation of table logging for business-critical tables
- Activation of SAP HANA Audit Logging
- More secure defaults for 3 Transport Management parameters
- Activation of the UCON HTTP allow list, which limits the attack surface of your systems
- Kernel default values set to more secure defaults for 18 additional parameters
This is another step towards more secure SAP systems, especially for new customers or customers that upgrade their systems. However, most SAP customers installed their SAP systems in the past two decades, when the defaults were not secure. In our SAP security assessments and penetration tests we see that most SAP customers struggle with this, which often results in findings related to insecure settings and defaults. There are good reasons for that: in the past many parameters had insecure defaults, Access Control Lists were open to “the world” by default, and default accounts with default passwords were even created when installing SAP systems.
SAP tries to help customers with these new secure by default settings, but that alone is not enough. Vendors and customers have a shared responsibility here. Or, as SAP states on this topic:
“As secure by default settings cannot and will not cover all aspects of security settings in S/4HANA systems, we highly recommend customers to perform additional reviews and validations of their system settings to improve their security posture.”
This is where Protect4S can help. Checking for insecure settings is hard: there are hundreds of parameters and settings to check per system, and doing so requires an enormous effort and specialist knowledge. Protect4S automates all of this, providing insight into the security state of your SAP landscape and guiding you towards solutions that lower risk.
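To make the parameter-checking problem concrete, here is a small added example (written for this page, not Protect4S's own code and not SAP's secure-by-default list) that parses an SAP instance profile and compares a handful of parameters against a baseline. The profile text is a constructed sample; the parameter names (rec/client, login/no_automatic_user_sapstar, gw/acl_mode, gw/sec_info, login/min_password_lng) are real SAP profile parameters, but the "expected" values in the baseline are an illustrative assumption for this example, not an authoritative hardening standard. A real check covers hundreds of parameters and should take its expected values from SAP's own security notes and guides.

```python
"""Check an SAP instance profile against a small secure-configuration baseline.

Added example for this page; the baseline below is an illustrative assumption,
not SAP's published secure-by-default list.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample of an SAP instance profile. The real format is
# "parameter = value" per line, with '#' starting a comment.
SAMPLE_PROFILE = """\
# Instance profile of a hypothetical system (constructed sample)
SAPSYSTEMNAME = P4S
INSTANCE_NAME = D00
rec/client = OFF                       # table logging switched off
login/no_automatic_user_sapstar = 0    # SAP* can be recreated with its default password
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
login/min_password_lng = 6
"""


@dataclass(frozen=True)
class Finding:
    parameter: str
    actual: Optional[str]   # None means the parameter is not set in the profile
    expected: str
    severity: str


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; comments and blank lines are ignored."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _is_int_at_least(minimum: int) -> Callable[[Optional[str]], bool]:
    return lambda v: v is not None and v.isdigit() and int(v) >= minimum


# Baseline rules: (parameter, predicate on the value, expected value, severity).
# Values are ASSUMED for illustration; consult SAP's documentation for real ones.
BASELINE = [
    ("rec/client", lambda v: v is not None and v.upper() != "OFF",
     "ALL or an explicit client list (table logging active)", "high"),
    ("login/no_automatic_user_sapstar", lambda v: v == "1",
     "1 (no automatic SAP* with default password)", "high"),
    ("gw/acl_mode", lambda v: v == "1",
     "1 (restrictive gateway defaults when secinfo/reginfo are missing)", "high"),
    ("gw/sec_info", lambda v: v is not None,
     "path to a maintained secinfo file", "medium"),
    ("login/min_password_lng", _is_int_at_least(8),
     "8 or more", "medium"),
]


def check_profile(params: Dict[str, str]) -> List[Finding]:
    """Return one Finding per baseline rule the profile fails.

    A parameter that is absent is passed to the rule as None, so rules that
    depend on an insecure kernel default (e.g. rec/client) still fire.
    """
    findings: List[Finding] = []
    for name, ok, expected, severity in BASELINE:
        actual = params.get(name)
        if not ok(actual):
            findings.append(Finding(name, actual, expected, severity))
    return findings


def report(text: str) -> List[Finding]:
    findings = check_profile(parse_profile(text))
    for f in findings:
        shown = "<not set>" if f.actual is None else f.actual
        print(f"[{f.severity:6}] {f.parameter}: found {shown!r}, expected {f.expected}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_PROFILE)
```

Run against the constructed sample it flags rec/client, login/no_automatic_user_sapstar and login/min_password_lng, while gw/acl_mode and gw/sec_info pass. The point of the structure is that each rule is a predicate rather than a literal comparison, because many SAP parameters (rec/client being one) are "secure" for a whole family of values rather than a single one; extending the check is a matter of adding rows to the baseline, and the same parser works on any profile exported from an instance.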
Do you want insight into the state of security of your SAP landscape? Let us know and we’re happy to show you how easy and insightful that can be.