SAP Security Parameters Overview

Enterprise IT infrastructure and the constantly growing number of cyber threats are among the main factors that directly influence an organization's security. The recent shift of companies to mass remote or hybrid work has put even greater emphasis on monitoring the security of systems used by employees located all around the world. The security of central ERP systems such as SAP should be a priority for every company that runs them. A thorough understanding of SAP system security is essential both for configuring the software well and for meeting the data protection obligations that apply to each user.
A common way to learn about SAP security methodology is to read the technical documentation provided by the manufacturer. For many people, however, that is far too time-consuming, especially without direct exposure to SAP Security and the security terminology of SAP systems. What other options are there? A good start is an overview of the most important aspects of SAP security. Which aspects ensure the security of an SAP system, and what exactly does SAP security mean?
SAP Security & Authorizations is a system that protects SAP data and applications against unauthorized access and use. SAP provides various security controls to ensure that important data is always protected. SAP systems store confidential information about customers, business partners, and the company itself. Regular audits of SAP systems are essential to ensure full data integrity and security. This also applies to processes and Segregation of Duties (SoD).
One of the key elements of SAP Security that allows the current state of the system to be assessed is the verification of the security configuration, in particular the profile parameters maintained in SAP Basis. A thorough analysis of these parameters shows how secure their settings are and lets the organization identify and eliminate weaknesses in the system configuration. Detecting and removing such weaknesses also prepares the organization for the recurring security and financial-statement audits that companies running SAP are subject to.
The security parameters discussed here are part of the SAP system profiles. They determine how an instance is started and set the numerous variables that define how the SAP instance and the system operate.
There are two types of SAP profiles:
- Default profile – consists of global parameters for all instances in the SAP system
- Instance profile – consists of profile data specific to a particular instance
The terminology of, and issues around, SAP security parameters are handled by the SAP Security team, which publishes an official SAP document called the Security Baseline Template.
What is the Security Baseline at its core? It is a set of good practices specifying the security prerequisites that are required for any kind of SAP system implementation in an organization; it is widely known as the SAP security benchmark. The term “Baseline” denotes the preconditions that must be met before SAP systems are implemented in the organization.
The “Security Baseline” also defines the security measures that are considered “essential” and therefore require no further analysis within the enterprise.
The latest version was updated on November 16, 2021. The documentation is regularly reviewed and revised by an authorized team, which releases new versions from time to time.
In the SAP Security Baseline Template, the parameters are classified into 3 levels of security standards:
- Critical
- Standard
- Extended
All configuration parameters proposed in the publication are recommendations based on best practices, not binding system settings. Depending on your needs, you can change, add or remove security requirements at your discretion. However, make these decisions deliberately and be aware of the risks and the level of security that follow from your own interpretation of the “Security Baseline”.
In particular, the requirements marked “Extended” need a broader review. They go beyond the critical and standard requirements and extend the security standard to higher levels of protection or to further areas. They may therefore not fit every environment and should be tailored to your internal policies, organization, overall IT landscape and security needs.
The best practice recommended by the SAP Security team is to start with a fixed but limited set of key requirements and raise the level of SAP security gradually over time: first the critical and standard requirements, then the extended ones.
Security parameters and their values apply to the different platforms and technologies used in an enterprise's SAP systems. The most common are ABAP, Java and HANA; others include Web Dispatcher and the RFC Gateway.
The tables below summarize most of the SAP security parameters included in the SAP Security Baseline Template (version 2.3).
They are ordered by priority: critical first, then standard, then extended.
The columns give the parameter name, its description, the risk level, the platform or technology, the default value, and the value recommended by the Security Baseline Template (SBT).
Table 1. Critical Parameters
Parameter | Parameter description | Risk level | Platform or Technology | Default value | SBT recommended value
ms/acl_info | File with access control list for message server | Critical | ABAP | /usr/sap/GDA/SYS/global/ms_acl_info | no “dummy” entries like: host=* |
ms/acl_info | File with access control list for message server | Critical | JAVA | /usr/sap/GDA/SYS/global/ms_acl_info | no “dummy” entries like: host=* |
listeninterface | Section parameter of the global.ini file on single host systems | Critical | HANA | .local | .local |
listeninterface | Section parameter of the global.ini file on single host systems | Critical | HANA | .local | .internal |
indexserver.ini/sqltrace/level | SQL trace level parameter in the indexserver.ini file | Critical | HANA | – | <> ALL_WITH_RESULTS |
login/no_automatic_user_sapstar | Control of the automatic login user SAP* | Critical | ABAP | 1 | 1 |
login/min_password_lng | Minimum Password Length | Critical | ABAP | 6 | >=8 |
MIN_PASSWORD_LENGTH | Minimum Password Length | Critical | ABAP | 6 | >=8 |
login/password_max_idle_initial | Maximum #days a password (set by the admin) can be unused (idle) | Critical | ABAP | 0 | between 1 and 14 |
MAX_PASSWORD_IDLE_INITIAL | Maximum #days a password (set by the admin) can be unused (idle) | Critical | ABAP | 0 | between 1 and 14 |
login/password_expiration_time | Days until the password must be changed | Critical | ABAP | 0 | 365
PASSWORD_CHANGE_INTERVAL | Days until the password must be changed | Critical | ABAP | 0 | 365
login/password_downwards_compatibility | Password downwards compatibility (8 / 40 characters, case-sensitivity) | Critical | ABAP | 0 | 0 |
ume.logon.security_policy.password_min_length | Minimum Password Length | Critical | JAVA | 1 | >=8 |
minimal_password_length | Minimum Password Length | Critical | HANA | 8 | >=8 |
maximum_unused_initial_password_lifetime | Maximum #days a password (set by the admin) can be unused (idle) | Critical | HANA | 14 | <=14 |
secinfo | RFC gateway access control list item | Critical | ABAP | $(DIR_DATA)/secinfo | restrict access to RFC servers to expected sources |
reginfo | RFC gateway access control list item | Critical | ABAP | $(DIR_DATA)/reginfo | restrict access to RFC servers to expected sources |
gw/sec_info | External security filename for gateway | Critical | ABAP | /usr/sap/GDA/SYS/global/secinfo | set to filenames of secinfo access control list files |
gw/reg_info | External security filename for gateway | Critical | ABAP | /usr/sap/GDA/D30/data/reginfo | set to filenames of reginfo access control list files |
gw/reg_no_conn_info | Security options | Critical | ABAP | 1 | at least bit 1,2,3 and 4 must be set (bit 1 as of Kernel 7.40); must contain one of the values 15,31,47,63,79,95,111,127,143,159,175,191,207,223,239,255 (respectively 1, 65, 129, 193 as of Kernel 7.40) |
gw/acl_mode | Mode for non existing ACL file | Critical | ABAP | 1 | 1 |
gw/monitor | Enables or disables monitor commands | Critical | ABAP | 1 | 1 |
gw/sim_mode | Start simulation mode for reg_info and sec_info | Critical | ABAP | 0 | 0 |
secinfo | RFC gateway access control list item | Critical | JAVA | $(DIR_DATA)/secinfo | restrict access to RFC servers to expected sources |
reginfo | RFC gateway access control list item | Critical | JAVA | $(DIR_DATA)/reginfo | restrict access to RFC servers to expected sources |
gw/sec_info | External security filename for gateway | Critical | JAVA | /usr/sap/GDA/SYS/global/secinfo | set to filenames of secinfo access control list files |
gw/reg_info | External security filename for gateway | Critical | JAVA | /usr/sap/GDA/D30/data/reginfo | set to filenames of reginfo access control list files |
gw/reg_no_conn_info | Security options | Critical | JAVA | 1 | at least bit 1,2,3 and 4 must be set (bit 1 as of Kernel 7.40); must contain one of the values 15,31,47,63,79,95,111,127,143,159,175,191,207,223,239,255 (respectively 1, 65, 129, 193 as of Kernel 7.40) |
gw/acl_mode | Mode for non existing ACL file | Critical | JAVA | 1 | 1 |
gw/monitor | Enables or disables monitor commands | Critical | JAVA | 1 | 1 |
gw/sim_mode | Start simulation mode for reg_info and sec_info | Critical | JAVA | 0 | 0 |
secinfo | RFC gateway access control list item | Critical | RFC Gateway | $(DIR_DATA)/secinfo | restrict access to RFC servers to expected sources |
reginfo | RFC gateway access control list item | Critical | RFC Gateway | $(DIR_DATA)/reginfo | restrict access to RFC servers to expected sources |
gw/sec_info | External security filename for gateway | Critical | RFC Gateway | /usr/sap/GDA/SYS/global/secinfo | set to filenames of secinfo access control list files |
gw/reg_info | External security filename for gateway | Critical | RFC Gateway | /usr/sap/GDA/D30/data/reginfo | set to filenames of reginfo access control list files |
gw/reg_no_conn_info | Security options | Critical | RFC Gateway | 1 | at least bit 1,2,3 and 4 must be set (bit 1 as of Kernel 7.40); must contain one of the values 15,31,47,63,79,95,111,127,143,159,175,191,207,223,239,255 (respectively 1, 65, 129, 193 as of Kernel 7.40) |
gw/acl_mode | Mode for non-existing ACL file | Critical | RFC Gateway | 1 | 1
gw/monitor | Enables or disables monitor commands | Critical | RFC Gateway | 1 | 1 |
gw/sim_mode | Start simulation mode for reg_info and sec_info | Critical | RFC Gateway | 0 | 0 |
global_auditing_state | Part of the HANA audit trail | Critical | HANA | TRUE | TRUE |
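As an added example (not code from the article or from SAP), the following Python script shows how a few of the Table 1 rules above can be checked mechanically. It parses an instance profile in its plain `name = value` form, evaluates the password and gateway parameters, treats gw/reg_no_conn_info as the bit mask it is (the listed values 15, 31, ..., 255 are exactly the values with bits 1 to 4 set, and as of kernel 7.40 bit 1 alone is required), and scans an ms/acl_info file for the “dummy” `host=*` entry. The profile and ACL contents are constructed samples, and the rule for login/password_expiration_time treats the table's 365 as an upper bound with 0 (never expires) as a finding, which is this example's interpretation.

```python
"""Check an SAP instance profile against a few Security Baseline rules.

Added example, not code from the article or from SAP. It parses the plain
'name = value' profile format and evaluates selected Table 1 recommendations.
The profile and ACL texts below are constructed samples.
"""
import re

# Constructed sample instance profile (not taken from a real system).
SAMPLE_PROFILE = """\
# constructed sample profile
SAPSYSTEMNAME = GDA
login/no_automatic_user_sapstar = 0
login/min_password_lng = 6
login/password_max_idle_initial = 30
login/password_expiration_time = 365
login/password_downwards_compatibility = 0
gw/reg_no_conn_info = 7
gw/acl_mode = 1
gw/sim_mode = 0
gw/monitor = 1
"""

# Constructed sample ms/acl_info file; "HOST=*" is the "dummy" entry that the
# Baseline says must not appear.
SAMPLE_MS_ACL = """\
HOST=appserver01.example.internal
HOST=*
"""


def parse_profile(text):
    """Parse 'name = value' lines into a dict; blank and '#' lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def int_value(params, name):
    """Integer value of a parameter, or None if it is missing or not numeric."""
    try:
        return int(params[name])
    except (KeyError, ValueError):
        return None


def reg_no_conn_info_ok(value, kernel_740_or_later=False):
    """gw/reg_no_conn_info is a bit mask. Table 1 requires bits 1-4, i.e. the
    low nibble 0b1111, which is exactly the listed values 15, 31, ..., 255.
    As of kernel 7.40 bit 1 alone is required (1, 65, 129, 193 and others)."""
    required = 0b0001 if kernel_740_or_later else 0b1111
    return value & required == required


# Parameter -> (predicate on the integer value, recommendation from Table 1).
RULES = {
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "1"),
    "login/min_password_lng": (lambda v: v >= 8, ">= 8"),
    "login/password_max_idle_initial": (lambda v: 1 <= v <= 14, "between 1 and 14"),
    # Interpretation for this example: 365 is the upper bound, 0 = never expires.
    "login/password_expiration_time": (lambda v: 0 < v <= 365, "365 (0 never expires)"),
    "login/password_downwards_compatibility": (lambda v: v == 0, "0"),
    "gw/acl_mode": (lambda v: v == 1, "1"),
    "gw/monitor": (lambda v: v == 1, "1"),
    "gw/sim_mode": (lambda v: v == 0, "0"),
}


def check_profile(params, kernel_740_or_later=False):
    """Return a list of (parameter, current value, recommended value) findings.
    A missing or non-numeric parameter is also reported as a finding."""
    findings = []
    for name, (ok, recommended) in RULES.items():
        value = int_value(params, name)
        if value is None or not ok(value):
            findings.append((name, params.get(name), recommended))
    value = int_value(params, "gw/reg_no_conn_info")
    if value is None or not reg_no_conn_info_ok(value, kernel_740_or_later):
        findings.append(("gw/reg_no_conn_info", params.get("gw/reg_no_conn_info"),
                         "bits 1-4 set (bit 1 as of kernel 7.40)"))
    return findings


def dummy_acl_entries(text):
    """Lines of an ms/acl_info file that are wildcard 'dummy' entries (HOST=*)."""
    return [line.strip() for line in text.splitlines()
            if re.fullmatch(r"(?i)host\s*=\s*\*", line.strip())]


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    for name, current, recommended in check_profile(profile):
        print(f"FINDING {name}: is {current!r}, SBT recommends {recommended}")
    for entry in dummy_acl_entries(SAMPLE_MS_ACL):
        print(f"FINDING ms/acl_info: dummy entry {entry!r}")
```

Run against the constructed profile, the script reports the SAP* auto-login, the 6-character minimum length, the 30-day idle limit and the gateway mask 7 (bits 1 to 3 only) as findings; with the kernel 7.40 flag the mask passes, because bit 1 is set. Real profiles contain many more parameters than the sample; the parser simply ignores the ones it has no rule for.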
Table 2. Standard parameters
Parameter | Parameter description | Risk level | Platform or Technology | Default value | SBT recommended value
rec/client | Activate profile parameter to create customizing table logs | Standard | ABAP | OFF | <> OFF |
TLOGOCHECK | Activate transport parameter to validate the content of transport files | Standard | ABAP | TRUE | TRUE |
login/show_detailed_errors | Show detailed login error messages | Standard | ABAP | 1 | 0 |
is/HTTP/show_server_header | Should the HTTP header contain the server entry | Standard | ABAP | FALSE | FALSE |
is/HTTP/show_detailed_errors | Form of HTTP error pages (short or detailed) | Standard | ABAP | FALSE | FALSE
icm/SMTP/show_server_header | Prohibits information disclosure by the Internet Communication Manager (ICM) Server Header | Standard | ABAP | FALSE | FALSE |
is/HTTP/show_server_header | Information disclosure for Web Dispatcher and Internet Communication Manager (ICM) must be prohibited by setting profile parameters | Standard | Web Dispatcher | FALSE | FALSE |
is/HTTP/show_detailed_errors | Information disclosure for Web Dispatcher and Internet Communication Manager (ICM) must be prohibited by setting profile parameters | Standard | Web Dispatcher | FALSE | FALSE |
icm/SMTP/show_server_header | Prohibits information disclosure by the Internet Communication Manager (ICM) Server Header | Standard | Web Dispatcher | FALSE | FALSE |
wdisp/permission_table | Text file describing URI permission table (SAP Web Dispatcher) | Standard | Web Dispatcher | – | D /sap/public/icman/* |
wdisp/permission_table | Text file describing URI permission table (SAP Web Dispatcher) | Standard | Web Dispatcher | – | D /sap/public/ping |
wdisp/permission_table | Text file describing URI permission table (SAP Web Dispatcher) | Standard | Web Dispatcher | – | D /sap/public/icf_info/* |
wdisp/permission_table | Text file describing URI permission table (SAP Web Dispatcher) | Standard | Web Dispatcher | – | D /sap/wdisp/information |
icm/HTTP/admin_<num> | Configuration of the web administration interface | Standard | Web Dispatcher | icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_ICMAN_ROOT)/admin, AUTHFILE=$(icm/authfile) | contains CLIENTHOST
icm/HTTP/error_templ_path | The directory where error templates can be found | Standard | Web Dispatcher | /usr/sap/GDA/D30/data/icmandir/error_templ | /usr/sap/<SID>/<Instance>/data/icmerror |
rdisp/TRACE_HIDE_SEC_DATA | Set the stealth mode for developer tracking | Standard | Web Dispatcher | ON | ON |
icm/trace_secured_data | Showing encrypted data in ICM trace file dev_icm | Standard | Web Dispatcher | FALSE | FALSE |
icm/accept_forwarded_cert_via_http | Accepting the X.509 client certificate passed over HTTP | Standard | Web Dispatcher | FALSE | FALSE |
icm/trusted_reverse_proxy_<num> | Configure multiple trusted reverse proxies | Standard | Web Dispatcher | – | no wildcards for SUBJECT or ISSUER |
abap/path_normalization | ABAP profile parameter | Standard | ABAP | OFF | <> OFF |
rdisp/msserv_internal | Internal port for communication with the server | Standard | ABAP | 3931 | >0000; This port must be blocked by all firewalls between the server network and the client network so that no client can connect to this internal Message Server port
ms/monitor | Turn on/off the external monitor | Standard | ABAP | 0 | 0 |
ms/admin_port | Administration port for external clients | Standard | ABAP | – | 0 |
rdisp/msserv_internal | Internal port for communication with the server | Standard | JAVA | 3931 | This port must be blocked by all firewalls between the server network and the client network so that no client can connect to this internal Message Server port
ms/monitor | Turn on/off the external monitor | Standard | JAVA | 0 | 0 |
ms/admin_port | Administration port for external clients | Standard | JAVA | 0 | 0 |
auth/rfc_authority_check | Option to perform an RFC permission check | Standard | ABAP | 1 | 1 or 6 |
rfc/callback_security_method | Rejecting an RFC callback using a whitelist | Standard | ABAP | 1 | 3 |
rfc/selftrust | Trusted RFC connection | Standard | ABAP | 1 | 0 |
/sap/bc/bsp/sap/bsp_veri/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/certmap/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/gui/sap/its/CERTMAP/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/certreq/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/gui/sap/its/CERTREQ/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/echo/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/error/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/FormToRfc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/icf/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/srt/Idoc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/idoc_xml/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/report/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/soap/rfc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/webrfc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/xrfc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/xrfc_test/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/bsp_model/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/htmlb_samples/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/it00/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/it01/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/it02/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/it03/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/it04/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/it05/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/itmvc2/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/itsm/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/sbspext_htmlb/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/sbspext_phtmlb/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/sbspext_table/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/sbspext_xhtmlb/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/system_private/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
/sap/bc/bsp/sap/system_public/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and not used in business scenarios) |
ixml/dtd_restriction | Limitation of DTD processing for iXML | Standard | ABAP | Expansion | Expansion or prohibited |
login/disable_cpic | Disable incoming CPIC communication | Standard | ABAP | 0 | 1 |
wdisp/add_xforwardedfor_header | Including the IP address in the x-forwarded-for header field | Standard | ABAP | FALSE | TRUE |
HttpOnly/SystemCookiesDataProtection | HTTP service property | Standard | JAVA | FALSE | TRUE
SystemCookiesHTTPSProtection | HTTP service property | Standard | JAVA | TRUE | TRUE
dynp/checkskip1screen | Activate/deactivate start check transaction with “skip first screen” option | Standard | ABAP | OFF | ALL |
dynp/confirmskip1screen | Activate/deactivate user confirmation to start transaction with “skip first screen” | Standard | ABAP | OFF | ALL |
auth/check/calltransaction | Permission control behavior during call transaction | Standard | ABAP | 2 | 2 or 3 |
auth/no_check_in_some_cases | Activating the Profile Generator | Standard | ABAP | Y | Y |
auth/object_disabling_active | The value ‘N’ prohibits disabling authorization objects | Standard | ABAP | Y | N |
rdisp/gui_auto_logout | Maximum idle time for SAP GUI connections | Standard | ABAP | 0 | <=2 hours |
rdisp/vbdelete | Delete old update requests | Standard | ABAP | 50 | 500 |
ume.logon.selfreg | Self-registration of the portal | Standard | JAVA | FALSE | FALSE |
snc/enable | Enable SNC (secure network communication) | Standard | ABAP | 1 | 1 |
snc/data_protection/min | Minimum data protection requirements for incoming calls | Standard | ABAP | 3 | 3 |
snc/data_protection/max | Secure Network Comm data protection limit. | Standard | ABAP | 3 | 3 |
snc/data_protection/use | Data protection level for R/3 initiated connections | Standard | ABAP | 3 | 3 or 9 |
icm/server_port_<num> | The service or port to be used by the protocol | Standard | Web Dispatcher | – | PROT=HTTPS |
icm/HTTP/admin_<num> | Configuration of the web administration interface | Standard | Web Dispatcher | icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_ICMAN_ROOT)/admin, AUTHFILE=$(icm/authfile) | PORT=HTTPS_PORT
login/password_compliance_to_current_policy | Enforce compliance of password with current password policy | Standard | ABAP | 0 | 1 |
PASSWORD_COMPLIANCE_TO_CURRENT_POLICY | Enforce compliance of password with current password policy | Standard | ABAP | 0 | 1 |
icf/reject_expired_passwd | Avoid logging in with initial or expired user accounts | Standard | ABAP | 0 | 1 |
rfc/reject_expired_passwd | Prevents login with initial or expired password via RFC | Standard | ABAP | 0 | 1 |
force_first_password_change | Force password change on first login | Standard | HANA | TRUE | TRUE |
login/ticket_only_by_https | Generate a request that will only be sent over https | Standard | ABAP | 0 | 1 |
login/ticket_only_to_host | The request will only be sent back to the creating host | Standard | ABAP | 0 | 1 |
icf/set_HTTPonly_flag_on_cookies | Set only the HTTP flag for cookies | Standard | ABAP | 3 | <> 1 or 3 |
rsau/enable | Enable security audit log | Standard | ABAP | 0 | 1 |
rsau/integrity | Enable integrity file format | Standard | ABAP | 0 | 1 |
rsau/log_peer_address | Log peer address instead of terminal | Standard | ABAP | 0 | 1 |
rsau/selection_slots | The number of selection sites for the security audit | Standard | ABAP | 2 | >=10 |
rsau/user_selection | Defines the user selection method used in kernel functions | Standard | ABAP | 0 | 1 |
icm/HTTP/logging_0 | HTTP logging specification | Standard | ABAP | – | PREFIX=/,LOGFILE=http_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month,LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i %w1 %w2
icm/HTTP/logging_client_0 | HTTP logging control in ICM (or Web Dispatcher) when ICM is running as a client | Standard | ABAP | – | PREFIX=/,LOGFILE=http_client_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month,LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i
icm/security_log | Configuration of the ICM security log | Standard | ABAP | LOGFILE=dev_icm_sec,MAXSIZEKB=10000 | LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month
ms/HTTP/logging_0 | HTTP logging specification for the message server | Standard | ABAP | PREFIX=/, LOGFILE=dev_ms_logging, LOGFORMAT=SAPMSG | PREFIX=/,LOGFILE=$(DIR_LOGGING)/ms-http-%y-%m-%d.log%o,MAXFILES=7,MAXSIZEKB=10000,SWITCHTF=day,LOGFORMAT=%t %a %u %r %s %b %{Host}i
ms/http_logging | Dynamic HTTP logging changes | Standard | ABAP | 0 | 1 |
Table 3. Extended parameters
Parameter | Parameter description | Risk level | Platform or Technology | Default value | SBT recommended value
RECCLIENT | Parameter in transport profile (used by R3trans) | Extended | ABAP | OFF | Defined and not set to OFF |
VERS_AT_EXP | A transport parameter for creating versions of repository objects within transports | Extended | ABAP | TRUE | Use NO_T respective TRUE, YES, ON, or 1 for development systems |
VERS_AT_IMP | A transport parameter for importing objects that are moved without being reassigned to a new package | Extended | ABAP | NEVER | Always (for productive systems) |
TP_RELEASE | Transport parameter element | Extended | ABAP | – | >= 380.44.90 |
TP_VERSION | Transport parameter element | Extended | ABAP | 0 | >= 380 |
sapgui/nwbc_scripting | Protect the application against possible attacks via scripting. | Extended | ABAP | FALSE | FALSE |
sapgui/user_scripting | Enable or disable user scripts in the UI. | Extended | ABAP | FALSE | FALSE |
sapgui/user_scripting_disable_recording | Disabling recording in SAP GUI Scripting | Extended | ABAP | FALSE | TRUE |
sapgui/user_scripting_force_notification | Prevent users from turning off SAP GUI Scripting notifications. | Extended | ABAP | FALSE | TRUE |
sapgui/user_scripting_per_user | Checking user permission to determine if user scripts should be enabled. | Extended | ABAP | FALSE | TRUE |
sapgui/user_scripting_set_readonly | Enable or disable the read-only version of the SAP GUI scripts. | Extended | ABAP | FALSE | TRUE |
snc/accept_insecure_gui | Accept unsecured SAPGUI logins to a server that supports SNC | Extended | ABAP | 1 | U (or 0) |
snc/accept_insecure_rfc | Accept insecure RFC connections to a server that supports SNC | Extended | ABAP | 1 | U (or 0) |
snc/only_encrypted_gui | Enforce encrypted SAPGUI connections | Extended | ABAP | 0 | 1 |
snc/only_encrypted_rfc | Enforce encrypted RFC connections | Extended | ABAP | 0 | 1 |
snc/log_unencrypted_rfc | Security Audit logging for unencrypted RFC connections | Extended | ABAP | 0 | 2 |
system/secure_communication | SSL configuration for internal system communication | Extended | ABAP | ON | ON |
ssl/ciphersuites | Default SSL/TLS server cipher suites (and flags) | Extended | ABAP | 135:PFS:HIGH::EC_P256:EC_HIGH | 135:PFS:HIGH::EC_P256:EC_HIGH |
ssl/client_ciphersuites | Default SSL/TLS client cipher suites (and flags) | Extended | ABAP | 150:PFS:HIGH::EC_P256:EC_HIGH | 150:PFS:HIGH::EC_P256:EC_HIGH |
login/min_password_digits | Minimum number of digits in passwords | Extended | ABAP | 0 | >=1 |
MIN_PASSWORD_DIGITS | Minimum number of digits in passwords | Extended | ABAP | 1 | >=1 |
login/min_password_letters | Minimum number of letters in passwords | Extended | ABAP | 0 | >=1 |
MIN_PASSWORD_LETTERS | Minimum number of letters in passwords | Extended | ABAP | 1 | >=1 |
login/min_password_lowercase | Minimum number of lowercase letters in passwords | Extended | ABAP | 0 | >=1 |
MIN_PASSWORD_LOWERCASE | Minimum number of lowercase letters in passwords | Extended | ABAP | 1 | >=1 |
login/min_password_uppercase | Minimum number of capital letters in passwords | Extended | ABAP | 0 | >=1 |
MIN_PASSWORD_UPPERCASE | Minimum number of capital letters in passwords | Extended | ABAP | 1 | >=1 |
login/min_password_specials | Minimum number of special characters in passwords | Extended | ABAP | 0 | 1 |
MIN_PASSWORD_SPECIALS | Minimum number of special characters in passwords | Extended | ABAP | 0 | 1 |
login/min_password_diff | The minimum number of characters that differ between the old and new password | Extended | ABAP | 1 | >=3 |
MIN_PASSWORD_DIFFERENCE | The minimum number of characters that differ between the old and new password | Extended | ABAP | 1 | >=3 |
login/disable_password_logon | Disable password-based login | Extended | ABAP | 0 | not empty |
DISABLE_PASSWORD_LOGON | Disable password-based login | Extended | ABAP | 0 | not empty |
DISABLE_TICKET_LOGON | Security policy attribute for logging into applications | Extended | ABAP | 0 | not empty |
login/fails_to_user_lock | The number of failed login attempts until the user is locked out | Extended | ABAP | 5 | <=5 |
MAX_FAILED_PASSWORD_LOGON_ATTEMPTS | The number of failed login attempts until the user is locked out | Extended | ABAP | 5 | <=5 |
login/failed_user_auto_unlock | Enable automatic unblocking of a blocked user at midnight | Extended | ABAP | 0 | 0 |
PASSWORD_LOCK_EXPIRATION | Enable automatic unblocking of a blocked user at midnight | Extended | ABAP | 0 | 0 |
login/password_max_idle_productive | Maximum number of days when a password (set by the user) can be unused (idle) | Extended | ABAP | 0 | >=1 and <=180 |
MAX_PASSWORD_IDLE_PRODUCTIVE | Maximum number of days when a password (set by the user) can be unused (idle) | Extended | ABAP | – | >=1 and <=180
login/password_change_waittime | Password change possible after X days (from the last change) | Extended | ABAP | 1 | not empty |
MIN_PASSWORD_CHANGE_WAITTIME | Password change possible after X days (from the last change) | Extended | ABAP | 1 | not empty |
login/password_change_for_SSO | Support for forced password changes in single sign-on situations | Extended | ABAP | 1 | 3 |
PASSWORD_CHANGE_FOR_SSO | Support for forced password changes in single sign-on situations | Extended | ABAP | 1 | 1 |
login/password_history_size | Number of records to be kept in the password history | Extended | ABAP | 5 | >=5
PASSWORD_HISTORY_SIZE | Number of records to be kept in the password history | Extended | ABAP | 15 | >=5
login/password_hash_algorithm | Encoding and hashing algorithm used for new passwords | Extended | ABAP | encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsi | encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256
ume.logon.security_policy.userid_in_password_allowed | The minimum number of digits in the user login ID | Extended | JAVA | FALSE | FALSE |
ume.logon.security_policy.oldpass_in_newpass_allowed | Specifies whether the old password can be part of the new password | Extended | JAVA | FALSE | FALSE |
ume.logon.security_policy.password_alpha_numeric_required | Minimum number of alphabetic and numeric characters in passwords | Extended | JAVA | 1 | Individually defining rules |
ume.logon.security_policy.password_mix_case_required | Minimum number of uppercase and lowercase letters in passwords | Extended | JAVA | 0 | Individually defining rules |
ume.logon.security_policy.password_special_char_required | Minimum number of special characters in passwords | Extended | JAVA | 0 | Individually defining rules |
gw/rem_start | Gateway area parameter to specify the start of a remote CPIC program | Extended | ABAP | REMOTE_SHELL | DISABLED or SSH_SHELL |
gw/rem_start | Gateway area parameter to specify the start of a remote CPIC program | Extended | JAVA | REMOTE_SHELL | DISABLED or SSH_SHELL |
gw/rem_start | Gateway area parameter to specify the start of a remote CPIC program | Extended | RFC Gateway | REMOTE_SHELL | DISABLED or SSH_SHELL |
ume.logon.security.enforce_secure_cookie | Secure cookie user management property | Extended | JAVA | TRUE | TRUE |
ume.logon.httponlycookie | Browser cookie parameter that prevents client-side scripts from accessing data | Extended | JAVA | FALSE | TRUE |
login.ticket_lifetime | Validity period of login requests | Extended | JAVA | 8 | <=8 |
enable.xml.hardener | Enabling XML Hardener for Application Server Java | Extended | JAVA | TRUE | TRUE |
There are, of course, many more parameters in the SAP environment, and they go beyond the scope of the Security Baseline material discussed here. This article focused on those that cover the system's “security” in the sense described above.
In conclusion, a general awareness of SAP security parameter terminology and related background information is an important prerequisite for achieving the expected level of system security. Of course, not everyone has to be a security expert, but it’s worth being involved and keeping track of SAP Security updates. This will allow you to identify threats and assess when the help of experts in verifying security settings may be necessary. Ignoring, avoiding or even trying to circumvent the security mechanisms may pose a threat to the entire SAP environment. Transparency and simplicity are the keys to successful implementation of security parameters.
It is also worth remembering that SAP security is not a one-time approach, but a continuous process of improvement.
SAP also provides dedicated tools that allow you to monitor security parameters such as SAP Focused Run, Enterprise Threat Detection or SAP Access Control. If you are interested in their operation, please visit our website www.grcadvisory.com and follow our blog grc.ninja.