
Safe Tuesday with SNOK: The new SAP Security Baseline 2.5 update: a guide to the key changes


In a rapidly changing technology landscape, maintaining a high level of IT system security is not just a challenge - it is above all a necessity. SAP, aware of these challenges, regularly updates its security standards, which has most recently resulted in the release of SAP Security Baseline 2.5. This update not only strengthens the overall security architecture but also introduces key improvements, particularly in network security, trust management configuration between systems, and default security settings for S/4HANA 2023 and BW/4HANA 2023.

Changes in the new version of SAP Security Baseline 2.5

2.1.2 Operating system and database security

  • OS user privileges on Windows systems: In line with SAP's recommendations, the Windows accounts used by SAP need specific configuration. Accounts with administrative rights should hold no more than the privileges SAP documents for them, and service accounts (for example SAPService<SID>) should run with the minimum privileges required for operation. The aim is to reduce the risk from excessive privileges, which can lead to unauthorised access and other threats to the system.

  • OS user privileges on Unix/Linux systems: For Unix/Linux systems, SAP recommends controlling user privileges carefully. System administrators should not have unrestricted (root-level) access for routine work; privileges should be kept at the minimum level the role needs, which is key to preventing unauthorised access and limiting the impact of a compromised account.

  • OS user privileges on Windows - securing file shares and network storage: SAP recommends securing the SAP file shares (such as sapmnt and saploc) and any network storage holding SAP data so that only authorised users, service accounts and system administrators have access. These shares contain profiles, kernel executables and transport data, so restricting them is essential for preserving the integrity and confidentiality of the system, not just of the data stored there.

2.2.1.2.2 DISCL-H: Information Disclosure - SAP HANA

  • Encryption of data at rest: In the latest version of the SAP Security Baseline, the improvements for HANA environments focus on two aspects of data protection. First, enable data-at-rest encryption on the HANA platform (data volume encryption, and where the data warrants it, redo log and backup encryption as well), which is the fundamental safeguard against reading data directly from storage. Second, protect the keys used for this encryption: the root keys live in the instance's secure store (SSFS), should be changed from the installation defaults, and their backup should be kept separate from the database backups, so that even someone who obtains the physical media or a backup file holds nothing usable without the correct key.

2.2.1.4.1 Message server security

  • Monitoring the message server from a browser: The latest SAP Security Baseline update adds a guideline that forbids unauthenticated monitoring of the Message Server from a browser. The message server's HTTP listener is configured through the ms/server_port_<xx> profile parameters (for example ms/server_port_0); these should not be set, and any change to them should be tracked with the system's configuration and monitoring transactions (RZ10/RZ11 for profile parameters). This prevents anonymous access to the Message Server process and to the information its monitor exposes, such as the list of application servers.

2.3.1.4.1 Permitted character sets for ABAP usernames

  • Prohibition on using “wide” spaces in usernames: A new chapter covers the permitted character set for usernames in ABAP systems. It prohibits “wide” spaces in usernames, that is, non-ASCII whitespace characters that render like a blank, so that two names which look identical on screen are in fact different users. The restriction is activated by setting BNAME_RESTRICT = XXX in table PRGN_CUST. Note that the setting prevents such names from being created; user names that already exist should be checked separately. Further details can be found in SAP Note 1731549.
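The practical problem with “wide” spaces is that they are invisible in SU01, in audit logs and in spreadsheets, so two distinct accounts can look like one. The following Python script is an added example written for this article (it is not SNOK's or SAP's code) for checking a user list that predates the BNAME_RESTRICT setting; the user names in it are constructed, and treating every Unicode space separator and format character as suspicious is a deliberately broader check than the note's wording.

```python
import unicodedata

# Constructed sample user list for this example (not exported from any real system).
# Several entries look exactly like "JSMITH" in SU01, SM20 or a spreadsheet.
SAMPLE_USERS = [
    "JSMITH",
    "JSMITH\u3000",     # trailing ideographic space (a typical "wide" space)
    "J\u2009SMITH",     # thin space inside the name
    "ADMIN\u200b",      # zero-width space: invisible, not even a gap
    "M.MUELLER",
    " LEADING",         # plain ASCII blank
]


def is_hidden(ch: str) -> bool:
    """True for any character that renders as blank or not at all:
    the ASCII space, every Unicode space separator (Zs), line/paragraph
    separators (Zl/Zp) and format characters (Cf) such as zero-width spaces.
    Assumption for this example: anything invisible is worth flagging,
    which is broader than the baseline's ban on wide spaces."""
    return ch == " " or unicodedata.category(ch) in ("Zs", "Zl", "Zp", "Cf")


def suspicious_characters(name: str):
    """List (position, code point, Unicode name) for each hidden character in `name`."""
    return [
        (pos, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for pos, ch in enumerate(name)
        if is_hidden(ch)
    ]


def find_lookalikes(users):
    """Group user names that become identical once hidden characters are stripped.
    Such groups are exactly what the ban is meant to prevent: distinct accounts
    that cannot be told apart in user lists or audit logs."""
    groups = {}
    for user in users:
        visible = "".join(ch for ch in user if not is_hidden(ch))
        groups.setdefault(visible, []).append(user)
    return {key: names for key, names in groups.items() if len(names) > 1}


def audit_users(users):
    """Return the offending names with their findings, e.g. for a USR02 export
    taken before BNAME_RESTRICT was activated (the setting only stops new ones)."""
    return {u: suspicious_characters(u) for u in users if suspicious_characters(u)}


if __name__ == "__main__":
    for user, findings in audit_users(SAMPLE_USERS).items():
        print(repr(user), findings)
    print("look-alike groups:", find_lookalikes(SAMPLE_USERS))
```

Run it against an exported BNAME column; the look-alike groups are the ones to investigate first, because each one is a pair of accounts an auditor would read as the same person.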

2.3.2.2 Password policy

  • Password policy - ABAP: In the update from version 2.4.1 to 2.5 of the SAP Security Baseline, the recommendation for the login/password_max_idle_initial parameter has been removed. This parameter limits how many days an initial password stays valid if the user never logs on; Baseline 2.4.1 recommended a value between 1 and 14 days.

  • Password policy - HANA: The new version adds further password-policy parameters for the SAP HANA platform, improving user access management and password security. They set the number of failed logon attempts before a user is locked (maximum_invalid_connect_attempts), the lockout duration (password_lock_time), the minimum password lifetime (minimum_password_lifetime) and the warning period before a password expires (password_expire_warning_time). They also include a switch controlling whether the SYSTEM user is exempt from automatic lockout (password_lock_for_system_user), which allows more precise handling of that key account; the current values of all of them can be read from the M_PASSWORD_POLICY view.

2.3.2.1.1 Network communication encryption - ABAP

  • Parameter classification updated to critical: Previously classified as standard, the profile parameter system/secure_communication = ON is now marked as critical. The parameter switches an ABAP system to secure network communication by default (among other things SNC-protected RFC and DIAG connections between the system's own instances), so leaving it OFF means internal traffic can travel in cleartext. Details are described in SAP Notes 2040644 and 2362078.
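The two profile-parameter rules in this article, the message server HTTP port from section 2.2.1.4.1 and system/secure_communication above, are easy to check offline against a copy of the instance profile. The Python script below is an added example written for this article, not code from SAP or from the baseline document; the profile excerpt is constructed, the parameter names are real SAP profile parameters, and the ACLFILE= sub-option it looks for on ms/server_port_<xx> is an assumption about how such a port might be restricted (the baseline's rule is simply that the parameter should not be set).

```python
import re

# Constructed excerpt of an ABAP instance profile for this example. The parameter
# names are real SAP profile parameters; the values are deliberately non-compliant.
SAMPLE_PROFILE = """\
# Instance profile excerpt (constructed for this example)
SAPSYSTEMNAME = XYZ
INSTANCE_NAME = D00
system/secure_communication = OFF
ms/server_port_0 = PROT=HTTP,PORT=8100
login/min_password_lng = 8
"""


def parse_profile(text: str) -> dict:
    """Parse 'name = value' lines; lines starting with '#' are comments.
    Only the first '=' splits, so values such as PROT=HTTP,PORT=8100 stay intact."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def check_secure_communication(params: dict):
    """Baseline 2.5 rates system/secure_communication as critical: it must be ON.
    Returns (compliant, observed value)."""
    value = params.get("system/secure_communication", "<not set>")
    return value.upper() == "ON", value


def check_message_server_http(params: dict):
    """Every ms/server_port_<xx> parameter opens a message server HTTP listener,
    which the baseline says should not be set. Returns (name, value, has_acl);
    has_acl reports an ACLFILE= sub-option (an assumption in this example) so a
    reviewer can see whether an existing port is at least access-restricted."""
    findings = []
    for name, value in params.items():
        if re.fullmatch(r"ms/server_port_\d+", name):
            findings.append((name, value, "ACLFILE=" in value.upper()))
    return findings


def audit_profile(text: str) -> list:
    """Human-readable findings for one profile; an empty list means compliant."""
    params = parse_profile(text)
    report = []
    ok, value = check_secure_communication(params)
    if not ok:
        report.append(f"system/secure_communication = {value}: set to ON (critical)")
    for name, value, has_acl in check_message_server_http(params):
        note = "" if has_acl else "; no ACLFILE restriction, reachable without authentication"
        report.append(f"{name} = {value}: remove the HTTP listener{note}")
    return report


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

A static profile check like this complements, but does not replace, reading the effective values with RZ11, since a parameter can also come from the default profile or be changed dynamically.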

2.3.2.4.1 Trusted relationships and trusted destinations - ABAP

  • Securing “Trust Management” in ABAP systems for RFC and HTTP. Key guidelines include:

    • Defining only the trusted connections and RFC destinations that are actually needed, and removing unused ones to reduce the attack surface,

    • Migrating all trusted relationships to the latest security method described in SAP Note 3157268,

    • Using Secure Network Communications (SNC) or TLS for trusted connections as well, so that the trust logon data is not sent in cleartext,

    • Strictly managing the authorisations around trusted connections: limit the administration of trusted relationships to a small number of administrators and treat the related authorisation objects as critical, in particular S_RFC_ADM_TT (administration of trusted systems) and, on the trusting side, S_RFCACL, which decides which users may log on through the trust and should never be granted with wildcard values.

2.3.3.1.1 Critical authorisations - ABAP

  • Authorisation for debugging with replace: The Security Baseline lists authorisation object S_DBG with activity 02 (change) for ABAP Platform 2022 based on SAP_BASIS 7.57 or higher; on older releases the equivalent is S_DEVELOP with OBJTYPE = DEBUG and ACTVT = 02. This authorisation lets a user not only debug but also change variable values at runtime, which bypasses the application's own checks. It is therefore classed as critical and should not be granted in production systems outside a controlled emergency procedure.

  • Authorisation for creating/changing/deleting users: The Security Baseline lists authorisation object S_USER_GRP with activity 01 (create), 02 (change) or 06 (delete). These authorisations allow user accounts to be administered and must be restricted to user administrators, since whoever holds them ultimately controls who can access the system.

2.3.3.2.1 Authorisation assignment - ABAP

  • Control over role assignment during ABAP transport: When roles are transported, user assignments must not travel with them, so that importing a role into another system cannot silently grant it to users there. This is controlled in table PRGN_CUST: set US_ASGM_TRANSPORT = NO in the exporting system so that user assignments are not written into the transport, and USER_REL_IMPORT = NO in the importing system so that any assignments contained in a transport are ignored on import. Further details can be found in SAP Notes 1723881 and 571276.

2.4.3.1.3 Audit settings - HANA

  • A list of configuration-related best practices has been introduced. Audit policies should be defined in accordance with:

    • the best practices in the SAP HANA documentation,

    • SAP Note 3016478.

SNOK’s role in the context of the new SAP Security Baseline 2.5 update

As a certified SAP Gold Partner, SNOK plays a key role in implementing and adapting the new security recommendations set out in SAP Security Baseline 2.5. Thanks to deep expertise and experience in SAP technologies and cybersecurity, SNOK supports its clients in optimising their IT systems in line with the latest security standards. Working closely with SAP, SNOK offers consulting and technical services that not only ensure ongoing compliance with the latest versions of the SAP Security Baseline, but also contribute to increased operational efficiency and the minimisation of cyber risk within complex enterprise environments. Drawing on its experience, SNOK enables organisations to effectively manage change in the implementation and configuration of security, thereby ensuring that all aspects of security are properly addressed and deployed.

Summary

The new SAP Security Baseline 2.5 update represents an important step towards improving the security of SAP systems, introducing key changes in the areas of user privilege management, data security, and communication within systems. Stay tuned to learn more and effectively secure your SAP environment!

Topics: Safe Tuesday, SAP security, SAP S/4HANA, SAP HANA
