7/30/2019 SAPNetWeaver04 SecGuide Windows
Operating System Security: SAP System Security Under Windows
Document Version 1.00
April 29, 2004
SAP NetWeaver 04 Security Guide
SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com
Copyright 2004 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and
other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG
in Germany and in several other countries all over the world. All other
product and service names mentioned are the trademarks of their
respective companies. Data contained in this document serves
informational purposes only. National product specifications may
vary.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.
These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional
warranty.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex,
MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries,
xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM
Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Disclaimer
Some components of this product are based on Java. Any code
change in these components may cause unpredictable and severe
malfunctions and is therefore expressively prohibited, as is any
decompilation of these components.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C, World Wide Web Consortium, Massachusetts
Institute of Technology.
Any Java Source Code delivered with this product is only to be used
by SAP's Support Services and may not be modified or altered in any
way.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used
under license for technology invented and implemented by Netscape.
Documentation in the SAP Service Marketplace
You can find this documentation at the following Internet address: service.sap.com/securityguide
MaxDB is a trademark of MySQL AB, Sweden.
3/15
Typographic Conventions

Type Style      Description
Example Text    Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
                Cross-references to other documentation
Example text    Emphasized words or phrases in body text, graphic titles, and table titles
EXAMPLE TEXT    Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text    Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text    Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
                Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT    Keys on the keyboard, for example, F2 or ENTER.

Icons

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help, General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Icon meanings used in this guide: Caution, Example, Note, Recommendation, Syntax.
SAP System Security Under Windows

Contents
SAP System Security Under Windows ... 5
1 Windows Groups and Users in an SAP System Environment ... 6
1.1 Assigning Groups ... 6
1.2 Protecting the Operating System Users Used in an SAP System ... 7
2 SAP Systems in the Windows Domain Concept ... 11
3 SAP System Security When Using Windows Trusted Domains ... 11
4 Protecting SAP System Resources ... 13
4.1 Protecting Data Relevant to the SAP System ... 13
4.2 Defining Start and Stop Permissions ... 13
4.3 Protecting Shared Memory ... 14
4.4 Protection for Dynamically-Created Files (Files Created by ABAP) ... 14
4.5 Protecting Database Files ... 14
4.6 Setting Rights for an Installation with Several SAP Systems ... 14
5 Additional Information Windows Security ... 15
SAP System Security Under Windows
Windows manages administration tasks and provides access protection over its domain concept. A domain is a group of several computers that share a common user and security database. Within each domain, you define and administer your users and groups.

An SAP system that runs under Windows also uses the domain concept to manage administration tasks and to protect the servers from unauthorized access. The following list provides an overview of the sections that explain how SAP systems use this concept to protect their resources, as well as any measures that you should take.
Windows Groups and Users in an SAP System Environment [Page 5]
Assigning Groups [Page 6]
Protecting the Operating System Users Used in an SAP System [Page 7]
SAP Systems in the Windows Domain Concept [Page 10]
Security Measures When Using Windows Trusted Domains [Page 11]
Protecting SAP System Resources [Page 12]
Protecting Data Relevant to the SAP System [Page 13]
Defining Start and Stop Permissions [Page 13]
Protecting Shared Memory [Page 14]
Protection for Dynamically-Created Files (Files Created by ABAP) [Page 14]
Protecting Database Files [Page 14]
Setting Rights for an Installation with Several SAP Systems [Page 14]
Additional Information Windows Security [Page 14]
1 Windows Groups and Users in an SAP System Environment

The following topics introduce the Windows technology for administering the users and user groups needed to run an SAP system. To simplify your administrative tasks, we suggest you add all Windows users to user groups that are granted the appropriate rights at the operating system level. In the following topics, you will find the necessary group and user information to operate your SAP system under Windows securely:
Assigning Groups [Page 6]
Protecting the Operating System Users Used in an SAP System [Page 7]
1.1 Assigning Groups

Windows supports two levels of groups:

Global groups
You create global groups at the domain level. Global groups are known to all servers within the domain.

Local groups
You create local groups on a single server. They are only known on that server.
Exception: If you define a local group of users on one domain controller (PDC or BDC), the group is known on all domain controllers within the domain.

Global Groups
Global user groups are valid within a Windows domain, not only on one server. Therefore, we recommend you bundle the domain users into different activity groups, depending on their tasks. The domain administrator may export these activity groups to other domains, so the respective users can access all resources needed to administer the SAP system.

Although you may choose the name of the group as you wish, the standard global group for SAP system administrators is defined as SAP__GlobalAdmin according to the installation guide for your SAP component on Windows, which you can find in the SAP Service Marketplace at service.sap.com/instguides, SAP Component.
Local Groups
Local user groups (as well as local users) exist locally on one server. During installation, user rights are assigned to local users instead of groups. (For example, the user adm receives the user right Log on as a service.) However, to simplify user administration, we recommend you assign server resources to local groups instead of single users. You can then assign the appropriate global users and global groups to the local group.

Caution: Local user groups increase the security and validity scope of user rights. However, be careful when using domain controllers. A single local user right defined on a domain controller is valid on all domain controllers. We therefore do not recommend installing SAP systems on a domain controller!

The following relationships are possible between users, local groups and global groups:
A user can be a member of both a local group and a global group.
A global group can be included in a local group. You may also export a global group to another Windows domain.

If several users need the same rights for a certain set of resources, you can create a group. It is then no longer necessary to assign each individual user his or her rights to each of the files. Instead, you assign the rights to a group. Thereby, all of the users in the group automatically receive the rights as assigned to the group. The same applies to the users in a global group that is itself a member of a local group.
1.2 Protecting the Operating System Users Used in an SAP System

This chapter shows the users that exist or are needed in an SAP system on Windows, and the appropriate precautions that you should take for them.

Overview of SAP System-Related Users
User type          User            Function and Rights
Windows users      Administrator   The local superuser who has unlimited access to all local resources.
                   Guest           A local guest account who has guest access to all local resources.
SAP system users   adm             The SAP system administrator who has unlimited access to all local resources related to SAP systems.
                   SAPService      A special user who runs the Windows services related to SAP systems. For IBM DB2 Universal Database for UNIX and Windows this user is called sapse.
Windows automatically creates the users Administrator and Guest during installation. They are not needed for SAP system operations. The database users
Protecting SAPService

Note: For IBM DB2 Universal Database for UNIX and Windows this user is called sapse.

SAPService is also created during the SAP system installation. It is usually created as a domain user to run the SAP system and to manage database resources. This user may log on locally on all Windows machines in the domain.

Since the SAP system must run even if no user is logged onto the local Windows machine, the SAP system runs as a Windows service. Therefore, during installation, the user SAPService receives the right to Log on as a service on the local machine.

SAPService also administers the SAP system and database resources within the Computing Center Management System (CCMS). Therefore, it needs full access to all instance-specific and database-specific resources such as files, shares, peripheral devices, and network resources.

Note: It is rather difficult to change this user's password. To change the password for a Windows service user, you need to stop the service, edit its start-up properties, and restart it. Therefore, to change this user's password, you need to stop the SAP system.

To protect SAPService, take the following precautions:
Cancel the user's right to Log on locally.
Restrict its access rights to instance-specific and database-specific resources only.

In addition, prevent this special service user from logging on to the system interactively. This prevents misuse by users who try to access it from the presentation servers. You then do not have to set an expiration date for the password and you can disable the setting change passwd at logon.
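The precautions above can be verified on a server with the following PowerShell audit. It is an added example written for this page, not code from SAP or from this guide; it assumes it runs with administrator rights and that the service account is passed as -ServiceUser, with the constructed default 'MYDOMAIN\SAPServiceC11' standing in for your real SAPService account name.

```powershell
# Added audit example, not SAP's code: verify the user-rights assignment of the SAP
# service account. Run with administrator rights; -ServiceUser must match the account
# as Windows names it. 'MYDOMAIN\SAPServiceC11' is a constructed default, not a value
# taken from the guide.
param(
    [string]$ServiceUser = 'MYDOMAIN\SAPServiceC11'
)

# secedit exports the local policy as an INF file; its [Privilege Rights] section lists
# each user right as "SeXxxRight = *S-1-5-...,DOMAIN\name".
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $holders = foreach ($entry in $Matches[2].Split(',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; translate them to DOMAIN\name when possible
                try {
                    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }
            } else { $entry }
        }
        $rights[$Matches[1]] = @($holders)
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

function Test-Holder([string]$Right) {
    # A right absent from the export has no holders; -contains compares case-insensitively
    return ($rights.ContainsKey($Right) -and ($rights[$Right] -contains $ServiceUser))
}

$findings = @()
if (-not (Test-Holder 'SeServiceLogonRight')) {
    $findings += "$ServiceUser lacks 'Log on as a service' (SeServiceLogonRight); the SAP service cannot start"
}
if (Test-Holder 'SeInteractiveLogonRight') {
    $findings += "$ServiceUser holds 'Log on locally' (SeInteractiveLogonRight); the guide says to cancel it"
}
if (-not (Test-Holder 'SeDenyInteractiveLogonRight')) {
    $findings += "$ServiceUser is not in 'Deny log on locally' (SeDenyInteractiveLogonRight)"
}
if ($findings.Count -eq 0) {
    Write-Output "OK: $ServiceUser has the service logon right and no interactive logon"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Because the service account is a member of the local Administrators group, it still inherits Log on locally through that group even after its own entry is removed; the explicit Deny log on locally assignment is what actually blocks interactive use, since deny rights take precedence.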
Protecting and
As with the SAP system itself, the database must also run even if no user is logged on to the Windows machine. Therefore, the database must run as a service. During the database installation process, the user receives the right to Log on as a service on the local machine.
Overview of Database-Related Users

In addition, the various databases use various operating system users for their administration. To protect these users, we recommend changing their passwords. For more information, see the corresponding topics under Database Access Protection [SAP NetWeaver Security Guide].

Note: You should be aware that the user SYSTEM is a virtual user with no password. (You cannot log on as user SYSTEM.) However, this user has complete access to the local Windows system.

Database                       Operating System User       Function
Oracle                         Local System Account        Runs all Oracle services
                               sapsid                      User for SAP system and database administration
                               SAPService                  Runs the SAP system
MS SQL Server                  Local System Account        Runs all MS SQL Server services
                               sapsid                      User for SAP system and database administration
                               SAPService                  User for database administration
                               SAPMssXPUser                User for Job System
Informix                       adm                         Runs the SAP system
                               informix                    Database administrator
MaxDB                          Local System Account        Runs all MaxDB services
                               adm                         User for SAP system and database administration
                               SAPService                  Runs the SAP system
IBM DB2 Universal Database     adm                         SAP system administrator
for UNIX and Windows           sapse                       SAP service account
                               db2                         Database administrator
                               Connect user: sapr3 / sap   User for SAP system database objects
2 SAP Systems in the Windows Domain Concept

In large systems, we recommend creating two separate domains for your company domain and your SAP system domain. Between the two domains you can have trusted relationships, which is useful for single sign-on functionality.

In the company domain, you set up your domain users (to include your SAP system users) and your company domain administrator.

In the SAP domain, you set up your SAP system servers, services and administrators. These include:
SAP system application and database servers
SAP system or database services
SAP system administrators
Windows administrators
SAP domain administrator

3 SAP System Security When Using Windows Trusted Domains

In the standard installation procedures, especially in large system configurations, we recommend establishing separate domains for your company data and your SAP system. We also recommend using the Windows trusted domain concept, as certain SAP-specific features and Windows-specific services require trusted relationships between domains for their purposes.

There are certain services that require a uni-directional trust relationship only (for example, network printing with the Print Manager or file transfer batches with operating system commands such as xcopy or move).

There are also services that require a bi-directional trust relationship, for example, Single Sign-On using Microsoft's LAN Manager Security Service Provider Interface (NTLMSSPI).
When installing your SAP system, the installation tool, called SAPinst, automatically performs all steps that are relevant for protecting your system against unauthorized access. For example, it creates the required user accounts and groups and protects the most important directories.

SAPinst creates the following domain users:
adm
This is the SAP system administrator account that enables interactive administration of the system.
SAPService (this user is not created for Informix installations)
This is the virtual user account that is required to start the SAP system. It has the local user right to log on as a service and is a member of the local administrators group.

SAPinst creates the domain group SAP__GlobalAdmin.

SAPinst creates the local group SAP_LocalAdmin and includes the domain group SAP__GlobalAdmin.

SAPinst creates the local administrator group SAP_LocalAdmin on the transport host. Members of the group have full control over the transport directory \usr\sap\trans, which allows transports to take place between systems. The SAP__GlobalAdmin group is added to the SAP_LocalAdmin group.

SAPinst protects the SAP directories \usr, \usr\sap, \usr\sap\trans, \usr\sap\ and its sub-directories by only granting Full control access rights to the Administrators and SAP__LocalAdmin groups.

Recommendation: Eliminate any Full control rights for Everyone to shares on the SAP system servers.

For additional protection, you can eliminate the dynamically-created Windows root shares on the SAP system server. The server can then only be accessed from the network over manually created shares.

If you have installed other software on the application server, then make sure that the access rights for their directories and files are also set properly.

Note: These rights apply specifically to SAP system resources. For details applying to the database files and directories, see the security instructions from your database supplier.
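The directory and share protection described above can be re-checked after installation with the following PowerShell audit, an added example written for this page rather than code from SAPinst or SAP's guide. It assumes the drive holding \usr\sap is passed as -SapDrive and the SAP system ID as -Sapsid (the defaults 'D:' and 'C11' are constructed), and it assumes the local group is named SAP_<SAPSID>_LocalAdmin, which is the assumed expansion of the SAP__LocalAdmin name the guide shows.

```powershell
# Added audit example, not SAP's code: check NTFS rights on the SAP directories and the
# access lists of SMB shares on an SAP application server against the guide's rules.
# -SapDrive and -Sapsid are assumptions with constructed defaults; the group name
# SAP_<SAPSID>_LocalAdmin is the assumed expansion of the guide's SAP__LocalAdmin.
param(
    [string]$SapDrive = 'D:',
    [string]$Sapsid   = 'C11'
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
# The only principals that should hold Full control on the SAP directories
$allowedFull = @('Administrators', "SAP_${Sapsid}_LocalAdmin")
$dirs = @("$SapDrive\usr", "$SapDrive\usr\sap", "$SapDrive\usr\sap\trans", "$SapDrive\usr\sap\$Sapsid")

$findings = @()
foreach ($dir in $dirs) {
    if (-not (Test-Path -Path $dir)) { $findings += "$dir does not exist"; continue }
    foreach ($ace in (Get-Acl -Path $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id   = $ace.IdentityReference.Value   # e.g. BUILTIN\Administrators, HOST\SAP_C11_LocalAdmin
        $name = $id.Split('\')[-1]              # compare on the unqualified name
        $hasFull = (($ace.FileSystemRights -band $fullControl) -eq $fullControl)
        if ($name -eq 'Everyone') {
            $findings += "$dir grants $($ace.FileSystemRights) to Everyone"
        } elseif ($hasFull -and ($name -notin $allowedFull)) {
            $findings += "$dir grants Full control to $id"
        }
    }
}

# Shares: the guide says to remove Full control for Everyone on SAP server shares and
# notes that the automatically created root shares (Special = True) may be dropped.
foreach ($share in Get-SmbShare) {
    if ($share.Special) {
        $findings += "Automatic share $($share.Name) ($($share.Path)) is present"
    }
    foreach ($entry in Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue) {
        if ($entry.AccessControlType -eq 'Allow' -and $entry.AccountName -like '*Everyone' -and $entry.AccessRight -eq 'Full') {
            $findings += "Share $($share.Name) grants Everyone Full access"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: no deviations from the guide found'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```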
4 Protecting SAP System Resources

In the following topics we describe the security measures for protecting the SAP system:
Protecting Data Relevant to the SAP System [Page 13]
Protecting Shared Memory [Page 14]
Protection for Dynamically-Created Files (Files Created by ABAP) [Page 14]
Protecting Database Files [Page 14]

In addition, we describe how to protect resources for an installation that consists of several SAP systems. For more information, see Setting Rights for an Installation with Several SAP Systems [Page 14].
4.1 Protecting Data Relevant to the SAP System

The following points apply to the Windows domain concept and the installation of your SAP system:

Regardless of whether the SAP system is installed centrally or as a distributed system, we recommend setting up one domain that contains the SAP system application and database servers.

Recommendation: We strongly recommend that you set up all your SAP system servers in one Windows domain. For short-term test installations or demonstration purposes only, you may install a central SAP system that is not located in a Windows domain. However, we recommend this setup for limited use only. It is difficult to introduce the domain concept to a system that is already in use.

In a central installation on a server in a domain, all SAP system administrators are members of the local group SAP__LocalAdmin.

In a distributed installation with several server machines in the domain, a global group is set up for the SAP system (SAP__GlobalAdmin). This global group itself is a member of the server's local groups and contains the SAP system administrators. This also simplifies the administration in the client/server environment, since new users who need SAP system administration rights only need to become members of the global group.
4.2 Defining Start and Stop Permissions

The permissions for starting and stopping an SAP instance are defined in the sapstartsrv.exe file. To change the start and stop permissions, you can do one of the following:

Use the Microsoft Management Console [SAP Library] with the SAP Systems Manager snap-in, which was developed at SAP and is integrated in the Microsoft Management Console (MMC). Right-click on the SAP instance for which you want to change the start permissions and choose Properties to adjust the permissions.

In the Windows Explorer, right-click on the sapstart.exe file and choose Properties to adjust the permissions.
4.3 Protecting Shared Memory

The shared memory is used by the SAP system dispatcher and the work processes for certain activities, such as exchanging administration information. These processes use the same Access Control List for themselves and the shared memory. Therefore, only members of this ACL have access to the shared memory. In general, these are members of the SAP_LocalAdmin group.

4.4 Protection for Dynamically-Created Files (Files Created by ABAP)

Because SAP systems use ANSI stream file I/O, a file created by ABAP inherits the access rights from the folder in which it was created. Only the owner of the files or the administrator can change the access rights. When ABAP statements create these files, they are owned by the SAP system (adm or SAPService).

4.5 Protecting Database Files

The database provider or the database administrator is responsible for protecting the data at the database level. You should therefore consult the documentation supplied by the database vendor on the subject of data protection and security.

For specifics pertaining to SAP systems, see the appropriate section in Database Access Protection [SAP NetWeaver Security Guide].

4.6 Setting Rights for an Installation with Several SAP Systems

If there are several SAP systems on the server(s), it is possible to perform the administration tasks separately using different local and global groups. Assign the access rights appropriately for the files in the directory (to include sub-directories) \usr\sap. You can distinguish between the administrators and groups by using the names of the SAP systems (for example, , and ). All administrators should have access to the two directories at the \usr\sap top level.

If there are several SAP systems installed on a single server, then an additional area of shared memory exists. This memory is created by saposcol.exe and is used jointly by the OS Collector and all SAP systems. Therefore, give Full Control access rights to the SAP__LocalAdmin local groups for the executable file saposcol.exe. To avoid access conflicts here, start saposcol.exe before starting the SAP system.
5 Additional Information Windows Security

For general information about Windows operating system security, see www.microsoft.com/security.

For additional information, see the following documentation:

Title of Documentation                                       Where to find?
Installation Guide: SAP Web Application Server on Windows    SAP Service Marketplace at service.sap.com/instguides, SAP Web Application Server
Installation Guide: on Windows                               SAP Service Marketplace at service.sap.com/instguides