SAPNetWeaver04 SecGuide Windows


  • 7/30/2019 SAPNetWeaver04 SecGuide Windows

    1/15

Operating System Security: SAP System Security Under Windows
Document Version 1.00, April 29, 2004

SAP NetWeaver 04 Security Guide


SAP AG, Neurottstraße 16, 69190 Walldorf, Germany. T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com

Copyright 2004 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace

You can find this documentation at the following Internet address: service.sap.com/securityguide

Typographic Conventions

| Type Style | Description |
|---|---|
| Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation. |
| Example text | Emphasized words or phrases in body text, graphic titles, and table titles. |
| EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. |
| Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. |
| Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. |
| | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. |
| EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER. |

Icons

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help, General Information Classes and Information Classes for Business Information Warehouse, on the first page of any version of SAP Library.

Icons used in this guide and their meaning: Caution, Example, Note, Recommendation, Syntax.


    SAP System Security Under Windows

    Contents

SAP System Security Under Windows
1 Windows Groups and Users in an SAP System Environment
  1.1 Assigning Groups
  1.2 Protecting the Operating System Users Used in an SAP System
2 SAP Systems in the Windows Domain Concept
3 SAP System Security When Using Windows Trusted Domains
4 Protecting SAP System Resources
  4.1 Protecting Data Relevant to the SAP System
  4.2 Defining Start and Stop Permissions
  4.3 Protecting Shared Memory
  4.4 Protection for Dynamically-Created Files (Files Created by ABAP)
  4.5 Protecting Database Files
  4.6 Setting Rights for an Installation with Several SAP Systems
5 Additional Information Windows Security



SAP System Security Under Windows

Windows manages administration tasks and provides access protection over its domain concept. A domain is a group of several computers that share a common user and security database. Within each domain, you define and administer your users and groups.

An SAP system that runs under Windows also uses the domain concept to manage administration tasks and to protect the servers from unauthorized access. The following list provides an overview of the sections that explain how SAP systems use this concept to protect their resources, as well as any measures that you should take.

- Windows Groups and Users in an SAP System Environment
  - Assigning Groups
  - Protecting the Operating System Users Used in an SAP System
- SAP Systems in the Windows Domain Concept
- Security Measures When Using Windows Trusted Domains
- Protecting SAP System Resources
  - Protecting Data Relevant to the SAP System
  - Defining Start and Stop Permissions
  - Protecting Shared Memory
  - Protection for Dynamically-Created Files (Files Created by ABAP)
  - Protecting Database Files
  - Setting Rights for an Installation with Several SAP Systems
- Additional Information Windows Security


1 Windows Groups and Users in an SAP System Environment

The following topics introduce the Windows technology for administering the users and user groups needed to run an SAP system. To simplify your administrative tasks, we suggest you add all Windows users to user groups that are granted the appropriate rights at the operating system level. In the following topics, you will find the necessary group and user information to operate your SAP system under Windows securely:

- Assigning Groups
- Protecting the Operating System Users Used in an SAP System

1.1 Assigning Groups

Windows supports two levels of groups:

- Global groups: You create global groups at the domain level. Global groups are known to all servers within the domain.
- Local groups: You create local groups on a single server. They are only known on that server. Exception: If you define a local group of users on one domain controller (PDC or BDC), the group is known on all domain controllers within the domain.

Global Groups

Global user groups are valid within a Windows domain, not only on one server. Therefore, we recommend you bundle the domain users into different activity groups, depending on their tasks. The domain administrator may export these activity groups to other domains, so the respective user can access all resources needed to administer the SAP system.

Although you may choose the name of the group as you wish, the standard global group for SAP system administrators is defined as SAP__GlobalAdmin according to the installation guide for your SAP component on Windows, which you can find in the SAP Service Marketplace at service.sap.com/instguides under your SAP component.


Local Groups

Local user groups (as well as local users) exist locally on one server. During installation, user rights are assigned to local users instead of groups. (For example, the user adm receives the user right Log on as a service.) However, to simplify user administration, we recommend you assign server resources to local groups instead of single users. You can then assign the appropriate global users and global groups to the local group.

Caution: Local user groups increase the security and validity scope of user rights. However, be careful when using domain controllers. A single local user right defined on a domain controller is valid on all domain controllers. We therefore do not recommend installing SAP systems on a domain controller!

The following relationships are possible between users, local groups and global groups:

- A user can be a member of both a local group and a global group.
- A global group can be included in a local group. You may also export a global group to another Windows domain.

If several users need the same rights for a certain set of resources, you can create a group. It is then no longer necessary to assign each individual user his or her rights to each of the files. Instead, you assign the rights to a group. Thereby, all of the users in the group automatically receive the rights as assigned to the group. The same applies to the users in a global group that is itself a member of a local group.
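The nesting described above (domain users in a global group, the global group in a server's local group) means that the accounts which effectively hold a local group's rights are not visible from the local group alone. The following PowerShell script is an added example for this guide, not SAP's code. It assumes a current Windows Server with the LocalAccounts cmdlets and the RSAT ActiveDirectory module, and it assumes that the group names carry the SAP system ID between the underscores of the guide's SAP__GlobalAdmin and SAP_LocalAdmin (SAP_XYZ_GlobalAdmin and SAP_XYZ_LocalAdmin, with XYZ a placeholder).

```powershell
# Added example, not part of the SAP guide. Expands an SAP local administrator
# group into the accounts that effectively hold its rights, following the
# nesting the guide recommends (domain users -> global group -> local group).
# Assumes Windows Server 2016+ (LocalAccounts cmdlets) and the RSAT
# ActiveDirectory module. 'XYZ' is a placeholder SAP system ID; the group
# naming SAP_<SID>_GlobalAdmin / SAP_<SID>_LocalAdmin is an assumption.
param([string]$SapSid = 'XYZ')

Import-Module ActiveDirectory -ErrorAction Stop

$localGroup  = "SAP_${SapSid}_LocalAdmin"
$globalGroup = "SAP_${SapSid}_GlobalAdmin"

function Get-EffectiveLocalGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    $rows = @()
    foreach ($member in Get-LocalGroupMember -Group $GroupName -ErrorAction Stop) {
        $isDomainGroup = ($member.ObjectClass -eq 'Group') -and
                         ($member.PrincipalSource -eq 'ActiveDirectory')
        if ($isDomainGroup) {
            # A global group nested in the local group: every transitive member
            # inherits the local group's rights, so expand it recursively.
            $sam = ($member.Name -split '\\')[-1]
            foreach ($acct in Get-ADGroupMember -Identity $sam -Recursive) {
                $rows += [pscustomobject]@{
                    Account = $acct.SamAccountName
                    Type    = $acct.objectClass
                    Via     = $member.Name
                }
            }
        } else {
            # Local user or local group placed directly into the local group
            $rows += [pscustomobject]@{
                Account = $member.Name
                Type    = $member.ObjectClass
                Via     = '(direct)'
            }
        }
    }
    return $rows
}

$members = Get-EffectiveLocalGroupMembers -GroupName $localGroup
$members | Sort-Object Via, Account | Format-Table -AutoSize

# Check 1: the guide's pattern is that the global group sits inside the local group.
if (-not ($members | Where-Object { $_.Via -like "*\$globalGroup" })) {
    Write-Warning "$globalGroup is not a member of $localGroup (or is empty)."
}

# Check 2: users granted rights directly, instead of through a group, defeat the
# point of group-based administration; list them for review.
$directUsers = $members | Where-Object { $_.Via -eq '(direct)' -and $_.Type -eq 'User' }
foreach ($u in $directUsers) {
    Write-Warning "Direct user member of ${localGroup}: $($u.Account)"
}
```

Get-ADGroupMember -Recursive flattens nested domain groups and returns only the leaf users and computers; on very large groups it hits the directory's default result limit, in which case reading the group's Member attribute with Get-ADGroup is the usual workaround.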

1.2 Protecting the Operating System Users Used in an SAP System

This chapter shows the users that exist or are needed in an SAP system on Windows, and the appropriate precautions that you should take for them.

Overview of SAP System-Related Users


| User type | User | Function and Rights |
|---|---|---|
| Windows users | Administrator | The local superuser who has unlimited access to all local resources. |
| Windows users | Guest | A local guest account who has guest access to all local resources. |
| SAP system users | adm | The SAP system administrator who has unlimited access to all local resources related to SAP systems. |
| SAP system users | SAPService | A special user who runs the Windows services related to SAP systems. For IBM DB2 Universal Database for UNIX and Windows this user is called sapse. |


Windows automatically creates the users Administrator and Guest during installation. They are not needed for SAP system operations. The database users


Protecting SAPService

Note: For IBM DB2 Universal Database for UNIX and Windows this user is called sapse.

SAPService is also created during the SAP system installation. It is usually created as a domain user to run the SAP system and to manage database resources. This user may log on locally on all Windows machines in the domain.

Since the SAP system must run even if no user is logged onto the local Windows machine, the SAP system runs as a Windows service. Therefore, during installation, the user SAPService receives the right to Log on as a service on the local machine.

SAPService also administers the SAP system and database resources within the Computing Center Management System (CCMS). Therefore, it needs full access to all instance-specific and database-specific resources such as files, shares, peripheral devices, and network resources.

Note: It is rather difficult to change this user's password. To change the password for a Windows service user, you need to stop the service, edit its start-up properties, and restart it. Therefore, to change this user's password, you need to stop the SAP system.

To protect SAPService, take the following precautions:

- Cancel the user's right to Log on locally.
- Restrict its access rights to instance-specific and database-specific resources only.

In addition, prevent this special service user from logging on to the system interactively. This prevents misuse by users who try to access it from the presentation servers. You then do not have to set an expiration date for the password and you can disable the setting change password at logon.
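The precautions above can be verified on each SAP server. The following PowerShell script is an added example, not part of the SAP guide: it lists the services that start under the SAP service account, exports the local user-rights assignments with secedit, and compares them with what this section expects (Log on as a service granted, interactive logon denied). It assumes Windows Server 2016 or later in an elevated session, and SAPServiceXYZ is a placeholder for the real SAPService user of the system (sapse on DB2).

```powershell
# Added example, not part of the SAP guide. Audits the local configuration of
# the SAP service account against the precautions in this section. Assumes an
# elevated PowerShell on Windows Server 2016+ (secedit needs administrator
# rights). 'SAPServiceXYZ' is a placeholder for the real service account name.
param([string]$ServiceAccount = 'SAPServiceXYZ')

# Resolve the account to its SID once: secedit writes some principals as *SID
# and others by name, so matching has to accept both forms.
$ntAccount = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Services whose start account is this user (the guide: the SAP system runs
#    as a Windows service because it must survive a user logoff)
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ((($_.StartName -split '\\')[-1]) -ieq $ServiceAccount) }
if ($services) {
    "Services started as ${ServiceAccount}:"
    $services | Select-Object Name, State, StartMode, StartName | Format-Table -AutoSize
} else {
    Write-Warning "No service on this host starts as $ServiceAccount."
}

# 2. Export the user-rights assignments from the local security policy
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    # Lines look like: SeServiceLogonRight = *S-1-5-80-0,DOMAIN\SAPServiceXYZ
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

function Test-AccountHasRight {
    param([string]$Right)
    foreach ($entry in @($rights[$Right])) {
        if ($entry -eq "*$sid") { return $true }
        if ((($entry -split '\\')[-1]) -ieq $ServiceAccount) { return $true }
    }
    return $false
}

# 3. Compare with the guide's expectations for the service user
$checks = @(
    @{ Right = 'SeServiceLogonRight';               Expect = $true;  What = 'Log on as a service' }
    @{ Right = 'SeDenyInteractiveLogonRight';       Expect = $true;  What = 'Deny log on locally' }
    @{ Right = 'SeDenyRemoteInteractiveLogonRight'; Expect = $true;  What = 'Deny log on through Remote Desktop' }
    @{ Right = 'SeInteractiveLogonRight';           Expect = $false; What = 'Allow log on locally (direct grant)' }
)
foreach ($c in $checks) {
    $actual = Test-AccountHasRight -Right $c.Right
    $status = if ($actual -eq $c.Expect) { 'OK  ' } else { 'FAIL' }
    "{0} {1,-45} granted={2}" -f $status, $c.What, $actual
}
```

Because SAPinst puts the service user into the local Administrators group (see section 3), Allow log on locally usually reaches the account through that group rather than as a direct grant, so the last check can pass while the account can still log on interactively; the explicit Deny rights, which Windows evaluates first, are the effective control and are what the second and third checks verify. Changing the start account or its password, as the Note above describes, is deliberately not done by this script.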

    Protecting and

As with the SAP system itself, the database must also run even if no user is logged on to the Windows machine. Therefore, the database must run as a service. During the database installation process, the user receives the right to Log on as a service on the local machine.


Overview of Database-Related Users

In addition, the various databases use various operating system users for their administration. To protect these users, we recommend changing their passwords. For more information, see the corresponding topics under Database Access Protection [SAP NetWeaver Security Guide].

Note: You should be aware that the user SYSTEM is a virtual user with no password. (You cannot log on as user SYSTEM.) However, this user has complete access to the local Windows system.


| Database | Operating System User | Function |
|---|---|---|
| Oracle | Local System Account | Runs all Oracle services |
| Oracle | sapsid | User for SAP system and database administration |
| Oracle | SAPService | Runs the SAP system |
| MS SQL Server | Local System Account | Runs all MS SQL Server services |
| MS SQL Server | sapsid | User for SAP system and database administration |
| MS SQL Server | SAPService | User for database administration |
| MS SQL Server | SAPMssXPUser | User for Job System |
| Informix | adm | Runs the SAP system |
| Informix | informix | Database administrator |
| MaxDB | Local System Account | Runs all MaxDB services |
| MaxDB | adm | User for SAP system and database administration |
| MaxDB | SAPService | Runs the SAP system |
| IBM DB2 Universal Database for UNIX and Windows | adm | SAP system administrator |
| IBM DB2 Universal Database for UNIX and Windows | sapse | SAP service account |
| IBM DB2 Universal Database for UNIX and Windows | db2 | Database administrator |
| IBM DB2 Universal Database for UNIX and Windows | Connect user: sapr3, sap | User for SAP system database objects |


2 SAP Systems in the Windows Domain Concept

In large systems, we recommend creating two separate domains for your company domain and your SAP system domain. Between the two domains you can have trusted relationships, which is useful for single sign-on functionality.

- In the company domain, you set up your domain users (to include your SAP system users) and your company domain administrator.
- In the SAP domain, you set up your SAP system servers, services and administrators. These include:
  - SAP system application and database servers
  - SAP system or database services
  - SAP system administrators
  - Windows administrators
  - SAP domain administrator

3 SAP System Security When Using Windows Trusted Domains

In the standard installation procedures, especially in large system configurations, we recommend establishing separate domains for your company data and your SAP system. We also recommend using the Windows trusted domain concept, as certain SAP-specific features and Windows-specific services require trusted relationships between domains for their purposes.

There are certain services that require a uni-directional trust relationship only (for example, network printing with the Print Manager or file transfer batches with operating system commands such as xcopy or move).

There are also services that require using a bi-directional trust relationship, for example, Single Sign-On using Microsoft's LAN Manager Security Service Provider Interface (NTLMSSPI).


When installing your SAP system, the installation tool, called SAPinst, automatically performs all steps that are relevant for protecting your system against unauthorized access. For example, it creates the required user accounts and groups and protects the most important directories.

SAPinst creates the following domain users:

- adm: This is the SAP system administrator account that enables interactive administration of the system.
- SAPService (this user is not created for Informix installations): This is the virtual user account that is required to start the SAP system. It has the local user right to log on as a service and is a member of the local administrators group.

- SAPinst creates the domain group SAP__GlobalAdmin.
- SAPinst creates the local group SAP_LocalAdmin and includes the domain group SAP__GlobalAdmin.
- SAPinst creates the local administrator group SAP_LocalAdmin on the transport host. Members of the group have full control over the transport directory \usr\sap\trans that allows transports to take place between systems. The SAP__GlobalAdmin group is added to the SAP_LocalAdmin group.
- SAPinst protects the SAP directories \usr, \usr\sap, \usr\sap\trans, \usr\sap\ and its sub-directories by only granting Full control access rights for the Administrators and SAP__LocalAdmin groups.

Eliminate any Full control rights for Everyone to shares on the SAP system servers.

For additional protection, you can eliminate the dynamically-created Windows root shares on the SAP system server. The server can then only be accessed from the network over manually created shares.

If you have installed other software on the application server, then make sure that the access rights for their directories and files are also set properly.

These rights apply specifically for SAP system resources. For details applying to the database files and directories, see the security instructions from your database supplier.
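The protections SAPinst sets up tend to drift once other software is installed or shares are created by hand, so they are worth re-checking. The following PowerShell script is an added example, not SAPinst's or SAP's code: it checks the SAP directories named above for Full control entries held by anyone other than the expected groups, reports shares that grant Everyone Full control, and lists the automatically created administrative shares that this section suggests eliminating. It assumes Windows Server 2012 or later for the SmbShare cmdlets, uses D:\usr\sap and the system ID XYZ as placeholders, and adds NT AUTHORITY\SYSTEM to the permitted principals because it is present on every NTFS volume by default; that addition is the example's, not the guide's.

```powershell
# Added example, not part of the SAP guide. Audits the directory ACLs and
# shares this section describes. Assumes Windows Server 2012+ (SmbShare
# module) and an elevated session. Drive letter and system ID are placeholders.
param(
    [string]$SapRoot = 'D:\usr\sap',
    [string]$SapSid  = 'XYZ',
    [switch]$Fix            # revoke Everyone from shares instead of only reporting
)

# Principals that may hold Full control. SYSTEM is not in the guide's list but is
# normally present on every NTFS volume; remove it here if your policy is stricter.
$allowedFullControl = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    "*\SAP_${SapSid}_LocalAdmin"
)

function Test-FullControl {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $raw  = [int]$Ace.FileSystemRights
    # Inherit-only entries may carry GENERIC_ALL (0x10000000), which is Full control too
    return ((($raw -band $full) -eq $full) -or (($raw -band 0x10000000) -ne 0))
}

function Get-FullControlViolations {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { Write-Warning "Missing: $Path"; return }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or -not (Test-FullControl $ace)) { continue }
        $who = $ace.IdentityReference.Value
        $allowed = $allowedFullControl | Where-Object { $who -like $_ }
        if (-not $allowed) {
            [pscustomobject]@{ Path = $Path; Identity = $who; Inherited = $ace.IsInherited }
        }
    }
}

# The directories the guide names: \usr, \usr\sap, \usr\sap\trans, \usr\sap\<SID>
$paths = @(
    (Split-Path -Path $SapRoot -Parent),
    $SapRoot,
    (Join-Path $SapRoot 'trans'),
    (Join-Path $SapRoot $SapSid)
)
$violations = foreach ($p in $paths) { Get-FullControlViolations -Path $p }
if ($violations) {
    "Unexpected Full control entries:"
    $violations | Format-Table -AutoSize
} else {
    "Directory ACLs: only the expected principals hold Full control."
}

# Shares: Everyone with Full control, and the dynamically created root shares
foreach ($share in Get-SmbShare) {
    if ($share.Special) {
        "Administrative share present: $($share.Name) -> $($share.Path)"
        continue
    }
    $everyoneFull = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    }
    if ($everyoneFull) {
        if ($Fix) {
            Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Force | Out-Null
            "Revoked Everyone from share $($share.Name)"
        } else {
            Write-Warning "Share $($share.Name) grants Everyone Full control ($($share.Path))"
        }
    }
}
```

Run it without -Fix first; the directory part never modifies anything, and the share part only revokes the Everyone entry when -Fix is given, leaving the share itself and its other entries in place. The administrative shares are listed rather than removed because Windows recreates them at the next start of the Server service unless that behaviour is disabled by policy.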


4 Protecting SAP System Resources

In the following topics we describe the security measures for protecting the SAP system:

- Protecting Data Relevant to the SAP System
- Protecting Shared Memory
- Protection for Dynamically-Created Files (Files Created by ABAP)
- Protecting Database Files

In addition, we describe how to protect resources for an installation that consists of several SAP systems. For more information, see Setting Rights for an Installation with Several SAP Systems.

4.1 Protecting Data Relevant to the SAP System

The following points apply to the Windows domain concept and the installation of your SAP system:

- Regardless of whether the SAP system is installed centrally or as a distributed system, we recommend setting up one domain that contains the SAP system application and database servers.
- We strongly recommend that you set up all your SAP system servers in one Windows domain. For short-term test installations or demonstration purposes only, you may install a central SAP system that is not located in a Windows domain. However, we recommend this setup for limited use only. It is difficult to introduce the domain concept to a system that is already in use.
- In a central installation on a server in a domain, all SAP system administrators are members of the local group SAP__LocalAdmin.
- In a distributed installation with several server machines in the domain, a global group is set up for the SAP system (SAP__GlobalAdmin). This global group itself is a member of the server's local groups and contains the SAP system administrators. This also simplifies the administration in the client/server environment, since new users who need SAP system administration rights only need to become members of the global group.

4.2 Defining Start and Stop Permissions

The permissions for starting and stopping an SAP instance are defined in the sapstartsrv.exe file. To change the start and stop permissions, you can do one of the following:

- Use the Microsoft Management Console [SAP Library] with the SAP Systems Manager snap-in, which was developed at SAP and is integrated in the Microsoft Management Console (MMC). Right-click on the SAP instance for which you want to change the start permissions and choose Properties to adjust the permissions.
- In the Windows Explorer, right-click on the sapstart.exe file and choose Properties to adjust the permissions.


4.3 Protecting Shared Memory

The shared memory is used by the SAP system dispatcher and the work processes for certain activities, such as exchanging administration information. These processes use the same Access Control List for themselves and the shared memory. Therefore, only members of this ACL have access to the shared memory. In general, these are members of the SAP_LocalAdmin group.

4.4 Protection for Dynamically-Created Files (Files Created by ABAP)

Because SAP systems use ANSI stream file I/O, a file created by ABAP inherits the access rights from the folder in which it was created. Only the owner of the files or the administrator can change the access rights. When ABAP statements create these files, they are owned by the SAP system (adm or SAPService).

4.5 Protecting Database Files

The database provider or the database administrator is responsible for protecting the data at the database level. You should therefore consult the documentation supplied by the database vendor on the subject of data protection and security.

For specifics pertaining to SAP systems, see the appropriate section in Database Access Protection [SAP NetWeaver Security Guide].

4.6 Setting Rights for an Installation with Several SAP Systems

If there are several SAP systems on the server(s), it is possible to perform the administration tasks separately using different local and global groups. Assign the access rights appropriately for the files in the directory (to include sub-directories) \usr\sap. You can distinguish between the administrators and groups by using the names of the SAP systems (for example, , and ). All administrators should have access to the two directories at the \usr\sap top level.

If there are several SAP systems installed on a single server, then an additional area of shared memory exists. This memory is created by saposcol.exe and is used jointly by the OS Collector and all SAP systems. Therefore, give Full Control access rights to the SAP__LocalAdmin local groups for the executable file saposcol.exe. To avoid access conflicts here, start saposcol.exe before starting the SAP system.
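The rights layout this section describes for several SAP systems on one server can be applied with the following PowerShell script, an added example that is not part of the SAP guide. Each system's own local admin group gets Full control on its \usr\sap\<SID> subtree, every admin group can reach the shared top level, and all admin groups get Full control on saposcol.exe. The script assumes Windows Server 2012 or later; the root path, the saposcol.exe location and the system IDs AAA and BBB are placeholders, and the group naming SAP_<SID>_LocalAdmin is assumed from the guide's SAP__LocalAdmin. The page does not name the second top-level directory or the rights level for the top level, so the script handles \usr\sap itself and grants ReadAndExecute without inheritance there, so that one system's administrators do not inherit rights into another system's subtree. It previews until run with -Apply.

```powershell
# Added example, not part of the SAP guide. Applies per-system directory rights
# for several SAP systems on one server. Assumes Windows Server 2012+ and an
# elevated session. Paths, system IDs and the group name pattern are
# placeholders/assumptions. Preview mode unless -Apply is given.
param(
    [string[]]$SapSids = @('AAA', 'BBB'),                    # placeholder system IDs
    [string]$SapRoot   = 'D:\usr\sap',                        # placeholder root
    [string]$SapOsCol  = 'D:\usr\sap\PRFCLOG\saposcol.exe',   # placeholder location
    [switch]$Apply
)

function New-AccessRule {
    param([string]$Group, [string]$Rights, [bool]$Inherit)
    # Files, and folder entries that must not flow into other systems' subtrees,
    # get no inheritance flags (a file ACE with inheritance flags is rejected anyway).
    $flags = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Group,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$flags,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Grant-Access {
    param([string]$Path, [string]$Group, [string]$Rights, [bool]$Inherit)
    if (-not (Test-Path -Path $Path)) { Write-Warning "Skipping missing path $Path"; return }
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-AccessRule -Group $Group -Rights $Rights -Inherit $Inherit))
    if ($Apply) {
        Set-Acl -Path $Path -AclObject $acl
        "Granted $Rights on $Path to $Group"
    } else {
        "[preview] $Rights on $Path for $Group"
    }
}

foreach ($sid in $SapSids) {
    $group = "SAP_${sid}_LocalAdmin"

    # Each system's own subtree: Full control, inherited, for its own admin group only
    Grant-Access -Path (Join-Path $SapRoot $sid) -Group $group -Rights 'FullControl' -Inherit $true

    # The shared top level: every admin group can reach it, but without inheritance,
    # so the entry does not flow into the other systems' subtrees
    Grant-Access -Path $SapRoot -Group $group -Rights 'ReadAndExecute' -Inherit $false

    # saposcol.exe is used jointly by all systems: Full control for every admin group
    Grant-Access -Path $SapOsCol -Group $group -Rights 'FullControl' -Inherit $false
}
```

AddAccessRule only adds entries; it does not remove existing ones, so a Full control entry that a previous installation left on the top level for another system's group stays in place and should be reviewed separately. The per-SID groups must exist before the script runs, because the rule constructor resolves the group name to a SID.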


5 Additional Information Windows Security

For general information about Windows operating system security, see www.microsoft.com/security.

For additional information, see the following documentation:


| Title of Documentation | Where to find? |
|---|---|
| Installation Guide: SAP Web Application Server on Windows | SAP Service Marketplace at service.sap.com/instguides, SAP Web Application Server |
| Installation Guide: on Windows | SAP Service Marketplace at service.sap.com/instguides |
