Automating Everyday Tasks with The Onapsis Platform Saves Costs and Frees Up Resources

As a former SAP Basis Administrator, I know firsthand that you are responsible for a wide range of tasks geared toward ensuring your SAP systems are running in tip-top shape. During the SAP system lifecycle (installation, upgrade, maintenance), Basis Administrators must validate that system security settings, logging and parameters are configured correctly. To do this, you will use documentation ranging from the NetWeaver Installation Guides, the SAP Security Baseline and SAP Security Notes to your own corporate policy, such as ITGC (IT General Controls), SOX (Sarbanes-Oxley) or PCI (Payment Card Industry). This can be an extremely time-consuming task, as the SAP landscape is not static: new configurations, programs, clients, instances and systems are constantly being added, all while system and client refreshes are occurring and impacting system settings.

The average Fortune 1000 company owns several of the diverse set of products that SAP offers, running its most critical business applications. Many companies run SAP S/4HANA, CRM, ERP, SOLMAN, PLM, SCM, BI, SRM, BW, BOBJ and EP, to name a few. On top of the variety of applications, these products will have different NetWeaver stacks, such as ABAP and JAVA. To validate all of these settings, Basis Administrators must manually perform an audit of every system. This requires them to log into as many as 100+ systems, a task that may take many days, sometimes weeks, while still keeping up with their day-to-day change management and operational tasks to ensure the SAP systems are always running.

In this blog, I am going to show you different ways you can leverage The Onapsis Platform to save up to 90% of the time required to perform tasks during installation, audit and maintenance. In the long run, this is a huge cost saving for the company: it avoids acquiring additional resources and frees existing personnel to work on other projects and tasks, such as optimizing and modernizing SAP systems and applications.

The table below lists a sample of the more than 400 common tasks Basis Administrators must perform manually in each system. It identifies in which phase (installation, audit or maintenance) each task is performed, comparing the time it usually takes manually with the time savings you gain by automating it with the Assess and Comply functionality of The Onapsis Platform. Using The Onapsis Platform, you can determine the compliance impact of SAP system misconfigurations, authorizations, vulnerabilities and missing SAP Notes.

Table – Basis Time Cost Savings Matrix

| Phase | Audit Task | Business Impact | Manual time per 10 SIDs (mins) | Onapsis time per 10 SIDs (mins) | Time Savings (mins) |
|---|---|---|---|---|---|
| 1. Installation | SAP Message Server ACL file is not secure | An anonymous remote attacker could connect to the Message Server, impersonate an SAP application server and receive any SAP communication, including user access credentials. | 100 | 5 | 95 |
| 2. Installation | Remote unencrypted HTTP connection to Web Service Interface is possible | A malicious party could steal valid access credentials or sensitive information through sniffing or Man-in-the-Middle (MITM) attacks and use them to perform critical operations through the system. | 50 | 5 | 45 |
| 3. Installation | ICM BC WEBRFC service is enabled | An authenticated remote attacker could display and change any business information by executing RFC functions using a web browser. | 50 | 5 | 45 |
| 4. Installation | ICM Webgui BSP application is enabled | An authenticated remote attacker could display and change any business information by executing transactions and reports using a web browser. | 50 | 5 | 45 |
| 5. Installation | Insecure SAP GUI communications are accepted | Due to the lack of encryption in the connections, an attacker could intercept sensitive information, such as access credentials, or business information, such as customer and vendor lists, sales orders, purchase orders, payments and payroll. | 50 | 5 | 45 |
| 6. Audit/Installation | Standard SAP users exist which are not assigned to the user group SUPER | There are standard SAP users which are not assigned to the user group SUPER: DDIC (perform fraudulent activities concerning business processes, such as creating new vendors or performing payments); EARLYWATCH (access configuration and monitoring data); SAPCPIC (execute RFC functions); TMSADM (access transport management system functions); SAP* (full access to the system). | 60 | 5 | 55 |
| 7. Audit/Installation | Users identified with permissions to add, create, activate or generate system profiles | An unauthorized user with permissions to configure application server parameters could modify critical system parameters, such as password policies, disable audit features, modify performance-related parameters, etc. | 50 | 5 | 45 |
| 8. Audit/Installation | RFC Destinations without encryption | There are RFC destinations configured without encryption in the tested clients. An external attacker with access to the network traffic could access sensitive information, including credentials, sent over these connections. | 50 | 5 | 45 |
| 9. Audit/Installation | System accepts unprotected internal and external RFC connections | An attacker could take advantage of a non-secure connection to perform an attack leading to data leakage. | 50 | 5 | 45 |
| 10. Audit/Installation | Compliance to current Password Policy is not enforced | Under these circumstances, if an administrator makes a change to the current policy, users with incompatible passwords will not be prompted to change their passwords automatically when they next log into the system. | 50 | 5 | 45 |
| 11. Audit/Maintenance | Users with the SAP_ALL profile assigned | An anonymous remote attacker could log in using an SAP_ALL account and perform fraudulent activities against business processes, such as creating new vendors and performing payments, creating fictitious customers and shipping goods to them, etc. These activities are possible because the SAP_ALL profile has high-privilege authorizations in the system. | 50 | 5 | 45 |
| 12. Audit/Maintenance | ICM Ping service is enabled | The Ping service is enabled in the SAP ICM server. This service can be used to verify whether the backend SAP Application Server is available. It is located in the ‘/sap/public/ping’ ICF service path. | 50 | 5 | 45 |
| 13. Audit/Maintenance | Insecure invalid logon attempts to session end | The number of invalid logon attempts allowed by the SAP GUI before the session is automatically closed is driven by the profile parameter ‘login/fails_to_session_end’. The current configuration for the number of invalid logon attempts before the SAP GUI session is closed is considered insecure. In this scenario, an attacker will be able to perform a brute-force attack on the remote SAP server more easily with an SAP GUI client. | 50 | 5 | 45 |
| 14. Audit/Maintenance | SAP passwords never expire | The SAP passwords never expire. In this scenario, an attacker who had previously compromised a valid account might be able to regain access to the SAP system. | 50 | 5 | 45 |
| 15. Audit/Maintenance | Insecure number of maximum login attempts | In this scenario, a remote attacker might be able to launch a brute-force attack against some specific users, with the objective of taking over the target SAP system. | 50 | 5 | 45 |
| 16. Maintenance/Installation | Client not properly locked; changes to the Repository and cross-client Customizing permitted | Changes are allowed in Production or Testing clients, so an unauthorized user would be able to change critical business process configuration, such as company codes, document types, and sales and purchase order configurations. | 50 | 5 | 45 |
| 17. Maintenance/Installation | Multiple SAP GUI logins are enabled | An anonymous remote attacker could attack an SAP GUI client in order to gain the privileges of the current user. This could lead to impersonation of the user. | 50 | 5 | 45 |
| 18. Maintenance/Installation | CALL SYSTEM instruction is enabled | The ABAP SYSTEM command is not disabled in the application server. This allows direct execution of operating system commands on the application server whenever ABAP code execution is possible. | 50 | 5 | 45 |
| 19. Maintenance/Installation | Table change logging partially enabled for some clients | Table change logging functionality is controlled by the ‘rec/client’ parameter in the SAP system profile. The parameter has been identified as enabled for only some clients. The ‘rec/client’ parameter is used to activate and deactivate client-dependent table logging. Depending on its setting, certain changes are either not logged at all (‘rec/client’ = OFF), only logged in certain clients (‘rec/client’ = 001,002,003) or logged in all clients (‘rec/client’ = ALL). | 50 | 5 | 45 |
| 20. Maintenance/Installation | List message server clients | This module lists all the clients attached to the message server. | 50 | 5 | 45 |
| 21. Maintenance/Installation | SAP Message Server admin port detection for ABAP | This module determines whether there is an admin port configured in the Message Server. If so, an unauthenticated user would be able to perform several activities over the SAP server, such as modifying parameters and configurations in the service. | 50 | 5 | 45 |
| 22. Maintenance/Installation | Check missing ABAP, HANA, JAVA, SAP Security Notes | If there are SAP Security Notes that were not applied, the affected SAP systems are exposed to well-known vulnerabilities. It was possible to identify SAP Security Notes that should be implemented in the target. | 50 | 5 | 45 |
| 23. Maintenance/Installation | Kernel SAP Security Notes not implemented | The SAP kernel is a core component in any SAP installation. If kernel SAP Security Notes are not applied, the affected SAP system is exposed to well-known vulnerabilities and susceptible to many attacks, such as buffer overflows and command injection, exposing the SAP system and all the information processed and stored by it. It was possible to identify kernel SAP Security Notes that should be implemented in the target. | 50 | 5 | 45 |
| 24. Maintenance/Installation | Upgrade status of SAP Kernel | This module determines the upgrade status of the kernel in the target SAP system. | 50 | 5 | 45 |
| 25. Maintenance/Installation | Version of SAP ABAP software components | This module lists the version of all installed ABAP components in the target SAP system by reviewing the CVERS table. | 50 | 5 | 45 |
| 26. Audit/Maintenance | ICMAD | Threat Intel – This page provides information to help determine whether your assets have the vulnerability associated with ICM desynchronization: CVE-2022-22532, CVE-2022-22533, CVE-2022-22536. | 50 | 5 | 45 |
| 27. Audit/Maintenance | 10KBLAZE | Threat Intel – This page provides information to help determine whether your assets have the misconfiguration associated with 10KBLAZE: SAP Message Server ACL file for ABAP; SAP Message Server ACL configuration file for JAVA; SAP Gateway secinfo ACL; RFC server start allowed via Gateway. | 50 | 5 | 45 |
| Total Time | | | 1,410 | 135 | 1,275 |
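Several rows of the table (10, 13, 14, 15, 17, 18 and 19) come down to comparing a profile parameter with a policy value on every SID. The following is an added example written for this post, not Onapsis code or SAP code: it parses a constructed parameter export (one `SID|parameter|value` line per entry, a format assumed for the example) and evaluates each SID against a small policy. The parameter names are real SAP profile parameters; the compliant ranges in `RULES` are illustrative choices that match the findings the table describes, not an official baseline, and a parameter missing from the export is treated as a finding on the assumption that the kernel default is the insecure setting.

```python
"""Added example (not Onapsis or SAP code): check an exported set of SAP profile
parameters against a policy modelled on table rows 10, 13, 14, 15, 17, 18, 19.
The export format and the compliant ranges below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# (table row, profile parameter, what it controls, predicate True when compliant).
# Real SAP parameter names; thresholds are assumed for this example.
RULES = [
    (10, "login/password_compliance_to_current_policy",
     "force non-compliant passwords to be changed at next logon", lambda v: v == "1"),
    (13, "login/fails_to_session_end",
     "invalid logon attempts before the SAP GUI session ends",
     lambda v: v.isdigit() and 1 <= int(v) <= 3),
    (14, "login/password_expiration_time",
     "days until a password expires (0 = never)",
     lambda v: v.isdigit() and 1 <= int(v) <= 90),
    (15, "login/fails_to_user_lock",
     "failed logons before the user is locked",
     lambda v: v.isdigit() and 1 <= int(v) <= 5),
    (17, "login/disable_multi_gui_login",
     "reject multiple SAP GUI logons by the same user", lambda v: v == "1"),
    (18, "rdisp/call_system",
     "ABAP CALL 'SYSTEM' enabled (1) or disabled (0)", lambda v: v == "0"),
    (19, "rec/client",
     "client-dependent table change logging (OFF, client list or ALL)",
     lambda v: v.upper() == "ALL"),
]


@dataclass
class Finding:
    sid: str
    row: int
    parameter: str
    value: Optional[str]  # None when the parameter is absent from the export
    description: str


def parse_snapshot(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'SID|parameter|value' lines into {SID: {parameter: value}}.
    Blank lines and '#' comments are skipped; a malformed line raises."""
    params: Dict[str, Dict[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not all(parts[:2]):
            raise ValueError(f"line {lineno}: expected 'SID|parameter|value', got {raw!r}")
        sid, name, value = parts
        params.setdefault(sid, {})[name] = value
    return params


def evaluate(params_by_sid: Dict[str, Dict[str, str]]) -> Dict[str, List[Finding]]:
    """Run every rule against every SID. A parameter missing from the export is
    reported as a finding (assumption: the kernel default is the insecure value)."""
    findings: Dict[str, List[Finding]] = {sid: [] for sid in params_by_sid}
    for sid, params in params_by_sid.items():
        for row, name, what, compliant in RULES:
            value = params.get(name)
            if value is None or not compliant(value):
                findings[sid].append(Finding(sid, row, name, value, what))
    return findings


def finding_counts(findings: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Findings per SID, zero included, for a per-system summary."""
    return {sid: len(items) for sid, items in findings.items()}


# Constructed sample export for three SIDs (not real system data).
SAMPLE_SNAPSHOT = """
# SID|parameter|value
PRD|login/password_compliance_to_current_policy|1
PRD|login/fails_to_session_end|3
PRD|login/password_expiration_time|0
PRD|login/fails_to_user_lock|5
PRD|login/disable_multi_gui_login|1
PRD|rdisp/call_system|0
PRD|rec/client|001,002,003
QAS|login/password_compliance_to_current_policy|1
QAS|login/fails_to_session_end|3
QAS|login/password_expiration_time|90
QAS|login/fails_to_user_lock|5
QAS|login/disable_multi_gui_login|1
QAS|rdisp/call_system|0
QAS|rec/client|ALL
DEV|login/fails_to_session_end|10
DEV|login/password_expiration_time|0
DEV|login/fails_to_user_lock|99
DEV|rdisp/call_system|1
DEV|rec/client|OFF
"""

if __name__ == "__main__":
    report = evaluate(parse_snapshot(SAMPLE_SNAPSHOT))
    for sid, items in report.items():
        print(f"{sid}: {len(items)} finding(s)")
        for f in items:
            print(f"  row {f.row:2d} {f.parameter} = {f.value or 'not set'} ({f.description})")
```

On the constructed sample, QAS has no findings, PRD is flagged for passwords that never expire and for partial `rec/client` logging (the exact situation row 19 describes), and DEV is flagged on all seven rules, two of them because the parameter is not set at all. Scaling this to the ten SIDs of the table is a matter of feeding in a larger export; the point is that the per-system checks the table prices at 50 manual minutes each reduce to a policy definition plus one run.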

The table above represents only a small sample of 27 tasks that a Basis Administrator must perform throughout the lifecycle of the SAP system. When using The Onapsis Platform, the time savings are significant. Manually performing these tasks would take one Basis Administrator approximately 1,275 mins (21.25 hours) for only 10 SIDs. By automating these tasks with The Onapsis Platform, a time savings of over 90% of the manual time is realized (a savings of 1,275 minutes). This savings already includes the initial setup time to create the policy and run the scan the first time. Once this policy is established, subsequent scans will be faster and offer even more time savings and greater efficiencies.

The ease of use and flexibility of The Onapsis Platform will save you time by automating many manual and repetitive everyday tasks, which frees up valuable resources to focus on more important projects that support the company. Additionally, you will be able to ensure your company is in compliance with both internal and external security policies and controls, giving you one less thing to worry about. In the next blog, I will show you how to set up policies so that you can see how easy it is to operate The Onapsis Platform.

To learn more about how The Onapsis Platform can improve efficiencies and save you time and costs while ensuring application availability, compliance and security, check out our new complimentary assessment services.


Editor’s Note: This blog was updated in September 2022.