
Limited access for Basis administrators

If you want to protect your SAP data from misuse, you also have to restrict access rights for SAP Basis administrators. Security tests at customers' sites reveal serious weaknesses in this area.
Thomas Kastner, Virtual Forge
April 19, 2017
This text has been automatically translated from German to English.

DBACOCKPIT and DB02 provide SAP Basis staff with two central transactions for monitoring, controlling, configuring and managing the SAP databases.

Numerous Basis functions can be executed through them, for example checking system status and operating modes, table extensions, index maintenance and table updates.

In addition, both transactions contain the SQL Command Editor, which allows direct access to application tables via so-called Open SQL commands.

This also allows users to access business-critical information, such as personnel and financial accounting data or even password hashes.

Security patches for the SQL Command Editor must be applied promptly

SAP has delivered numerous security patches for the SQL Command Editor. These security patches must be reviewed and applied.

To regulate access to SAP data, SAP has also delivered a new authorization object (S_TABU_SQL). It allows companies to define which employees may access which SAP data.

In addition, a logging function has been implemented in the SQL Command Editor that automatically records every command, whether authorized or not.

If this log data is also transferred to a security information and event management (SIEM) system, such as SAP Enterprise Threat Detection (ETD), and analyzed there, companies gain transparency into all accesses that have taken place.

Possible misuse can thus be counteracted promptly through monitoring and alerting. Although data protection and compliance requirements also demand that access for SAP Basis administrators be limited, reality often looks different.
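The monitoring step described above can be illustrated with a small detection rule run over the SQL Command Editor's command log. The following is an added example, not code from the article or from Virtual Forge; the pipe-separated record layout, the field names and the log lines are all constructed stand-ins for an export of the editor's log, and the watch list of sensitive tables is an assumption that each site would tailor. It flags three things a SIEM rule would typically look for: commands SAP rejected as unauthorized, reads of tables the article names as business-critical (user password hashes, HR and financial data), and write or DDL statements issued from the editor.

```python
"""Detection rule over SQL Command Editor log records (added example).

The record layout is a constructed stand-in for an export of the SQL
Command Editor's command log:  ts|sid|user|tcode|auth|statement
Field names and sample lines are assumptions, not SAP's own format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed watch list: password hashes (USR02/USH02), HR master and payroll
# data (PA0001/PA0008) and financial accounting documents (BKPF/BSEG).
SENSITIVE_TABLES = {"USR02", "USH02", "PA0001", "PA0008", "BKPF", "BSEG"}

# Table names following FROM / JOIN / UPDATE / INTO in a statement.
_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Z0-9_/]+)", re.IGNORECASE)
# Statements that change data or schema; the editor is meant for reads.
_WRITE_RE = re.compile(r"\s*(UPDATE|DELETE|INSERT|DROP|ALTER)\b", re.IGNORECASE)


@dataclass
class SqlEditorEvent:
    timestamp: str
    system: str
    user: str
    transaction: str   # DB02 or DBACOCKPIT
    authorized: bool   # outcome of the S_TABU_SQL check recorded in the log
    statement: str


def referenced_tables(statement: str) -> set[str]:
    """Return the upper-cased table names a statement refers to."""
    return {m.upper() for m in _TABLE_RE.findall(statement)}


def parse_line(line: str) -> SqlEditorEvent:
    """Parse one constructed log record; the statement may itself contain '|'."""
    ts, sid, user, tcode, auth, stmt = line.split("|", 5)
    return SqlEditorEvent(ts, sid, user, tcode, auth == "OK", stmt.strip())


def classify(ev: SqlEditorEvent) -> list[str]:
    """Return the list of reasons this event should raise an alert (empty = benign)."""
    reasons = []
    if not ev.authorized:
        reasons.append("unauthorized command (authorization check failed)")
    hit = referenced_tables(ev.statement) & SENSITIVE_TABLES
    if hit:
        reasons.append("sensitive table(s): " + ", ".join(sorted(hit)))
    if _WRITE_RE.match(ev.statement):
        reasons.append("write/DDL statement issued from the SQL editor")
    return reasons


def alerts(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Run the rule over log lines; returns (user, transaction, reasons) per alert."""
    out = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            out.append((ev.user, ev.transaction, reasons))
    return out


# Constructed sample log: one routine monitoring query and three events of interest.
SAMPLE_LOG = [
    "2017-04-19T09:12:05|PRD|BASISADM|DBACOCKPIT|OK|SELECT COUNT(*) FROM T000",
    "2017-04-19T09:15:40|PRD|BASISADM|DB02|OK|SELECT * FROM USR02",
    "2017-04-19T09:20:11|PRD|JDOE|DBACOCKPIT|FAILED|SELECT * FROM PA0008 WHERE PERNR = '00001234'",
    "2017-04-19T09:25:02|PRD|BASISADM|DB02|OK|UPDATE ZCUSTOM_PARAM SET VALUE = 'X' WHERE NAME = 'TRACE'",
]

if __name__ == "__main__":
    for user, tcode, reasons in alerts(SAMPLE_LOG):
        print(f"ALERT {user} via {tcode}: " + "; ".join(reasons))
```

Forwarding only the flagged events to the SIEM keeps the alert volume low, while the full log still provides the complete access history the article asks for.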

For example, SAP security tests in companies of all sizes and industries repeatedly uncover unpatched vulnerabilities in the SQL Command Editor function of DBACOCKPIT and DB02.

SAP Basis administrators thus retain far-reaching possibilities to access sensitive SAP data.

Complete takeover conceivable

To illustrate the potential consequential damage, SAP penetration testing experts from Virtual Forge first read the USR02 table, which holds the user password hashes, in a selected customer system.

After the testers cracked the hashed passwords with a password-cracking tool, they were able to log in to the SAP system without difficulty and use the same functions for which the individual users were authorized.

The tests showed that malicious attacks could have led to the complete compromise of an SAP system.

It is therefore imperative for every SAP user company to regularly import the Security Notes, especially for the SQL Command Editor.

In addition, upgrades should be carried out at least once a year and the latest support packages imported, through which SAP provides customers with bug fixes and legally required software adjustments.

External consulting recommended

However, since most companies do not have any designated SAP security experts, it makes sense to bring external service providers on board for the regular import of security patches.

It is essential that the consulting partner has the necessary security and SAP expertise, especially experience in implementing patches, understanding of different SAP releases and upgrade procedures, and knowledge of threat detection and prevention.

Equipped with these competencies, the SAP security provider can support the customer in assessing the criticality of the security patches. In addition, the customer receives advice on selecting the tests needed to prevent program and application errors when the patches are applied.

Since selective testing eliminates the need for time-consuming regression tests across the entire SAP system, the customer saves a great deal of time and money.

Use complementary tools

For prevention, the use of specialized tools for detecting and correcting errors in the customer-specific SAP system configuration is also an option.

The Virtual Forge SystemProfiler, for example, can be used to determine all users who have extensive permissions to execute the SQL Command Editor (DB02, DBACOCKPIT) together with the associated table permissions (S_TABU_SQL).

If a customer has connected its SAP systems to SAP Solution Manager, such tools can be used to automatically identify security gaps and vulnerabilities.

For example, all SAP systems can also be checked regularly to ensure that every necessary security patch has been applied, so that the security vulnerabilities in the SQL Command Editor are completely eliminated.
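The authorization check such a tool performs can be modelled in a few lines. The following is an added example, not SystemProfiler code or any SAP API: the role and user assignments are constructed, and the field names used for S_TABU_SQL (TABLE, ACTVT) and S_TCODE (TCD) are assumptions about those objects' layout. It follows the SAP authorization model in one respect that matters for this audit: a check succeeds only if a single authorization instance satisfies all required fields, so an ACTVT value from one role is not combined with a TABLE value from another. The result is the list of users who can start the SQL Command Editor and whose S_TABU_SQL rights cover the sensitive tables.

```python
"""Audit: which users can reach the SQL Command Editor and read sensitive
tables through S_TABU_SQL? (added example with constructed role data;
field names TABLE, ACTVT and TCD are assumptions, not verified object layouts)
"""
from __future__ import annotations

from fnmatch import fnmatchcase

# Constructed role definitions: role -> list of (authorization object, {field: values}).
# Each tuple is one authorization instance, as in PFCG.
ROLES = {
    "Z_BASIS_ADMIN": [
        ("S_TCODE", {"TCD": ["DB02", "DBACOCKPIT", "SM50"]}),
        ("S_TABU_SQL", {"TABLE": ["*"], "ACTVT": ["02", "03"]}),   # any table, change+display
    ],
    "Z_DB_MONITOR": [
        ("S_TCODE", {"TCD": ["DBACOCKPIT"]}),
        ("S_TABU_SQL", {"TABLE": ["T000", "DBSTAT*"], "ACTVT": ["03"]}),  # display only, few tables
    ],
    "Z_HR_CLERK": [
        ("S_TCODE", {"TCD": ["PA20", "PA30"]}),
    ],
}

# Constructed user-to-role assignments.
USERS = {
    "BASISADM": ["Z_BASIS_ADMIN"],
    "MONITOR1": ["Z_DB_MONITOR"],
    "HRUSER": ["Z_HR_CLERK"],
    "TEMP_ADMIN": ["Z_DB_MONITOR", "Z_BASIS_ADMIN"],
}

SQL_EDITOR_TCODES = ["DB02", "DBACOCKPIT"]
# Constructed list of tables whose exposure the article warns about.
SENSITIVE_TABLES = ["USR02", "PA0008", "BSEG"]


def matches(patterns: list[str], value: str) -> bool:
    """SAP-style value match: exact value or trailing '*' wildcard."""
    return any(fnmatchcase(value, p) for p in patterns)


def has_auth(user: str, obj: str, required: dict[str, str]) -> bool:
    """True if one authorization instance of `obj` satisfies every required field."""
    for role in USERS.get(user, []):
        for auth_obj, fields in ROLES.get(role, []):
            if auth_obj != obj:
                continue
            if all(matches(fields.get(f, []), v) for f, v in required.items()):
                return True
    return False


def can_start_sql_editor(user: str) -> bool:
    """Can the user start DB02 or DBACOCKPIT at all?"""
    return any(has_auth(user, "S_TCODE", {"TCD": t}) for t in SQL_EDITOR_TCODES)


def sensitive_tables_readable(user: str) -> list[str]:
    """Sensitive tables the user may display (ACTVT 03) via S_TABU_SQL."""
    return [t for t in SENSITIVE_TABLES
            if has_auth(user, "S_TABU_SQL", {"TABLE": t, "ACTVT": "03"})]


def audit(users: dict[str, list[str]] = USERS) -> dict[str, list[str]]:
    """Users who combine SQL editor access with broad S_TABU_SQL rights."""
    findings = {}
    for user in users:
        if can_start_sql_editor(user):
            hits = sensitive_tables_readable(user)
            if hits:
                findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, tables in audit().items():
        print(f"{user}: SQL editor + S_TABU_SQL on {', '.join(tables)}")
```

MONITOR1 is deliberately left out of the findings: the user can open DBACOCKPIT, but the S_TABU_SQL instance is restricted to display on a handful of monitoring tables, which is the shape a Basis role should have after the access restriction the article calls for.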


Thomas Kastner, Virtual Forge

Thomas Kastner is Managing Director and owner of Virtual Forge

