Favored target for cyber attacks: SAP archive systems.


Checklist to secure your SAP systems.

Do you know at any time who accesses the sensitive data of your SAP archive servers? In our penetration tests we experience it again and again: attacks on SAP archive systems are mostly successful, not recognized and therefore not logged and reported.

What is the reason? Archive and content systems are often not included in tests or data security concepts. There is a lack of infrastructure hardening as well as of an administration and access concept. Without reliable security monitoring and integration into SIEM monitoring, the archive systems are completely unprotected against manipulation or cyberattacks.

The legislature sets no special requirements for archived data. Protection requirements and hardening measures for archive systems are therefore usually not defined or implemented, because they are not in the scope of external or internal audits. As a result, sensitive data often sits unprotected in the archive systems and is open to unauthorized access.

Tip 1: Secure your SAP archive system
Rate the protection requirement of the entire system and of each archive object. Configure the authorizations and the monitoring on this basis.
– Protect your network, operating systems and databases.
– Use forgery-resistant URLs and SecKeys in combination with SSL / TLS.
– Encrypt the data transfer between your productive and archive systems.

Tip 2: Optimize your SAP authorizations
– Minimize access to your archive systems and restrict CSADMIN access.
– Use the default authorization objects S_ARCHIVE and S_BDS_**.
– Do not allow read access to the tables TOA**.
– Do not assign the object S_GUI for downloads as a general rule.
– Lock the reports RSCMSEC, RSCMSIM, and SRCMSPWS or related transactions.

Tip 3: Secure your temporary files and your file storage
– Allow only one SIDADM user access to archive files.
– Access via SAP tools such as AL11 should be possible only for archive administrators.
– Delete temporary files after completing the archive run.
– Monitor downloads of archive files.

Tip 4: Recognize access and abuse with SIEM tools
– Evaluate the network, operating system, database, security audit and archive server logs.
– Document administrative access attempts and unusual accesses and track them.
– Record changes to users and permissions.
– Analyze critical and mass downloads.
– Keep a record of changes to checked-in documents.
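
The following Python example is added here and is not part of the original checklist or of any AKQUINET tool. It evaluates archive server access logs for two of the conditions above: downloads requested without a SecKey, and one client fetching many distinct documents within a short window. The log layout, sample lines, window and threshold are assumptions; `get`, `docGet`, `contRep`, `docId` and `secKey` are the names used by the SAP Content Server HTTP interface, and the check covers only the presence of a `secKey`, not its validity.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (assumed common log format; no real data).
ROW = '{ip} - - [12/Mar/2024:{t} +0000] "GET /ContentServer/ContentServer.dll?{q} HTTP/1.1" 200 4096'
SAMPLE_LOG = [ROW.format(ip=ip, t=t, q=q) for ip, t, q in [
    ("10.0.0.5", "10:00:01", "get&contRep=A1&docId=D001&secKey=c2FtcGxl"),
    ("10.0.0.7", "10:01:10", "get&contRep=A1&docId=D002"),  # unsigned URL
    ("10.0.0.99", "10:02:00", "info&contRep=A1&docId=D100&secKey=c2FtcGxl"),
    ("10.0.0.99", "10:02:05", "get&contRep=A1&docId=D100&secKey=c2FtcGxl"),
    ("10.0.0.99", "10:02:20", "get&contRep=A1&docId=D101&secKey=c2FtcGxl"),
    ("10.0.0.99", "10:02:40", "get&contRep=A1&docId=D102&secKey=c2FtcGxl"),
    ("10.0.0.99", "10:03:00", "get&contRep=A1&docId=D103&secKey=c2FtcGxl"),
]]

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+')
DOWNLOAD_CMDS = {"get", "docGet"}  # commands that return document content

def parse(line):
    """Return a successful download event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, target, status = m.groups()
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if status != "200" or not query.keys() & DOWNLOAD_CMDS:
        return None
    return {"client": client, "signed": bool(query.get("secKey", [""])[0]),
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "doc": (query.get("contRep", [""])[0], query.get("docId", [""])[0])}

def analyze(lines, window=timedelta(minutes=5), threshold=3):
    """Alert on unsigned downloads and on many distinct documents per client."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for ev in filter(None, map(parse, lines)):
        client, q = ev["client"], recent[ev["client"]]
        if not ev["signed"]:
            alerts.append(("unsigned_download", client, ev["doc"]))
        q.append((ev["time"], ev["doc"]))
        while ev["time"] - q[0][0] > window:  # drop downloads outside the window
            q.popleft()
        distinct = len({doc for _, doc in q})
        if distinct >= threshold and client not in flagged:
            flagged.add(client)  # one alert per burst, not per request
            alerts.append(("mass_download", client, distinct))
        elif distinct < threshold:
            flagged.discard(client)
    return alerts
```

In a SIEM the same two rules would run as correlation searches over the forwarded archive server logs, with the threshold tuned to the protection requirement rating of each content repository.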

With these recommendations for one-time configuration and continuous monitoring, you can significantly improve the security of your SAP archive systems.

Security tools such as SAST SECURITY RADAR of the AKQUINET GRC-Suite SAST are a perfect addition. In contrast to normal SIEM tools, the SAST module is more comprehensive and specialized in securing SAP systems, and it also allows monitoring of peripheral components such as SAP router, web dispatcher and archive server.

Do you have any questions or need more information? knowhow@akquinet.de

Ralf Kempf
Managing Director, AKQUINET