Do you have an overview of the RFC interfaces in your SAP systems? The larger the company, the more interfaces there are. Unfortunately, these are often not taken into account when securing IT systems, thereby allowing hackers free access to sensitive data. The name of the game for SAP managers is therefore: Clean up and check.
SAP systems nearly always communicate with other SAP or third-party systems in order to exchange data related to production, financials, human resources, customers and more. The SAP standard interface “Remote Function Call“ (RFC) used for this purpose allows a large number of settings for this type of communication. It is up to the operator of the SAP system to decide which settings to implement and whether these are even necessary. Encrypted and unencrypted connections are therefore permitted, as are interfaces that do not have any restrictions on authorization or assignment to a technical user or department.
Potential points of entry for attackers from inside and outside are the result of insufficiently configured and maintained RFC interfaces. An often underestimated issue is the long-term and sustainable maintenance of RFC connections. This makes comprehensive knowledge management of the established connections, the stored users, the passwords used and the authorizations granted in SAP systems all the more important for ensuring IT security in the company. Unfortunately, only very few companies are able to assess this process and to ensure that they are adequately staffed.
Trusted RFC connections: Espionage, data Misuse and hacker attacks made easy
Have you ever thought about the impact of trust relationships between SAP systems (trusted RFC connections)? When a connection of this type is established, the receiving system blindly trusts the sending SAP system and accepts its user authorizations. Unfortunately, this also makes it possible to log on to a supposedly secure SAP system via another system that is not in the same protected zone and to work with the authorizations and programs in this environment. If several such connections exist in a system landscape, then this can also be used as an point of entry across several systems. This includes unhindered access to critical function modules.
RFC pool interfaces: Problems with broadly assigned authorizations
The RFC pool interfaces are an interesting and highly complex subject area. In this special case, which unfortunately can be found quite often, an interface is used for several work and subject areas. The existing authorizations often permit much more than is desired: Combinations of authorizations from more than ten departments or even full authorizations (SAP_ALL or S_RFC) are not uncommon. Woe unto anyone who believes that such an interface can be closed if a lone department considers it obsolete.
Keeping RFC interfaces in view: Eliminate legacy problems and check SAP security
During our RFC analyses with the SAST Interface Management module, we surprisingly encounter RFC interfaces to unknown or unwanted third parties in nearly every SAP system – such as those that arise during the initial installation of the system. These were often forgotten and not removed from the SAP system. Unfortunately, the relics from the past also include interfaces from the SAP installation or even test and demo RFC connections from server adaptations.
As a company grows, its SAP system landscape does, too. However, the number of communication paths increases disproportionately, and there are more and more RFC interfaces to an even greater number of sources and recipients. When dealing with the subject of IT security, the focus is often on only the most important systems. When you really think about it, an analysis of the entire system landscape makes more sense, as synergy effects can be exploited during a cleanup. Changes to RFC interfaces very often require action and checking at both ends of the communication path. Last but not least, the RFC gateway and firewall configurations must be checked. This ensures that the settings are adjusted for multiple systems at the same time and that security is ensured for more than just a single interface, e.g. the ERP production system.
You can use RFC interface analysis to check the interface configuration of the entire SAP landscape as well as identify and eliminate vulnerabilities in your systems.
Do you want to learn more about the SAST Interface Management or would you like to find out more about all round protection of your SAP systems? Check out our SAST SOLUTIONS website or send us an e-mail us at email@example.com
Martin Manns, Senior SAP & IT Security Consultant
(SAST SOLUTIONS of akquinet AG)