In this blog I will explain, at a high level, how to secure the SAP Fiori environment.
Securing the SAP environment matters once our SAP ERP business processes are exposed to the outside world (the Internet) through Fiori applications. Attackers are everywhere!
In most cases the Fiori front-end (Gateway) server is the component exposed to the outside world. Imagine an attacker able to execute the stopsap script on the Gateway instance and take it down.
The instance becomes unavailable, users cannot reach the systems, and productivity suffers directly. To avoid this, always patch and harden the message server. Do not use the message server as a load balancer; always use SAP Web Dispatcher for load balancing.
What if purchase requisitions or purchase orders worth millions of dollars reach the wrong person and are approved without the consent of the right decision makers?
This would affect data integrity and could also have a material impact on the organization's finances. To avoid this, always establish strong authentication so that incorrect business transactions cannot happen.
When Fiori is accessed from a mobile device, we unintentionally share many business documents (attachments such as images, PDFs, etc.) by downloading, copying, and sharing or forwarding them on insecure messaging apps. Depending on the organization's applicable policies, this can amount to an information breach.
We can control security by adopting guidelines at the administrative and technical levels:
- Designing administrative policies, processes, procedures and guidelines, and educating end users to ensure awareness.
- Applying strict password policies, roles, authorizations and antivirus at the Gateway instance level, and firewalls and web content filters at the Web Dispatcher level.
- It is always a good option to encrypt the data between the end client (mobile/tablet/desktop) and the Gateway server to make it more secure.
The following key areas need strong consideration when securing SAP Fiori:
- Landscape network architecture: configure firewalls and demilitarized zones (DMZs).
- Encrypt the communication (GW <==> end client) and use X.509 certificate authentication.
- Endpoint security: organizations should have a policy to protect data that has been downloaded to users' mobile devices.
- Secure software development: always follow secure coding practices when developing objects.
- Vulnerability detection and management: always check for the latest patches and recommended security configurations to adapt to changes in the threat environment.
- Authorization: design the end-user role matrix from a security perspective. Avoid adding * (star) in authorization values.
- Authentication: genuinely verify the identity of the logged-in user. Never hard-code the user ID in trusted RFCs; always check the logged-in user.
- Log monitoring: several logs (system, application, etc.) help in tracking issues and monitoring usage.
At a high level, a secure Fiori environment requires looking into three areas.
Area 1: Network
» Identify and terminate untrusted connections on a front-end server in the DMZ.
» Set up firewall rules between clients and servers.
» Implement web application firewalls in blocking mode between untrusted networks and the Gateway server.
» Use the Web Dispatcher to technically restrict the ICF services reachable from untrusted networks.
Area 2: Software
The most commonly attacked web application vulnerabilities are:
- Broken authentication and session management
- Cross-site scripting (XSS)
- Security misconfiguration
- Sensitive data exposure
- Cross-site request forgery
» Always follow the development standards when developing UI5 apps and OData services.
» Train developers in secure software development.
» Always implement authority check objects when calling a BAPI or BAdI in your OData service developments.
» Use a standard code analysis tool such as the Code Inspector.
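As an added example (not code from the original post or from SAP), the following Python models what the authority check in the last bullet does, and also why the star value warned about in the key areas above is dangerous: a user holds authorizations (an object with field values), a modifying request is allowed only after the session identity, the CSRF token and the authorization have been checked, and only then is the business function called. The authorization object Z_PURCHORD, its fields BUKRS and ACTVT, the users, the purchase order and the release function are all constructed for this example; the matching rules are a simplified model of AUTHORITY-CHECK, not SAP's implementation.

```python
"""Authority check before the business call, SAP-style, with CSRF protection.
Added example, not code from the original post or from SAP. The authorization
object Z_PURCHORD, its fields BUKRS (company code) and ACTVT (activity: 01
create, 02 change, 03 display), the users and the purchase order are all
constructed; the matching rules are a simplified model of AUTHORITY-CHECK."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str
    fields: dict  # field name -> tuple of allowed values


def _value_allowed(allowed, value):
    """'*' covers everything, a trailing '*' is a prefix, anything else is exact."""
    return any(a == "*" or a == value or (a.endswith("*") and value.startswith(a[:-1]))
               for a in allowed)


def authority_check(auths, obj, **requested):
    """True if one authorization for obj covers every requested field value."""
    return any(auth.obj == obj and
               all(_value_allowed(auth.fields.get(f, ()), v) for f, v in requested.items())
               for auth in auths)


# Constructed role assignments; 'auditor_star' shows what a '*' value hands out.
USERS = {
    "buyer01":      [Authorization("Z_PURCHORD", {"BUKRS": ("1000",), "ACTVT": ("01", "03")})],
    "approver1000": [Authorization("Z_PURCHORD", {"BUKRS": ("1000",), "ACTVT": ("02", "03")})],
    "auditor_star": [Authorization("Z_PURCHORD", {"BUKRS": ("*",),    "ACTVT": ("*",)})],
}


def new_session(user):
    """What the server stores after authentication; the CSRF token is issued per session."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def release_purchase_order(po):
    """Stand-in for the BAPI that performs the change; returns the changed document."""
    return {**po, "status": "RELEASED"}


def handle_release(session, headers, po):
    """Modifying OData request: identity from the session, CSRF token, then authority."""
    user = session["user"]  # taken from the authenticated session, never from the payload
    if not hmac.compare_digest(headers.get("x-csrf-token", ""), session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    if not authority_check(USERS.get(user, []), "Z_PURCHORD", BUKRS=po["bukrs"], ACTVT="02"):
        return 403, f"{user} may not change purchase orders in company code {po['bukrs']}"
    return 200, release_purchase_order(po)


if __name__ == "__main__":
    po = {"ebeln": "4500000123", "bukrs": "2000", "status": "OPEN"}
    for user in USERS:
        s = new_session(user)
        print(user, handle_release(s, {"x-csrf-token": s["csrf_token"]}, po))
```

Running it shows that neither the buyer nor the approver for company code 1000 can release an order in company code 2000, while the user whose role carries `*` in both fields can change orders in any company code; that is the effect the role matrix has to avoid.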
Area 3: 3-Point Secure Configuration
- Gateway Server secure configuration
- SAP Web Dispatcher configuration
- Secure Client configuration
1. Gateway Server secure configuration steps:
Harden your gateway server:
The Gateway server core service listens on port 33XX (XX is the instance number). It is used for RFC and CPIC connections. This service is a point of attack for hackers. Always patch the server to the latest version so that this service is not exposed to external threat sources.
- Disable access to the SAP Gateway service from untrusted devices and networks.
- Disable untrusted gateway connections.
- Disable remote trace on your gateway server.
Harden your message server:
In an HTTP scenario, either the message server or SAP Web Dispatcher can be used to load-balance client requests. When Fiori is exposed to the Internet over HTTP, always use only SAP Web Dispatcher for load balancing so that the message server is not directly accessible from untrusted networks.
- Do not permit direct external connections to your front-end message server at the firewall.
- Ensure the SAP message server does not accept remote connections from untrusted networks.
Harden your ICF server:
The ICF server is the point of entry for untrusted connections. Always deploy it securely.
- Only enable services on a demonstrated need-to-have basis.
- Only permit access to SAP Fiori services on the SAP Web Dispatcher.
- Disable multiple logons
- Disable unencrypted (HTTP) traffic to the ICM.
- Activate HTTP security session management.
- Ensure ICM error messages do not contain sensitive information.
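The Web Dispatcher item in Area 1 and the "only permit access to SAP Fiori services" item above both come down to a URL allowlist in front of the ICF. As an added example (not code from the original post or from SAP), the following Python evaluates a permission table of that style against request paths. The assumed rule semantics are: `P <pattern>` permits, `D <pattern>` denies, `*` matches any characters, rules are tried top to bottom, the first match wins, and a path that matches no rule is denied; the path normalization is this example's own, and the exact `wdisp/permission_table` format should be confirmed in the Web Dispatcher documentation for your release. The rules and request paths are constructed.

```python
"""Evaluate an SAP Web Dispatcher style URL permission table against request paths.
Added example, not code from the original post or from SAP. Assumed rule
semantics: 'P <pattern>' permits, 'D <pattern>' denies, '*' matches any
characters, rules are tried top to bottom, first match wins, no match = deny.
Confirm the exact wdisp/permission_table format for your release."""
import posixpath
import re
from urllib.parse import unquote

# Constructed allowlist: only the paths a Fiori client needs from the Internet.
FIORI_RULES = """\
# launchpad, UI5 resources, OData services, public resources
P /sap/bc/ui2/flp*
P /sap/bc/ui5_ui5/*
P /sap/opu/odata/*
P /sap/public/bc/*
# everything else, including the admin UI and SAP GUI for HTML, is denied
D *
"""


def parse_rules(text):
    """Return [(action, pattern)] in file order; anything other than P or D is an error."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, pattern = line.partition(" ")
        pattern = pattern.strip()
        if action not in ("P", "D") or not pattern:
            raise ValueError(f"bad rule line: {raw!r}")
        rules.append((action, pattern))
    return rules


def normalize_path(url):
    """Path to match: query string dropped, percent-decoding applied, dot segments and
    duplicate slashes collapsed (this example's normalization, not the dispatcher's)."""
    path = unquote(url.split("?", 1)[0]) or "/"
    path = posixpath.normpath(path)
    while path.startswith("//"):
        path = path[1:]
    return path if path.startswith("/") else "/" + path


def _matches(pattern, path):
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path, flags=re.DOTALL) is not None


def decide(rules, url):
    """Return (allowed, rule_text) for the first matching rule, or default deny."""
    path = normalize_path(url)
    for action, pattern in rules:
        if _matches(pattern, path):
            return action == "P", f"{action} {pattern}"
    return False, "no rule matched: default deny"


if __name__ == "__main__":
    rules = parse_rules(FIORI_RULES)
    for url in ("/sap/bc/ui2/flp",
                "/sap/opu/odata/sap/ZPURCHASE_SRV/Orders?$top=10",
                "/sap/bc/gui/sap/its/webgui",
                "/sap/wdisp/admin/public/default.html",
                "/sap/opu/odata/../bc/gui/sap/its/webgui"):
        allowed, why = decide(rules, url)
        print(f"{'ALLOW' if allowed else 'DENY '} {url:50} ({why})")
```

Order matters with first-match semantics: the same rules with `D *` at the top deny everything, and a permit pattern that is too wide (for example `P /sap/*`) silently reopens the services the list was meant to hide. Normalizing the path before matching is what keeps dot segments and encoded characters from bypassing a prefix rule.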
Harden your ABAP stack:
Always lock or deactivate unauthorized user accounts and set policy parameters in transaction RZ10.
- Lock down the SAP* account
- Disable multiple logons
- Ensure authority checks cannot be disabled
- Lock down the SAP Management Console
- Set an SAP GUI idle timeout
- Ensure that your password policy is configured to meet or exceed organizational password policy requirements
- Ensure the command field in debugger is disabled
- Ensure CALL SYSTEM is disabled
- Ensure anonymous RFC calls are disabled
- Ensure that RFC connections are configured to not accept expired passwords
- Ensure SSO tickets are encrypted with X.509 certificate Authentication.
- Ensure external debugging of ABAP over HTTP is disabled
- Ensure Skip First Screen is disabled
Enable the types of logs needed to monitor for and identify any suspicious network-based activity.
- Ensure SAP Gateway logging is configured
- Enable SAP message server logging
- Log HTTPS traffic
- Activate table logging
- Activate security audit logging (transactions SM19 and SM20)
2. SAP Web Dispatcher configuration
When Fiori is exposed to the outside world, Web Dispatchers should be used to load-balance the HTTPS traffic instead of the instance message server. Always make sure that the Web Dispatcher administrative functions are accessible only from networks and systems with a demonstrated need to access them.
- Disable detailed error logging on SAP Web Dispatcher
- Implement web filtering on SAP Web Dispatcher
- Ensure SAP Web Dispatcher allows only HTTPS
- Ensure administrative access communication is encrypted
- Ensure that administrative access is restricted to trusted network addresses with a demonstrated “need to have” access on the firewall
- Configure SAP Web Dispatcher to restrict administrative access to specific client hosts/networks
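As an added example (not code from the original post or from SAP), the following Python script audits the hardening items from sections 1 and 2 above in one pass: it parses the plain `name = value` profile format used by SAP instance and Web Dispatcher profiles and reports every parameter that is missing or outside the recommended value. The sample profiles are constructed for this example, the recommended values are this checker's own baseline rather than an SAP-published one, and the `CLIENTHOST` admin restriction and the file paths are assumptions; confirm each parameter against the SAP documentation for your release before relying on the result.

```python
"""Audit SAP instance and Web Dispatcher profiles against a hardening checklist.
Added example, not from the original post or from SAP: parameter names, the
expected values and the sample profiles are this example's own assumptions."""

# Constructed sample profiles (not from a real system): a weakly configured
# instance profile and a hardened Web Dispatcher profile.
WEAK_INSTANCE_PROFILE = """\
SAPSYSTEMNAME = FES
SAPSYSTEM = 00
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
gw/acl_mode = 0
gw/monitor = 2
login/disable_multi_gui_login = 0
login/min_password_lng = 8
rdisp/gui_auto_logout = 0
rec/client = OFF
rsau/enable = 0
"""

HARDENED_WEBDISP_PROFILE = """\
icm/server_port_0 = PROT=HTTPS,PORT=443
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt,CLIENTHOST=admin-jumphost
is/HTTP/show_detailed_errors = FALSE
wdisp/ssl_encrypt = 1
wdisp/permission_table = /usr/sap/WD1/permissions.txt
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, sep, value = line.partition("=")
            if sep:
                params[name.strip()] = value.strip()
    return params

def _options(value):
    """Split 'PROT=HTTPS,PORT=443' into {'PROT': 'HTTPS', 'PORT': '443'}."""
    return dict(part.split("=", 1) for part in value.split(",") if "=" in part)

def _equals(*ok):
    return lambda v: v in ok

def _in_range(lo, hi):
    return lambda v: v.isdigit() and lo <= int(v) <= hi

# (parameter, predicate on its value, description of the hardened value)
INSTANCE_CHECKS = [
    ("gw/acl_mode", _equals("1"), "1: gateway ACL files secinfo/reginfo enforced"),
    ("gw/monitor", _equals("0", "1"), "0 or 1: no remote gateway monitoring"),
    ("ms/monitor", _equals("0"), "0: message server monitoring off"),
    ("ms/acl_info", lambda v: v != "", "ACL file naming the hosts allowed to log on to the message server"),
    ("login/no_automatic_user_sapstar", _equals("1"), "1: no automatic SAP* logon"),
    ("login/disable_multi_gui_login", _equals("1"), "1: multiple logons disabled"),
    ("login/min_password_lng", _in_range(12, 40), "at least 12 characters"),
    ("login/fails_to_user_lock", _in_range(1, 5), "lock after at most 5 failed attempts"),
    ("rdisp/gui_auto_logout", _in_range(1, 3600), "idle timeout in seconds, at most one hour"),
    ("auth/rfc_authority_check", _in_range(1, 9), "at least 1: S_RFC checked on RFC calls"),
    ("rfc/reject_expired_passwd", _equals("1"), "1: RFC logon with an expired password rejected"),
    ("login/ticket_only_by_https", _equals("1"), "1: logon tickets only over HTTPS"),
    ("http/security_session_timeout", _in_range(1, 3600), "security session timeout, at most one hour"),
    ("service/protectedwebmethods", lambda v: v.upper().startswith("SDEFAULT"), "SDEFAULT: SAP Management Console locked down"),
    ("is/HTTP/show_detailed_errors", _equals("FALSE", "false"), "FALSE: no detailed ICM error pages"),
    ("rec/client", lambda v: v != "" and v.upper() != "OFF", "ALL or a client list: table logging on"),
    ("rsau/enable", _equals("1"), "1: security audit log on"),
]

WEBDISP_CHECKS = [
    ("wdisp/permission_table", lambda v: v != "", "permission table restricting the reachable URL prefixes"),
    ("wdisp/ssl_encrypt", _equals("1", "2"), "1 or 2: TLS kept on the hop to the back end"),
    ("is/HTTP/show_detailed_errors", _equals("FALSE", "false"), "FALSE: no detailed error pages"),
    ("icm/HTTP/admin_0", lambda v: {"AUTHFILE", "CLIENTHOST"} <= set(_options(v)),
     "admin UI protected by AUTHFILE and limited to CLIENTHOST (assumed option)"),
]

def audit(profile, checks):
    """Return [(parameter, actual value, expected)] for every failed or missing check."""
    findings = []
    for name, ok, expected in checks:
        actual = profile.get(name)
        if actual is None:
            findings.append((name, "<not set: kernel default applies>", expected))
        elif not ok(actual):
            findings.append((name, actual, expected))
    # every ICM listener, whatever its index, must be HTTPS
    for name, value in sorted(profile.items()):
        if name.startswith("icm/server_port_") and _options(value).get("PROT", "").upper() != "HTTPS":
            findings.append((name, value, "PROT=HTTPS: no plaintext HTTP listener"))
    return findings

if __name__ == "__main__":
    for title, text, checks in (("instance", WEAK_INSTANCE_PROFILE, INSTANCE_CHECKS),
                                ("web dispatcher", HARDENED_WEBDISP_PROFILE, WEBDISP_CHECKS)):
        findings = audit(parse_profile(text), checks)
        print(f"{title}: {len(findings)} finding(s)")
        for name, actual, expected in findings:
            print(f"  {name} = {actual}\n      expected {expected}")
```

A parameter that is absent is reported as a finding on purpose: the kernel default then applies, and for several of these parameters the default is the permissive value. To use the script on a real system, replace the constructed strings with the contents of the DEFAULT and instance profiles and review the baseline values against your own policy.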
3. Secure Client configuration
Managing the security configuration of the clients (mobile devices) is challenging, because there are currently not enough configuration options for this on the Gateway server. We need to mandate that end users secure their mobile devices with a secure PIN. These challenges can be handled by implementing secure solutions from SAP such as SAP Afaria and SAP Mobile Secure, which require additional licensing cost.
SAP Afaria offers the following features for secure client configuration:
» Password policies
» Restriction policies
» Hardware and software information
» Application policies
» Exchange account management
» Wi-Fi policy management
The core services that launch the SAP Fiori Launchpad are USHELL and FLP. Always make sure they are served over secure HTTP (HTTPS), and always use a secure authentication method rather than Basic authentication.