Muokkaa

Jaa


Monitored SAP security parameters for detecting suspicious configuration changes

This article lists the static security parameters in the SAP system that the Microsoft Sentinel solution for SAP applications monitors as part of the SAP - (Preview) Sensitive Static Parameter has Changed analytics rule.

The Microsoft Sentinel solution for SAP applications provides updates for this content according to SAP best practice changes. Add parameters to watch for by changing values according to your organization's needs, and turn off specific parameters in the SAPSystemParameters watchlist.

This article doesn't describe the parameters, and isn't a recommendation to configuring the parameters. For configuration considerations, consult your SAP admins. For parameter descriptions, see the SAP documentation.

Content in this article is intended for your SAP BASIS teams.

Prerequisites

For the Microsoft Sentinel solution for SAP applications to successfully monitor the SAP security parameters, the solution needs to successfully monitor the SAP PAHI table at regular intervals. For more information, see Verify that the PAHI table is updated at regular intervals.

Authentication parameters

Parameter Security value/considerations
auth/no_check_in_some_cases While this parameter might improve performance, it can also pose a security risk by allowing users to perform actions they might not have permission for.
auth/object_disabling_active Can help improve security by reducing the number of inactive accounts with unnecessary permissions.
auth/rfc_authority_check High. Enabling this parameter helps prevent unauthorized access to sensitive data and functions via RFCs.

Gateway parameters

Parameter Security value/considerations
gw/accept_remote_trace_level The parameter can be configured to restrict the trace level accepted from external systems. Setting a lower trace level might reduce the amount of information that external systems can obtain about the internal workings of the SAP system.
gw/acl_mode High. This parameter controls access to the gateway and helps prevent unauthorized access to the SAP system.
gw/logging High. This parameter can be used to monitor and detect suspicious activity or potential security breaches.
gw/monitor
gw/sim_mode Enabling this parameter can be useful for testing purposes and can help prevent any unintended changes to the target system.

Internet Communication Manager (ICM) parameters

Parameter Security value/considerations
icm/accept_remote_trace_level Medium

Allowing remote trace level changes can provide valuable diagnostic information to attackers and potentially compromise system security.

Sign-in parameters

Parameter Security value/considerations
login/accept_sso2_ticket Enabling SSO2 can provide a more streamlined and convenient user experience, but also introduces extra security risks. If an attacker gains access to a valid SSO2 ticket, they might be able to impersonate a legitimate user and gain unauthorized access to sensitive data or perform malicious actions.
login/create_sso2_ticket
login/disable_multi_gui_login This parameter can help improve security by ensuring that users are only logged in to one session at a time.
login/failed_user_auto_unlock
login/fails_to_session_end High. This parameter helps prevent brute-force attacks on user accounts.
login/fails_to_user_lock Helps prevent unauthorized access to the system and helps protect user accounts from being compromised.
login/min_password_diff High. Requiring a minimum number of character differences can help prevent users from choosing weak passwords that can easily be guessed.
login/min_password_digits High. This parameter increases the complexity of passwords and makes them harder to guess or crack.
login/min_password_letters Specifies the minimum number of letters that must be included in a user's password. Setting a higher value helps increase password strength and security.
login/min_password_lng Specifies the minimum length that a password can be. Setting a higher value for this parameter can improve security by ensuring that passwords aren't easily guessed.
login/min_password_lowercase
login/min_password_specials
login/min_password_uppercase
login/multi_login_users Enabling this parameter can help prevent unauthorized access to SAP systems by limiting the number of concurrent logins for a single user. When this parameter is set to 0, only one login session is allowed per user, and other login attempts are rejected. This can help prevent unauthorized access to SAP systems in case a user's login credentials are compromised or shared with others.
login/no_automatic_user_sapstar High. This parameter helps prevent unauthorized access to the SAP system via the default SAP* account.
login/password_change_for_SSO High. Enforcing password changes can help prevent unauthorized access to the system by attackers who might have obtained valid credentials through phishing or other means.
login/password_change_waittime Setting an appropriate value for this parameter can help ensure that users change their passwords regularly enough to maintain the security of the SAP system. At the same time, setting the wait time too short can be counterproductive because users might be more likely to reuse passwords or choose weak passwords that are easier to remember.
login/password_compliance_to_current_policy High. Enabling this parameter can help ensure that users comply with the current password policy when changing passwords, which reduces the risk of unauthorized access to SAP systems. When this parameter is set to 1, users are prompted to comply with the current password policy when changing their passwords.
login/password_downwards_compatibility
login/password_expiration_time Setting this parameter to a lower value can improve security by ensuring that passwords are changed frequently.
login/password_history_size This parameter prevents users from repeatedly using the same passwords, which can improve security.
login/password_max_idle_initial Setting a lower value for this parameter can improve security by ensuring that idle sessions aren't left open for extended periods of time.
login/ticket_only_by_https High. Using HTTPS for ticket transmission encrypts the data in transit, making it more secure.

Remote dispatcher parameters

Parameter Security value/considerations
rdisp/gui_auto_logout High. automatically logging out inactive users can help prevent unauthorized access to the system by attackers who might have access to a user's workstation.
rfc/ext_debugging
rfc/reject_expired_passwd Enabling this parameter can be helpful when enforcing password policies and preventing unauthorized access to SAP systems. When this parameter is set to 1, RFC connections are rejected if the user's password expired, and the user is prompted to change their password before they can connect. This helps ensure that only authorized users with valid passwords can access the system.
rsau/enable High. This Security Audit log can provide valuable information for detecting and investigating security incidents.
rsau/max_diskspace/local Setting an appropriate value for this parameter helps prevent the local audit logs from consuming too much disk space, which could lead to system performance issues or even denial of service attacks. On the other hand, setting a value that's too low might result in the loss of audit log data, which might be required for compliance and auditing.
rsau/max_diskspace/per_day
rsau/max_diskspace/per_file Setting an appropriate value helps manage the size of audit files and avoid storage issues.
rsau/selection_slots Helps ensure that audit files are retained for a longer period of time, which can be useful in a security breach.
rspo/auth/pagelimit This parameter doesn't directly affect the security of the SAP system, but can help to prevent unauthorized access to sensitive authorization data. By limiting the number of entries displayed per page, it can reduce the risk of unauthorized individuals viewing sensitive authorization information.

Secure network communications (SNC) parameters

Parameter Security value/considerations
snc/accept_insecure_cpic Enabling this parameter can increase the risk of data interception or manipulation, because it accepts SNC-protected connections that don't meet the minimum security standards. Therefore, the recommended security value for this parameter is to set it to 0, which means that only SNC connections that meet the minimum security requirements are accepted.
snc/accept_insecure_gui Setting the value of this parameter to 0 is recommended to ensure that SNC connections made through the SAP GUI are secure, and to reduce the risk of unauthorized access or interception of sensitive data. Allowing insecure SNC connections might increase the risk of unauthorized access to sensitive information or data interception, and should only be done when there's a specific need and the risks are properly assessed.
snc/accept_insecure_r3int_rfc Enabling this parameter can increase the risk of data interception or manipulation, because it accepts SNC-protected connections that don't meet the minimum security standards. Therefore, the recommended security value for this parameter is to set it to 0, which means that only SNC connections that meet the minimum security requirements are accepted.
snc/accept_insecure_rfc Enabling this parameter can increase the risk of data interception or manipulation, because it accepts SNC-protected connections that don't meet the minimum security standards. Therefore, the recommended security value for this parameter is to set it to 0, which means that only SNC connections that meet the minimum security requirements are accepted.
snc/data_protection/max Setting a high value for this parameter can increase the level of data protection and reduce the risk of data interception or manipulation. The recommended security value for this parameter depends on the organization's specific security requirements and risk management strategy.
snc/data_protection/min Setting an appropriate value for this parameter helps ensure that SNC-protected connections provide a minimum level of data protection. This setting helps prevent sensitive information from being intercepted or manipulated by attackers. The value of this parameter should be set based on the security requirements of the SAP system and the sensitivity of the data transmitted over SNC-protected connections.
snc/data_protection/use
snc/enable When enabled, SNC provides an extra layer of security by encrypting data transmitted between systems.
snc/extid_login_diag Enabling this parameter can be helpful for troubleshooting SNC-related issues, because it provides extra diagnostic information. However, the parameter might also expose sensitive information about the external security products used by the system, which could be a potential security risk if that information falls into the wrong hands.
snc/extid_login_rfc

Web dispatcher parameters

Parameter Security value/considerations
wdisp/ssl_encrypt High. This parameter ensures that data transmitted over HTTP is encrypted, which helps prevent eavesdropping and data tampering.

For more information, see: