Null Meet Ppt
1 like407 views
SAP provides various business solutions including CRM, ERP, PLM, SCM and GRC. It consists of integrated modules running on the Netweaver platform across multiple operating systems. While SAP aims to provide centralized information, weaknesses in its default security configurations and common practices like weak passwords and direct database access leave systems vulnerable to compromise. Proper security measures such as regular password changes, limiting SAP_ALL access, and disabling auto-unlocking can help address these risks.
Null Meet Ppt
- 1. Presented by Anand Tanksali.
- 2. SAP – (Systems Application and Products) Provides different solutions: CRM, ERP, PLM, SCM, GRC, Business One… ERP Solutions consist of : FI,CO (Finance and Controlling) SD (Sales Distribution) HR (Human Resources) MM (Materials Management) etc… Modules integrated together using Netweaver platform SAP runs on multiple Operating Systems
- 5. Instances & Systems Admin entity groups related components providing one or more services Systems are identified by SAP System ID (SID) System instances parameterization done in Profiles Client Transaction Authorization Client default (000, 001 and 006) Transaction code (SU01, SE16, FK01, PA20) Authorizations Users assigned roles as per profiles and contains authorizations ABAP, Reports/Programs, Function Modules, RFC
- 6. SAP_ALL profile = SAP GOD Many profiles may enable and allow user to be GOD Each SAP system uses its own DB SAP processes run under <sid>adm or SAPService <SID> user accounts Direct access to DB means SAP compromised!!!! Connections between systems always based on TRUST Many customer interfaces implemented using FTP (cleartext, weak passwords)
- 7. Why do you need SAP Security? Errr What about Security I don’t care SAP should be up and running by Tuesday we have to take care of user passwords Umm What Security we have enough guards no more excuses SAP should be up on Tuesday
- 8. What the CFO does not realize : Weak security controls can result in Business and Financial Loss / Frauds CSO does not realize: SAP Security is much more than User Roles, Responsibilities & Authorizations
- 9. Security configurations of SAP is usually left to default By default many configurations are not secure Conclusion – SAP systems are not secure
- 10. First SAP Penetration Testing Framework developed by Cybsec -Labs Provides support for platform discovery investigation and exploitation Current versions available on Windows / Linux
- 16. SAP designed to interact with external systems Integrated Centralized information Communicating with other systems ALE EDI HTTP RFC FTP XML ……
- 17. In early years SAP implemented IBM CPI-C interface to communicate with other systems CPI-C allowed data transfer Complex apps needed to call functions on other servers resulting in SAP Remote function Call interface RFC is the key component of SAP apps
- 26. Vulnerabilities published by SAP
- 27. Admin should change passwords at regular intervals Ensure user should not have SAP_ALL access rights Adhere to SAP best practices Disable auto unlocking Enforce a strong password policy Restrict access to Database
- 28. RFC is the weakest link in SAP and needs to be secured SAP admin must apply patches and harden the servers Network admin should apply rules on firewall and deny ports not required to be used for day-to-day operations Network admin should monitor logs regularly Advanced attacks should be avoided with proper configurations and patch management
- 29. Thank You! Anand Tanksali.