SAP Security Notes, June 2019
Note 2748699 provides instructions for securing the credentials of the standard user SM_EXTERN_WS in SAP Solution Manager. SM_EXTERN_WS is used by CA Introscope Enterprise Manager (EM) to collect monitoring metrics from mainly non-ABAP components in SAP landscapes. The metrics are collected via the Introscope Push web service. The credentials for SM_EXTERN_WS including the automatically generated password are stored in a file that is referenced with property dpcpush.credentials.file in file <EM_install_dir>/sap/<SolMan_SID>.e2emai.properties. The credentials in the file are insufficiently protected against attackers. However, dialog logon with SM_EXTERN_WS is not possible since the user is a system user type. Also, SM_EXTERN_WS does not have administrative privileges.
Note 2748699 recommends deploying the LM-SERVICE software component and patching the Management Module for Enterprise Manager. Also, it includes instructions for enabling encryption to protect the password file.
Switchable authorization checks were introduced by notes 2524203, 2527346 and 2496977 to supplement checks performed using authorization object S_RFC for critical Remote-enabled Function Modules (RFMs) in components of SAP ERP. This includes RFMs in Accounts Receivable and Payable, Materials Management, and Sales and Distribution.