New SAP Guidance Recommends Configuration Validation for Security Monitoring
Some of the most critical recommendations issued by SAP in the recently released paper Securing Remote Function Calls include the use of configuration validation in Solution Manager to monitor RFC destination settings. This includes checks for destinations with stored credentials, trusted connections, and authorizations granted to RFC users in target systems. It also includes the review of profile parameters for RFC and secure network communication, as well as access control lists for RFC gateways. The SAP paper lends support for other security functions in Solution Manager such as management dashboards and alerts by pointing out that “an overview of the current security status can be provided in a security dashboard and alerts on noncompliance can be collected in the alert in-box” (p33).
The paper draws together leading practices and SAP recommendations into a single reference document for protecting one of the most vulnerable areas in SAP landscapes that is often targeted by remote attackers. RFC is a proprietary SAP technology that drives cross-system integration. Misconfigurations in RFC destinations and gateways that manage RFC communications can lead to the complete compromise of not just individual SAP systems but entire landscapes. Common mistakes include using destinations with stored logon credentials or trusted connections between systems with differing security classifications, using service or communication user types for RFC destinations rather than system users, granting excessive authorizations to RFC users, failing to limit access to remote-enabled function modules, and non-existent access control lists to control the registration and starting of external RFC servers.
The paper emphasizes the importance of established and well-known counter measures for securing RFCs based on the authorization concept. This includes not granting full access to objects such as R_RFC_ADM, S_RFC_TT, S_ADMI_FCD used to administer RFC destinations and other objects such as S_RFC , S_ICF and S_RFCACL that control access to remote-enabled function modules and logons in trusting systems. The paper also discusses enhancements delivered by SAP in the most recent release of NetWeaver AS ABAP, including unified connectivity (UCON). UCON blocks access to remote-enabled function modules using whitelists configured in so-called communication assemblies. According to SAP, “Typically, less than 5% of all available RFC function modules are used in customer software systems for remote RFC communication” (p14). It also outlines methods for performing short-term and long-term traces to identify authorizations checks performed during the execution of RFC-enabled function modules called remotely. This should be used to reign in access privileges for RFC users. Finally, the paper outlines how to control dangerous RFC callbacks and activate switchable authorization checks that are only enabled in specific RFC scenarios.
Contact an SAP Security Architect at Layer Seven Security for professional services to implement these and related SAP recommendations. Our SAP Cybersecurity Solution includes a gap assessment for all of the recommendations on RFC security issued by SAP in the paper.
To request a copy of the SAP paper Securing Remote Function Calls, email info@layersevensecurity.com.