
SAP NetWeaver 04 Security Guide

Operating System Security: SAP System Security Under Windows


Document Version 1.00 April 29, 2004

SAP AG, Neurottstraße 16, 69190 Walldorf, Germany, T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com

Copyright 2004 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Documentation in the SAP Service Marketplace

You can find this documentation at the following Internet address:
service.sap.com/securityguide

Typographic Conventions

Type Style and Description

Example text
    Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
    Cross-references to other documentation.

Example text
    Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT
    Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text
    Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text
    Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>
    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT
    Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon and Meaning
    Caution
    Example
    Note
    Recommendation
    Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help, General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

SAP System Security Under Windows

Contents

SAP System Security Under Windows ............................................. 5
1 Windows Groups and Users in an SAP System Environment ................... 6
  1.1 Assigning Groups ................................................... 6
  1.2 Protecting the Operating System Users Used in an SAP System ....... 7
2 SAP Systems in the Windows Domain Concept ................................ 11
3 SAP System Security When Using Windows Trusted Domains ................... 11
4 Protecting SAP System Resources ......................................... 13
  4.1 Protecting Data Relevant to the SAP System ........................ 13
  4.2 Defining Start and Stop Permissions ............................... 13
  4.3 Protecting Shared Memory .......................................... 14
  4.4 Protection for Dynamically-Created Files (Files Created by ABAP) . 14
  4.5 Protecting Database Files ......................................... 14
  4.6 Setting Rights for an Installation with Several SAP Systems ....... 14
5 Additional Information Windows Security ................................. 15


SAP System Security Under Windows


Windows manages administration tasks and provides access protection over its domain concept. A domain is a group of several computers that share a common user and security database. Within each domain, you define and administer your users and groups. An SAP system that runs under Windows also uses the domain concept to manage administration tasks and to protect the servers from unauthorized access.

The following list provides an overview of the sections that explain how SAP systems use this concept to protect their resources, as well as any measures that you should take.

- Windows Groups and Users in an SAP System Environment [Page 5]
  - Assigning Groups [Page 6]
  - Protecting the Operating System Users Used in an SAP System [Page 7]
- SAP Systems in the Windows Domain Concept [Page 10]
- Security Measures When Using Windows Trusted Domains [Page 11]
- Protecting SAP System Resources [Page 12]
  - Protecting Data Relevant to the SAP System [Page 13]
  - Defining Start and Stop Permissions [Page 13]
  - Protecting Shared Memory [Page 14]
  - Protection for Dynamically-Created Files (Files Created by ABAP) [Page 14]
  - Protecting Database Files [Page 14]
  - Setting Rights for an Installation with Several SAP Systems [Page 14]
- Additional Information Windows Security [Page 14]


1 Windows Groups and Users in an SAP System Environment


The following topics introduce the Windows technology for administering the users and user groups needed to run an SAP system. To simplify your administrative tasks, we suggest you add all Windows users to user groups that are granted the appropriate rights at the operating system level. In the following topics, you will find the necessary group and user information to operate your SAP system under Windows securely:

- Assigning Groups [Page 6]
- Protecting the Operating System Users Used in an SAP System [Page 7]

1.1 Assigning Groups

Windows supports two levels of groups:

- Global groups: You create global groups at the domain level. Global groups are known to all servers within the domain.
- Local groups: You create local groups on a single server. They are only known on that server. Exception: If you define a local group of users on one domain controller (PDC or BDC), the group is known on all domain controllers within the domain.

Global Groups
Global user groups are valid within a Windows domain, not only on one server. Therefore, we recommend you bundle the domain users into different activity groups, depending on their tasks. The domain administrator may export these activity groups to other domains, so that the respective users can access all resources needed to administer the SAP system. Although you may choose the name of the group as you wish, the standard global group for SAP system administrators is defined as SAP_<SAPSID>_GlobalAdmin according to the installation guide for your SAP component on Windows, which you can find in the SAP Service Marketplace at service.sap.com/instguides, under SAP Component <Release>.


Local Groups
Local user groups (as well as local users) exist locally on one server. During installation, user rights are assigned to local users instead of groups. (For example, the user <sapsid>adm receives the user right Log on as a service.) However, to simplify user administration, we recommend you assign server resources to local groups instead of single users. You can then assign the appropriate global users and global groups to the local group.

Local user groups increase the security and validity scope of user rights. However, be careful when using domain controllers. A single local user right defined on a domain controller is valid on all domain controllers. We therefore do not recommend installing SAP systems on a domain controller!

The following relationships are possible between users, local groups and global groups:

- A user can be a member of both a local group and a global group.
- A global group can be included in a local group.
- You may also export a global group to another Windows domain.

If several users need the same rights for a certain set of resources, you can create a group. It is then no longer necessary to assign each individual user his or her rights to each of the files. Instead, you assign the rights to a group. Thereby, all of the users in the group automatically receive the rights as assigned to the group. The same applies to the users in a global group that is itself the member of a local group.
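The group structure described above (a global domain group nested in a server-local group, created on a member server and never on a domain controller), as an added PowerShell example that is not part of the SAP guide. It assumes Windows Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module, the RSAT ActiveDirectory module, and a caller permitted to create domain and local groups; the OU path and user names in the call are placeholders.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.PowerShell.LocalAccounts
# Builds the two-level group structure for one SAP system on a member server:
#   SAP_<SAPSID>_GlobalAdmin  (domain, global scope)  ->  member of
#   SAP_<SAPSID>_LocalAdmin   (this server only)
# Assumptions (not from the guide): Windows Server 2016 or later, the RSAT
# ActiveDirectory module, and a caller allowed to create domain and local groups.

function New-SapAdminGroups {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Z][A-Z0-9]{2}$')][string]$SapSid,
        [Parameter(Mandatory)][string]$GroupOUPath,     # e.g. 'OU=SAP,DC=example,DC=com'
        [string[]]$Administrators = @()                 # SAM account names for the global group
    )

    # The guide advises against installing an SAP system on a domain controller:
    # a local group created there is valid on every domain controller in the
    # domain. Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        throw 'This host is a domain controller; create SAP groups on a member server instead.'
    }

    $globalName = "SAP_${SapSid}_GlobalAdmin"
    $localName  = "SAP_${SapSid}_LocalAdmin"
    $netbios    = (Get-ADDomain).NetBIOSName

    # Step 1: global group at domain level, known to every server in the domain.
    if (-not (Get-ADGroup -Filter "Name -eq '$globalName'")) {
        New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security `
                    -Path $GroupOUPath -Description "SAP $SapSid administrators (domain-wide)"
    }
    if ($Administrators.Count -gt 0) {
        Add-ADGroupMember -Identity $globalName -Members $Administrators
    }

    # Step 2: local group on this server; server resources are granted to it,
    # never to individual users.
    if (-not (Get-LocalGroup -Name $localName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $localName -Description "SAP $SapSid administrators (this server)"
    }

    # Step 3: nest the global group in the local group. Rights granted to the
    # local group now reach every member of the global group automatically.
    $globalMember = "$netbios\$globalName"
    $current = @(Get-LocalGroupMember -Group $localName -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name })
    if ($current -notcontains $globalMember) {
        Add-LocalGroupMember -Group $localName -Member $globalMember
    }

    # Return the resulting structure so it can be reviewed or logged.
    [pscustomobject]@{
        GlobalGroup   = $globalName
        GlobalMembers = @(Get-ADGroupMember -Identity $globalName | ForEach-Object { $_.SamAccountName })
        LocalGroup    = $localName
        LocalMembers  = @(Get-LocalGroupMember -Group $localName | ForEach-Object { $_.Name })
    }
}

# Placeholder call; replace the OU path and user names with your own.
# New-SapAdminGroups -SapSid 'PRD' -GroupOUPath 'OU=SAP,DC=example,DC=com' -Administrators 'prdadm'
```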

1.2 Protecting the Operating System Users Used in an SAP System


This chapter shows the users that exist or are needed in an SAP system on Windows, and the appropriate precautions that you should take for them.

Overview of SAP System-Related Users

Windows users
    Administrator: The local superuser who has unlimited access to all local resources.
    Guest: A local guest account who has guest access to all local resources.

SAP system users
    <sapsid>adm: The SAP system administrator who has unlimited access to all local resources related to SAP systems.
    SAPService<SAPSID>: A special user who runs the Windows services related to SAP systems. For IBM DB2 Universal Database for UNIX and Windows this user is called sapse<sapsid>.

Database users
    <DBservice>: One or more special users who run database-specific Windows services or access the database resources with utility programs.
    <DBuser>: Some databases also need certain users at the operating system level.

Windows automatically creates the users Administrator and Guest during installation. They are not needed for SAP system operations. The database users <DBservice> and <DBuser> are typical users. However, the exact users that you need depend on the database you use.

Protecting Administrator
The Windows built-in superuser Administrator has unlimited access to all Windows resources. For example, Administrator can:

- Create, manage, and become the owner of all data files, hard disks, and file shares.
- Create and manage local users and their rights.
- Create and manage peripherals, kernel services, and user services.

To protect this user, take the following precautions:

- Change the user name and hide its password.
- Create other users for administrative tasks and limit their rights to those tasks for which they are used (for example, user administrators, backup operators or server operators).

Protecting <sapsid>adm
<sapsid>adm is the Windows superuser for SAP system administration. This user is created during the SAP system installation process, normally as a domain user for the SAP system. This user can therefore log on to all Windows machines in the domain. <sapsid>adm also needs full access to all instance-specific resources for the SAP system such as files, shares, peripheral devices (for example, tape drives or printers), and network resources (for example, the SAProuter service).

To protect this user from unauthorized access, take the following precautions:

- Change its password regularly.
- Restrict its access rights to instance-specific resources for the SAP system only.

Although <sapsid>adm may access SAP system files, a different user runs the SAP system itself, namely SAPService<SAPSID>.


Protecting SAPService<SAPSID>
For IBM DB2 Universal Database for UNIX and Windows this user is called sapse<sapsid>.

SAPService<SID> is also created during the SAP system installation. It is usually created as a domain user to run the SAP system and to manage database resources. This user may log on locally on all Windows machines in the domain. Since the SAP system must run even if no user is logged on to the local Windows machine, the SAP system runs as a Windows service. Therefore, during installation, the user SAPService<SAPSID> receives the right to Log on as a service on the local machine.

SAPService<SAPSID> also administers the SAP system and database resources within the Computing Center Management System (CCMS). Therefore, it needs full access to all instance-specific and database-specific resources such as files, shares, peripheral devices, and network resources.

It is rather difficult to change this user's password. To change the password for a Windows service user, you need to stop the service, edit its start-up properties, and restart it. Therefore, to change this user's password, you need to stop the SAP system.

To protect SAPService<SAPSID>, take the following precautions:

- Cancel the user's right to Log on locally.
- Restrict its access rights to instance-specific and database-specific resources only.

In addition, prevent this special service user from logging on to the system interactively. This prevents misuse by users who try to access it from the presentation servers. You then do not have to set an expiration date for the password and you can disable the setting change passwd at logon.
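A check for the two user-right assignments just described (Log on as a service present, interactive logon withheld), as an added PowerShell example that is not part of the SAP guide. It assumes an elevated session, secedit.exe (shipped with Windows), and a domain account named SAPService<SAPSID>; it also reports the deny right for Remote Desktop logon, which goes beyond the guide's wording.

```powershell
# Audits the user-right assignments the guide prescribes for SAPService<SAPSID>
# on the local machine. Assumptions (not from the guide): an elevated session,
# secedit.exe (part of Windows), and a domain user named SAPService<SAPSID>.

function Get-LocalPrivilegeRights {
    # secedit exports the local policy as an INI file; [Privilege Rights] lists
    # each right with its holders, e.g.  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
    $cfg = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path -LiteralPath $cfg)) { throw 'secedit export failed; run as administrator.' }
    try {
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection) { continue }
            if ($line -match '^(\S+)\s*=\s*(.*)$') {
                $right = $Matches[1]
                $holders = foreach ($entry in ($Matches[2] -split ',')) {
                    $entry = $entry.Trim()
                    if ($entry.StartsWith('*')) {
                        # '*' marks a SID; translate it to DOMAIN\name when the SID resolves.
                        try {
                            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                            $sid.Translate([System.Security.Principal.NTAccount]).Value
                        } catch { $entry }
                    } elseif ($entry) { $entry }
                }
                $rights[$right] = @($holders)
            }
        }
        return $rights
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Test-SapServiceUserRights {
    param(
        [Parameter(Mandatory)][string]$SapSid,
        [string]$Domain = $env:USERDOMAIN
    )
    $account = "$Domain\SAPService$SapSid"
    $rights  = Get-LocalPrivilegeRights
    $holds   = { param($right) @($rights[$right]) -contains $account }

    # SeInteractiveLogonRight is usually granted to groups (the guide says the
    # service user is a local administrator), so a direct "allow" may not show
    # up here. A deny right always overrides allows, which is why the explicit
    # SeDenyInteractiveLogonRight entry is the check that matters.
    [pscustomobject]@{
        Account               = $account
        LogOnAsService        = & $holds 'SeServiceLogonRight'               # required: SAP runs as a service
        LogOnLocallyDirect    = & $holds 'SeInteractiveLogonRight'           # guide: cancel this right
        LogOnLocallyDenied    = & $holds 'SeDenyInteractiveLogonRight'       # recommended explicit deny
        LogOnThroughRDPDenied = & $holds 'SeDenyRemoteInteractiveLogonRight' # beyond the guide: RDP deny
    }
}

# Placeholder call:
# Test-SapServiceUserRights -SapSid 'PRD' | Format-List
```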

Protecting <DBservice> and <DBuser>


As with the SAP system itself, the database must also run even if no user is logged on to the Windows machine. Therefore, the database must run as a service. During the database installation process, the user <DBservice> receives the right to Log on as a service on the local machine.


Overview of Database-Related Users

In addition, the various databases use various operating system users for their administration. To protect these users, we recommend changing their passwords. For more information, see the corresponding topics under Database Access Protection [SAP NetWeaver Security Guide].

Database, Operating System User and Function

Oracle
    Local System Account: Runs all Oracle services
    <sapsid>adm: User for SAP system and database administration
    SAPService<SAPSID>: Runs the SAP system

MS SQL Server
    Local System Account: Runs all MS SQL Server services
    <sapsid>adm: User for SAP system and database administration
    SAPService<SAPSID>: User for database administration
    SAPMssXPUser: User for Job System

Informix
    <sapsid>adm: Runs the SAP system
    informix: Database administrator

MaxDB
    Local System Account: Runs all MaxDB services
    <sapsid>adm: User for SAP system and database administration
    SAPService<SAPSID>: Runs the SAP system

IBM DB2 Universal Database for UNIX and Windows
    <sapsid>adm: SAP system administrator
    sapse<sapsid>: SAP service account
    db2<dbsid>: Database administrator
    Connect user (sapr3 / sap<sapsid>): User for SAP system database objects

You should be aware that the user SYSTEM is a virtual user with no password. (You cannot log on as user SYSTEM.) However, this user has complete access to the local Windows system.


2 SAP Systems in the Windows Domain Concept

In large systems, we recommend creating two separate domains for your company domain and your SAP system domain. Between the two domains you can have trusted relationships, which is useful for single sign-on functionality. In the company domain, you set up your domain users (to include your SAP system users) and your company domain administrator. In the SAP domain, you set up your SAP system servers, services and administrators. These include:

- SAP system application and database servers
- SAP system or database services
- SAP system administrators
- Windows administrators
- SAP domain administrator

3 SAP System Security When Using Windows Trusted Domains


In the standard installation procedures, especially in large system configurations, we recommend establishing separate domains for your company data and your SAP system. We also recommend using the Windows trusted domain concept, as certain SAP-specific features and Windows-specific services require trusted relationships between domains for their purposes. There are certain services that require a uni-directional trust relationship only (for example, network printing with the Print Manager or file transfer batches with operating system commands such as xcopy or move). There are also services that require a bi-directional trust relationship, for example, Single Sign-On using Microsoft's LAN Manager Security Service Provider Interface (NTLMSSPI).


When installing your SAP system, the installation tool, called SAPinst, automatically performs all steps that are relevant for protecting your system against unauthorized access. For example, it creates the required user accounts and groups and protects the most important directories.

SAPinst creates the following domain users:

- <sapsid>adm: This is the SAP system administrator account that enables interactive administration of the system.
- SAPService<SID> (this user is not created for Informix installations): This is the virtual user account that is required to start the SAP system. It has the local user right to log on as a service and is a member of the local administrators group.

SAPinst also performs the following steps:

- SAPinst creates the domain group SAP_<SAPSID>_GlobalAdmin.
- SAPinst creates the local group SAP_<SAPSID>_LocalAdmin and includes the domain group SAP_<SAPSID>_GlobalAdmin in it.
- SAPinst creates the local administrator group SAP_LocalAdmin on the transport host. Members of the group have full control over the transport directory \usr\sap\trans, which allows transports to take place between systems. The SAP_<SAPSID>_GlobalAdmin group is added to the SAP_LocalAdmin group.
- SAPinst protects the SAP directories \usr, \usr\sap, \usr\sap\trans, \usr\sap\<sapsid> and its sub-directories by granting Full control access rights only to the Administrators and SAP_<SAPSID>_LocalAdmin groups.

In addition, take the following measures:

- Eliminate any Full control rights for Everyone on shares on the SAP system servers.
- For additional protection, you can eliminate the dynamically-created Windows root shares on the SAP system server. The server can then only be accessed from the network over manually created shares.
- If you have installed other software on the application server, make sure that the access rights for their directories and files are also set properly.

These rights apply specifically to SAP system resources. For details applying to the database files and directories, see the security instructions from your database supplier.
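A read-only audit of the state this section describes (Full control on the SAP directories only for Administrators and SAP_<SAPSID>_LocalAdmin, no Everyone: Full control on shares, automatic root shares flagged), as an added PowerShell example that is not part of the SAP guide. It assumes Windows Server 2012 or later (SmbShare module), an elevated session, and the SAP tree under the drive given in -Drive; tolerating NT AUTHORITY\SYSTEM is the author's assumption, since the guide does not mention it.

```powershell
# Audits what the guide says SAPinst leaves behind: Full control on the SAP
# directories only for Administrators and SAP_<SAPSID>_LocalAdmin, no
# "Everyone: Full control" on shares, and no automatic root shares.
# Assumptions (not from the guide): Windows Server 2012 or later (SmbShare
# module), an elevated session, the SAP tree under -Drive, and that
# NT AUTHORITY\SYSTEM holding Full control is acceptable.

function Get-SapDirectoryFindings {
    param(
        [Parameter(Mandatory)][string]$SapSid,
        [string]$Drive = 'C:'
    )
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                 "$env:COMPUTERNAME\SAP_${SapSid}_LocalAdmin")
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $dirs = "$Drive\usr", "$Drive\usr\sap", "$Drive\usr\sap\trans", "$Drive\usr\sap\$SapSid"

    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # .Access includes inherited ACEs, so sub-directory inheritance is covered.
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $hasFull = (($ace.FileSystemRights -band $full) -eq $full)
            if ($hasFull -and ($allowed -notcontains $id)) {
                $finding = if ($id -eq 'Everyone') { 'Everyone holds Full control' }
                           else { 'Full control outside the expected groups' }
                [pscustomobject]@{ Object = $dir; Identity = $id
                                   Rights = $ace.FileSystemRights; Finding = $finding }
            }
        }
    }
}

function Get-SapShareFindings {
    foreach ($share in Get-SmbShare) {
        if ($share.Special) {
            # C$, ADMIN$, IPC$ ...: the dynamically created root shares the guide
            # suggests removing so the server is reachable only via manual shares.
            [pscustomobject]@{ Object = $share.Name; Identity = '-'; Rights = '-'
                               Finding = 'Automatic administrative share present' }
            continue
        }
        foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
            if ($entry.AccountName -eq 'Everyone' -and $entry.AccessControlType -eq 'Allow' -and
                $entry.AccessRight -eq 'Full') {
                [pscustomobject]@{ Object = $share.Name; Identity = $entry.AccountName
                                   Rights = 'Full'; Finding = 'Everyone holds Full control on share' }
            }
        }
    }
}

# Placeholder call; an empty result means no findings.
# Get-SapDirectoryFindings -SapSid 'PRD'; Get-SapShareFindings | Format-Table -AutoSize
```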


4 Protecting SAP System Resources


In the following topics we describe the security measures for protecting the SAP system:

- Protecting Data Relevant to the SAP System [Page 13]
- Protecting Shared Memory [Page 14]
- Protection for Dynamically-Created Files (Files Created by ABAP) [Page 14]
- Protecting Database Files [Page 14]

In addition, we describe how to protect resources for an installation that consists of several SAP systems. For more information, see Setting Rights for an Installation with Several SAP Systems [Page 14].

4.1 Protecting Data Relevant to the SAP System

Regardless of whether the SAP system is installed centrally or as a distributed system, we recommend setting up one domain that contains the SAP system application and database servers. The following points apply to the Windows domain concept and the installation of your SAP system:

- We strongly recommend that you set up all your SAP system servers in one Windows domain.
- For short-term test installations or demonstration purposes only, you may install a central SAP system that is not located in a Windows domain. However, we recommend this setup for limited use only. It is difficult to introduce the domain concept to a system that is already in use.
- In a central installation on a server in a domain, all SAP system administrators are members of the local group SAP_<SAPSID>_LocalAdmin.
- In a distributed installation with several server machines in the domain, a global group is set up for the SAP system (SAP_<SAPSID>_GlobalAdmin). This global group itself is a member of the server's local groups and contains the SAP system administrators. This also simplifies the administration in the client/server environment, since new users who need SAP system administration rights only need to become members of the global group.

4.2 Defining Start and Stop Permissions

The permissions for starting and stopping an SAP instance are defined in the sapstartsrv.exe file. To change the start and stop permissions, you can do one of the following:

- Use the Microsoft Management Console [SAP Library] with the SAP Systems Manager snap-in, which was developed at SAP and is integrated in the Microsoft Management Console (MMC). Right-click on the SAP instance for which you want to change the start permissions and choose Properties to adjust the permissions.
- In the Windows Explorer, right-click on the sapstart.exe file and choose Properties to adjust the permissions.


4.3 Protecting Shared Memory

The shared memory is used by the SAP system dispatcher and the work processes for certain activities, such as exchanging administration information. These processes use the same Access Control List for themselves and the shared memory. Therefore, only members of this ACL have access to the shared memory. In general, these are members of the SAP_<SAPSID>_LocalAdmin group.

4.4 Protection for Dynamically-Created Files (Files Created by ABAP)


Because SAP systems use ANSI stream file I/O, a file created by ABAP inherits the access rights from the folder in which it was created. Only the owner of the files or the administrator can change the access rights. When ABAP statements create these files, they are owned by the SAP system (<sapsid>adm or SAPService<SAPSID>).

4.5 Protecting Database Files

The database provider or the database administrator is responsible for protecting the data at the database level. You should therefore consult the documentation supplied by the database vendor on the subject of data protection and security. For specifics pertaining to SAP systems, see the appropriate section in Database Access Protection [SAP NetWeaver Security Guide].

4.6 Setting Rights for an Installation with Several SAP Systems

If there are several SAP systems on the server(s), it is possible to perform the administration tasks separately using different local and global groups. Assign the access rights appropriately for the files in the directory (including sub-directories) \usr\sap. You can distinguish between the administrators and groups by using the names of the SAP systems (for example, <SAPSID1> and <SAPSID2>). All administrators should have access to the two directories at the \usr\sap top level.

If there are several SAP systems installed on a single server, then an additional area of shared memory exists. This memory is created by saposcol.exe and is used jointly by the OS Collector and all SAP systems. Therefore, give Full Control access rights to the SAP_<SAPSID>_LocalAdmin local groups for the executable file saposcol.exe. To avoid access conflicts here, start saposcol.exe before starting the SAP system.
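The per-system rights pattern of this section applied with ACL rules, as an added PowerShell example that is not part of the SAP guide. It assumes the SAP tree under the drive given in -Drive, that the local groups SAP_<SAPSID>_LocalAdmin already exist, and a placeholder path for saposcol.exe (the guide does not state its location); "access at the \usr\sap top level" is implemented as Read and execute, which is the author's choice since the guide does not specify the level.

```powershell
# Applies the rights pattern of this section for several SAP systems on one
# server. Assumptions (not from the guide): SAP directories under -Drive, local
# groups SAP_<SAPSID>_LocalAdmin already exist, and saposcol.exe at the path in
# -SapOsColPath (placeholder; check your installation). Top-level access is
# implemented as Read and execute; the guide does not specify the level.

function Grant-FileSystemRight {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$Recurse   # apply to sub-directories and files via inheritance
    )
    $inherit = if ($Recurse) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)       # adds the ACE; existing entries are kept
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Set-SapMultiSystemRights {
    param(
        [Parameter(Mandatory)][string[]]$SapSids,                    # e.g. 'PRD','QAS'
        [string]$Drive = 'C:',
        [string]$SapOsColPath = 'C:\usr\sap\PRFCLOG\saposcol.exe'     # placeholder path
    )
    $top = "$Drive\usr\sap"
    foreach ($sid in $SapSids) {
        $groupName = "SAP_${sid}_LocalAdmin"
        if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
            throw "Local group $groupName does not exist on this server."
        }
        $group = "$env:COMPUTERNAME\$groupName"
        # Every administrator group can reach the \usr\sap top level (not inherited,
        # so the right does not leak into the other systems' directories) ...
        Grant-FileSystemRight -Path $top -Identity $group -Rights ReadAndExecute
        # ... but holds Full control only inside its own system directory.
        Grant-FileSystemRight -Path "$top\$sid" -Identity $group -Rights FullControl -Recurse
        # saposcol.exe and its shared memory serve all systems on the host, so
        # each group needs Full control on the executable.
        Grant-FileSystemRight -Path $SapOsColPath -Identity $group -Rights FullControl
    }
    # Report what is now in place for the shared executable.
    (Get-Acl -LiteralPath $SapOsColPath).Access |
        Where-Object { $_.IdentityReference.Value -like '*\SAP_*_LocalAdmin' } |
        Select-Object @{n='Identity'; e={ $_.IdentityReference.Value }}, FileSystemRights
}

# Placeholder call:
# Set-SapMultiSystemRights -SapSids 'PRD','QAS' -SapOsColPath 'C:\usr\sap\PRFCLOG\saposcol.exe'
```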


5 Additional Information Windows Security


For general information about Windows operating system security, see www.microsoft.com/security. For additional information, see the following documentation:

Title of Documentation and Where to Find It

Installation Guide: SAP Web Application Server on Windows: <Your database>
    SAP Service Marketplace at service.sap.com/instguides, under SAP Web Application Server <Release>

Installation Guide: <SAP Component> on Windows: <Your database>
    SAP Service Marketplace at service.sap.com/instguides, under <SAP Component> <Release>
