SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

Copyright 2004 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

Disclaimer

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace

You can find this documentation at the following Internet address:
service.sap.com/securityguide
Typographic Conventions

Type Style: Description

Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Meaning

Caution
Example
Note
Recommendation
Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Contents

SAP System Security Under Windows ..... 5
1 Windows Groups and Users in an SAP System Environment ..... 6
1.1 Assigning Groups ..... 6
1.2 Protecting the Operating System Users Used in an SAP System ..... 7
2 SAP Systems in the Windows Domain Concept ..... 11
3 SAP System Security When Using Windows Trusted Domains ..... 11
4 Protecting SAP System Resources ..... 13
4.1 Protecting Data Relevant to the SAP System ..... 13
4.2 Defining Start and Stop Permissions ..... 13
4.3 Protecting Shared Memory ..... 14
4.4 Protection for Dynamically-Created Files (Files Created by ABAP) ..... 14
4.5 Protecting Database Files ..... 14
4.6 Setting Rights for an Installation with Several SAP Systems ..... 14
SAP System Security Under Windows 1 Windows Groups and Users in an SAP System Environment
1.1 Assigning Groups
Global groups
You create global groups at the domain level. Global groups are known to all servers within the domain.

Local groups
You create local groups on a single server. They are only known on that server. Exception: if you define a local group of users on one domain controller (PDC or BDC), the group is known on all domain controllers within the domain.
Global Groups
Global user groups are valid within a Windows domain, not only on one server. Therefore, we recommend you bundle the domain users into different activity groups, depending on their tasks. The domain administrator may export these activity groups to other domains, so that the respective users can access all resources needed to administer the SAP system. Although you may choose the name of the group as you wish, the standard global group for SAP system administrators is defined as SAP_<SAPSID>_GlobalAdmin according to the installation guide for your SAP component on Windows, which you can find in the SAP Service Marketplace at service.sap.com/instguides → SAP Component → <Release>.
Local Groups
Local user groups (as well as local users) exist locally on one server. During installation, user rights are assigned to local users instead of groups (for example, the user <sapsid>adm receives the user right Log on as a service). However, to simplify user administration, we recommend you assign server resources to local groups instead of single users. You can then assign the appropriate global users and global groups to the local group.

Local user groups increase the security and validity scope of user rights. However, be careful when using domain controllers: a single local user right defined on a domain controller is valid on all domain controllers. We therefore do not recommend installing SAP systems on a domain controller!

The following relationships are possible between users, local groups and global groups:
- A user can be a member of both a local group and a global group.
- A global group can be included in a local group.
- You may also export a global group to another Windows domain.
If several users need the same rights for a certain set of resources, you can create a group. It is then no longer necessary to assign each individual user his or her rights to each of the files. Instead, you assign the rights to a group. Thereby, all of the users in the group automatically receive the rights as assigned to the group. The same applies to the users in a global group that is itself the member of a local group.
1.2 Protecting the Operating System Users Used in an SAP System

User type: SAP system users
User: SAPService<SAPSID>
For IBM DB2 Universal Database for UNIX and Windows this user is called sapse<sapsid>.

User type: Database users
User: <DBservice>, <DBuser>
Function and Rights: One or more special users who run database-specific Windows services or access the database resources with utility programs. Some databases also need certain users at the operating system level.

Windows automatically creates the users Administrator and Guest during installation. They are not needed for SAP system operations. The database users <DBservice> and <DBuser> are typical users. However, the exact users that you need depend on the database you use.
Protecting Administrator
The Windows built-in superuser Administrator has unlimited access to all Windows resources. For example, Administrator can:
- Create, manage, and become the owner of all data files, hard disks, and file shares.
- Create and manage local users and their rights.
- Create and manage peripherals, kernel services, and user services.

To protect this user from unauthorized access, take the following precautions:
- Change the user name and keep its password secret.
- Create other users for administrative tasks and limit their rights to those tasks for which they are used (for example, user administrators, backup operators or server operators).
Protecting <sapsid>adm
<sapsid>adm is the Windows superuser for SAP system administration. This user is created during the SAP system installation process, normally as a domain user for the SAP system. This user can therefore log on to all Windows machines in the domain. <sapsid>adm also needs full access to all instance-specific resources for the SAP system such as files, shares, peripheral devices (for example, tape drives or printers), and network resources (for example, the SAProuter service).

To protect this user from unauthorized access, take the following precautions:
- Change its password regularly.
- Restrict its access rights to instance-specific resources for the SAP system only.

Although <sapsid>adm may access SAP system files, a different user runs the SAP system itself, namely SAPService<SAPSID>.
Protecting SAPService<SAPSID>
For IBM DB2 Universal Database for UNIX and Windows this user is called sapse<sapsid>.

SAPService<SAPSID> is also created during the SAP system installation. It is usually created as a domain user to run the SAP system and to manage database resources. This user may log on locally on all Windows machines in the domain. Since the SAP system must run even if no user is logged on to the local Windows machine, the SAP system runs as a Windows service. Therefore, during installation, the user SAPService<SAPSID> receives the right to Log on as a service on the local machine. SAPService<SAPSID> also administers the SAP system and database resources within the Computing Center Management System (CCMS). Therefore, it needs full access to all instance-specific and database-specific resources such as files, shares, peripheral devices, and network resources.

It is rather difficult to change this user's password. To change the password for a Windows service user, you need to stop the service, edit its start-up properties, and restart it. Therefore, to change this user's password, you need to stop the SAP system.

To protect SAPService<SAPSID>, take the following precautions:
- Cancel the user's right to Log on locally.
- Restrict its access rights to instance-specific and database-specific resources only.

In addition, prevent this special service user from logging on to the system interactively. This prevents misuse by users who try to access it from the presentation servers. You then do not have to set an expiration date for the password, and you can disable the setting that forces a password change at logon.
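The following script is an added example and is not part of the SAP guide. It checks the local user-rights assignment on an application server against the two precautions above for the service user: the account must hold Log on as a service, and it must be prevented from logging on interactively. Because SAPService<SAPSID> is a member of the local Administrators group, which is normally allowed to log on locally, the effective way to cancel the right is the corresponding Deny entry, so the script checks for that rather than only for the absence of an Allow entry. Assumptions (not from the guide): the account is a domain user in the domain the server is joined to, the script runs elevated in Windows PowerShell, and secedit.exe is used to export the effective local policy; the SAPSID value XYZ in the usage line is a placeholder.

```powershell
# Added example (not SAP code): audit user rights of SAPService<SAPSID> on this server.
# Usage:  .\Test-SapServiceRights.ps1 -SapSid XYZ
#         .\Test-SapServiceRights.ps1 -SapSid XYZ -UserName sapsexyz   (IBM DB2 naming)
param(
    [Parameter(Mandatory = $true)][string]$SapSid,   # three-letter system ID (placeholder: XYZ)
    [string]$Domain   = $env:USERDOMAIN,             # assumption: service user lives in this domain
    [string]$UserName = ''                           # override for databases that name the user differently
)

if (-not $UserName) { $UserName = "SAPService$($SapSid.ToUpper())" }
$account = "$Domain\$UserName"

# Resolve the account to its SID; secedit lists most principals as *S-1-5-... entries.
# Translate() throws if the account cannot be resolved, which is itself a finding.
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP "user-rights-$PID.inf"
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse lines such as:  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
$rights = @{}
foreach ($line in Get-Content -LiteralPath $inf) {
    if ($line -match '^\s*(Se[A-Za-z]+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -LiteralPath $inf -Force

function Test-Holder([string]$Right) {
    # True when the right names the account either by SID or by account name.
    return ($rights.ContainsKey($Right) -and
            ($rights[$Right] -contains $sid -or $rights[$Right] -contains $account))
}

# Expected state per the guide: service logon allowed, interactive logon prevented.
# The Remote Desktop deny is included because an RDP session is also an interactive logon.
$checks = @(
    [pscustomobject]@{ Right = 'SeServiceLogonRight';               Expect = $true;  Note = 'Log on as a service' }
    [pscustomobject]@{ Right = 'SeDenyInteractiveLogonRight';       Expect = $true;  Note = 'Deny log on locally (overrides the Administrators allow)' }
    [pscustomobject]@{ Right = 'SeDenyRemoteInteractiveLogonRight'; Expect = $true;  Note = 'Deny log on through Remote Desktop Services' }
    [pscustomobject]@{ Right = 'SeInteractiveLogonRight';           Expect = $false; Note = 'Allow log on locally must not name the service user directly' }
)

$results = foreach ($c in $checks) {
    $actual = Test-Holder $c.Right
    [pscustomobject]@{
        Account  = $account
        Right    = $c.Right
        Expected = $c.Expect
        Actual   = $actual
        OK       = ($actual -eq $c.Expect)
        Note     = $c.Note
    }
}
$results | Format-Table -AutoSize
```

Any row with OK = False is a deviation from the guide's recommendation for this user; the Allow check on SeInteractiveLogonRight only catches a direct grant, which is why the Deny entries are the rows that matter for the "cancel the right to Log on locally" precaution.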
You should be aware that the user SYSTEM is a virtual user with no password. (You cannot log on as user SYSTEM.) However, this user has complete access to the local Windows system.
SAP System Security Under Windows 2 SAP Systems in the Windows Domain Concept
[Figure: SAP systems in the Windows domain concept. Elements shown: SAP system application and database servers; SAP system or database services; SAP system administrators; Windows administrators; SAP domain administrator.]
SAP System Security Under Windows 3 SAP System Security When Using Windows Trusted Domains

When installing your SAP system, the installation tool, called SAPinst, automatically performs all steps that are relevant for protecting your system against unauthorized access. For example, it creates the required user accounts and groups and protects the most important directories.

SAPinst creates the following domain users:
- <sapsid>adm: This is the SAP system administrator account that enables interactive administration of the system.
- SAPService<SID> (this user is not created for Informix installations): This is the virtual user account that is required to start the SAP system. It has the local user right to log on as a service and is a member of the local Administrators group.

SAPinst also creates the following groups and sets the following access rights:
- SAPinst creates the domain group SAP_<SAPSID>_GlobalAdmin.
- SAPinst creates the local group SAP_<SAPSID>_LocalAdmin and includes the domain group SAP_<SAPSID>_GlobalAdmin in it.
- SAPinst creates the local administrator group SAP_LocalAdmin on the transport host. Members of the group have full control over the transport directory \usr\sap\trans, which allows transports to take place between systems. The SAP_<SAPSID>_GlobalAdmin group is added to the SAP_LocalAdmin group.
- SAPinst protects the SAP directories \usr, \usr\sap, \usr\sap\trans, \usr\sap\<sapsid> and its subdirectories by granting Full control access rights only to the Administrators and SAP_<SAPSID>_LocalAdmin groups.

Eliminate any Full control rights for Everyone to shares on the SAP system servers. For additional protection, you can eliminate the dynamically-created Windows root shares on the SAP system server. The server can then only be accessed from the network over manually created shares. If you have installed other software on the application server, make sure that the access rights for their directories and files are also set properly.

These rights apply specifically to SAP system resources. For details applying to the database files and directories, see the security instructions from your database supplier.
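The following script is an added example and is not part of the SAP guide or of SAPinst. It audits an application server against the three rules stated above: only the Administrators and SAP_<SAPSID>_LocalAdmin groups hold Full control on the SAP directories, no share grants Full control to Everyone, and the dynamically created root shares (C$, ADMIN$ and similar) are reported so that you can decide whether to remove them. Assumptions (not from the guide): the SAP directories are on drive D:, the script runs elevated in Windows PowerShell 5.1 or later on the server, the SmbShare cmdlets (Windows Server 2012 and later) are available, and NT AUTHORITY\SYSTEM is tolerated on the directories because, as the guide notes elsewhere, SYSTEM has complete access to the local machine anyway. The SAPSID value XYZ in the usage line is a placeholder.

```powershell
# Added example (not SAP code): audit SAP directory ACLs and shares on this server.
# Usage:  .\Test-SapResourceAcl.ps1 -SapSid XYZ -Drive D:
#         .\Test-SapResourceAcl.ps1 -SapSid XYZ -ExtraAllowed "$env:COMPUTERNAME\SAP_ABC_LocalAdmin"
param(
    [Parameter(Mandatory = $true)][string]$SapSid,   # three-letter system ID (placeholder: XYZ)
    [string]$Drive = 'D:',                           # assumption: drive holding \usr\sap
    [string[]]$ExtraAllowed = @()                    # further identities allowed Full control, e.g. a second system's local admin group
)

$sid      = $SapSid.ToUpper()
$fullCtrl = [System.Security.AccessControl.FileSystemRights]::FullControl
$allowed  = @('BUILTIN\Administrators',
              'NT AUTHORITY\SYSTEM',                               # assumption, see lead-in
              "$env:COMPUTERNAME\SAP_${sid}_LocalAdmin") + $ExtraAllowed
$paths    = @("$Drive\usr", "$Drive\usr\sap", "$Drive\usr\sap\trans", "$Drive\usr\sap\$sid")
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Object, [string]$Identity, [string]$Issue) {
    $findings.Add([pscustomobject]@{ Object = $Object; Identity = $Identity; Issue = $Issue })
}

# 1. Directory ACLs: every Allow ACE that carries Full control for an identity
#    outside the allowed list is a finding. ACEs expressed with generic rights
#    (they appear as plain numbers in FileSystemRights) are not matched here.
foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Add-Finding $path '-' 'directory not found'
        continue
    }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        $identity = $ace.IdentityReference.Value
        $hasFull  = (($ace.FileSystemRights -band $fullCtrl) -eq $fullCtrl)
        if ($ace.AccessControlType -eq 'Allow' -and $hasFull -and ($allowed -notcontains $identity)) {
            Add-Finding $path $identity 'Full control granted outside Administrators / SAP_<SAPSID>_LocalAdmin'
        }
    }
}

# 2. Shares: Full control for Everyone is a finding; the special (dynamically
#    created) root shares are listed so you can decide whether to remove them.
foreach ($share in Get-SmbShare) {
    if ($share.Special) {
        Add-Finding "share $($share.Name)" '-' 'dynamically created root share present'
        continue
    }
    foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
        if ($entry.AccountName -eq 'Everyone' -and
            $entry.AccessControlType -eq 'Allow' -and
            $entry.AccessRight -eq 'Full') {
            Add-Finding "share $($share.Name) ($($share.Path))" 'Everyone' 'Full control on share'
        }
    }
}

if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings | Format-Table -AutoSize }
```

The directory check looks at the ACL entries as stored, so an identity that only inherits Full control through a parent directory still shows up on the child paths; that is intended, since the guide protects \usr and its subdirectories as a set. Run the script on every application server and on the transport host, where SAP_LocalAdmin can be passed via -ExtraAllowed for the \usr\sap\trans path.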
In addition, we describe how to protect resources for an installation that consists of several SAP systems. For more information, see Setting Rights for an Installation with Several SAP Systems [Page 14].

The following points apply to the Windows domain concept and the installation of your SAP system:
4.2 Defining Start and Stop Permissions

The permissions for starting and stopping an SAP instance are defined in the sapstartsrv.exe file. To change the start and stop permissions, you can do one of the following:
- Use the Microsoft Management Console [SAP Library] with the SAP Systems Manager snap-in, which was developed at SAP and is integrated in the Microsoft Management Console (MMC). Right-click the SAP instance for which you want to change the start permissions and choose Properties to adjust the permissions.
- In the Windows Explorer, right-click the sapstart.exe file and choose Properties to adjust the permissions.
4.5 Protecting Database Files

The database provider or the database administrator is responsible for protecting the data at the database level. You should therefore consult the documentation supplied by the database vendor on the subject of data protection and security. For specifics pertaining to SAP systems, see the appropriate section in Database Access Protection [SAP NetWeaver Security Guide].