Security Optimization Self-Service
SERVICE REPORT
Security Optimization Service Analysis
Confidential

SAP System ID: XXX
Solution: TEST
Processed on: SAP Solution Manager AAA
Release: 7.10 SP 0014
Service Tool: ST-SER 720 SP 0000000000
SAP Service Content Update: not activated
Date of Session: 10.02.2016
Date of Report: 10.02.2016
Author: <NAME>
Session No.: 2000000270255
Installation No.: 0123456789
Customer No.: 9876543210

This report contains confidential customer data and may be viewed only by SAP AGS employees, authorized SAP partners, and customer employees. Do not distribute it to other parties.

Security Optimization Service 10.02.2016

1 SUMMARY ... 7
2 DETECTED ISSUES ... 8
3 SPECIAL FOCUS CHECKS ... 12
  3.1 XXX CLIENT OVERVIEW ... 12
  3.2 ADDITIONAL SUPER USER ACCOUNTS FOUND (0022) ... 12
4 AUTHENTICATION ... 14
  4.1 PASSWORD LOGON IS AT LEAST PARTLY ALLOWED (0139) ... 14
  4.2 PASSWORD POLICY ... 14
    4.2.1 Password Complexity ... 14
      4.2.1.1 Minimum Password Length (0126) ... 14
      4.2.1.2 Trivial Passwords Are Not Sufficiently Prohibited (0125) ... 14
    4.2.2 Initial Passwords ... 14
      4.2.2.1 Users with Initial Passwords Who Have Never Logged On (0009) ... 14
      4.2.2.2 Users with Reset Password Who Have Not Logged On (0140) ... 15
    4.2.3 Interval for Logon with Productive Password Is Too Long (AU081) ... 15
    4.2.4 Interval for Password Change Is Too Long (0127) ... 15
    4.2.5 Security Attack Indicated by Users Locked due to Incorrect Logon Attempts (0141) ... 15
  4.3 GENERAL AUTHENTICATION ... 16
    4.3.1 Users Who Have Not Logged On for an Extended Period of Time (0010) ... 16
    4.3.2 Security Critical Events for End Users Are Not Logged in the Security Audit Log (0136) ... 16
    4.3.3 Interval After Which Inactive Users Are Logged Off Is Too Long (0137) ... 16
    4.3.4 Multiple Logons Using the Same User ID Is Not Prevented (0138) ... 16
    4.3.5 Users - Other Than User Administrators - Are Authorized to Change Passwords (0121) ... 17
    4.3.6 Users - Other Than User Administrators - Are Authorized to Lock/Unlock Users (0135) ... 18
  4.4 PASSWORD BASED AUTHENTICATION ADMITS PASSWORD ATTACKS (0591) ... 19
  4.5 SAP GUI SINGLE SIGN-ON (SSO) ... 19
    4.5.1 Password Logon Is Allowed to SNC Enabled Servers (0592) ... 19
    4.5.2 Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of SNC Users to SAP Users (0594) ... 19
    4.5.3 SAP User IDs Have More Than One SNC User Attached (0595) ... 20
  4.6 SINGLE SIGN-ON (SSO) TICKET ... 21
    4.6.1 Unspecified Accepting of SSO Tickets (0603) ... 21
    4.6.2 Users - Other Than System Administrators - Are Authorized to Maintain Trusted SSO Ticket Issuing Systems (0605) ... 21
  4.7 CERTIFICATE SSO ... 22
    4.7.1 External Authentication via Client Certificates (0621) ... 22
    4.7.2 Trusted Certification Authorities (0623) ... 22
    4.7.3 Users - Other Than System Administrators - Are Authorized to Maintain Trusted CAs (0624) ... 24
    4.7.4 Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via SNC0 (0625) ... 25
    4.7.5 Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via Table Maintenance (0626) ... 26
    4.7.6 Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of X.509 Users to SAP Users (0622) ... 27
5 BASIS ADMINISTRATION AND BASIS AUTHORIZATIONS ... 29
  5.1 BASIS ADMINISTRATION ... 29
    5.1.1 Gateway and Message Server Security (BA076) ... 29
      5.1.1.1 Gateway Security (BA078) ... 29
        Gateway Access Control Lists (BA081) ... 29
    5.1.2 Users - Other Than System Administrators - Are Authorized to Maintain System Profiles (0152) ... 29
    5.1.3 Users - Other Than System Administrators - Are Authorized to Start/Stop Application Servers (0154) ... 30
    5.1.4 Users - Other Than System Administrators - Are Authorized to Start/Stop Work Processes (0156) ... 31
    5.1.5 Users - Other Than System Administrators - Are Authorized to Lock/Unlock Transactions (0157) ... 32
    5.1.6 Users - Other Than System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159) ... 33
    5.1.7 Users - Other Than System Administrators - Are Authorized to Maintain Own Lock Entries (0166) ... 34
    5.1.8 Users - Other Than System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161) ... 35
    5.1.9 Users - Other Than System Administrators - Are Authorized to Activate a Trace (0163) ... 36
    5.1.10 System Profiles Are Not Consistent (0153) ... 37
    5.1.11 No Timely Accurate Resolution of Erroneous Locks (0160) ... 37
    5.1.12 Security Audit Log is not active (0170) ... 37
    5.1.13 System Recommendations (ABAP) (BA090) ... 38
    5.1.14 Sending Trace Data to Remote Client (0169) ... 38
  5.2 BATCH INPUT ... 38
    5.2.1 No Timely Accurate Resolution of Failed Batch Input Sessions (0223) ... 38
  5.3 SPOOL & PRINTER ... 38
    5.3.1 Users - Other Than Spool Administrators - Are Authorized to Display Other Users Spool Requests (0192) ... 38
    5.3.2 Users - Other Than Spool Administrators - Are Authorized to Display Protected Spool Requests of Other Users (0198) ... 39
    5.3.3 Users - Other Than Spool Administrators - Are Authorized to Display the TemSe Content (0193) ... 40
    5.3.4 Users - Other Than Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194) ... 41
    5.3.5 Users - Other Than Spool Administrators - Are Authorized to Redirect a Print Request to Another Printer (0195) ... 42
    5.3.6 Users - Other Than Spool Administrators - Are Authorized to Export a Print Request (0196) ... 43
  5.4 BACKGROUND ... 44
    5.4.1 Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM' (0211) ... 44
    5.4.2 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212) ... 44
    5.4.3 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in External Commands (0213) ... 45
    5.4.4 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs Under Another User Id (0214) ... 46
  5.5 OS ACCESS ... 47
    5.5.1 Users - Other Than System Administrators - Are Authorized to Define External OS Commands (0171) ... 47
    5.5.2 Users - Other Than System Administrators - Are Authorized to Execute External OS Commands (0172) ... 48
    5.5.3 Users - Other Than System Administrators - Are Authorized to View Content of OS Files with AL11 (0173) ... 49
  5.6 OUTGOING RFC ... 50
    5.6.1 Unexpected RFC Connections with Complete Logon Data Found (0254) ... 50
    5.6.2 Users - Other Than System Administrators - Are Authorized to Administer RFC Connections (0255) ... 51
    5.6.3 Users - Other Than System Administrators - Are Authorized to Maintain Trusting Systems (0268) ... 51
  5.7 INCOMING RFC ... 52
    5.7.1 Users Are Authorized to Run Any RFC Function (0241) ... 52
    5.7.2 Users - Other Than Key Users - Are Authorized to Visualize All Tables via RFC (0245) ... 53
    5.7.3 Incoming RFC with Expired Password Is Allowed (0234) ... 54
    5.7.4 Users Authorized for Trusted RFC (Object S_RFCACL) (0239) ... 54
    5.7.5 Users Authorized for Trusted RFC Which Can Be Called from Any Calling User (0248) ... 55
    5.7.6 Unexpected Trusted System Connections Found (0238) ... 56
    5.7.7 Users - Other Than System Administrators - Are Authorized to Maintain Trusted Systems (0240) ... 57
    5.7.8 RFC Security in the Service Marketplace (0247) ... 57
  5.8 APPLICATION LINK ENABLING (ALE) ... 58
    5.8.1 Users - Other Than System Administrators - Allowed to Maintain the ALE Distribution Model (0723) ... 58
    5.8.2 Users - Other Than System Administrators - Allowed to Maintain the Partner Profile (0724) ... 58
6 CHANGE MANAGEMENT ... 60
  6.1 DATA & PROGRAM ACCESS ... 60
    6.1.1 Users - Other Than Key Users - Are Authorized to Start All Reports (0512) ... 60
    6.1.2 Users - Other Than Key Users - Are Authorized to Display All Tables (0513) ... 61
    6.1.3 Users Are Authorized to Maintain All Tables (0514) ... 61
    6.1.4 Users - Other Than System Administrators - Are Authorized to Change the Authorization Group of Tables (0515) ... 62
    6.1.5 Users - Other Than Query Administrators - Are Authorized to Administer Queries (0517) ... 63
    6.1.6 Users Are Authorized to Execute All Function Modules (0520) ... 64
  6.2 CHANGE CONTROL ... 65
    6.2.1 System Change Option Not Appropriately Configured in the Production System (0301) ... 65
    6.2.2 Client Change Option Not Appropriately Configured (0302) ... 65
    6.2.3 Users - Other Than System Administrators - Are Authorized to Change the System Change Option (0303) ... 66
    6.2.4 Users - Other Than System Administrators - Are Authorized to Change the Client Change Option (0304) ... 67
    6.2.5 Users - Other Than System Administrators - Are Authorized to Create New Clients (0305) ... 68
    6.2.6 Users Are Authorized to Delete Clients (0306) ... 69
    6.2.7 Users Are Authorized to Development in the Production System (0307) ... 70
    6.2.8 Users Are Authorized to Debug and Replace Field Values in the Production System (0308) ... 71
    6.2.9 Users Are Authorized to Perform Customizing in the Production System (0309) ... 72
    6.2.10 Users Are Authorized to Develop Queries in the Production System (0310) ... 72
    6.2.11 Execution of CATTs and eCATTs Is Not Prevented by Client Settings (0311) ... 73
    6.2.12 Users Are Authorized to Execute CATTs in the Production System (0312) ... 74
    6.2.13 Users Are Authorized to Execute eCATTs in the Production System (0313) ... 75
    6.2.14 SAPgui User Scripting Is Enabled (0314) ... 76
    6.2.15 Users Are Authorized to Use the Legacy Migration Workbench (0315) ... 76
    6.2.16 Users Are Authorized to Modify the Table Logging Flag for Tables (0318) ... 77
  6.3 DEVELOPMENT ... 78
    6.3.1 Development Sources Are Not Scanned for Critical Statements (0335) ... 78
  6.4 TRANSPORT CONTROL ... 78
    6.4.1 Users - Other Than Transport Administrators - Are Authorized to Change the TMS Configuration (0341) ... 78
    6.4.2 Users - Other Than Transport Administrators - Are Authorized to Start Imports to Production (0342) ... 79
    6.4.3 Users - Other Than Transport Administrators - Are Authorized to Create and Release Transports (0343) ... 80
    6.4.4 Users Are Authorized to Approve Transports (0346) ... 81
    6.4.5 Users - Other Than Transport Administrators - Are Authorized to Apply Patches (0363) ... 82
    6.4.6 Transports Are Not Scanned for Viruses (0348) ... 83
7 USER AUTHORIZATION ... 84
  7.1 USER MANAGEMENT ... 84
    7.1.1 Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002) ... 84
    7.1.2 User Administrators Are Authorized to Change Their Own User Master Record (0003) ... 85
    7.1.3 User Administrators Are Allowed to Maintain Users of Any Group (0004) ... 85
    7.1.4 User Master Data Is Not Regularly Synchronized with a Corporate LDAP Directory (0007) ... 86
    7.1.5 Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008) ... 86
    7.1.6 Reference Users Are Used (0011) ... 87
    7.1.7 Usage of 'Normal' Users as Reference Users Is Not Prohibited (0012) ... 88
    7.1.8 Users - Other Than User Administrators - Are Authorized to Access Tables with User Data (0013) ... 88
    7.1.9 Users - Other Than User Administrators - Are Authorized to Call Function Modules for User Admin (0019) ... 89
  7.2 SUPER USERS ... 90
    7.2.1 Users Have Nearly All Authorizations (0023) ... 90
    7.2.2 Unexpected Users Are Authorized to Change a Super User Accounts (0026) ... 91
    7.2.3 Users with Profile SAP_NEW (0031) ... 92
  7.3 STANDARD USERS ... 93
    7.3.1 Not All Profiles Are Removed from User SAP* (0042) ... 93
    7.3.2 User SAP* Is Neither Locked nor Expired (0043) ... 93
    7.3.3 Usage of the Hard Coded User SAP* Is Not Disabled (0046) ... 93
    7.3.4 User SAP*'s Activities Are Not Logged in the Security Audit Log (0047) ... 93
    7.3.5 User DDIC's Activities Are Not Logged in the Security Audit Log (0050) ... 94
    7.3.6 User EARLYWATCH's Activities Are Not Logged in the Security Audit Log (0060) ... 94
    7.3.7 User TMSADM Has the Default Password in Some Clients (0063) ... 94
    7.3.8 User TMSADM Exists in Clients Other Than Client 000 (0064) ... 94
  7.4 ROLE & AUTHORIZATION MANAGEMENT ... 95
    7.4.1 Users Are Authorized to Maintain Roles Directly in the Production System (0072) ... 95
    7.4.2 Users Are Authorized to Maintain Profiles Directly in the Production System (0073) ... 95
    7.4.3 Users Are Authorized to Maintain Authorizations Directly in the Production System (0074) ... 96
    7.4.4 SAP Standard Roles Are Assigned to Users (0082) ... 97
    7.4.5 SAP Standard Profiles Are Assigned to Users (0083) ... 97
    7.4.6 Profiles on Long Time Locked Users (0089) ... 98
  7.5 AUTHORIZATIONS ... 98
    7.5.1 Users Are Authorized to Disable Authorization Checks Within Transactions (0102) ... 98
    7.5.2 Users Are Authorized to Call Any Transaction (0110) ... 99
    7.5.3 Users Are Authorized to Delete an Authorization Check Before Transaction Start (0111) ... 100
    7.5.4 Global Disabling of Authority Checks Is Not Prevented (0104) ... 101
  7.6 INTERNET COMMUNICATION FRAMEWORK (ICF) ... 101
    7.6.1 Users - Other Than System Administrators - Are Authorized to Activate ICF Services (0655) ... 101
    7.6.2 Users - Other Than System Administrators - Are Authorized to Access Table Authorization Group &NC& (0663) ... 102
  7.7 HTTP CLIENT ... 103
    7.7.1 Additional http Client Connections Found (0682) ... 103
    7.7.2 No Proxy Used to Connect to http Servers (0683) ... 103
    7.7.3 No Authorization for S_SICF Required for http Client Access (0684) ... 104
    7.7.4 Client Proxy Does Not Require Client Authentication (0685) ... 104
    7.7.5 Additional http Connections with Full Logon Data Found (0687) ... 105
    7.7.6 No Encryption of Outgoing http Communication (0688) ... 105
  7.8 INTERNET COMMUNICATION MANAGER (ICM) ... 106
    7.8.1 Users - Other Than System Administrators - Are Authorized to Administrate the ICM (0701) ... 106
    7.8.2 Users - Other Than System Administrators - Are Authorized to Display the http Server Cache (0705) ... 107
    7.8.3 Users - Other Than System Administrators - Are Authorized to Configure the ICM Monitor (0706) ... 108
    7.8.4 ICM (Internet Communication Manager) Is Active (0704) ... 109
  7.9 PSE MANAGEMENT ... 109
    7.9.1 Users - Other Than System Administrators - Are Authorized to Maintain the System PSE's (0711) ... 109
    7.9.2 J2EE Engines Allowed to Access the Application Server (0881) ... 110
    7.9.3 Users Authorized to Maintain the Sending Systems for User Replication (0864) ... 110
8 HUMAN RESOURCES ... 112
  8.1 HUMAN RESOURCES GENERAL CHECKS ... 112
    8.1.1 Users - Other Than HR Administrators - Are Authorized to Maintain Table T77S0 (0922) ... 112
    8.1.2 Users - Other Than HR Administrators - Are Authorized to Maintain Tables for Organizational Data (0923) ... 113
    8.1.3 Users - Other Than HR Administrators - Are Authorized to Read the Infotype Change Log (0924) ... 114
    8.1.4 Users - Other Than HR Administrators - Are Authorized to Read HR Tables with Person Related Data (0925) ... 115
    8.1.5 Users - Other Than HR Administrators - Are Authorized to Change HR Tables with Person Related Data (0926) ... 116
    8.1.6 Users - Other Than HR Administrators - Are Authorized to Maintain Client Dependent HR Customizing (0927) ... 117
    8.1.7 Users - Other Than HR Administrators - Are Authorized to Run All HR Transactions (0928) ... 118
    8.1.8 Users - Other Than HR Administrators - Have Broad Authorization on HR Reports (0929) ... 119
  8.2 PERSONAL ADMINISTRATION ... 120
    8.2.1 Users - Other Than HR Administrators - Are Authorized to Read HR Master Data (0936) ... 120
    8.2.2 Users - Other Than HR Administrators - Are Authorized to Change Master Data without Double Verification (0937) ... 121
  8.3 PAYROLL ... 122
    8.3.1 Users - Other Than HR Administrators - Are Authorized to Read Payroll Results (0946) ... 122
    8.3.2 Users - Other Than HR Administrators - Are Authorized to Maintain Personnel Calculation Schemas (0947) ... 123
    8.3.3 Users - Other Than HR Administrators - Are Authorized to Release a Payroll Run (0950) ... 123
    8.3.4 Users - Other Than HR Administrators - Are Authorized to Delete Payroll Results (0951) ... 124
9 APPENDIX ... 126
  9.1 GENERAL INFORMATION ABOUT THE SAP SECURITY OPTIMIZATION SERVICE ... 126
  9.2 RATING OVERVIEW ... 127
  9.3 CUSTOMIZING OF REPORT OUTPUT TABLES ... 134
  9.4 USED QUESTIONNAIRE ... 134
10 APPENDED QUESTIONNAIRE - SAP NETWEAVER APPLICATION SERVER ABAP ... 135
  10.1 CLIENTLIST (0000) ... 135
  10.2 PRINT THE USER DATA (ALL CHECKS) ... 135
  10.3 USER AUTHORIZATIONS ... 135
    10.3.1 User Segregation (0004) ... 135
    10.3.2 Powerful Users ... 135
      10.3.2.1 Super Users (0021) ... 135
      10.3.2.2 System Administration ... 136
        10.3.2.2.1 System Administrators (0151) ... 136
        10.3.2.2.2 Background Administrators (0217) ... 136
        10.3.2.2.3 Spool Administrators (0191) ... 136
        10.3.2.2.4 Transport Administrators (0351) ... 136
      10.3.2.3 User Administration ... 137
        10.3.2.3.1 Super User Administrators (0025) ... 137
        10.3.2.3.2 User Administrators (0001) ... 137
        10.3.2.3.3 Role & Auth Administrators (0071) ... 137
      10.3.2.4 Batch Input Administrators (0224) ... 138
      10.3.2.5 Key Users (0511) ... 138
      10.3.2.6 Query Administrators (0516) ... 138
    10.3.3 Trusted RFC Users Which Can Be Called by Any Calling User (0249) ... 138
  10.4 RFC CONNECTIONS ... 139
    10.4.1 Trusting Systems (Outgoing) (0271) ... 139
    10.4.2 Trusted Systems (Incoming) (0246) ... 139
    10.4.3 RFC Connections with Complete Logon Data (0251) ... 139
  10.5 SYSTEMS ALLOWED TO ISSUE TRUSTED SSO TICKETS (0602) ... 139
  10.6 TRUSTED CERTIFICATION AUTHORITIES (CAS) FROM WHICH CERTIFICATES ARE ACCEPTED (0629) ... 140
  10.7 SCAN OF TRANSPORTS (0348) ... 140
  10.8 SCAN OF SOURCE CODE (0335) ... 140
  10.9 USE OF THE J2EE ENGINE
(0771)..........................................................................................................................140 11 APPENDED QUESTIONNAIRE - SAP HUMAN CAPITAL MANAGEMENT ................................................141 11.1 HCM ADMINISTRATORS (0921)............................................................................................................................141 12 APPENDED QUESTIONNAIRE - CUSTOMER DEFINED AUTHORIZATION CHECKS ...................................142 12.1 CUSTOMER DEFINED AUTHORIZATION (9000).........................................................................................................143 Summary Confidential 6/143 Security Optimization Service 10.02.2016 1 Summary Severe critical security issues were found in your system. See the information in the following sections. The SAP Security Optimization service is a comprehensive support service that identifies security risks for your SAP system and helps you to determine the appropriate measures to protect it from these risks. 
Objective of the SAP Security Optimization Service

The objectives of SAP Security Optimization are:
- To analyze the technical configuration of your SAP system for security risks
- To provide recommendations for implementing measures to mitigate security risks
- To provide a compressed overview of the implemented security level
- To enable you to protect your business systems from typical security risks

The security checks of SAP Security Optimization are performed for the following security aspects:
- Availability: ensuring that a system is operational and functional at any given moment
- Integrity: ensuring that data is valid and cannot be compromised
- Authenticity: ensuring that users are who they claim to be
- Confidentiality: ensuring that information is not accessed by unauthorized persons
- Compliance: ensuring that the system security setup is in accordance with established guidelines

Scope of SAP Security Optimization

SAP Security Optimization includes a collection of several hundred checks. These checks identify security vulnerabilities in the current setup and configuration of mySAP technology. The checks are performed on the SAP software layer. For a security analysis of the underlying operating system and database, consult your vendor; for a security analysis of the network, contact your preferred network security provider.

The SAP Security Optimization service cannot cover customer-specific aspects that require a detailed on-site analysis, such as the following checks:
- Segregation of duties for business-critical processes
- Security organization (organizational security)
- Security administration processes (operational security)

For a complete overview of existing security risks to your business system, the topics listed above have to be taken into consideration. SAP's Security Consulting Team can assist you with individual on-site consulting services to obtain guidance on aspects of security.
The following list provides an overview of the selected checks that are decisive for the severe critical ("RED") rating of this service.

ABAP-SPECIFIC TOPICS
Check Name
- Security Audit Log is not active (0170)
- Additional Super User Accounts Found (0022)
- Users Are Authorized to Debug and Replace Field Values in the Production System (0308)
- Users Are Authorized to Maintain All Tables (0514)
- Users Are Authorized to Execute All Function Modules (0520)
- System Change Option Not Appropriately Configured in the Production System (0301)

2 Detected Issues

The following list gives you an overview of all checks in the SAP Security Optimization service that are rated with a high risk:

Action Items
*** Special Focus Checks ***
22 Additional Super User Accounts Found (0022)
*** Authentication ***
*** Password Policy ***
Password Complexity
Trivial Passwords Are Not Sufficiently Prohibited (0125)
Initial Passwords
Users with Initial Passwords Who Have Never Logged On (0009)
Users with Reset Password Who Have Not Logged On (0140)
Interval for Password Change Is Too Long (0127)
*** General Authentication ***
Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)
Users - Other Than User Administrators - Are Authorized to Lock/Unlock Users (0135)
*** SAP GUI Single Sign-On (SSO) ***
Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of SNC Users to SAP Users (0594)
*** Single Sign-On (SSO) Ticket ***
Unspecified Accepting of SSO Tickets (0603)
Users - Other Than System Administrators - Are Authorized to Maintain Trusted SSO Ticket Issuing Systems (0605)
*** Certificate SSO ***
Users - Other Than System Administrators - Are Authorized to Maintain Trusted CAs (0624)
Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via SNC0 (0625)
Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via Table Maintenance (0626)
Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of X.509 Users to SAP Users (0622)
*** Basis Administration and Basis Authorizations ***
*** Basis Administration ***
33 Users - Other Than System Administrators - Are Authorized to Maintain System Profiles (0152)
33 Users - Other Than System Administrators - Are Authorized to Start/Stop Application Servers (0154)
279 Users - Other Than System Administrators - Are Authorized to Start/Stop Work Processes (0156)
26 Users - Other Than System Administrators - Are Authorized to Lock/Unlock Transactions (0157)
11625 Users - Other Than System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)
11618 Users - Other Than System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161)
11730 Users - Other Than System Administrators - Are Authorized to Activate a Trace (0163)
System Profiles Are Not Consistent (0153)
Security Audit Log is not active (0170)
*** Spool & Printer ***
11726 Users - Other Than Spool Administrators - Are Authorized to Display Other Users Spool Requests (0192)
11726 Users - Other Than Spool Administrators - Are Authorized to Display Protected Spool Requests of Other Users (0
11726 Users - Other Than Spool Administrators - Are Authorized to Display the TemSe Content (0193)
11726 Users - Other Than Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194)
11726 Users - Other Than Spool Administrators - Are Authorized to Redirect a Print Request to Another Printer (0195)
11726 Users - Other Than Spool Administrators - Are Authorized to Export a Print Request (0196)
*** Background ***
Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM' (0211)
11748 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212)
32 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in External Commands (0213)
11746 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs Under Another User Id (0214)
*** OS Access ***
32 Users - Other Than System Administrators - Are Authorized to Define External OS Commands (0171)
11728 Users - Other Than System Administrators - Are Authorized to View Content of OS Files with AL11 (0173)
*** Outgoing RFC ***
Unexpected RFC Connections with Complete Logon Data Found (0254)
11486 Users - Other Than System Administrators - Are Authorized to Administer RFC Connections (0255)
11620 Users - Other Than System Administrators - Are Authorized to Maintain Trusting Systems (0268)
*** Incoming RFC ***
11791 Users Are Authorized to Run Any RFC Function (0241)
274 Users - other than Key Users - are Authorized to Visualize All Tables via RFC (0245)
1271 Users authorized for Trusted RFC which can be called from any calling user (0248)
Unexpected Trusted System Connections Found (0238)
11620 Users - Other Than System Administrators - Are Authorized to Maintain Trusted Systems (0240)
*** Application Link Enabling (ALE) ***
11618 Users - Other Than System Administrators - Allowed to Maintain the ALE Distribution Model (0723)
11738 Users - Other Than System Administrators - Allowed to Maintain the Partner Profile (0724)
*** User Authorization ***
*** User Management ***
11602 Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002)
1393 User Administrators Are Authorized to Change Their Own User Master Record (0003)
300 User Administrators Are Allowed to Maintain Users of Any Group (0004)
11561 Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008)
Usage of 'Normal' Users as Reference Users Is Not Prohibited (0012)
11747 Users - Other Than User Administrators - Are Authorized to Access Tables with User Data (0013)
11734 Users - Other Than User Administrators - Are Authorized to Call Function Modules for User Admin (0019)
*** Super Users ***
111 Unexpected Users Are Authorized to Change Super User Accounts (0026)
14 Users with Profile SAP_NEW (0031)
*** Standard Users ***
Usage of the hard coded user SAP* is not disabled (0046)
*** Role & Authorization Management ***
11575 Users Are Authorized to Maintain Roles Directly in the Production System (0072)
11564 Users Are Authorized to Maintain Profiles Directly in the Production System (0073)
49 Users Are Authorized to Maintain Authorizations Directly in the Production System (0074)
SAP Standard Roles Are Assigned to Users (0082)
SAP Standard Profiles Are Assigned to Users (0083)
*** Authorizations ***
41 Users Are Authorized to Disable Authorization Checks Within Transactions (0102)
24 Users Are Authorized to Call Any Transaction (0110)
11 Users Are Authorized to Delete an Authorization Check Before Transaction Start (0111)
*** Change Management ***
*** Data & Program Access ***
11636 Users - Other Than Key Users - Are Authorized to Start All Reports (0512)
171 Users - Other Than Key Users - Are Authorized to Display All Tables (0513)
30 Users Are Authorized to Maintain All Tables (0514)
11620 Users - Other Than System Administrators - Are Authorized to Change the Authorization Group of Tables (0515)
11727 Users - Other Than Query Administrators - Are Authorized to Administer Queries (0517)
11735 Users Are Authorized to Execute All Function Modules (0520)
*** Change Control ***
System Change Option Not Appropriately Configured in the Production System (0301)
24 Users - Other Than System Administrators - Are Authorized to Change the System Change Option (0303)
24 Users - Other Than System Administrators - Are Authorized to Change the Client Change Option (0304)
24 Users - Other Than System Administrators - Are Authorized to Create New Clients (0305)
24 Users Are Authorized to Delete Clients (0306)
67 Users Are Authorized to Develop in the Production System (0307)
11695 Users Are Authorized to Debug and Replace Field Values in the Production System (0308)
29 Users Are Authorized to Perform Customizing in the Production System (0309)
11741 Users Are Authorized to Develop Queries in the Production System (0310)
*** Transport Control ***
38 Users - Other Than Transport Administrators - Are Authorized to Change the TMS Configuration (0341)
24 Users - Other Than Transport Administrators - Are Authorized to Start Imports to Production (0342)
239 Users - Other Than Transport Administrators - Are Authorized to Create and Release Transports (0343)
18 Users - Other Than Transport Administrators - Are Authorized to Apply Patches (0363)
*** Internet Communication Framework (ICF) ***
281 Users - Other Than System Administrators - Are Authorized to Activate ICF Services (0655)
11747 Users - Other Than System Administrators - Are Authorized to Access Table Authorization Group &NC& (0663)
*** http Client ***
Additional http Client Connections Found (0682)
Additional http Connections with Full Logon Data Found (0687)
No Encryption of Outgoing http Communication (0688)
*** Internet Communication Manager (ICM) ***
280 Users - Other Than System Administrators - Are Authorized to Administrate the ICM (0701)
280 Users - Other Than System Administrators - Are Authorized to Display the http Server Cache (0705)
280 Users - Other Than System Administrators - Are Authorized to Configure the ICM Monitor (0706)
*** PSE Management ***
32 Users - Other Than System Administrators - Are Authorized to Maintain the System PSE's (0711)
11669 Users Authorized to Maintain the Sending Systems for User Replication (0864)
*** Human Resources ***
*** Human Resources General Checks ***
11619 Users - Other Than HR Administrators - Are Authorized to Maintain Table T77S0 (0922)
11619 Users - Other Than HR Administrators - Are Authorized to Maintain Tables for Organizational Data (0923)
11636 Users - Other Than HR Administrators - Are Authorized to Read the Infotype Change Log (0924)
11747 Users - Other Than HR Administrators - Are Authorized to Read HR Tables with Person Related Data (0925)
11618 Users - Other Than HR Administrators - Are Authorized to Change HR Tables with Person Related Data (0926)
11618 Users - Other Than HR Administrators - Are Authorized to Maintain Client Dependent HR Customizing (0927)
2 Users - Other Than HR Administrators - Are Authorized to Run All HR Transactions (0928)
11634 Users - Other Than HR Administrators - Have Broad Authorization on HR Reports (0929)
*** Personal Administration ***
11663 Users - Other Than HR Administrators - Are Authorized to Read HR Master Data (0936)
11657 Users - Other Than HR Administrators - Are Authorized to Change Master Data without Double Verification (0937)
*** Payroll ***
11627 Users - Other Than HR Administrators - Are Authorized to Read Payroll Results (0946)
11618 Users - Other Than HR Administrators - Are Authorized to Maintain Personnel Calculation Schemas (0947)
11618 Users - Other Than HR Administrators - Are Authorized to Release a Payroll Run (0950)
11686 Users - Other Than HR Administrators - Are Authorized to Delete Payroll Results (0951)

Recommendation: Look at the list of action items above very carefully and decide whether anything on this list needs to be adjusted in your environment. First read the complete report, and then decide for each check whether it is advisable for you to change the current situation. Sometimes you will find that your current situation is sufficient, even if checks are rated with a medium or even high risk. Since every SAP implementation is different, you have to adjust this general report to your particular situation.
3 Special Focus Checks

3.1 XXX Client Overview

The following table lists clients that are available in the analyzed system and clients that have been specified in the questionnaire for analysis.

Clients Available in the System | Clients Requested in the Questionnaire | All Users | Valid Users | Locked Users | Outdated Users
000 | 000 | 634 | 614 | 18 | 2
001 | not analyzed | 457 | 456 | 1 | 0
002 | 002 | 2.238 | 2.205 | 33 | 0
004 | 004 | 19.222 | 19.090 | 9 | 123
200 | 200 | 771 | 619 | 152 | 0
211 | not analyzed | 779 | 762 | 17 | 0

Clients that are not analyzed are highlighted in yellow in the original report (marked "not analyzed" in the table above). For several key figures, the analysis is restricted to the clients specified in the questionnaire.

Recommendation: Review the list and check whether the analyzed clients fulfill your needs.

3.2 Additional Super User Accounts Found (0022)

In this system, the following super user accounts were found that were not mentioned in the questionnaire. (These are the users having the profile SAP_ALL.) All super user accounts that were found in your system are REMOVED from all the following checks. This means that a check that reports 5 authorized users, for example, actually has those 5 users and ALL super user accounts authorized in your system. Keep this in mind when you look at all other checks below.
Client | User | Type | Last Name | First Name | Department | User Group
000 | AANYONE | A | Anyone | Amanda | IT | SUPER
000 | ADMIN | A | Administrator | General | IT | SUPER
000 | DDIC | A | DDIC | DDIC | IT |
000 | FF1 | A | Fighter | Fire | IT | SUPER
000 | FF2 | A | Fighter | Fire | IT | SUPER
000 | SAP* | A | | | |
000 | SAPSUPPORT | A | Support | SAP | IT | EXTERN
000 | WF_BATCH | B | BATCH | WF | IT |
000 Count : 7 [0%]
002 | ADMIN | A | Administrator | General | IT |
002 | DDIC | A | DDIC | DDIC | IT |
002 | FF1 | A | Fighter | Fire | IT | SUPER
002 | SAP* | A | | | |
002 | SAPSUPPORT | A | Support | SAP | IT | EXTERN
002 | WF_BATCH | B | BATCH | WF | IT |
002 Count : 5 [0%]
004 | ADMIN | A | Administrator | General | IT |
004 | DDIC | A | DDIC | DDIC | IT |
004 | FF1 | A | Fighter | Fire | IT |
004 | SAP* | A | | | |
004 | SAPSUPPORT | A | Support | SAP | IT | EXTERN
004 | WF_BATCH | B | BATCH | WF | IT |
004 Count : 5 [0%]
200 | ADMIN | A | Administrator | General | IT |
200 | DDIC | A | DDIC | DDIC | IT |
200 | FF1 | A | Fighter | Fire | IT | SUPER
200 | SAP* | A | | | |
200 | SAPSUPPORT | A | Support | SAP | IT | EXTERN
200 | WF_BATCH | B | BATCH | WF | IT |
200 Count : 5 [0%]

(User Group values that were displaced in the extracted text and cannot be assigned to a row: SUPER, SUPER, SUPER for client 004 and SUPER for client 200.)

Evaluated Risk - High

Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

4 Authentication

4.1 Password Logon Is at Least Partly Allowed (0139)

Logging on with passwords is at least partially allowed: either all users are allowed to log on with their password (login/disable_password_logon = 0), or at least the special groups described in the parameter login/password_logon_usergroup are.
Recommendation: If you are not using Single Sign-On (SSO), at least think about implementing an SSO solution. To further increase the security of your systems, prevent users from logging on with their passwords.

4.2 Password Policy

If password login is allowed for specific instances only, the password policy is checked only for these instances.

4.2.1 Password Complexity

4.2.1.1 Minimum Password Length (0126)

PARAMETER: LOGIN/MIN_PASSWORD_LNG
Rating | Instance | Current Value(s) | Recommended Value
Medium | All instances | 6 | 8

Evaluated Risk - Medium

The current system settings allow a password length of less than 8 characters. This allows weak passwords. Attackers may successfully recover these passwords and gain unauthorized access to the system.

Recommendation: Assign a minimum value of 8 to the profile parameter login/min_password_lng.

4.2.1.2 Trivial Passwords Are Not Sufficiently Prohibited (0125)

Parameter | Description | Current Value | Recommendation
USR40 Entries | Number of entries in USR40 | 0 | 100

Evaluated Risk - High

No entries are maintained in table USR40. This table is used for preventing passwords from being guessed easily. In this table you could exclude your company name, your town, your products, and so on. You can use the wildcard ("*") for generic entries.

Recommendation: Maintain at least 100 values in table USR40.

4.2.2 Initial Passwords

4.2.2.1 Users with Initial Passwords Who Have Never Logged On (0009)

Client | Initial Passwords [%]
000 | 7
002 | 9
004 | 32
200 | 7

Evaluated Risk - High

Recommendation: Check why so many users have initial passwords. Ask these users to change their passwords, using the profile parameter login/password_change_for_SSO, for example. Or delete these users if they do not need access to the SAP system. You can use report RSUSR200 of the User Information System (transaction SUIM) to identify users with initial passwords.
4.2.2.2 Users with Reset Password Who Have Not Logged On (0140)

Client | Reset Passwords [%]
002 | 11

Evaluated Risk - High

Recommendation: Check why so many users have passwords that have been reset. Ask them to change their passwords, for example using the profile parameter login/password_change_for_SSO. Or delete these users if they do not need access to the SAP system.

4.2.3 Interval for Logon with Productive Password Is Too Long (AU081)

PARAMETER: LOGIN/PASSWORD_MAX_IDLE_PRODUCTIVE
Rating | Instance | Current Value | Recommended Value
Medium | All instances | 0 | >0

Evaluated Risk - Medium

As of SAP NetWeaver 7.00, SAP supports this parameter to encourage your users to create more secure passwords.

Recommendation: Activate profile parameter login/password_max_idle_productive. This parameter specifies the maximum period for which a productive password (a password chosen by the user) remains valid if it is not used. After this period has expired, the password can no longer be used for authentication purposes.

For more information, see:
- SAP Note 327917 - New user types as of Release 4.6C
- SAP Note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)
- Online Help - Profile Parameters for Logon and Password (Login Parameters)

4.2.4 Interval for Password Change Is Too Long (0127)

PARAMETER: LOGIN/PASSWORD_EXPIRATION_TIME
Rating | Instance | Current Value | Recommended Value
High | All instances | 0 | 30

Evaluated Risk - High

You are currently using a password change interval of more than 120 days, or you have deactivated this option completely.

Recommendation: Change the profile parameter login/password_expiration_time to 30 (or at least not higher than 60, and definitely not to 0, which disables the check).

4.2.5 Security Attack Indicated by Users Locked due to Incorrect Logon Attempts (0141)

Client | % locked incorrect logon | SAP* or DDIC locked?
000 | 1 | X
200 | 1 | X

Evaluated Risk - Medium

SAP* or DDIC users are locked because of incorrect logon attempts, or at least 5% of your users are locked in one client.
Recommendation: Check who is causing these incorrect logon attempts to attack your system, or who cannot remember their password.

4.3 General Authentication

4.3.1 Users Who Have Not Logged On for an Extended Period of Time (0010)

Client | User [%]
000 | 86
002 | 49
004 | 65
200 | 90

Evaluated Risk - Medium

Recommendation: A large number of users have not logged on to the SAP system in the last 2 months. Determine the reason for this. Either there are users registered in the SAP system who never use the system, or there are users in your system who are no longer in your company. Since the SAP license is user-based, we recommend that you check this and either delete or lock some of the users. You can use report RSUSR200 of the User Information System (transaction SUIM) to identify users with initial passwords.

4.3.2 Security Critical Events for End Users Are Not Logged in the Security Audit Log (0136)

Client | Logging
000 | Deactivated
002 | Deactivated
004 | Deactivated
200 | Deactivated

Evaluated Risk - Medium

Recommendation: Use transaction SM19 to activate logging of failed logon attempts for all your users in all clients. It is then possible to find out who performed which action, and to detect an unauthorized logon attempt.

4.3.3 Interval After Which Inactive Users Are Logged Off Is Too Long (0137)

PARAMETER: RDISP/GUI_AUTO_LOGOUT
Rating | Instance | Current Value | Recommended Value
Medium | All instances | 36000 | 1800

Evaluated Risk - Medium

If you deactivate this parameter by setting it to '0', or if you use a value higher than 1 hour, it is likely that users who are no longer in the office remain logged on. If you do not use screen savers at all workstations, this could result in other users accessing these workstations to get to unauthorized information.

Recommendation: Set this value to 1800 or 3600, for example, to reduce this risk as far as possible.
Also, do not automatically log off users who have been idle for only a few minutes.

4.3.4 Multiple Logons Using the Same User ID Is Not Prevented (0138)

PARAMETER: LOGIN/DISABLE_MULTI_GUI_LOGIN
Rating | Instance | Current Value | Recommended Value
- | All instances | 0 | 1

Sharing user accounts does not allow you to trace security violations and may result in users having too many authorizations.

Recommendation: Set this value to '1' so that each user has to log on with a different account.

4.3.5 Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)

The following users are allowed to change and reset passwords. This is very risky because any of these users could change another user's password and log on as that user. The only consequence is that the "real user" would no longer be able to log on, because the password has been changed. This results in the password simply being reset, because there is a chance that the "real user" might think they have forgotten the correct password.
Client | User | Type | Last Name | First Name | Department | User Group
000 | JDOE | A | Doe | John | IT | SUPER
000 | MMUSTERM | A | Mustermann | Max | IT | SUPER
000 | USER1 | A | Lastname_1 | Firstname_1 | LOB | LOB
000 | USER2 | S | Lastname_2 | Firstname_2 | LOB | LOB
000 | USER3 | B | Lastname_3 | Firstname_3 | LOB | LOB
000 Count : 581 [92%]
002 | JDOE | A | Doe | John | IT | SUPER
002 | MMUSTERM | A | Mustermann | Max | IT | SUPER
002 | USER1 | A | Lastname_1 | Firstname_1 | LOB | LOB
002 | USER2 | S | Lastname_2 | Firstname_2 | LOB | LOB
002 | USER3 | B | Lastname_3 | Firstname_3 | LOB | LOB
002 Count : 577 [26%]
004 | JDOE | A | Doe | John | IT | SUPER
004 | MMUSTERM | A | Mustermann | Max | IT | SUPER
004 | USER1 | A | Lastname_1 | Firstname_1 | LOB | LOB
004 | USER2 | S | Lastname_2 | Firstname_2 | LOB | LOB
004 | USER3 | B | Lastname_3 | Firstname_3 | LOB | LOB
004 Count : 843 [4%]
200 | JDOE | A | Doe | John | IT | SUPER
200 | MMUSTERM | A | Mustermann | Max | IT | SUPER
200 | USER1 | A | Lastname_1 | Firstname_1 | LOB | LOB
200 | USER2 | S | Lastname_2 | Firstname_2 | LOB | LOB
200 | USER3 | B | Lastname_3 | Firstname_3 | LOB | LOB
200 Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
Object 1: S_TCODE with TCD=SU01 or TCD=OIBB or TCD=OOUS or TCD=OPF0 or TCD=OPJ0 or TCD=OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=05

4.3.6 Users - Other Than User Administrators - Are Authorized to Lock/Unlock Users (0135)

This allows unauthorized system access, because it is possible to unlock any user. In addition, interfaces may malfunction, which results in the connected user being locked.
Client | User | Type | Last Name | First Name | Department | User Group
000 | JDOE | A | Doe | John | IT | SUPER
000 | MMUSTERM | A | Mustermann | Max | IT | SUPER
000 | USER1 | A | Lastname_1 | Firstname_1 | LOB | LOB
000 | USER2 | S | Lastname_2 | Firstname_2 | LOB | LOB
000 | USER3 | B | Lastname_3 | Firstname_3 | LOB | LOB
000 Count : 581 [92%]
002 | JDOE | A | Doe | John | IT | SUPER
002 | MMUSTERM | A | Mustermann | Max | IT | SUPER
002 | USER1 | A | Lastname_1 | Firstname_1 | LOB | LOB
002 | USER2 | S | Lastname_2 | Firstname_2 | LOB | LOB
002 | USER3 | B | Lastname_3 | Firstname_3 | LOB | LOB
002 Count : 577 [26%]
004 | JDOE | A | Doe | John | IT | SUPER
004 | MMUSTERM | A | Mustermann | Max | IT | SUPER
004 | USER1 | A | Lastname_1 | Firstname_1 | LOB | LOB
004 | USER2 | S | Lastname_2 | Firstname_2 | LOB | LOB
004 | USER3 | B | Lastname_3 | Firstname_3 | LOB | LOB
004 Count : 843 [4%]
200 | JDOE | A | Doe | John | IT | SUPER
200 | MMUSTERM | A | Mustermann | Max | IT | SUPER
200 | USER1 | A | Lastname_1 | Firstname_1 | LOB | LOB
200 | USER2 | S | Lastname_2 | Firstname_2 | LOB | LOB
200 | USER3 | B | Lastname_3 | Firstname_3 | LOB | LOB
200 Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
Object 1: S_TCODE with TCD=SU01 or TCD=OIBB or TCD=OOUS or TCD=OPF0 or TCD=OPJ0 or TCD=OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=05

4.4 Password Based Authentication Admits Password Attacks (0591)

You have deactivated SNC (snc/enable=0), or at least you do not use it for the authentication of SAP GUI users, since there are no SNC entries in the table USRACL.
SNC enables external authentication and therefore allows a higher security level for your system (by using smart cards with user credentials, for example). Since your system allows password authentication, a password attack is still possible (although you can minimize this risk by enforcing a password policy).

4.5 SAP GUI Single Sign-On (SSO)

4.5.1 Password Logon Is Allowed to SNC Enabled Servers (0592)

PARAMETER: SNC/ACCEPT_INSECURE_GUI
Rating  Instance       Current Value  Recommended Value
        All instances  1              0

You are still allowing access to the system without SSO, even though you have enabled SNC on the server. This means that passwords are still vulnerable to attack.

Recommendation: Check whether it is really necessary to allow authentication by means of passwords. At least change this parameter to '0' for general purposes, and to '1' (or, even better, to 'U') on the central instance for administration purposes.

4.5.2 Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of SNC Users to SAP Users (0594)

If user mapping can be maintained, access as a different user is possible. This is very critical in an SSO environment.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization Objects:
  Object 1: S_TCODE with TCD=SM30 or TCD=SM31 [as well as all relevant parameter transactions]
  Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=SCUS
  Object 3: S_USER_GRP with ACTVT=02

4.5.3 SAP User IDs Have More Than One SNC User Attached (0595)

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

The table above contains all SNC names that are allowed to log on with more than one SAP user.

Recommendation: To reduce risk, limit the number of these users.

4.6 Single Sign-On (SSO) Ticket

4.6.1 Unspecified Accepting of SSO Tickets (0603)

Client  Further System
002     ABC
002     Count: 1

Evaluated Risk - High

The system found that you accept SSO tickets from more systems than specified in the questionnaire.

Recommendation: Check the entries in table TWPSSO2ACL by using transaction SE16 or SM30 or STRUSTSSO2. Table TWPSSO2ACL contains all systems from which you accept SSO tickets.
4.6.2 Users - Other Than System Administrators - Are Authorized to Maintain Trusted SSO Ticket Issuing Systems (0605)

Table TWPSSO2ACL contains all systems that are trusted issuers of SSO tickets. Therefore, only system administrators must be authorized to maintain this table. Otherwise the problem arises that more systems could be entered from here.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization Objects:
  Object 1: S_TCODE with TCD=SM30 or TCD=SM31 or TCD=SE16 or TCD=SE16N [as well as all relevant parameter transactions]
  Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=SS
  Object 3: S_RZL_ADM with ACTVT=01
  Object 4: S_ADMI_FCD with S_ADMI_FCD=NADM

4.7 Certificate SSO

4.7.1 External Authentication via Client Certificates (0621)

External authentication by means of client certificates to log on to your system is enabled. Therefore, the system performs the following checks to try to reduce the vulnerability of the corresponding settings.

4.7.2 Trusted Certification Authorities (0623)

You currently trust the following certification authorities (CA). (This can be changed in transaction STRUST.) Each entry is shown on two lines: the first line gives Name, Category, Description, Flag, valid from and valid until; the second line gives the Distinguished name.

Name      Category  Description                                         Flag  valid from  valid until
          Distinguished name
DTELEKOM  TEST      Deutsche Telekom Test Root CA 1                           20061122    20141122
          CN=Deutsche Telekom Test Root CA 1, OU=Trust Center Deutsche Telekom, O=T-Systems Enterprise Services GmbH, C=DE
DTELEKOM  USER      Deutsche Telekom OnlinePass CA                            19990709    20190709
          CN=Deutsche Telekom Root CA 1, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
ENTRUST   SERV      Entrust.net Secure Server CA                              19990525    20190525
          CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
ENTRUST   TEST      Entrust PKI Demonstration CA                              20010907    20210907
          OU=Entrust PKI Demonstration Certificates, O=Entrust, C=US
ENTRUST   USER      Entrust.net Secure Personal Server CA                     19991012    20191012
          CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
EQUIFAX   CA        Equifax Secure CA                                         19980822    20180822
          OU=Equifax Secure Certificate Authority, O=Equifax, C=US
SAPTRUST  SERV      SAP Server CA                                             19980504    20150718
          CN=SAPNetCA, OU=SAPNet, O=SAP-AG, C=DE
SAPTRUST  USER      SAP Passport CA                                           20000718    20150718
          CN=SAP Passport CA, O=SAP Trust Community, C=DE
SAP_WP              SAP Workplace CA (DSA)                                    20000101    20380101
          CN=mySAP.com Workplace CA (dsa), O=mySAP.com Workplace, C=DE
TCTRUSTC  CA        TC TrustCenter Class 2 CA II                              20060112    20251231
          CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
TCTRUSTC  ICA       TC TrustCenter Class 2 L1 CA XI                           20091103    20251231
          CN=TC TrustCenter Class 2 L1 CA XI, OU=TC TrustCenter Class 2 L1 CA, O=TC TrustCenter GmbH, C=DE
TCTRUSTC  ISRV      TC TrustCenter SSL CA I                                   20080815    20130214
          CN=TC TrustCenter SSL CA I, OU=TC TrustCenter SSL CA, O=TC TrustCenter GmbH, C=DE
TCTRUSTC  SERV      TC TrustCenter Class 2 CA                                 19980309    20110101
          EMAIL=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE
TCTRUSTC  TEST      TC TrustCenter Class 0 CA                                 19980309    20110101
          EMAIL=certificate@trustcenter.de, OU=TC TrustCenter Class 0 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE
TCTRUSTC  USER      TC TrustCenter Class 1 CA                                 19980309    20110101
          EMAIL=certificate@trustcenter.de, OU=TC TrustCenter Class 1 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE
THAWTE    SERV      Thawte Server CA                                          19960801    20201231
          EMAIL=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, SP=Western Cape, C=ZA
THAWTE    TEST      Thawte Test CA                                            19960801    20201231
          CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, SP=FOR TESTING PURPOSES ONLY, C=ZA
VERIC1G1  CA        VeriSign Class 1 Public Primary CA                        19960129    20280801
          OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
VERIC1G2  CA        VeriSign Class 1 Public Primary CA 2nd generation         19980518    20280801
          OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
VERIC1G3  CA        VeriSign Class 1 Public Primary CA 3rd generation         19991001    20360716
          CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
VERIC2G1  CA        VeriSign Class 2 Public Primary CA                        19960129    20280801
          OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
VERIC2G2  CA        VeriSign Class 2 Public Primary CA - 2nd generation       19980518    20280801
          OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
VERIC2G3  CA        VeriSign Class 2 Public Primary CA 3rd generation         19991001    20360716
          CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
VERIC3G1  CA        VeriSign Class 3 Public Primary CA                        19960129    20280801
          OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
VERIC3G2  CA        VeriSign Class 3 Public Primary CA 2nd generation         19980518    20280801
          OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
VERIC3G3  CA        VeriSign Class 3 Public Primary CA 3rd generation         19991001    20360716
          CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
VERISIGN  TEST      VeriSign Trial Secure Server Test Root CA                 20050209    20250208
          CN=VeriSign Trial Secure Server Test Root CA, OU=For Test Purposes Only. No assurances., O="VeriSign, Inc.", C=US

4.7.3 Users - Other Than System Administrators - Are Authorized to Maintain Trusted CAs (0624)

If more people are allowed to maintain the trusted certification authorities (CA), the risk arises that fake CAs are trusted as well.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results.
For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
  Object 1: S_TCODE with TCD=STRUST [as well as all relevant parameter transactions]
  Object 2: S_RZL_ADM with ACTVT=01
  Object 3: S_ADMI_FCD with S_ADMI_FCD=NADM

4.7.4 Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via SNC0 (0625)

Table SNCSYSACL contains the SNC name of all ITS AGates that are allowed to pass a user certificate to the system for authentication. Everybody who is allowed to maintain this table can create backdoor access by means of an unauthorized ITS AGate to the SAP system.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions.
Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
  Object 1: S_TCODE with TCD=SNC0 [as well as all relevant parameter transactions]
  Object 2: S_TABU_DIS with ACTVT=02, DICBERCLS=SCUS
  Object 3: S_TABU_CLI with CLIIDMAINT=X
  Object 4: S_ADMI_FCD with S_ADMI_FCD=NADM

4.7.5 Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via Table Maintenance (0626)

Table SNCSYSACL contains the SNC name of all ITS AGates that are allowed to pass a user certificate to the system for authentication. Everybody who is allowed to maintain this table can create backdoor access by means of an unauthorized ITS AGate to the SAP system.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
  Object 1: S_TCODE with TCD=SM30 or TCD=SM31 [as well as all relevant parameter transactions]
  Object 2: S_TABU_DIS with ACTVT=02, DICBERCLS=SCUS
  Object 3: S_TABU_CLI with CLIIDMAINT=X
  Object 4: S_ADMI_FCD with S_ADMI_FCD=NADM

4.7.6 Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of X.509 Users to SAP Users (0622)

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization Objects:
  Object 1: S_TCODE with TCD=SM30 or TCD=SM31 [as well as all relevant parameter transactions]
  Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=SCUS
  Object 3: S_USER_GRP with ACTVT=02

If user mapping can be maintained, access as a different user is possible. This is very critical in an SSO environment.

5 Basis Administration and Basis Authorizations

5.1 Basis Administration

5.1.1 Gateway and Message Server Security (BA076)

5.1.1.1 Gateway Security (BA078)

Gateway Access Control Lists (BA081)

PARAMETERS: GW/SEC_INFO, GW/REG_INFO
Rating  Instance       Error Condition
        All instances  gw/reg_info and gw/sec_info are defined

REG_INFO
Rating  Instance        Error Condition
        ldcixx_XXX_22   P TP=*
        ldai4xx_XXX_22  P TP=*
        ldai2xx_XXX_22  P TP=*
        ldai3xx_XXX_22  P TP=*
        ldai1xx_XXX_22  P TP=*

SEC_INFO
Rating  Instance        Error Condition
        ldcixx_XXX_22   File does not exist (default)
        ldai4xx_XXX_22  File does not exist (default)
        ldai2xx_XXX_22  File does not exist (default)
        ldai3xx_XXX_22  File does not exist (default)
        ldai1xx_XXX_22  File does not exist (default)

Recommendation: The profile parameters gw/sec_info and gw/reg_info provide the file names of the corresponding access control lists. These access control lists are critical to controlling RFC access to your system, including connections to RFC servers. You should create and maintain both access control lists, which you can do using transaction SMGW.
For more information, see "Configuring Connections between SAP Gateway and External Programs Securely" (http://help.sap.com/saphelp_nw74/helpdata/en/48/b2096b7895307be10000000a42189b/content.htm) on SAP Help Portal.

5.1.2 Users - Other Than System Administrators - Are Authorized to Maintain System Profiles (0152)

This authorization allows security-critical system profile parameters to be disabled; the system might also be unable to restart due to an incorrect configuration.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results.
For this check, examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
  Object 1: S_TCODE with TCD=RZ10 [as well as all relevant parameter transactions]
  Object 2: S_RZL_ADM with ACTVT=01

5.1.3 Users - Other Than System Administrators - Are Authorized to Start/Stop Application Servers (0154)

The system might be unavailable due to unauthorized starting and stopping of servers.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
  Object 1: S_TCODE with TCD=RZ03 [as well as all relevant parameter transactions]
  Object 2: S_RZL_ADM with ACTVT=01

5.1.4 Users - Other Than System Administrators - Are Authorized to Start/Stop Work Processes (0156)

Unauthorized process administration can result in inconsistencies in processing.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
  Object 1: S_TCODE with TCD=SM04 or TCD=SM50 or TCD=SM51 [as well as all relevant parameter transactions]
  Object 2: S_ADMI_FCD with S_ADMI_FCD=PADM

5.1.5 Users - Other Than System Administrators - Are Authorized to Lock/Unlock Transactions (0157)

Risk of unavailability of transactions due to incorrect configuration, or access to locked transactions might be possible.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
  Object 1: S_TCODE with TCD=SM01 [as well as all relevant parameter transactions]
  Object 2: S_ADMI_FCD with S_ADMI_FCD=TLCK

5.1.6 Users - Other Than System Administrators - Are Authorized to Maintain Other Users' Lock Entries (0159)

Inconsistencies due to incorrect deletion of locks are possible.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
  Object 1: S_TCODE with TCD=SM12 [as well as all relevant parameter transactions]
  Object 2: S_ENQUE with S_ENQ_ACT=* or S_ENQ_ACT=ALL or S_ENQ_ACT=DLFU

5.1.7 Users - Other Than System Administrators - Are Authorized to Maintain Own Lock Entries (0166)

Inconsistencies due to incorrect deletion of locks are possible.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - Medium

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects: Object1: S_TCODE with TCD=SM12 [as well as all relevant parameter transactions] Object2: S_ENQUE with S_ENQ_ACT = * or S_ENQ_ACT=ALL or S_ENQ_ACT = DLOU 5.1.8 Users - Other Than System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161) Inconsistencies due to incorrect deletion or reprocessing of updates are possible. Client User Type Last Name First Name Department User Group 000 JDOE A Doe John IT SUPER 000 MMUSTERM A Mustermann Max IT SUPER 000 USER1 A Lastname_1 Firstname_1 LOB LOB 000 USER2 S Lastname_2 Firstname_2 LOB LOB 000 USER3 B Lastname_3 Firstname_3 LOB LOB 000 Count : 581 [92%] 002 JDOE A Doe John IT SUPER 002 MMUSTERM A Mustermann Max IT SUPER 002 USER1 A Lastname_1 Firstname_1 LOB LOB 002 USER2 S Lastname_2 Firstname_2 LOB LOB 002 USER3 B Lastname_3 Firstname_3 LOB LOB 002 Count : 577 [26%] 004 JDOE A Doe John IT SUPER 004 MMUSTERM A Mustermann Max IT SUPER 004 USER1 A Lastname_1 Firstname_1 LOB LOB 004 USER2 S Lastname_2 Firstname_2 LOB LOB 004 USER3 B Lastname_3 Firstname_3 LOB LOB 004 Count : 843 [4%] 200 JDOE A Doe John IT SUPER 200 MMUSTERM A Mustermann Max IT SUPER 200 USER1 A Lastname_1 Firstname_1 LOB LOB 200 USER2 S Lastname_2 Firstname_2 LOB LOB 200 USER3 B Lastname_3 Firstname_3 LOB LOB 200 Count : 586 [76%] Evaluated Risk - High Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles Basis Administration and Basis Authorizations Confidential 35/143 Security Optimization Service 10.02.2016 that include the authorization objects listed below. 
Authorization objects: Object1: S_TCODE with TCD=SM13 [as well as all relevant parameter transactions] Object2: S_ADMI_FCD with S_ADMI_FCD = UADM 5.1.9 Users - Other Than System Administrators - Are Authorized to Activate a Trace (0163) Low system performance due to activated SQL trace (ST01). Client User Type Last Name First Name Department User Group 000 JDOE A Doe John IT SUPER 000 MMUSTERM A Mustermann Max IT SUPER 000 USER1 A Lastname_1 Firstname_1 LOB LOB 000 USER2 S Lastname_2 Firstname_2 LOB LOB 000 USER3 B Lastname_3 Firstname_3 LOB LOB 000 Count : 581 [92%] 002 JDOE A Doe John IT SUPER 002 MMUSTERM A Mustermann Max IT SUPER 002 USER1 A Lastname_1 Firstname_1 LOB LOB 002 USER2 S Lastname_2 Firstname_2 LOB LOB 002 USER3 B Lastname_3 Firstname_3 LOB LOB 002 Count : 577 [26%] 004 JDOE A Doe John IT SUPER 004 MMUSTERM A Mustermann Max IT SUPER 004 USER1 A Lastname_1 Firstname_1 LOB LOB 004 USER2 S Lastname_2 Firstname_2 LOB LOB 004 USER3 B Lastname_3 Firstname_3 LOB LOB 004 Count : 843 [4%] 200 JDOE A Doe John IT SUPER 200 MMUSTERM A Mustermann Max IT SUPER 200 USER1 A Lastname_1 Firstname_1 LOB LOB 200 USER2 S Lastname_2 Firstname_2 LOB LOB 200 USER3 B Lastname_3 Firstname_3 LOB LOB 200 Count : 586 [76%] Evaluated Risk - High Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles Basis Administration and Basis Authorizations Confidential 36/143 Security Optimization Service 10.02.2016 that include the authorization objects listed below. 
Authorization objects: Object 1: S_TCODE with TCD = ST01 or ST05 [as well as all relevant parameter transactions] Object 2: S_ADMI_FCD with S_ADMI_FCD = ST0M 5.1.10 System Profiles Are Not Consistent (0153) Evaluated Risk - High The profiles in your system are not synchronized. At least one profile has differences between the database and the file system version. Recommendation: Import the profile from all active servers to get the latest state that is currently used into the database. As of now, ONLY update by using transaction RZ10, and try to activate all changes in the file system soon afterwards. Inconsistency flag X Parameter Parameter enque/table_size is different 5.1.11 No Timely Accurate Resolution of Erroneous Locks (0160) Client Unremoved Locks Older Than 2 Days 000 10 Evaluated Risk - Medium Locks may stay in the database after users terminate their sessions incorrectly. This may result in inconsistencies and other lock issues if nobody maintains old locks and perhaps removes them if an error occurs. Recommendation: Always look for old locks in your system. You can do this by using transaction SM12. If you find locks that are older than 1 day or from yesterday, ask the users what might have caused these locks so that you can prevent them in future. Finally, if you discover that the locks no longer need to be in the system, delete them. 5.1.12 Security Audit Log is not active (0170) The Security Audit Log provides for long-term data access. The audit files are retained until you explicitly delete them. 
Among others, you can record the following information: - Successful and unsuccessful dialog logon attempts - Successful and unsuccessful RFC logon attempts - RFC calls to function modules - Changes to user master records - Successful and unsuccessful transaction starts - Changes to the audit configuration Other checks within the SOS related to the Security Audit Log: - Normal Users Are Not Logged in the Security Audit Log (0136) - User SAP*'s activities are not logged in the SAL (0047) - User DDIC's activities are not logged in the SAL (0050) - User SAPCPIC's activities are not logged in the SAL (0055) - User EARLYWATCH's activities are not logged in the SAL (0060) - Logging of OSS User Activities in the SAL? (0533) Evaluated Risk - High Rating Instance Current Value Recommended Value All instances 0 1 Recommendation to customize the Security Audit Log. Basis Administration and Basis Authorizations Confidential 37/143 Security Optimization Service 10.02.2016 Settings: - Activate the profile parameter rsau/enable. - Set the profile parameter rsau/selection_slots to its maximum value of 10. - Activate the profile parameter rsau/user_selection. Filter: - Use one filter to log critical events for all users in all clients. - Use other filters to log everything for critical users such as SAP* and support users, including FireFighter users. - Use the remaining filters to log events in special cases. 5.1.13 System Recommendations (ABAP) (BA090) System Recommendations is not used for this system. Recommendation: SAP strongly recommends applying important security fixes as soon as possible. The 'System Recommendations' application provides a detailed recommendation regarding which SAP security notes (ABAP and non-ABAP) should be implemented based on the actual status of the system and the notes already implemented. This is a mandatory prerequisite for setting up a strong security patch process. For more information, refer to http://service.sap.com/sysrec . 
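The two profile findings above (5.1.10, a parameter that differs between the database copy of a profile and the file on the server, and 5.1.12, the rsau/* parameters not at their recommended values) can be reproduced outside the system from a copy of the profile files. The script below is an added example, not part of the SOS report or of SAP's tooling: it parses SAP profile syntax, diffs the database and file-system versions, and rates the Security Audit Log parameters against the values the report recommends (rdisp/accept_remote_trace_level is included because the report checks it under 5.1.14). The three profile texts are constructed for the example; parameter names and recommended values are the report's.

```python
"""Profile-consistency and Security Audit Log baseline check (added example,
not SAP code).  PROFILE_DB plays the instance profile as held in the database
(what RZ10 maintains), PROFILE_FS the file actually read by the instance, and
PROFILE_HARDENED the file after the report's recommendations were applied.
All three are constructed."""
from typing import Dict, List, Tuple

PROFILE_DB = """
# Instance profile XXX_DVEBMGS00, database version (constructed)
SAPSYSTEMNAME = XXX
INSTANCE_NAME = DVEBMGS00
enque/table_size = 32768
rsau/enable = 0
rdisp/accept_remote_trace_level = 1
"""

# Same profile on the file system: enque/table_size was edited in the file
# directly instead of through RZ10, which is exactly what check 0153 flags.
PROFILE_FS = """
SAPSYSTEMNAME = XXX
INSTANCE_NAME = DVEBMGS00
enque/table_size = 65536
rsau/enable = 0
rdisp/accept_remote_trace_level = 1
"""

PROFILE_HARDENED = """
SAPSYSTEMNAME = XXX
INSTANCE_NAME = DVEBMGS00
enque/table_size = 65536
rsau/enable = 1
rsau/selection_slots = 10
rsau/user_selection = 1
rdisp/accept_remote_trace_level = 0
"""

# Recommended values taken from sections 5.1.12 and 5.1.14 of the report.
RECOMMENDED: Dict[str, str] = {
    "rsau/enable": "1",
    "rsau/selection_slots": "10",
    "rsau/user_selection": "1",
    "rdisp/accept_remote_trace_level": "0",
}

NOT_SET = "<not set>"


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile.  Lines starting with '#'
    are comments; if a parameter is assigned twice the last value wins."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def inconsistent_parameters(db: Dict[str, str], fs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(parameter, database value, file-system value) for every parameter whose
    two copies differ, including parameters that exist on one side only."""
    return [(name, db.get(name, NOT_SET), fs.get(name, NOT_SET))
            for name in sorted(set(db) | set(fs))
            if db.get(name) != fs.get(name)]


def sal_deviations(params: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(parameter, current value, recommended value) for every recommended
    parameter that is missing or differs.  A missing parameter is reported
    rather than assumed to be fine: the effective value is then the kernel
    default, which for rsau/enable is 0, i.e. the audit log is off."""
    return [(name, params.get(name, NOT_SET), want)
            for name, want in RECOMMENDED.items()
            if params.get(name) != want]


if __name__ == "__main__":
    db, fs = parse_profile(PROFILE_DB), parse_profile(PROFILE_FS)
    for name, db_val, fs_val in inconsistent_parameters(db, fs):
        print(f"inconsistent: {name}: database={db_val} file={fs_val}")
    for name, cur, want in sal_deviations(fs):
        print(f"deviation: {name}: current={cur} recommended={want}")
    print("hardened:", sal_deviations(parse_profile(PROFILE_HARDENED)))
```

The check treats one file as the whole picture. In a real system the effective value is the instance profile's, falling back to DEFAULT.PFL and then to the kernel default, and the report's "All instances" rating means every instance profile has to pass, so run the check per instance with the default profile merged underneath.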
5.1.14 Sending Trace Data to Remote Client (0169)
PARAMETER: rdisp/accept_remote_trace_level
Rating  Instance       Current Value  Recommended Value
        All instances  1              0
Evaluated Risk - Medium
The parameter rdisp/accept_remote_trace_level allows the system to provide trace data to a remote client.
Recommendation: Deactivate the profile parameter if you do not need trace data at a remote client.

5.2 Batch Input

5.2.1 No Timely Accurate Resolution of Failed Batch Input Sessions (0223)
Client  Failed BI Sessions Older Than 2 Days
002     8
Evaluated Risk - Medium
Batch input is a frequently used technique for importing data into the SAP system, and it is run on a regular basis. Because productive data is imported this way, all failed batch input sessions must be checked so that no data is lost.
Recommendation: Regularly check whether failed batch input sessions exist, using transaction SM35, and correct them.

5.3 Spool & Printer

5.3.1 Users - Other Than Spool Administrators - Are Authorized to Display Other Users' Spool Requests (0192)
This authorization allows unauthorized access to sensitive data contained in spool requests.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 or SP01O [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = BASE and DISP, and SPOAUTH = * or __USER__

5.3.2 Users - Other Than Spool Administrators - Are Authorized to Display Protected Spool Requests of Other Users (0198)
This authorization allows unauthorized access to sensitive data contained in protected spool requests.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 or SP01O [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = BASE and DISP, and SPOAUTH = * or __USER__

5.3.3 Users - Other Than Spool Administrators - Are Authorized to Display the TemSe Content (0193)
This authorization allows unauthorized access to sensitive data contained in spool requests.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP11 or SP12 [as well as all relevant parameter transactions]
Object 2: S_TMS_ACT with STMSACTION = REA, STMSOWNER = GRP or OCL, and STMSOBJECT = SPOOL*

5.3.4 Users - Other Than Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194)
This authorization allows unauthorized access to sensitive data contained in spool requests after the ownership has been changed.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = USER

5.3.5 Users - Other Than Spool Administrators - Are Authorized to Redirect a Print Request to Another Printer (0195)
This authorization allows unauthorized access to sensitive data after a request has been redirected.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = REDI

5.3.6 Users - Other Than Spool Administrators - Are Authorized to Export a Print Request (0196)
This authorization allows unauthorized access to sensitive data after the spool request has been exported.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = DOWN

5.4 Background

5.4.1 Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM' (0211)
Percentage of jobs: 38
Evaluated Risk - High
Periodic background jobs must be scheduled under an anonymous user ID, for example BATCHUSER, and not under the ID of an individual. If an individual's ID is used for background jobs and that user is later deleted or locked, background processing is affected. An anonymous user ID is therefore necessary. In your system, more than 20% of the periodic background jobs are scheduled under a non-anonymous user ID.

5.4.2 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212)
Unauthorized background administration can result in:
- Inconsistencies
- Loss of information
- Unauthorized execution of critical programs
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SM36 [as well as all relevant parameter transactions]
Object 2: S_BTCH_ADM with BTCADMIN = Y, or
Object 3: S_BTCH_JOB with JOBACTION = RELE

5.4.3 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in External Commands (0213)
This authorization allows unauthorized execution of external programs or commands.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SM36 [as well as all relevant parameter transactions]
Object 2: S_BTCH_ADM with BTCADMIN = Y, or S_BTCH_JOB with JOBACTION = RELE
Object 3: S_RZL_ADM with ACTVT = 01

5.4.4 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs Under Another User ID (0214)
This authorization allows a user to schedule jobs that run under another user ID. If that ID has more authorizations than the scheduling user's own, the scheduling user can run critical reports that they would otherwise not be authorized to run.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SM36 [as well as all relevant parameter transactions]
Object 2: S_BTCH_NAM with BTCUNAME <> ' '
Object 3: S_BTCH_ADM with BTCADMIN = Y, or S_BTCH_JOB with JOBACTION = RELE

5.5 OS Access

5.5.1 Users - Other Than System Administrators - Are Authorized to Define External OS Commands (0171)
Unauthorized maintenance of operating system commands can cause malicious commands to be executed.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SM69 [as well as all relevant parameter transactions]
Object 2: S_RZL_ADM with ACTVT = 01

5.5.2 Users - Other Than System Administrators - Are Authorized to Execute External OS Commands (0172)
Unauthorized execution of dangerous operating system commands, which run with the operating-system privileges of the application server's own user, usually an administrative account.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - Medium
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SM49 [as well as all relevant parameter transactions]
Object 2: S_LOG_COM

5.5.3 Users - Other Than System Administrators - Are Authorized to View Content of OS Files with AL11 (0173)
Unauthorized access to sensitive data stored in files at operating system level, for example /etc/passwd on UNIX, or interface files containing sensitive data.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles. Use transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check, examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = AL11 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = ST0R
Object 3: S_DATASET with PROGRAM = RSWATCH0 and ACTVT = 33

5.6 Outgoing RFC

5.6.1 Unexpected RFC Connections with Complete Logon Data Found (0254)
The following RFC destinations contain complete logon data. As these connections were not mentioned in the questionnaire, we assume that they were not known to you. In special cases, a direct logon to the target system without any further password check could be possible. Check these destinations in greater detail.
RFC Destination  Type  Remote host      System number  Remote client  Remote user  Remote system
0LO7HQP_DEST     3     pxxx.xxx.corp    23             001            RUSER
0MB85T3_DEST     3     pxxx.xxx.corp    23             001            RUSER
ABD              3     ldaxxx.xxx.corp                 000            SAPCPIC      ABP
ABT              3     ldbxxx.xxx.corp                 001            SAPCPIC      ABP
ABS              3     ldcxxx.xxx.corp                 000            XUSER
ABP              3     10.11.12.13                     001            SAPCPIC
C40CLNT001       3     ldexxx.xxx.corp  07             001            ALEREMOTE
C40CLNT751       3     ldfxxx.xxx.corp  07             751            ALEREMOTE
C50CLNT001       3     ldgxxx.xxx.corp  08             001            ALEREMOTE
*** The remaining entries can be found in the service session. ***
Count: 426
Evaluated Risk - High. There is at least one additional RFC connection with complete logon data.
Recommendation: Use report RSRFCCHK to analyze RFC destinations with complete logon information. Ensure that the remote users have the correct user type (usually "system", not "dialog") and only the restricted authorizations they actually require. Consider using the "Authorization for Destination" field, which you can set on the "Logon & Security" tab in transaction SM59, to restrict the use of critical RFC destinations. See SAP Note 1595582 "Deletion of temporary RFC destinations" to delete generated RFC destinations whose names are 32-character GUIDs.
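Every "Users - Other Than ... Administrators" check above has the same shape: a user is listed when a combination of authorization objects and field values is present, where the combination is an AND over objects and, within a field, a list of alternatives. The script below is an added example, not SAP's code and not how the SOS itself is implemented: it encodes the "Authorization objects" lists of checks 0159, 0192, 0212, 0213, 0214 and 0172 as printed above, plus the RFC administration check 0255 that follows in 5.6.2 (whose "ACTVT NE 03" needs a not-equal condition), and evaluates them with SAP's field-value semantics (`*` and trailing-`*` prefix wildcards) against three constructed users. It assumes the users' effective authorization values have already been collected (in a real system from SUIM or from tables such as UST12 and AGR_1251), and it ignores the "relevant parameter transactions" the report mentions and FROM/TO value ranges.

```python
"""SOS-style critical-authorization evaluator (added example, not SAP code).
Object/field combinations come from the report's 'Authorization objects'
lists; the users are constructed.  Value ranges and parameter transactions
are not modelled."""
from typing import Callable, Dict, List, Tuple

Granted = List[str]                             # values one authorization grants for a field
Condition = Callable[[Granted], bool]
Alternative = Tuple[str, Dict[str, Condition]]  # (object, {field: condition}), one instance must meet all
Requirement = List[Alternative]                 # satisfied if any alternative is
Check = List[Requirement]                       # user flagged if every requirement is satisfied
Auths = Dict[str, List[Dict[str, Granted]]]     # object -> authorization instances


def covers(auth_value: str, required: str) -> bool:
    """SAP field-value semantics: '*' grants everything, a trailing '*' is a
    prefix wildcard (SM3* covers SM36 but not SM12), otherwise exact match."""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return required.startswith(auth_value[:-1])
    return auth_value == required


def any_of(*values: str) -> Condition:
    return lambda granted: any(covers(g, v) for g in granted for v in values)


def all_of(*values: str) -> Condition:
    return lambda granted: all(any(covers(g, v) for g in granted) for v in values)


def not_only(value: str) -> Condition:
    """'ACTVT NE 03' / 'BTCUNAME <> space': some granted value other than `value`."""
    return lambda granted: any(g != value for g in granted)


RELEASE_JOBS: Requirement = [("S_BTCH_ADM", {"BTCADMIN": any_of("Y")}),
                             ("S_BTCH_JOB", {"JOBACTION": any_of("RELE")})]

CHECKS: Dict[str, Check] = {
    "0159": [[("S_TCODE", {"TCD": any_of("SM12")})],           # other users' lock entries
             [("S_ENQUE", {"S_ENQ_ACT": any_of("*", "ALL", "DLFU")})]],
    "0192": [[("S_TCODE", {"TCD": any_of("SP01", "SP01O")})],  # other users' spool requests
             [("S_ADMI_FCD", {"S_ADMI_FCD": any_of("SP01", "SP0R")})],
             [("S_SPO_ACT", {"SPOACTION": all_of("BASE", "DISP"),
                             "SPOAUTH": any_of("*", "__USER__")})]],
    "0212": [[("S_TCODE", {"TCD": any_of("SM36")})], RELEASE_JOBS],  # schedule jobs
    "0213": [[("S_TCODE", {"TCD": any_of("SM36")})], RELEASE_JOBS,   # ... with external commands
             [("S_RZL_ADM", {"ACTVT": any_of("01")})]],
    "0214": [[("S_TCODE", {"TCD": any_of("SM36")})],           # ... under another user ID
             [("S_BTCH_NAM", {"BTCUNAME": not_only(" ")})], RELEASE_JOBS],
    "0172": [[("S_TCODE", {"TCD": any_of("SM49")})],           # execute external OS commands
             [("S_LOG_COM", {})]],                             # any S_LOG_COM authorization
    "0255": [[("S_TCODE", {"TCD": any_of("SM59")})],           # administer RFC destinations
             [("S_ADMI_FCD", {"S_ADMI_FCD": any_of("NADM")})],
             [("S_RFC_ADM", {"ACTVT": not_only("03")})]],
}

# Constructed users, not the report's.  Like AUTHORITY-CHECK, a single
# authorization instance must satisfy every field condition of an alternative.
USERS: Dict[str, Auths] = {
    "BASISADM": {                                  # full Basis administrator
        "S_TCODE": [{"TCD": ["*"]}],
        "S_ENQUE": [{"S_ENQ_ACT": ["*"]}],
        "S_ADMI_FCD": [{"S_ADMI_FCD": ["*"]}],
        "S_SPO_ACT": [{"SPOACTION": ["*"], "SPOAUTH": ["*"]}],
        "S_BTCH_ADM": [{"BTCADMIN": ["Y"]}],
        "S_BTCH_NAM": [{"BTCUNAME": ["*"]}],
        "S_RZL_ADM": [{"ACTVT": ["01", "03"]}],
        "S_LOG_COM": [{"COMMAND": ["*"], "OPSYSTEM": ["*"], "HOST": ["*"]}],
        "S_RFC_ADM": [{"ACTVT": ["*"]}],
    },
    "LOBUSER1": {                                  # business user with a too-wide spool role
        "S_TCODE": [{"TCD": ["VA01", "VA03", "SP01", "SM12"]}],
        "S_ENQUE": [{"S_ENQ_ACT": ["DLOU"]}],      # own locks only, so not 0159
        "S_ADMI_FCD": [{"S_ADMI_FCD": ["SP01"]}],
        "S_SPO_ACT": [{"SPOACTION": ["BASE", "DISP"], "SPOAUTH": ["__USER__"]}],
    },
    "JOBSCHED": {                                  # releases jobs as BATCHUSER, displays SM59 only
        "S_TCODE": [{"TCD": ["SM3*", "SM59"]}],
        "S_BTCH_JOB": [{"JOBACTION": ["RELE", "SHOW"]}],
        "S_BTCH_NAM": [{"BTCUNAME": ["BATCHUSER"]}],
        "S_ADMI_FCD": [{"S_ADMI_FCD": ["NADM"]}],
        "S_RFC_ADM": [{"ACTVT": ["03"]}],          # display only, so not 0255
    },
}


def satisfies(auths: Auths, alt: Alternative) -> bool:
    obj, fields = alt
    return any(all(cond(inst.get(f, [])) for f, cond in fields.items())
               for inst in auths.get(obj, []))


def flagged(auths: Auths, check: Check) -> bool:
    return all(any(satisfies(auths, alt) for alt in req) for req in check)


def evaluate(users: Dict[str, Auths]) -> Dict[str, List[str]]:
    """Check ID -> users that would appear in that check's table."""
    return {cid: [u for u, a in users.items() if flagged(a, chk)]
            for cid, chk in CHECKS.items()}


if __name__ == "__main__":
    for cid, hits in evaluate(USERS).items():
        print(f"{cid}: {', '.join(hits) or '-'}")
```

The point of running such a rule set yourself is the false-negative side: a role that grants `SM3*` on S_TCODE or `*` on S_ENQ_ACT is caught only because wildcards are expanded the way the kernel expands them, which a plain string search over role contents would miss. The report's own tables are produced the same way, which is why the SUPER-group administrators appear in them alongside the line-of-business users.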
5.6.2 Users - Other Than System Administrators - Are Authorized to Administer RFC Connections (0255)

Unauthorized access to other systems. Malfunction of interfaces if invalid connection data is entered.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SM59
Object 2: S_ADMI_FCD with S_ADMI_FCD = NADM
Object 3: S_RFC_ADM with ACTVT NE 03

5.6.3 Users - Other Than System Administrators - Are Authorized to Maintain Trusting Systems (0268)

This authorization allows users to maintain the trusting systems for outbound trusted RFC communication.
A trusted system can afterwards be used for trusted RFC.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SMT2 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = NADM

5.7 Incoming RFC

5.7.1 Users Are Authorized to Run Any RFC Function (0241)

An unauthorized remote execution of RFC functions with dialog users was detected. All of the following users are authorized to access all SAP RFC-enabled function modules.
This is very critical because there are very many RFC-enabled function modules that can be called. In Release 4.6C, for example, there are approximately 14000 RFC-enabled function modules. Not all of them contain special authorization checks. All of the following users can use some of these function modules without additional authorizations.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object: S_RFC with RFC_NAME = *

5.7.2 Users - Other Than Key Users - Are Authorized to Visualize All Tables via RFC (0245)

Unauthorized access to sensitive data by means of RFC. The following users are authorized to access RFC function modules, which allows them to retrieve all SAP tables. As this is a very critical authorization, assign it only as required.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_RFC with RFC_NAME=SDTX
Object 2: S_TABU_DIS with ACTVT=03 AND DICBERCLS=*

5.7.3 Incoming RFC with Expired Password Is Allowed (0234)

PARAMETER: RFC/REJECT_EXPIRED_PASSWD

Rating  Instance       Current Value  Recommended Value
        All instances  0              1

Evaluated Risk - Medium

Recommendation: Set the parameter rfc/reject_expired_passwd to 1 to detect the use of a user ID with an expired password. IMPORTANT: Before you change this parameter, import SAP Note 622464.

5.7.4 Users Authorized for Trusted RFC (Object S_RFCACL) (0239)

Unauthorized use of trusted RFC connections. All of the following users are allowed to access the analyzed system using a trusted system connection. We do not rate this check. Check whether the users really need this authorization.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - Medium

Recommendation: Use the Profile Generator (PFCG) to correct roles.
Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object: S_RFCACL

Please try to specify the values for the "RFC_SYSID" and "RFC_CLIENT" fields for this authorization object to prevent backdoor entries.

5.7.5 Users Authorized for Trusted RFC Which Can Be Called from Any Calling User (0248)

Unauthorized use of trusted RFC connections. All of the following users can be called using a trusted system connection from any calling user. Check whether the users really require this authorization.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles.
Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object: S_RFCACL

Use specific values for the "RFC_USER" field instead of using a * value, and consider using the 'same user' option instead (field RFC_EQUSER=Y). In this case, you can either leave the "RFC_USER" field empty or enter a value that is never used as a user ID (such as the character ').

5.7.6 Unexpected Trusted System Connections Found (0238)

RFC Destination  Count
ABD
ABS
ABP
ABT
C40
C70
C71
C72
C73
Count : 9

Evaluated Risk - High. You have defined more trusted systems than you specified in the questionnaire.

5.7.7 Users - Other Than System Administrators - Are Authorized to Maintain Trusted Systems (0240)

This authorization allows users to maintain trusted systems. A trusted system can subsequently be used for trusted RFC.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SMT1 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = NADM

5.7.8 RFC Security in the Service Marketplace (0247)

RFC is a very critical issue for the security of an SAP installation. The following document explains how to set up an authorization concept to secure the RFC connections in an SAP system landscape: http://service.sap.com/~sapidb/011000358700004954232004E
5.8 Application Link Enabling (ALE)

5.8.1 Users - Other Than System Administrators - Allowed to Maintain the ALE Distribution Model (0723)

Malfunction of ALE communication due to unauthorized changes.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=BD64 [as well as all relevant parameter transactions]
Object 2: B_ALE_MODL with ACTVT = 01 or 02 and CUSTMODEL = *

5.8.2 Users - Other Than System Administrators - Allowed to Maintain the Partner Profile (0724)

Malfunction of Application Link Enabling (ALE) communication due to unauthorized changes.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=WE20 [as well as all relevant parameter transactions]
Object 2: S_IDOCPART with ACTVT=01 or ACTVT=02 and EDI_TCD=WE20

6 Change Management

6.1 Data & Program Access

6.1.1 Users - Other Than Key Users - Are Authorized to Start All Reports (0512)

Execution of critical function reports that do not contain any authorization checks.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE38 or TCD=SA38 or TCD=SC38 [as well as all relevant parameter transactions]
Object 2: S_PROGRAM with P_ACTION=SUBMIT P_GROUP=*

Remark: We also search for the transaction codes used in parameter transactions defined in table TSTCP. (This is done in every check in which object S_TCODE is checked.) Any user who is authorized to call a transaction defined in table TSTCP that is based on transaction SA38 appears in this check if they also have authorization for the other objects checked.

6.1.2 Users - Other Than Key Users - Are Authorized to Display All Tables (0513)

Unauthorized access to sensitive data.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment.
You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SE16 or TCD=SE16N or TCD=SE17 or TCD=SM30 or TCD=SM31 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=03 DICBERCLS=*

6.1.3 Users Are Authorized to Maintain All Tables (0514)

Unauthorized maintenance of sensitive data.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE16 or TCD=SE16N or TCD=SE17 or TCD=SM30 or TCD=SM31 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=*

6.1.4 Users - Other Than System Administrators - Are Authorized to Change the Authorization Group of Tables (0515)

Unauthorized access to data after change of authorization group.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE17 or TCD=SM30 or TCD=SM31 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=SS

6.1.5 Users - Other Than Query Administrators - Are Authorized to Administer Queries (0517)

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with (TCD=SQ02 or TCD=SQ03 or TCD=SQ10) [as well as all relevant parameter transactions]
Object 2: S_QUERY with ACTVT=23

6.1.6 Users Are Authorized to Execute All Function Modules (0520)

Execution of critical function modules that do not contain any authorization checks.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SE37 [as well as all relevant parameter transactions]
Object 2: S_DEVELOP with ACTVT = 16 and S_DEVELOP with OBJTYPE = FUGR

6.2 Change Control

6.2.1 System Change Option Not Appropriately Configured in the Production System (0301)

Threats that arise with the possibility of development in production systems:
- Malfunction of system due to programs that have not been tested properly
- Unauthorized data access with modified or self-developed programs

Evaluated Risk - High

Recommendation: Set the System Change Option to 'Not modifiable' in SE06.

6.2.2 Client Change Option Not Appropriately Configured (0302)

Threats that arise with the possibility of development in production systems:
- Malfunction of system due to programs that have not been tested properly
- Unauthorized data access with modified or self-developed programs

Client  Modifiable  Type
000     O           S
002     O           T
004     O           T
200     O           T

Flags in table columns:
Modifiable:
  X - Production client is modifiable
  O - Non-production client is modifiable
  (empty) - Client is not modifiable
Type:
  P - Production client
  D - Demo
  E - Education
  S - SAP Standard
  C - Customizing
  T - Test

Evaluated Risk - Medium

Recommendation: Set the Client Change Option to 'Not modifiable' in all clients in your production system.

6.2.3 Users - Other Than System Administrators - Are Authorized to Change the System Change Option (0303)

Development is possible in the production system by all of the following persons.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SE06 [as well as all relevant parameter transactions]
Object 2: S_CTS_ADMI with CTS_ADMFCT=INIT and CTS_ADMFCT=SYSC
Object 3: S_TRANSPRT with ACTVT=03 and TTYPE=*

6.2.4 Users - Other Than System Administrators - Are Authorized to Change the Client Change Option (0304)

Development is possible in the productive client by all of the following persons.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SCC4 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 and DICBERCLS=SS
Object 3: S_TABU_CLI with CLIIDMAINT=*
Object 4: S_ADMI_FCD with S_ADMI_FCD=T000

6.2.5 Users - Other Than System Administrators - Are Authorized to Create New Clients (0305)
Creating a new client means that logons are permitted with the hard-coded user SAP* unless this is prevented by a profile parameter.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SCC4 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=01 and DICBERCLS=SS
Object 3: S_TABU_CLI with CLIIDMAINT=*
Object 4: S_ADMI_FCD with S_ADMI_FCD=T000

6.2.6 Users Are Authorized to Delete Clients (0306)
All the following users have the authority to delete any of your clients, including the production one. In addition, the default setting is that the T000 entry of the deleted client will not be deleted.
Afterwards the hard-coded user SAP* is available with the well-known password PASS, unless this is prevented by a profile parameter.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SCC5 [as well as all relevant parameter transactions]
Object 2: S_TABU_CLI with CLIIDMAINT=X

6.2.7 Users Are Authorized to Develop in the Production System (0307)
Threats that arise with the possibility of development in production systems:
- Malfunction of system due to programs that have not been tested properly
- Unauthorized data access with modified or self-developed programs

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE*
Object 2: S_DEVELOP with ACTVT=01 (create) or ACTVT=02 (change) and OBJTYPE=PROG

6.2.8 Users Are Authorized to Debug and Replace Field Values in the Production System (0308)
Unauthorized access to data and functions, since any authorization checks can be bypassed with this authorization. In addition, you can change data during processing, which may lead to inconsistent results.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_DEVELOP with ACTVT=02 (change) and OBJTYPE=DEBUG

Note: If you do not want to disable development in your system, you have to exclude OBJTYPE=DEBUG with ACTVT=02 from the profile and allow any other object type for S_DEVELOP. In this way, development and debugging with visualization is still possible. You can achieve this by linking 2 authorizations to the object S_DEVELOP: one with all object types (except for "DEBUG") and all activities, and another one for the object type DEBUG only and all activities (except for 02).

6.2.9 Users Are Authorized to Perform Customizing in the Production System (0309)
System malfunction due to improperly tested Customizing.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment.
You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SPRO [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 (change) and DICBERCLS=*

6.2.10 Users Are Authorized to Develop Queries in the Production System (0310)
Data access in queries or by using ABAP programs within queries.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with (TCD=SQ00 or TCD=SQ01) [as well as all relevant parameter transactions]
Object 2: S_QUERY with ACTVT=02 (change)

6.2.11 Execution of CATTs and eCATTs Is Not Prevented by Client Settings (0311)
Unauthorized data transfer into the SAP system. In addition, the system could be rendered unstable if testing takes place during production operation. CATTs and eCATTs are very useful tools, but use them in the development and test environment only.

Client  CATTs allowed  Type
000                    S
002     X              T
004     X              T
200     X              T

Flags in table columns
CATTs allowed:
X - CATTs and eCATTs allowed
(blank) - CATTs and eCATTs not allowed
Type:
P - Production client
D - Demo
E - Education
S - SAP Standard
C - Customizing
T - Test
Evaluated Risk - Medium
Recommendation: Disable the execution of CATTs and eCATTs, at least in the production client.

6.2.12 Users Are Authorized to Execute CATTs in the Production System (0312)
Unauthorized data transfer into the SAP system.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - Medium
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SCAT [as well as all relevant parameter transactions]
Object 2: S_DEVELOP with ACTVT=16 and OBJTYPE=SCAT

6.2.13 Users Are Authorized to Execute eCATTs in the Production System (0313)
Unauthorized data transfer into the SAP system.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - Medium
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=STWB_WORK or TCD=SECATT [as well as all relevant parameter transactions]
Object 2: S_DEVELOP with OBJTYPE=ECAT and ACTVT=16

6.2.14 SAPgui User Scripting Is Enabled (0314)
PARAMETER: SAPGUI/USER_SCRIPTING

Rating  Instance       Current Value  Recommended Value
        All instances  TRUE           FALSE

Evaluated Risk - Medium
As of SAP GUI 6.20, SAP supports this new parameter for all SAP R/3 releases as of Kernel Release 3.1I. This parameter enables you to log your front-end activities.
There is the possibility of misuse as it is possible to record sensitive data, for example when creating a new user or changing a user's password.
Recommendation: Omit the parameter sapgui/user_scripting or set it to FALSE. For further information, please refer to SAP Note 480149.

6.2.15 Users Are Authorized to Use the Legacy Migration Workbench (0315)
With LSMW it is possible to develop ABAP coding, even in a closed system without any development authorizations.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - Medium
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=LSMW [as well as all relevant parameter transactions]
Object 2: B_LSMW with TCD = LSMW and ACTVT = 02 or 16 or 36
Object 3: B_LSMW_PRO with PROJECT = *

6.2.16 Users Are Authorized to Modify the Table Logging Flag for Tables (0318)
Lack of information for tracking unauthorized changes to Customizing.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - Medium
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE11 or TCD=SE13 [as well as all relevant parameter transactions]
Object 2: S_DEVELOP with ACTVT=02 and OBJTYPE=TABT

6.3 Development

6.3.1 Development Sources Are Not Scanned for Critical Statements (0335)
Coding might contain certain statements (listed as "Critical Statements" in the Code Inspector results) that are critical to security or endanger program stability. Examples include:
- INSERT REPORT (ABAP command)
- EDITOR-CALL FOR REPORT (ABAP command)
- DELETE_USER_ON_DB (function module)
- BAPI_USER_* (function modules)
Evaluated Risk - Medium
Recommendation: Run the Code Inspector on a regular basis. The Code Inspector is available, along with some security checks, as of SAP Web AS 6.10.

6.4 Transport Control

6.4.1 Users - Other Than Transport Administrators - Are Authorized to Change the TMS Configuration (0341)
Inconsistencies due to incorrectly configured CTS.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = STMS [as well as all relevant parameter transactions]
Object 2: S_CTS_ADMI with CTS_ADMFCT = TABL

6.4.2 Users - Other Than Transport Administrators - Are Authorized to Start Imports to Production (0342)
Misuse of CTS (Change and Transport System) to import insecure programs. Inconsistencies due to incorrect usage of CTS.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions.
Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=STMS [as well as all relevant parameter transactions]
Object 2: S_CTS_ADMI with CTS_ADMFCT=IMPA or CTS_ADMFCT=IMPS

6.4.3 Users - Other Than Transport Administrators - Are Authorized to Create and Release Transports (0343)
The Change and Transport System (CTS) has been used incorrectly to export tables with sensitive data.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment.
You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE01, SE09 or SE10 [as well as all relevant parameter transactions]
Object 2: S_TRANSPRT with ACTVT=01, 03 and 43 and TTYPE=DTRA and TASK

6.4.4 Users Are Authorized to Approve Transports (0346)
Import of programs that have not been tested properly.
Note: This check should normally run in the Quality System. We assume that if the users have these authorizations in the Productive System, they also have them in the Quality System.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Recommendation: Check the roles and profiles of the users in your QA system that are evaluated by this check. Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results.
For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=STMS_QA [as well as all relevant parameter transactions]
Object 2: S_CTS_ADMI with CTS_ADMFCT=QTEA

6.4.5 Users - Other Than Transport Administrators - Are Authorized to Apply Patches (0363)
System malfunction after import of patches. Functions were not tested properly.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count: 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count: 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count: 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count: 586 [76%]

Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization information system (SUIM) to check the results. For this check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SPAM [as well as all relevant parameter transactions]
Object 2: S_TRANSPRT with TTYPE='PATC'

6.4.6 Transports Are Not Scanned for Viruses (0348)
Recommendation: Currently, transports into your system are not scanned automatically to avoid the import of non-secure programs. However, SAP provides a function for scanning the transports. Review SAP Note 521087 for a description of how to set up a virus scanner for transport files, as these files are normally stored in a proprietary and compressed SAP format.

7 User Authorization

7.1 User Management

7.1.1 Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002)
Only user administrators should be authorized to create users. You have to prevent users gaining unauthorized system access by using another user's account, and also prevent interfaces malfunctioning if the interface user becomes invalid.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SU01, TCD=OIBB, TCD=OOUS, TCD=OPF0, TCD=OPJ0, or TCD=OVZ5 [and all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT <> 03 (display) and ACTVT <> 08 (display change documents) and ACTVT <> SPACE

7.1.2 User Administrators Are Authorized to Change Their Own User Master Record (0003)

Avoid unauthorized maintenance of user accounts and assignment of authorizations.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization object listed below.

Authorization object:
S_USER_GRP with ACTVT=02 (change) and CLASS = <same as assigned to the user administrator>

7.1.3 User Administrators Are Allowed to Maintain Users of Any Group (0004)

If user administration is segregated, prevent unauthorized maintenance of users who belong to a user group that the decentralized user administrator is not in charge of.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SU01, TCD=OIBB, TCD=OOUS, TCD=OPF0, TCD=OPJ0, or TCD=OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=02 (change) and CLASS=*

7.1.4 User Master Data Is Not Regularly Synchronized with a Corporate LDAP Directory (0007)

User master data can be synchronized with a corporate directory to avoid inconsistent data.
Recommendation: If you use a corporate directory, schedule the report RSLDAPSYNC_USER on a regular basis. This ensures that all user master data is replicated from the corporate directory and stays synchronized. Otherwise the data, which is stored redundantly in both places, would drift out of sync.

7.1.5 Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008)

User and role maintenance must be segregated so that user administrators cannot change their own authorizations.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.
Remark: All users are listed who have authorization for check 0073, 0074, 0077, 0080, or 0081 (role and profile management in a production system) and who are also user administrators (check 0002).

7.1.6 Reference Users Are Used (0011)

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Avoid broad authorizations that are assigned indirectly by means of reference users. Only use reference users in Internet scenarios to assign roles to users who need the same authorizations. Do not use this as a general technique for assigning roles. SUIM reports do not consider authorizations that are assigned by means of reference users.

7.1.7 Usage of 'Normal' Users as Reference Users Is Not Prohibited (0012)

Evaluated Risk - High

Recommendation: Avoid the use of 'normal' users as reference users by setting a customizing switch. For more information, see SAP Note 513694.
7.1.8 Users - Other Than User Administrators - Are Authorized to Access Tables with User Data (0013)

Avoid dictionary attacks on passwords stored in table USR02.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE16, TCD=SE16N, or TCD=SE17 [and all relevant parameter transactions]
Object 2: S_TABU_DIS with DICBERCLS=SC and ACTVT=03

7.1.9 Users - Other Than User Administrators - Are Authorized to Call Function Modules for User Admin (0019)

Only user administrators should have authorizations to maintain users. Besides user maintenance in transaction SU01, users can also be changed by calling function modules directly.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE37 [and all relevant parameter transactions]
Object 2: S_DEVELOP with OBJTYPE=FUGR, ACTVT=03, and OBJNAME=SUSB or OBJNAME=RSUSR002

OR

Object 1: S_TCODE with TCD=SE37 [and all relevant parameter transactions]
Object 2: S_DEVELOP with OBJTYPE=FUGR, ACTVT=03, and OBJNAME=SU_USER
Object 3: S_USER_GRP with ACTVT=01 (create), ACTVT=02 (change), or ACTVT=06 (delete)

Remark for Release 6.40: As of Basis Release 6.40, ACTVT=16 is needed instead of ACTVT=03 for object S_DEVELOP in order to execute a function in SE37. If you are using a system with Basis Release 6.40 and a plug-in ST-A/PI_01E* or older, too many users might appear for this check.

7.2 Super Users

7.2.1 Users Have Nearly All Authorizations (0023)

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

No Evaluation

These users have more than 80% of all authorizations. They are "superusers."
Recommendation: Check which users have these authorizations and decide whether they really need them.

7.2.2 Unexpected Users Are Authorized to Change Super User Accounts (0026)

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SU01, TCD=OIBB, TCD=OOUS, TCD=OPF0, TCD=OPJ0, or TCD=OVZ5 [and all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=02 (change) or ACTVT=05, and CLASS=SUPER

7.2.3 Users with Profile SAP_NEW (0031)

The profile SAP_NEW accumulates a large number of authorizations.
Use only the subprofile(s) of SAP_NEW corresponding to your last release change. You should then update your own profiles as soon as possible and remove the SAP_NEW profile.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.

7.3 Standard Users

7.3.1 Not All Profiles Are Removed from User SAP* (0042)

Client  SAP* with profiles
000     X
002     X
004     X
200     X

Evaluated Risk - Medium

Recommendation: Remove the profile(s) from the SAP* user and create another superuser to be used as an emergency user.

Possible table values:
" ": SAP* has no profiles
"X": Profile SAP_ALL is used
"O": Another profile is used
7.3.2 User SAP* Is Neither Locked nor Expired (0043)

Client  Not locked or expired
000
002     X
004     X
200

Evaluated Risk - Medium

Recommendation: The user SAP* is unlocked in at least one client. To prevent the usage of SAP*, lock the user account or set an expiration date. Do not delete SAP*.

7.3.3 Usage of the Hard-Coded User SAP* Is Not Disabled (0046)

PARAMETER: LOGIN/NO_AUTOMATIC_USER_SAPSTAR

Rating  Instance       Current Value  Recommended Value
        All instances  0              1

Evaluated Risk - High

Recommendation: Set the profile parameter "login/no_automatic_user_sapstar" to 1.

Note: The user SAP* is needed for the client copy. Therefore, the parameter has to be changed back to 0 before the client copy is started - at least for the application server that you want to use for logging on to the new client.

7.3.4 User SAP*'s Activities Are Not Logged in the Security Audit Log (0047)

Client  SAL activated
000
002
004
200

Evaluated Risk - Medium

Recommendation: Log the successful and (at least) the unsuccessful activities for the user SAP* in the Security Audit Log.

Possible table values:
" ": No events are logged.
"S": Successful events are logged.
"U": Unsuccessful events are logged.

7.3.5 User DDIC's Activities Are Not Logged in the Security Audit Log (0050)

Evaluated Risk - Medium

Recommendation: Log the successful and (at least) the unsuccessful events for the user DDIC in the Security Audit Log.

7.3.6 User EARLYWATCH's Activities Are Not Logged in the Security Audit Log (0060)

Client  SAL activated
000
002
004
200

Evaluated Risk - Medium

Recommendation: Log at least the unsuccessful events for user EARLYWATCH in the Security Audit Log.

7.3.7 User TMSADM Has the Default Password in Some Clients (0063)

Client  Password not changed
000
002
004     X
200

Evaluated Risk - Medium

Recommendation: Change the standard password for the TMSADM user.
(For clients other than client 000, you should delete the user instead.) SAP Note 1414256 describes a support tool for changing the password of the TMSADM user in all systems of the transport domain. SAP Note 1552894 shows how to update the report RSUSR003 so that it also shows the status of the TMSADM user.

7.3.8 User TMSADM Exists in Clients Other Than Client 000 (0064)

Client  TMSADM exists
002     X
004     X
200     X

Evaluated Risk - Medium

Recommendation: Delete the TMSADM user in all clients except client 000.

7.4 Role & Authorization Management

7.4.1 Users Are Authorized to Maintain Roles Directly in the Production System (0072)

Roles, profiles, and authorizations must always be changed in the development system. Therefore, authorizations for role and authorization maintenance do not need to be assigned in the productive system at all.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=PFCG [and all relevant parameter transactions]
Object 2: S_USER_AGR with ACTVT=01 (create) or ACTVT=02 (change)

7.4.2 Users Are Authorized to Maintain Profiles Directly in the Production System (0073)

Roles, profiles, and authorizations must always be changed in the development system. Therefore, authorizations for role and authorization maintenance do not need to be assigned in the productive system at all.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SU02 [and all relevant parameter transactions]
Object 2: S_USER_PRO with ACTVT=01 (create), ACTVT=02 (change), or ACTVT=06 (delete)

7.4.3 Users Are Authorized to Maintain Authorizations Directly in the Production System (0074)

Roles, profiles, and authorizations must always be changed in the development system. Therefore, authorizations for role and authorization maintenance do not need to be assigned in the productive system at all.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SU03 [and all relevant parameter transactions]
Object 2: S_USER_AUT with ACTVT=01 (create) or ACTVT=02 (change)

7.4.4 SAP Standard Roles Are Assigned to Users (0082)

Client  Count
000     45
002     472
004     1.139
200     37

Evaluated Risk - High

Recommendation: Only use predefined SAP roles as templates. Do not assign them to users, because of the number of authorizations contained in standard SAP roles.

7.4.5 SAP Standard Profiles Are Assigned to Users (0083)

Client  Count
000     1
002     6
004     17
200     1

Evaluated Risk - High

Recommendation: Only use predefined SAP profiles as templates. Do not assign them to users, because of the large number of authorizations contained in standard SAP profiles.

7.4.6 Profiles on Long-Time Locked Users (0089)

Client  Users Found
000     X
002     X
004     X
200     X

Evaluated Risk - Medium

Recommendation: In the marked clients we found users that have been locked for at least 180 days and still have profiles assigned. Remove profiles from users that have been locked for a long period of time (especially if they have left the company). Unlocking such a user can give access to broad authorizations.

7.5 Authorizations

7.5.1 Users Are Authorized to Disable Authorization Checks Within Transactions (0102)

No user should have authorizations to disable authorization checks for any transaction.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SU24 [and all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=* and CLASS=*
Object 3: S_DEVELOP with ACTVT=03 and OBJTYPE=SUSO

7.5.2 Users Are Authorized to Call Any Transaction (0110)

When every transaction may be started, access control relies entirely on the authorization checks inside the executed program.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization object listed below.

Authorization object:
S_TCODE with field TCD=*

7.5.3 Users Are Authorized to Delete an Authorization Check Before Transaction Start (0111)

In transaction SE93, a basic authorization check can be maintained for every transaction. Deleting this authorization check could create security holes.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the Authorization Info System (SUIM) to check the results. For this check we recommend that you examine the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SE93 [and all relevant parameter transactions]
Object 2: S_DEVELOP with OBJTYPE=TRAN and ACTVT=02

7.5.4 Global Disabling of Authority Checks Is Not Prevented (0104)

Evaluated Risk - High

Table TOBJ_OFF does not contain any deactivated authorization objects, but the profile parameter "auth/object_disabling_active" is nonetheless set to "Y".

Recommendation: Set the profile parameter "auth/object_disabling_active" to "N".
This means that authorization checks cannot be deactivated globally by users who have the appropriate authorization.

7.6 Internet Communication Framework (ICF)

7.6.1 Users - Other Than System Administrators - Are Authorized to Activate ICF Services (0655)

Access to ICF services after unauthorized activation.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the Authorization Info System (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SICF [and all relevant parameter transactions]
Object 2: S_ADMI_FCD = PADM

7.6.2 Users - Other Than System Administrators - Are Authorized to Access Table Authorization Group &NC& (0663)

Tables which are not assigned to a specific table authorization group (see transaction SE54 or table TDDAT) are implicitly part of table authorization group &NC&. This table authorization group contains many tables, including critical tables. Example: access to table ICFSERVICE using standard table maintenance tools like SE16 could be misused to find ICF services with anonymous access. Therefore you should not grant access to table authorization group &NC&. If you need access to specific tables, you can either assign these tables to a different table authorization group or grant authorizations individually using authorization object S_TABU_NAM.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the Authorization Info System (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SE16, TCD=SE16N, TCD=SE17, TCD=SM30, or TCD=SM31 [and all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=03 and DICBERCLS=&NC&

7.7 http Client

7.7.1 Additional http Client Connections Found (0682)

HTTP Connection
ABS_AWS_EC2
ABS_AWS_S3
RCC_GRID_ENGINE
INTEGRATION_DIRECTORY
TEST_ODATA_PO
ABPCLNT004_HTTP
ABTCLNT005_HTTP
ABDCLNT002_HTTP
EPIC_DUMMY
Count : 9

Evaluated Risk - High

Recommendation: There is at least one additional HTTP client connection not specified in the questionnaire. We recommend that you check this connection. Check the RFCDES table and search for entries with RFCTYPE = 'H' or 'G'.

7.7.2 No Proxy Used to Connect to http Servers (0683)

Client  Connection without Proxy
000     ABS_AWS_EC2
000     ABS_AWS_S3
000     RCC_GRID_ENGINE
000     INTEGRATION_DIRECTORY
000     TEST_ODATA_PO
000     *** The residuary entries can be found in the service session. ***
000     Count : 9
002     ABS_AWS_EC2
002     ABS_AWS_S3
002     RCC_GRID_ENGINE
002     INTEGRATION_DIRECTORY
002     TEST_ODATA_PO
002     *** The residuary entries can be found in the service session. ***
002     Count : 9
004     ABS_AWS_EC2
004     ABS_AWS_S3
004     RCC_GRID_ENGINE
004     INTEGRATION_DIRECTORY
004     TEST_ODATA_PO
004     *** The residuary entries can be found in the service session. ***
004     Count : 9
200     ABS_AWS_EC2
200     ABS_AWS_S3
200     RCC_GRID_ENGINE
200     INTEGRATION_DIRECTORY
200     TEST_ODATA_PO
200     *** The residuary entries can be found in the service session. ***
200     Count : 9

Evaluated Risk - Medium

Recommendation: We found at least one connection to an HTTP server that does not use a proxy. A proxy works as a security barrier between the internal network and the Internet and should always be used. Check whether the proxy is globally maintained in table PPROXY_G. If not, use of the proxy must be customized in the RFCDES table.

7.7.3 No Authorization for S_SICF Required for http Client Access (0684)

http client access without authorization check
ABS_AWS_EC2
ABS_AWS_S3
RCC_GRID_ENGINE
INTEGRATION_DIRECTORY
TEST_ODATA_PO
ABPCLNT004_HTTP
ABTCLNT005_HTTP
ABDCLNT002_HTTP
EPIC_DUMMY
Count : 9

Evaluated Risk - Medium

Recommendation: We found at least one HTTP client connection that does not require authorization. You should request authentication for all HTTP clients. Check the customizing in table RFCDES.

7.7.4 Client Proxy Does Not Require Client Authentication (0685)

Client  Connection without authentication
000     ABS_AWS_EC2
000     ABS_AWS_S3
000     RCC_GRID_ENGINE
000     INTEGRATION_DIRECTORY
000     TEST_ODATA_PO
000     *** The residuary entries can be found in the service session. ***
000     Count : 9
002     ABS_AWS_EC2
002     ABS_AWS_S3
002     RCC_GRID_ENGINE
002     INTEGRATION_DIRECTORY
002     TEST_ODATA_PO
002     *** The residuary entries can be found in the service session. ***
002     Count : 9
004     ABS_AWS_EC2
004     ABS_AWS_S3
004     RCC_GRID_ENGINE
004     INTEGRATION_DIRECTORY
004     TEST_ODATA_PO
004     *** The residuary entries can be found in the service session. ***
004     Count : 9
200     ABS_AWS_EC2
200     ABS_AWS_S3
200     RCC_GRID_ENGINE
200     INTEGRATION_DIRECTORY
200     TEST_ODATA_PO
200     *** The residuary entries can be found in the service session. ***
200     Count : 9

Evaluated Risk - Medium

Recommendation: We found at least one connection for which the client proxy does not require authentication.
You should request authentication for all proxies. Check whether proxy authorization is globally maintained in the PPROXY_G and PPROXY_C tables. If this is not the case, use of the proxy must be customized in the RFCDES table.

7.7.5 Additional http Connections with Full Logon Data Found (0687)

HTTP connection
ABS_AWS_EC2
ABS_AWS_S3
RCC_GRID_ENGINE
INTEGRATION_DIRECTORY
TEST_ODATA_PO
Count : 5

Evaluated Risk - High

Recommendation: We found HTTP connections with full logon data that were not specified in the questionnaire. We recommend you check these HTTP connections.

7.7.6 No Encryption of Outgoing http Communication (0688)

http connection without encryption
ABS_AWS_EC2
ABS_AWS_S3
RCC_GRID_ENGINE
INTEGRATION_DIRECTORY
TEST_ODATA_PO
Count : 5

Evaluated Risk - High

Recommendation: We found at least one HTTP connection without SSL encryption. This can be dangerous, especially if a password is required for authentication, because the user and password are not transferred in encrypted format if SSL is not used. We recommend that you use SSL encryption for your HTTP connections. Check the connection settings in the RFCDES table.

7.8 Internet Communication Manager (ICM)

7.8.1 Users - Other Than System Administrators - Are Authorized to Administrate the ICM (0701)

Unauthorized administration (such as start and stop) of Internet Communication Manager (ICM).
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the Authorization Info System (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SMICM [and all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD=PADM

7.8.2 Users - Other Than System Administrators - Are Authorized to Display the http Server Cache (0705)

Unauthorized access to sensitive data.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the Authorization Info System (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SMICM [and all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD=PADM

7.8.3 Users - Other Than System Administrators - Are Authorized to Configure the ICM Monitor (0706)

Unauthorized change of ICM services.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the Authorization Info System (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD=SMICM [and all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD=PADM

7.8.4 ICM (Internet Communication Manager) Is Active (0704)

Backdoor entry to the system via the Web Application Server.

PARAMETER: RDISP/START_ICMAN

Rating  Instance       Current Value  Recommended Value
        All instances  true           FALSE

Recommendation: The Internet Communication Manager (ICM) is started on your system. Check whether the ICM is used in your environment.
If it is not used, deactivate the ICM by setting the profile parameter rdisp/start_icman to false in order to reduce the risk.

7.9 PSE Management

7.9.1 Users - Other Than System Administrators - Are Authorized to Maintain the System PSEs (0711)

Unauthorized access to system certificates.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the Authorization Info System (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=STRUST [and all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD=NADM
Object 3: S_RZL_ADM with ACTVT=01
Object 4: S_TABU_DIS with ACTVT=02 and DICBERCLS=SS

7.9.2 J2EE Engines Allowed to Access the Application Server (0881)

J2EE SNC ID
Count : 0000000003

Recommendation: These J2EE Engines are allowed to access the application server. Check the list.

7.9.3 Users Authorized to Maintain the Sending Systems for User Replication (0864)

This authorization allows a user to maintain the access control list for sending systems. Currently, it is possible to create users from a malicious external system.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment.
With the authorization info system (SUIM) you can check the results. For this check, you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE with TCD = SE16, SE17, SM30, or SM31 [and all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT = 2 and DICBERCLS = SUSR

8 Human Resources

8.1 Human Resources General Checks

8.1.1 Users - Other Than HR Administrators - Are Authorized to Maintain Table T77S0 (0922)

Users having this authorization can change or deactivate the use of the authorization objects P_PERNR and P_ORGIN in the HR application.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the authorization info system (SUIM) you can check the results.
For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TABU_DIS with DICBERCLS = PS and ACTVT = 02
Object 2: S_TCODE with TCD = SE16, SE16N, SE17, SM30, or SM31 [and all relevant parameter transactions]

8.1.2 Users - Other Than HR Administrators - Are Authorized to Maintain Tables for Organizational Data (0923)

Users having this authorization can change the logging of infotypes and report starts. Organizational HR data tables such as T500P, T501, or T503K can also be changed.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the authorization info system (SUIM) you can check the results.
For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TABU_DIS with DICBERCLS = PC and ACTVT = 02
Object 2: S_TCODE with TCD = SE16, SE16N, SE17, SM30, or SM31 [including all relevant parameter transactions]

8.1.3 Users - Other Than HR Administrators - Are Authorized to Read the Infotype Change Log (0924)

Users having this authorization can access infotype data without a specific authorization for infotypes.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the authorization info system (SUIM) you can check the results.
For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_PROGRAM with P_GROUP = RPUAUD00 and P_ACTION = SUBMIT
Object 2: S_TCODE with TCD = SE38, SA38, or SC38 (and all relevant parameter transactions)
Object 3: S_DEVELOP with ACTVT = 03

8.1.4 Users - Other Than HR Administrators - Are Authorized to Read HR Tables with Person Related Data (0925)

Users with this authorization can read all HR tables with person-related data.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the authorization info system (SUIM) you can check the results.
For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TABU_DIS = PA and ACTVT = 03
Object 2: S_TCODE = SE16, SE16N, SE17, SM30, or SM31 [and all relevant parameter transactions]

8.1.5 Users - Other Than HR Administrators - Are Authorized to Change HR Tables with Person Related Data (0926)

Users with this authorization can change all HR tables with person-related data.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the authorization info system (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TABU_DIS = PA and ACTVT = 02
Object 2: S_TCODE = SE16, SE16N, SE17, SM30, or SM31 [including all relevant parameter transactions]

8.1.6 Users - Other Than HR Administrators - Are Authorized to Maintain Client Dependent HR Customizing (0927)

Users with this authorization can change client-dependent HR customizing.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the authorization info system (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TABU_DIS = PA AND PS and ACTVT = 02
Object 2: S_TCODE = SE16, SE16N, SE17, SM30, or SM31 [and all relevant parameter transactions]

8.1.7 Users - Other Than HR Administrators - Are Authorized to Run All HR Transactions (0928)

Users with this authorization can call all HR transactions.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the authorization info system (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE = P*
Object 2: P_TCODE = *

8.1.8 Users - Other Than HR Administrators - Have Broad Authorization on HR Reports (0929)

This authorization gives broad authorization for HR Reports.
The authorization objects P_ORGIN and P_PERNR can be overruled with this authorization.

Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. With the authorization info system (SUIM) you can check the results. For this check you should inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: P_ABAP with REPID = * and COARS = 2

8.2 Personnel Administration

8.2.1 Users - Other Than HR Administrators - Are Authorized to Read HR Master Data (0936)

Users with this authorization can read the HR master data.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can check the results with the authorization info system (SUIM). For this check, inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE = PA20 [and all relevant parameter transactions]
Object 2: P_ORGIN with AUTHC = R
Object 3: P_ORGXX with AUTHC = R (if AUTHSW ORGXX is set to 1 in table )

8.2.2 Users - Other Than HR Administrators - Are Authorized to Change Master Data without Double Verification (0937)

Users with this authorization can change master data without verification by a colleague.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can check the results with the authorization info system (SUIM). For this check, inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: S_TCODE = PA30 [and all relevant parameter transactions]
Object 2: P_ORGIN with AUTHC = (D and (E or S)) OR W
Object 3: P_ORGXX with AUTHC = R (if AUTHSW ORGXX = 1 in table T77S0)

8.3 Payroll

8.3.1 Users - Other Than HR Administrators - Are Authorized to Read Payroll Results (0946)

Users with this authorization can read the HR payroll results.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can check the results with the authorization info system (SUIM). For this check, inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: P_PCLX with AUTHC = 'R' and RELID = '*'

8.3.2 Users - Other Than HR Administrators - Are Authorized to Maintain Personnel Calculation Schemas (0947)

Users with this authorization can maintain the HR personnel calculation schemas.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can check the results with the authorization info system (SUIM). For this check, inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: P_TCODE with TCD = PE01
Object 2: S_TCODE with TCD = PE01 [and all relevant parameter transactions]

8.3.3 Users - Other Than HR Administrators - Are Authorized to Release a Payroll Run (0950)

Users with this authorization can release a payroll run.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can check the results with the authorization info system (SUIM). For this check, inspect the roles or profiles that include the authorization objects listed below.

Authorization objects:
Object 1: P_TCODE with TCD = PA03
Object 2: S_TCODE with TCD = PA03 [and all relevant parameter transactions]

8.3.4 Users - Other Than HR Administrators - Are Authorized to Delete Payroll Results (0951)

Users with this authorization can delete payroll results.
Client  User      Type  Last Name   First Name   Department  User Group
000     JDOE      A     Doe         John         IT          SUPER
000     MMUSTERM  A     Mustermann  Max          IT          SUPER
000     USER1     A     Lastname_1  Firstname_1  LOB         LOB
000     USER2     S     Lastname_2  Firstname_2  LOB         LOB
000     USER3     B     Lastname_3  Firstname_3  LOB         LOB
000     Count : 581 [92%]
002     JDOE      A     Doe         John         IT          SUPER
002     MMUSTERM  A     Mustermann  Max          IT          SUPER
002     USER1     A     Lastname_1  Firstname_1  LOB         LOB
002     USER2     S     Lastname_2  Firstname_2  LOB         LOB
002     USER3     B     Lastname_3  Firstname_3  LOB         LOB
002     Count : 577 [26%]
004     JDOE      A     Doe         John         IT          SUPER
004     MMUSTERM  A     Mustermann  Max          IT          SUPER
004     USER1     A     Lastname_1  Firstname_1  LOB         LOB
004     USER2     S     Lastname_2  Firstname_2  LOB         LOB
004     USER3     B     Lastname_3  Firstname_3  LOB         LOB
004     Count : 843 [4%]
200     JDOE      A     Doe         John         IT          SUPER
200     MMUSTERM  A     Mustermann  Max          IT          SUPER
200     USER1     A     Lastname_1  Firstname_1  LOB         LOB
200     USER2     S     Lastname_2  Firstname_2  LOB         LOB
200     USER3     B     Lastname_3  Firstname_3  LOB         LOB
200     Count : 586 [76%]

Evaluated Risk - High

Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can check the results with the authorization info system (SUIM). For this check, inspect the roles or profiles that include the authorization objects listed below.
Authorization objects (either of the following combinations):

Combination 1:
Object 1: S_TCODE = SE38, SA38, SC38 [and all relevant parameter transactions]
Object 2: S_PROGRAM with P_GROUP = RPUDEL20 and P_ACTION = SUBMIT
Object 3: S_DEVELOP with ACTVT = 03

OR

Combination 2:
Object 1: S_TCODE = PU01 and P_TCODE = PU01 [and all relevant parameter transactions]
Object 2: P_ORGIN with AUTHC = W

9 Appendix

9.1 General information about the SAP Security Optimization Service

The following contains general information about SAP Security Optimization and will help you to understand and apply the report.

How to read this report

The objective of this report is to document the vulnerabilities that have been detected by the SAP Security Optimization service. Since we perform several hundred checks in this support service, only actual weaknesses are listed in the report so that it is concise; checks with positive results are not included.

In some checks, unexpected users with critical authorizations are determined. If you have indicated in the questionnaire that you want the user ID and the names of the users to be printed, they are listed in the findings of these checks. To keep the report concise, note that no more than 30 users are listed, even if more users have been found. If you want to determine all users who have this authorization, you can do so in transaction ST14. For more information about using this transaction, see SAP Note 696478.

For each productive client analyzed, the maximum number of users printed is 20. For other clients (for example, 000 or 066), the maximum number of users printed for each client is 20 divided by the number of checked clients. This ensures that examples of all clients are printed. The number of counted users that we print is reduced by the number of superusers that we found in the system (check 0022).
Since superusers (users with the SAP_ALL profile) have all authorizations, they are printed only once at the beginning of the report.

The user types in the report are as follows:
- A = Dialog
- B = System
- C = Communication
- S = Service
- L = Reference

To enable you to identify major security weaknesses and to prioritize the measures to be implemented, an evaluated risk is determined for each check. The evaluated risk is calculated from the severity and the probability of a security violation. The meaning of the evaluated risk is as follows:
- High: the severity is high and the probability is high, or the severity is high and the probability is medium, or the severity is medium and the probability is high
- Medium: the severity is high and the probability is low, or the severity is medium and the probability is medium, or the severity is low and the probability is high
- Low: the severity is medium and the probability is low, or the severity is low and the probability is medium, or the severity is low and the probability is low

How to implement the recommended security measures

To protect your SAP system from security violations, we recommend that you implement the measures proposed in this report. To do so, proceed as follows:
1. Read this report carefully.
2. Double-check that the identified risks actually apply to your system. (Note that incomplete data in the questionnaire can result in the report indicating more vulnerabilities than are actually in your system.)
3. Prioritize the risks and determine those that are acceptable for you.
4. Determine the effort to implement appropriate measures.
5. If required, perform a cost-benefit analysis before applying the measures.
6. Plan and implement the measures.

Do not implement the recommended measures without considering them first. Double-check the impact of the recommended measures before applying them to your system.
For example, implementing a new password policy might be confusing to end users if they have not been notified about the new policy.

How to obtain support for the implementation

In some cases, you may not have the required resources to implement the recommended security measures. If you need support when analyzing the results of the Security Optimization, as well as when determining and implementing the appropriate measures, contact SAP's Security Consulting Team for on-site consulting via SecurityCheck@sap.com.

How to review the effectiveness of the implemented measures

To prove the effectiveness of the implemented measures, you can request an additional complete SAP Security Optimization check. If you are supported by SAP Consulting during the implementation, our security consultants can perform individual checks to prove the effectiveness on-site.

How to obtain additional security-related information

Recommendations and guidelines concerning the security of SAP systems are included in the SAP Security Guide. This guide consists of three separate volumes, each with different levels of detail. Volume I provides an overview of SAP's security services. Volume II describes the services in detail. Volume III contains security checklists. For more information about these guides, see SAP Service Marketplace at http://service.sap.com/securityguide. For additional security-related information, see SAP Service Marketplace at http://service.sap.com/security.

Concluding remark

SAP Security Optimization provides only a snapshot of the effectiveness of the implemented security measures. Over time, however, every system faces changes that might impact your overall system security. We therefore recommend that you run SAP Security Optimization at regular intervals.

9.2 Rating Overview

The following table provides an overview of the checks performed during this service.
Main Chapter | Rating | Check

Special Focus Checks
- Additional Super User Accounts Found (0022)

Authentication
Password Complexity
- Minimum Password Length (0126)
- Trivial Passwords Are Not Sufficiently Prohibited (0125)
Initial Passwords
- Users with Initial Passwords Who Have Never Logged On (0009)
- Users with Reset Password Who Have Not Logged On (0140)
- Interval for Logon with Productive Password Is Too Long (AU081)
- Interval for Password Change Is Too Long (0127)
- Too Many Invalid Logon Attempts Allowed Before a Session Is Terminated (0132)
- Too Many Incorrect Logon Attempts Allowed Before a User Is Locked (0133)
- User Locks due to Failed Logon Attempts Are Automatically Released at Midnight (0134)
- Security Attack Indicated by Users Locked due to Incorrect Logon Attempts (0141)
- Users Who Have Not Logged On for an Extended Period of Time (0010)
- Security Critical Events for End Users Are Not Logged in the Security Audit Log (0136)
- Interval After Which Inactive Users Are Logged Off Is Too Long (0137)
- Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)
- Users - Other Than User Administrators - Are Authorized to Lock/Unlock Users (0135)
- SNC Users Do Not Have to Change Their Initial Password (0606)
- Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of SNC Users to SAP Users (0594)
- Unspecified Accepting of SSO Tickets (0603)
- Users - Other Than System Administrators - Are Authorized to Maintain the SSO Configuration (0604)
- Users - Other Than System Administrators - Are Authorized to Maintain Trusted SSO Ticket Issuing Systems (0605)
- SSO Ticket Can Be Sent via an Unsecured Connection (0608)
- Users - Other Than System Administrators - Are Authorized to Maintain Trusted CAs (0624)
- Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via SNC0 (0625)
- Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via Table Maintenance (0626)
- Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of X.509 Users to SAP Users (0622)

Basis Administration and Basis Authorizations
- Gateway and Message Server Security (BA076)
- Kernel Patch Level (BA077)
- Gateway Security (BA078)
- Gateway Security Properties (BA079)
- Enabling an Initial Security Environment (BA080)
- Gateway Access Control Lists (BA081)
- Message Server Security (BA083)
- Separation of Internal and External Message Server Communication (BA084)
- Message Server Administration Allowed for External Clients (BA085)
- Message Server Access Control List (BA086)
- Users - Other Than System Administrators - Are Authorized to Maintain System Profiles (0152)
- Users - Other Than System Administrators - Are Authorized to Start/Stop Application Servers (0154)
- Users - Other Than System Administrators - Are Authorized to Start/Stop Work Processes (0156)
- Users - Other Than System Administrators - Are Authorized to Lock/Unlock Transactions (0157)
- Users - Other Than System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)
- Users - Other Than System Administrators - Are Authorized to Maintain Own Lock Entries (0166)
- Users - Other Than System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161)
- Users - Other Than System Administrators - Are Authorized to Activate a Trace (0163)
- System Profiles Are Not Consistent (0153)
- Table TPFID Contains OS Passwords (0155)
- No Timely Accurate Resolution of Erroneous Locks (0160)
- No Timely Accurate Resolution of Broken Updates (0162)
- Security Audit Log is not active (0170)
- System Recommendations (ABAP) (BA090)
- Sending Trace Data to Remote Client (0169)
- No Timely Accurate Resolution of Failed Batch Input Sessions (0223)
- Users - Other Than Batch Input Administrators - Are Authorized to Run Batch Input Sessions in Dialog (0221)
- Users - Other Than Batch Input Administrators - Are Authorized to Administer Batch Input Sessions (0222)
- Users - Other Than Spool Administrators - Are Authorized to Display Other Users Spool Requests (0192)
- Users - Other Than Spool Administrators - Are Authorized to Display Protected Spool Requests of Other Users (0198)
- Users - Other Than Spool Administrators - Are Authorized to Display the TemSe Content (0193)
- Users - Other Than Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194)
- Users - Other Than Spool Administrators - Are Authorized to Redirect a Print Request to Another Printer (0195)
- Users - Other Than Spool Administrators - Are Authorized to Export a Print Request (0196)
- Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM' (0211)
- Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212)
- Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in External Commands (0213)
- Users - Other Than Background Administrators - Are Authorized to Schedule Jobs Under Another User Id (0214)
- Users - Other Than System Administrators - Are Authorized to Define External OS Commands (0171)
- Users - Other Than System Administrators - Are Authorized to Execute External OS Commands (0172)
- Users - Other Than System Administrators - Are Authorized to View Content of OS Files with AL11 (0173)
- Unsecured Outgoing RFC Calls (0252)
- SNC Protection for encrypted outgoing RFC calls (0253)
- Unexpected RFC Connections with Complete Logon Data Found (0254)
- Users - Other Than System Administrators - Are Authorized to Administer RFC Connections (0255)
- Unexpected Trusting System Connections Found (0267)
- Users - Other Than System Administrators - Are Authorized to Maintain Trusting Systems (0268)
- Remote Monitoring Function for the RFC Gateway Is Not Disabled (0269)
- Permit-all simulation mode is active for the RFC gateway (0273)
- Users Are Authorized to Run Any RFC Function (0241)
- Users - other than Key Users - are Authorized to Visualize All Tables via RFC (0245)
- Incoming RFC with Expired Password is Allowed (0234)
- Users authorized for Trusted RFC which can be called from any calling user (0248)
- Unexpected Trusted System Connections Found (0238)
- Users - Other Than System Administrators - Are Authorized to Maintain Trusted Systems (0240)
- Users - Other Than System Administrators - Allowed to Maintain the ALE Distribution Model (0723)
- Users - Other Than System Administrators - Allowed to Maintain the Partner Profile (0724)

User Authorization
- Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002)
- User Administrators Are Authorized to Change Their Own User Master Record (0003)
- User Administrators Are Allowed to Maintain Users of Any Group (0004)
- Users Are Not Assigned to User Groups (0005)
- User Data Is Incomplete (0006)
- Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008)
- Usage of 'Normal' Users as Reference Users Is Not Prohibited (0012)
- Users - Other Than User Administrators - Are Authorized to Access Tables with User Data (0013)
- Users - Other Than User Administrators - Are Authorized to Call Function Modules for User Admin (0019)
- Unexpected Users Are Authorized to Change Super User Accounts (0026)
- Users with Profile SAP_NEW (0031)
- User SAP* has the default password in some clients (0041)
- Not all profiles are removed from user SAP* (0042)
- User SAP* is neither locked nor expired (0043)
- User SAP* is not assigned to the user group SUPER (0044)
- User SAP* has been deleted at least in one client (0045)
- Usage of the hard coded user SAP* is not disabled (0046)
- User SAP*'s activities are not logged in the Security Audit Log (0047)
- User DDIC has the default password in some clients (0048)
- User DDIC Is Not Assigned to the User Group SUPER (0049)
- User DDIC's activities are not logged in the Security Audit Log (0050)
- User SAPCPIC has the default password in some clients (0051)
- User SAPCPIC Is Neither Locked nor Expired (0052)
- User SAPCPIC Not Assigned to the Group SUPER (0053)
- User SAPCPIC Has More Authorizations Than Required (0054)
- User EARLYWATCH has the default password (0056)
- User EARLYWATCH Is Not Assigned to User Group SUPER (0058)
- User EARLYWATCH Has More Authorizations Than Required (0059)
- User EARLYWATCH's activities are not logged in the Security Audit Log (0060)
- User TMSADM has the default password in some clients (0063)
- User TMSADM Exists in Clients Other Than Client 000 (0064)
- User TMSADM has more authorizations than required (0065)
- Users Are Authorized to Maintain Roles Directly in the Production System (0072)
- Users Are Authorized to Maintain Profiles Directly in the Production System (0073)
- Users Are Authorized to Maintain Authorizations Directly in the Production System (0074)
- Users Are Authorized to Call Function Modules for Authorization, Role and Profile Management (0087)
- SAP Standard Roles Are Assigned to Users (0082)
- SAP Standard Profiles Are Assigned to Users (0083)
- Inconsistent Assignment of Generated Profiles (0084)
- Unused Roles Are Found (0086)
- Profiles on Long Time Locked Users (0089)
- Users Are Authorized to Disable Authorization Checks Within Transactions (0102)
- Users Are Authorized to Disable Authorization Checks Globally (0105)
- Users Are Authorized to Call Any Transaction (0110)
- Users Are Authorized to Delete an Authorization Check Before Transaction Start (0111)
- Global Disabling of Authority Checks Is Not Prevented (0104)
- Authority Check for Inbound RFC Connections Is Disabled (0106)
- Authority Check for Inbound tRFC Connections Is Disabled (0107)
- Users Comparison After Role Change Is Not Run in a Timely Accurate Manner (0112)

Change Management
- Users - Other Than Key Users - Are Authorized to Start All Reports (0512)
- Users - Other Than Key Users - Are Authorized to Display All Tables (0513)
- Users Are Authorized to Maintain All Tables (0514)
- Users - Other Than System Administrators - Are Authorized to Change the Authorization Group of Tables (0515)
- Users - Other Than Query Administrators - Are Authorized to Administer Queries (0517)
- Users Are Authorized to Execute All Function Modules (0520)
- System Change Option Not Appropriately Configured in the Production System (0301)
- Client Change Option Not Appropriately Configured (0302)
- Users - Other Than System Administrators - Are Authorized to Change the System Change Option (0303)
- Users - Other Than System Administrators - Are Authorized to Change the Client Change Option (0304)
- Clients with an Entry in T000 but Without Any User Data (0319)
- Users - Other Than System Administrators - Are Authorized to Create New Clients (0305)
- Users Are Authorized to Delete Clients (0306)
- Users Are Authorized to Develop in the Production System (0307)
- Users Are Authorized to Debug and Replace Field Values in the Production System (0308)
- Users Are Authorized to Perform Customizing in the Production System (0309)
- Users Are Authorized to Develop Queries in the Production System (0310)
- Execution of CATTs and eCATTs is Not Prevented by Client Settings (0311)
- Users Are Authorized to Execute CATTs in the Production System (0312)
- Users Are Authorized to Execute eCATTs in the Production System (0313)
- SAPgui User Scripting Is Enabled (0314)
- Users Are Authorized to Use the Legacy Migration Workbench (0315)
- Table Logging Is Not Enabled for Import (0317)
- Users Are Authorized to Modify the Table Logging Flag for Tables (0318)
- Development Sources Are Not Scanned for Critical Statements (0335)
- Development Keys Exist in the Productive System (0338)
- Users - Other Than Transport Administrators - Are Authorized to Change the TMS Configuration (0341)
- Users - Other Than Transport Administrators - Are Authorized to Start Imports to Production (0342)
- Users - Other Than Transport Administrators - Are Authorized to Create and Release Transports (0343)
- Users - Other Than Transport Administrators - Are Authorized to Apply Patches (0363)

Web Application Server
- Users - Other Than System Administrators - Are Authorized to Activate ICF Services (0655)
- Users - Other Than System Administrators - Are Authorized to Access Table Authorization Group &NC& (0663)
- External Clients Are Allowed to Switch the Profile Level (0702)
- Additional http Client Connections Found (0682)
- No Proxy Used to Connect to http Servers (0683)
- No Authorization for S_SICF Required for http Client Access (0684)
- Client Proxy Does Not Require Client Authentication (0685)
- Additional http Connections with Full Logon Data Found (0687)
- No Encryption of Outgoing http Communication (0688)
- Users - Other Than System Administrators - Are Authorized to Administrate the ICM (0701)
- Users - Other Than System Administrators - Are Authorized to Display the http Server Cache (0705)
- Users - Other Than System Administrators - Are Authorized to Configure the ICM Monitor (0706)
- External Clients Are Allowed to Switch the Trace Level (0703)
- Users - Other Than System Administrators - Are Authorized to Maintain the System PSE's (0711)
- Users Authorized to Maintain the Sending Systems for User Replication (0864)

Human Resources
- Users - Other Than HR Administrators - Are Authorized to Maintain Table T77S0 (0922)
- Users - Other Than HR Administrators - Are Authorized to Maintain Tables for Organizational Data (0923)
- Users - Other Than HR Administrators - Are Authorized to Read the Infotype Change Log (0924)
- Users - Other Than HR Administrators - Are Authorized to Read HR Tables with Person Related Data (0925)
- Users - Other Than HR Administrators - Are Authorized to Change HR Tables with Person Related Data (0926)
- Users - Other Than HR Administrators - Are Authorized to Maintain Client Dependent HR Customizing (0927)
- Users - Other Than HR Administrators - Are Authorized to Run All HR Transactions (0928)
- Users - Other Than HR Administrators - Have Broad Authorization on HR Reports (0929)
- Users - Other Than HR Administrators - Are Authorized to Read HR Master Data (0936)
- Users - Other Than HR Administrators - Are Authorized to Change Master Data without Double Verification (0937)
- Users - Other Than HR Administrators - Are Authorized to Change their Own Master Data (0939)
- Users - Other Than HR Administrators - Are Authorized to Read Payroll Results (0946)
- Users - Other Than HR Administrators - Are Authorized to Maintain Personnel Calculation Schemas (0947)
- Users - Other Than HR Administrators - Are Authorized to Release a Payroll Run (0950)
- Users - Other Than HR Administrators - Are Authorized to Delete Payroll Results (0951)

9.3 Customizing of Report Output

Tables Listed Examples for:                  Value
Number of users with critical permissions    CUSTOMER
Customer Defined Number                      5

9.4 Used Questionnaire

Find the header data of the selected questionnaire in the table below. If you have chosen to generate a report with an attached copy of the questionnaire, this copy is represented in the following chapters.

Questionnaire Name:
Leading System:     SID = XXX, InstNo = 0123456789
New at:             10.02.2016
Last Changed by:    JDOE
Type:               ABAP
Change Date:        10.02.2016
Change Time:        15:27:19
Questionnaire GUID: 005056837A4F1EE5B3FEB15A4BAF9F93

10 Appended Questionnaire - SAP NetWeaver Application Server ABAP

10.1 Clientlist (0000)

Purpose
To restrict the number of analyzed clients (not recommended).

Procedure
Enter all of your system clients that are to be examined.
You can also leave the table blank (recommended!), in which case all of the clients in your system will be examined. The entry "ALL" as a wildcard for all clients is not supported for this selection.

IMPORTANT: For a complete security check, it is strongly recommended that you have ALL of your system clients examined.

Background:
- Because larger SAP customers tend to divide authorizations among many different users, we have created several different user groups below.
- If you are a smaller customer and only have super users and "normal users", answer the questions for super users because they are automatically removed in all subsequent checks.
- If you divide up your users to an extent but not in as much detail as given in the questionnaire, enter the users in one of the checks and copy the different users to the corresponding tables.

Client
000
002
004
200

10.2 Print the User Data (All Checks)

Procedure
If you want user data (first name, last name, and department of the user) to be printed in the report, select the "Print User Data" field. If you do not select this field, only the user name is printed. When ST14 data is created, a parameter can be used to prevent user data (first and last name) from being sent to SAP.

Print User Data?              Yes   No
SELECT IF USER DATA WANTED          X

10.3 User Authorizations

10.3.1 User Segregation (0004)

Procedure
If you have segregated your users in different user groups, select the field "User Segregation" in the table.

Segregation in User groups                Yes   No
Select checkbox if segregation is used          X

10.3.2 Powerful Users

10.3.2.1 Super Users (0021)

Procedure
List for each client the known super users. These are the users having the profile SAP_ALL.
- Please mention the users with user type "dialog", "service", "system" or "communication".
- If a super user exists in all clients, you can also insert "ALL" in the field "Client" instead of listing all clients Client User Appended Questionnaire - SAP NetWeaver Application Server ABAP Confidential 135/143 Security Optimization Service Client 10.02.2016 User 10.3.2.2 System Administration 10.3.2.2.1 System Administrators (0151) Procedure For each client, list the known system administrators. If a system administrator exists for all clients, you can also insert "ALL" in the field "Client" instead of listing all clients. Client User 10.3.2.2.2 Background Administrators (0217) Procedure For each client, enter the known background administrators. If the background administrators are the same in all clients, enter "ALL" in the field "Client". Client User 10.3.2.2.3 Spool Administrators (0191) Procedure For each client, enter the known spool administrators. If the spool administrators are the same in all clients, enter "ALL" in the "Client" field. Client User 10.3.2.2.4 Transport Administrators (0351) Procedure For each client, enter the known Transport and SPAM Administrators. If the Transport and SPAM Administrators are the same in all clients, enter "ALL" in the field "Client". Client User Appended Questionnaire - SAP NetWeaver Application Server ABAP Confidential 136/143 Security Optimization Service Client 10.02.2016 User 10.3.2.3 User Administration 10.3.2.3.1 Super User Administrators (0025) Procedure For each client, list the known super user administrators. Super user administrators are the user administrators, who are allowed to change users in the group SUPER (for example, SAP*, DDIC). We always check for super users against the group SUPER. If the same super user administrator exists for all clients, you can insert "ALL" in the field "Client" instead of listing all clients. Client User 10.3.2.3.2 User Administrators (0001) Procedure For each client, list the known user administrators. 
If the same user administrator exists for all clients, you can also insert "ALL" in the field "Client" instead of listing all clients. Client User 10.3.2.3.3 Role & Auth Administrators (0071) Procedure For each client, enter the known role and authorization administrators. If the role and authorization administrators are the same in all clients, enter "ALL" in the field "Client". Client User Appended Questionnaire - SAP NetWeaver Application Server ABAP Confidential 137/143 Security Optimization Service 10.02.2016 10.3.2.4 Batch Input Administrators (0224) Procedure For each client, enter the known batch input administrators. If the batch input administrators are the same in all clients, enter "ALL" in the field "Client". Client User 10.3.2.5 Key Users (0511) Procedure For each client, enter the known key users. These users are allowed to start all reports and transaction and have authorization to view all tables. If the key users are the same in all clients, enter "ALL" in the field "Client". Client User 10.3.2.6 Query Administrators (0516) Procedure For each client, enter the known query administrators. If the query administrators are the same in all clients, enter "ALL" in the field "Client". Client User 10.3.3 Trusted RFC users which can be called by any calling user (0249) Procedure For each client, enter the known service users that can be called by any calling user using a trusted RFC connection. If these service users are the same in all clients, enter "ALL" in the "Client" field. Client User Appended Questionnaire - SAP NetWeaver Application Server ABAP Confidential 138/143 Security Optimization Service 10.02.2016 10.4 RFC Connections 10.4.1 Trusting Systems (Outgoing) (0271) Procedure Enter the name of the outgoing RFC destinations from the systems defined as trusting systems in the table RFCDES. 
RFC Destination 10.4.2 Trusted Systems (Incoming) (0246) Procedure Enter the name of the incoming RFC destinations to the systems defined as trusted systems in the table RFCSYSACL. RFC Destination 10.4.3 RFC Connections with Complete Logon Data (0251) Procedure Enter the names of the RFC destinations that you have maintained with complete logon data in table RFCDES. RFC Destination 10.5 Systems Allowed to Issue Trusted SSO Tickets (0602) Procedure Enter the names of the systems allowed to issue trusted SSO tickets. If the systems are the same in all clients, enter "ALL" in the field "Client". Client System Name Appended Questionnaire - SAP NetWeaver Application Server ABAP Confidential 139/143 Security Optimization Service 10.02.2016 10.6 Trusted Certification Authorities (CAs) from which certificates are accepted (0629) Procedure Enter the names of the trusted Certification Authorities (CAs) from which certificates are accepted. Distinguished Name 10.7 Scan of Transports (0348) Procedure If you scan transports for malicious programs, as described in SAP Note521087, select the field "Transport Scan". Do You Scan Transports? Yes Do you scan transports? No X 10.8 Scan of Source Code (0335) Procedure In the table, select the field "Code Scan" if you use the SAP Code Inspector to scan your code for critical statements or function calls such as: Critical statements: - INSERT REPORT - EDITOR_CALL FOR REPORT - SYSTEM_CALL Critical function modules: - ADD_USERPROFILE - DELETE_USER_ON_DB - BAPI_USER_* - SUSR_* - PRGN_* Do You Use the Code Inspector? Yes No Do you use the Code Inspector? X 10.9 Use of the J2EE Engine (0771) Procedure If you use the J2EE Engine of your SAP Web Application Server, select the field "J2EE Engine is Used" in the table. Do You Use the J2EE Engine? Do you use the J2EE Engine? 
Appended Questionnaire - SAP NetWeaver Application Server ABAP Confidential Yes No X 140/143 Security Optimization Service 10.02.2016 11 Appended Questionnaire - SAP Human Capital Management 11.1 HCM Administrators (0921) Procedure For each client with an HR implementation, enter the known HR administrators. If the administrators are the same in all clients, enter "ALL" in the "Client" field. Client User Appended Questionnaire - SAP Human Capital Management Confidential 141/143 Security Optimization Service 10.02.2016 12 Appended Questionnaire - Customer Defined Authorization Checks Purpose of this section Maintain the IDs and titles of Customer Defined Authorization Checks as well as a White Lists of users and a Check Description that is shown in the analysis report. Prerequisite that the Check Definition of the Questionnaire can be processed in the managed system The AddOn ST-A/PI is available on the managed system with release 01N SP01 or higher or with release 01N and SAP Note 1608969. Procedure Step1: Maintain the check titles and a key for the criticality in the table below. HIGH stands for a high c riticality and MEDIUM for a medium criticality. Note that you can modify the Check IDs in the corresponding Questionnaire Session while this is not supported in the Questionnaire document. In the session you can also add or delete IDs. CHECK DEFINITION Check ID Check Title (max. 53 Char.) Criticality (Key) 9000 Customer Defined Authorization MEDIUM Step 2: Enter users in the table below that are authorized for all Customer Define Authorization Checks and shell be excluded from all findings. If you enter ALL in the column client the corresponding user exception is valid for all clients. WHITE LIST FOR ALL CUSTOMER DEFINED AUTH. CHECKS Client User Example for a Customer Defined 'Authorization Check': The following table provides an example of an authorization check definition. This example can be used when you enter your own definitions later on. 
EXAMPLE FOR A CUSTOMER DEFINED 'AUTHORIZATION CHECK' Authorization Object Field Value S_DEVELOP ACTVT 03 S_DEVELOP DEVCLASS STAB S_DEVELOP OBJNAME RSTBPDEL S_DEVELOP OBJTYPE PROG S_TABU_CLI CLIIDMAINT X S_TCODE TCD SA38 S_TCODE TCD SC38 S_TCODE TCD SE38 Step 3: For each Check ID in the table above you find a subchapter below. Each chapter consists of three tables, called 'Authorization Check', 'White List' and 'Check Description'. If you have changed the Check Title in the table above, this will not jet be represented in the sub chapter headings. However the Check ID is the leading figure and the Check Description will be used in later questionnaires as well as in the analysis report. The following steps 3a to 3c apply to each subchapter. Step 3a - Authorizations to be Checked To define the custom authorization checks in this questionnaire then maintain the corresponding 'Authorization Check' tables. The following rules apply: You can enter up to four different authorization objects that are linked with "AND" during the selection of the authorized users. This means that all users are selected that have all of the authorizations specified. In addition, you can enter any number of values for the "S_TCODE" authorization object that are linked with "OR" to each other and with "AND" to the other authorization objects. This means that all users are selected that have all of the authorizations specified and that are authorized for at least one transaction specified in the "S_TCODE" Appended Questionnaire - Customer Defined Authorization Checks Confidential 142/143 Security Optimization Service 10.02.2016 object. The quality and consistency of your input is in your responsibility. No technical plausibility check is performed in this session. An example is given above. Step 3b - White List: Maintain users that are allowed to have the checked authorization in the White List. 'ALL' in column 'Client' indicates that the user is valid for all clients. 
Step 3c - Check Description: You have the option to add a description that will be shown in the analysis report. 12.1 Customer Defined Authorization (9000) AUTHORIZATION CHECK Authorization Object Field Value WHITE LIST Client User CHECK DESCRIPTION Check Description (max. 255 Char.) Appended Questionnaire - Customer Defined Authorization Checks Confidential 143/143