Unprotected Interfaces are Attractive Targets for Attackers
Analyze the RFC Interfaces of your SAP® Systems
SAP® interfaces are often not considered when SAP® systems are protected. Therefore, they remain unprotected and provide attractive targets for attackers.
Experience from numerous SAP® security audits and penetration tests for SAP® systems shows repeatedly that, in almost every SAP® system checked, unprotected interfaces exist that could allow attackers direct access to your SAP® systems.
An extensive analysis of the interfaces between SAP® systems requires a holistic consideration of the interfaces because their configuration may contain vulnerabilities on several levels.
Complex system environments and SAP® systems that have a large number of interfaces, such as SAP® Solution Manager, as appropriate for operational scenarios quickly become confusing with regards to their communication requirements with other upstream or downstream systems. This situation tends to become even less transparent over the course of a system life cycle.
For a comprehensive analysis, it is necessary to carry out a fundamental baseline inventory of the current interface relationships within a customer’s system landscape.
In the results, there is a list of interfaces that must be evaluated according to various considerations regarding their actual operational necessity and security.
The following procedure is available for the implementation:
Are the determined interfaces actually relevant for operations and do they work properly? In this case, it may be necessary to remove incorrect connections and legacy systems that came to exist via test scenarios, upgrades, and so on.
The remaining interfaces must be analyzed with regard to their completion and security aspects (such as user/authorization assignments and trust).
The determined vulnerabilities must be removed, and the documentation concerned (for example, an authorization concept) must be adjusted. Settings of dependent components, such as RFC Gateway, also must be adjusted.
Take advantage of our experience gained from many SAP® security audits and penetration tests and let us advise you .