2024 Oct 09 2:32 PM
Dear All,
We noticed there is a user who is taking advantage of his access by using an RFC from the quality system to remotely log on to the PRD system with a dialog emergency user, and he performs changes on the PRD system with the SAP edit action so he doesn't leave traces of his actions.
He uses a user designed for emergency access, so the user has the debug option enabled.
We want somehow, through SMGW and the secinfo file, to restrict this kind of access.
We have tried a Deny-type rule with the source hostname as the USER host, but with no success.
The entry we see at active connections is the below:
sapgw04 172.XX.X.XXX sapgw03 EMERG Connected SAPLOGON
Can you please assist on that?
2024 Oct 10 6:04 AM
Hello Panos,
this is known as RFC hopping. To prevent this, don't store credentials in RFC destinations from systems of lower security classification to systems of higher classification (e.g., dev->prod, qas->prod). Make sure the emergency user can only be used in emergency cases by locking it when not in use, and rotate the password frequently. Enable the security audit log for this user and implement a process that provides evidence of which person used the emergency user at which point in time.
The secinfo is not considered for such connections.
Br,
Joe
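As an added illustration of Joe's first point (not code from the thread or from SAP), the check below walks a list of RFC destinations and flags the two conditions that make RFC hopping possible: a type 3 (ABAP) destination defined on a lower-tier system that carries a stored password or a trust relationship towards a higher-tier system, and a destination whose stored logon user is a dialog user, which is what lets someone use "Remote Logon" from SM59 and land in the target with that user's full authorizations. The record layout, the SID-to-tier mapping and the sample destinations are all constructed for the example; they are not the layout of the RFCDES table, and a real run would be fed from an export of SM59/RFCDES plus the user types from USR02.

```python
"""Flag RFC destinations that enable RFC hopping.

Added example for this thread, not code from SAP or from the original posters.
All input data below is constructed; the field set is a simplified stand-in
for what an SM59/RFCDES export and the USR02 user type would give you.
"""
from dataclasses import dataclass

# Assumed security classification of the systems; higher number = higher tier.
TIER = {"DEV": 1, "QAS": 2, "PRD": 3}


@dataclass(frozen=True)
class RfcDest:
    owner_sid: str         # system on which the destination is defined
    name: str              # destination name as shown in SM59
    target_sid: str        # system the destination connects to
    rfc_type: str          # "3" = ABAP connection, "T" = TCP/IP, "G"/"H" = HTTP
    user: str              # logon user stored in the destination ("" if none)
    user_type: str         # type of that user in the target: DIALOG, SYSTEM, COMMUNICATION, ""
    stored_password: bool  # a password is saved in the destination
    trusted: bool          # trusted/trusting relationship is used instead of a password


def audit_rfc_destinations(dests):
    """Return (owner_sid, destination, reason) tuples for risky destinations."""
    findings = []
    for d in dests:
        # Only ABAP-to-ABAP destinations can be used for a remote dialog logon;
        # TCP/IP and HTTP destinations are out of scope for this check.
        if d.rfc_type != "3":
            continue
        src, dst = TIER.get(d.owner_sid), TIER.get(d.target_sid)
        if src is None or dst is None:
            findings.append((d.owner_sid, d.name,
                             "system tier unknown, classify it before judging"))
            continue
        # Rule 1: credentials or trust pointing "uphill" (e.g. QAS -> PRD) let anyone
        # who controls the lower system reach the higher one without a second logon.
        if src < dst and (d.stored_password or d.trusted):
            findings.append((d.owner_sid, d.name,
                             f"stored credentials/trust from tier {src} to tier {dst} enables RFC hopping"))
        # Rule 2: a dialog user with a saved password allows SM59 "Remote Logon"
        # with that user's complete authorizations (debug, SAP edit, ...).
        if d.stored_password and d.user_type == "DIALOG":
            findings.append((d.owner_sid, d.name,
                             f"dialog user {d.user} with stored password permits remote logon"))
    return findings


# Constructed sample data; the first entry mirrors the situation in the thread.
SAMPLE_DESTS = [
    RfcDest("QAS", "PRDCLNT100", "PRD", "3", "EMERG", "DIALOG", True, False),
    RfcDest("DEV", "QASCLNT200_TMS", "QAS", "3", "TMSADM", "SYSTEM", True, False),
    RfcDest("PRD", "QASCLNT200", "QAS", "3", "BATCH_RFC", "SYSTEM", True, False),
    RfcDest("PRD", "PRD_LOCAL_CHECK", "PRD", "3", "", "", False, False),
    RfcDest("QAS", "PRD_TRUST", "PRD", "3", "", "", False, True),
    RfcDest("QAS", "EXT_PROGRAM", "PRD", "T", "", "", False, False),
]


if __name__ == "__main__":
    for owner, name, reason in audit_rfc_destinations(SAMPLE_DESTS):
        print(f"{owner}:{name}: {reason}")
```

On the sample data the QAS destination that stores the dialog emergency user's password is reported twice (uphill credentials and dialog user), the DEV->QAS and trusted QAS->PRD destinations once each, and the PRD->QAS destination not at all, because credentials pointing downhill do not create a path into the higher-tier system.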
2024 Oct 10 6:56 AM
Hello Joe,
What you wrote were my conclusions also, but I secretly hoped I was missing something...
Thanks a lot for your response!
Br,
Panos
2024 Oct 10 3:29 PM
SAP has a whitepaper on how to secure RFC - please refer to Securing Remote Function Call (RFC) (sap.com)
2024 Oct 14 10:58 AM
Hello,
I would remove debugging (with edit) from your firefighter user.
If you want to have it still, why do you not lock the user?
Our firefighter users are always locked. If you want to use them, you have to write an incident ticket to SAP Basis to unlock them. There is also a list of people who are allowed to do so.
My 2 cents.