The feedback on secure by default in SAP S/4HANA shows that our approach is highly appreciated by customers. With the release of SAP S/4HANA 2022, our “Secure by Default” program continued, and we addressed additional topics for fresh installations, system copies and conversions. This time we also covered adjacent components such as SAP Host Agent and SAP Start Service, so that TLS1.2-only settings can be realized consistently for SAP S/4HANA.
With SAP S/4HANA 2022, we extended the scope and coverage again and addressed several important configurations. The latest secure by default settings are applied to:
SAP S/4HANA 2022
All SAP products based on S/4HANA Foundation 2022
List of new Secure By Default Settings
In new installations, system copies and conversions, the following security-relevant settings and configurations are applied automatically:
Prevent users that are not of type Reference from being assigned as reference users. Assigning a normal user holding SAP_ALL as a reference user is a common attack vector to hide the SAP_ALL assignment, because the privileges are inherited rather than assigned directly.
Enforce TLS1.2-only (TLS1.0 and TLS1.1 disabled) for the web-based interfaces of SAP S/4HANA, reflecting the industry-wide deprecation of TLS1.0 and TLS1.1. This covers:
SAP Internet Communication Manager (ICM)
SAP Start Service
SAP Host Agent
Mandatory SSL/TLS protection for session logon tickets, so that the logon ticket cookie is only transmitted over HTTPS and cannot be captured on the wire for session hijacking
Protect the RFC gateway against unauthorized RFC call forwarding (proxying), which would otherwise let a caller reach systems behind the gateway and bypass firewall rules
Performance-optimized logging of RFC and SICF usage, so that unused RFC function modules and SICF services can be identified and deactivated to reduce the attack surface
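Several of the settings above are plain profile parameters, so they can be verified after an installation or conversion by reading the profile files. The following Python script is an added example (not SAP code and not part of the original post): it parses an SAP profile (DEFAULT.PFL, an instance profile or the SAP Host Agent host_profile, which all share the same `name = value` format) and reports deviations for login/ticket_only_by_https, gw/acl_mode, ssl/ciphersuites and ssl/client_ciphersuites. The sample profile embedded in the script is constructed, not taken from a real system. The exact TLS1.2-only values for the two ssl/ parameters depend on the CommonCryptoLib version and must be taken from SAP Note 510007, so the script only verifies that they are set explicitly unless you pass your own target values; that gw/acl_mode = 1 represents the gateway item above is an assumption, since the forwarding rules themselves live in the file named by gw/prxy_info, which the script does not parse. The reference-user restriction is a customizing setting, not a profile parameter, and is therefore not checked here.

```python
"""Check SAP profile files for the secure-by-default settings discussed above.

Added example, not SAP code. The parameter names are real SAP profile
parameters; the TLS1.2-only protocol values for ssl/ciphersuites and
ssl/client_ciphersuites are deliberately not hard-coded, because they depend
on the CommonCryptoLib version and must be taken from SAP Note 510007.
"""
import sys

# Constructed sample instance profile (not from a real system). It still has
# logon tickets allowed over plain HTTP and no explicit client-side TLS
# setting, so the checker reports two findings against it.
SAMPLE_PROFILE = """\
# Instance profile (constructed sample)
SAPSYSTEMNAME = S4H
INSTANCE_NAME = D00
SAPSYSTEM = 00
DIR_DATA = $(DIR_INSTANCE)$(DIR_SEP)data
login/ticket_only_by_https = 0
gw/acl_mode = 1
gw/prxy_info = $(DIR_DATA)$(DIR_SEP)prxyinfo
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
icm/server_port_0 = PROT=HTTPS,PORT=443$$
"""


def parse_profile(text):
    """Parse the 'name = value' lines of an SAP profile into a dict.

    Comment lines start with '#'. Only the first '=' separates name and
    value, so values such as PROT=HTTPS,PORT=443$$ survive intact.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def protocol_field(ciphersuite_value):
    """Return the leading numeric protocol/option field of an ssl/ciphersuites
    value ('<number>:<cipher specification>'), or None if it is malformed."""
    head = ciphersuite_value.split(":", 1)[0].strip()
    return int(head) if head.isdigit() else None


def check_secure_defaults(params, expected_tls=None):
    """Return a list of findings; an empty list means all checks passed.

    expected_tls optionally maps 'ssl/ciphersuites' and/or
    'ssl/client_ciphersuites' to the TLS1.2-only values of your hardening
    standard. Without it, the script only requires an explicit value, since
    an unset parameter silently falls back to the CommonCryptoLib default.
    """
    findings = []

    # Logon ticket cookie must only be issued over HTTPS.
    ticket = params.get("login/ticket_only_by_https")
    if ticket != "1":
        findings.append(
            "login/ticket_only_by_https is %r, expected 1 (logon ticket must "
            "only be sent over HTTPS)" % ticket)

    # Assumption: gw/acl_mode = 1 makes the gateway apply restrictive defaults
    # when its ACL files are missing. The RFC forwarding rules themselves are
    # in the prxyinfo file named by gw/prxy_info, which is not parsed here.
    if params.get("gw/acl_mode") != "1":
        findings.append("gw/acl_mode is %r, expected 1" % params.get("gw/acl_mode"))

    # Server-side (ICM) and client-side TLS protocol/cipher configuration.
    for name in ("ssl/ciphersuites", "ssl/client_ciphersuites"):
        value = params.get(name)
        if value is None:
            findings.append(
                "%s not set; TLS protocol versions follow the CommonCryptoLib "
                "default instead of an explicit TLS1.2-only value" % name)
            continue
        if protocol_field(value) is None:
            findings.append("%s = %r has no numeric protocol field" % (name, value))
            continue
        if expected_tls and name in expected_tls and value != expected_tls[name]:
            findings.append("%s = %r, expected %r" % (name, value, expected_tls[name]))
    return findings


def check_profile_file(path, expected_tls=None):
    """Read a profile file from disk and run the checks on it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_secure_defaults(parse_profile(fh.read()), expected_tls)


if __name__ == "__main__":
    # Usage: python check_profile.py /usr/sap/<SID>/SYS/profile/<SID>_D00_<host> ...
    # Without arguments the constructed sample profile is checked.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for finding in check_profile_file(path):
                print("%s: %s" % (path, finding))
    else:
        for finding in check_secure_defaults(parse_profile(SAMPLE_PROFILE)):
            print("sample: %s" % finding)
```

Run it against all profiles of a system (DEFAULT.PFL plus every instance profile) and against the SAP Host Agent host_profile, since TLS1.2-only has to hold on each of the three components listed above; a parameter that is only set in DEFAULT.PFL can still be overridden in an instance profile.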
As with SAP S/4HANA 1909, 2020 and 2021, customers receive the security settings automatically with new installations, system copies and conversions. An opt-out is possible for the security-relevant profile parameters, but SAP does not recommend it. More details can be found in SAP Note 2926224.
Since secure by default settings cannot and will not cover all security settings of an S/4HANA system, we strongly recommend that customers review and improve their security settings further. Good sources are the SAP security whitepapers. Secure by default settings are a good starting point, but further settings and configurations are customer specific, cannot be shipped as defaults, or need to be applied regularly (e.g. security patching).
Use the SAP-provided tools and services such as EarlyWatch Alert, Configuration Validation and System Recommendations to identify missing security patches and deviating security configuration. They inform you about gaps in a cost-efficient way.
Introduce disruptive security settings with good timing. Conversion projects and new installations are ideal points in time to increase security: no additional effort for security testing is required, because testing is scheduled anyway, and testing is the most expensive part of a security change.
Please refer to these blogs for older SAP S/4HANA releases