23/4/2020 Security in SAP transport Management | SAP Blogs


joris van de Vis


September 6, 2013

Security in SAP transport Management



This blog is written in an effort to raise more awareness of securing your SAP infrastructure, in this case specifically on the topic of securing the SAP Transport Mechanism.

Over the past years a lot of information has been published on securing your SAP infrastructure. SAP itself has published the SAP Security Guides, many SAP security researchers present their findings at security conferences, and here on SCN people are also actively blogging on this topic. Many security-related topics have already been highlighted, but I found there was not much information on the specific topic of securing the SAP Transport Management System (TMS). I therefore did a deep-dive into this topic myself and wrote a whitepaper on it.

To summarize some findings:

5 important vulnerabilities that might exist in your SAP infrastructure related to TMS:

• XPRA execution (a transport can carry a post-import program, an XPRA, that runs in the target system during import)

• User TMSADM exists with the default password, exists outside client 000, or has too much authorisation

• Access rights on the TMS transport directory share are not restrictive enough

• ABAP code vulnerabilities in STMS-related reports and function modules

• Remote execution of tp commands through the gateway

Some solutions to prevent the above:

To prevent XPRA execution:

Perform peer code reviews of all developments
Use SE03 -> “Search for Objects in Requests” to find transports that contain XPRA steps
Consider defining critical objects. This blocks the export of transports that contain an XPRA step.
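The SE03 search above can also be scripted. The following is an added example, not code from the original post: it scans rows shaped like table E071 (the object list of a request) and holds every request that carries an R3TR XPRA entry, which is exactly what the manual SE03 search looks for. The request numbers, object names and the tab-separated input are constructed for the example; the critical-object set is deliberately small and should be extended with your own list.

```python
"""Flag transport requests that carry an XPRA (post-import program) step.

Added example, not code from the original post. It does programmatically
what SE03 -> "Search for Objects in Requests" does for object type XPRA:
an R3TR XPRA entry in a request is a program that runs in the target
system during import, so a request carrying one should be held for review
before release. Input rows mimic table E071 (object list of a request);
the sample rows and request numbers below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class E071Row(NamedTuple):
    trkorr: str    # request/task number, e.g. DEVK900124
    pgmid: str     # program ID: R3TR, LIMU, ...
    object: str    # object type: PROG, XPRA, TABU, ...
    obj_name: str  # object name


# (PGMID, OBJECT) pairs treated as critical. XPRA is the one the post names;
# extend the set with your own critical-objects list.
DEFAULT_CRITICAL: Set[Tuple[str, str]] = {("R3TR", "XPRA")}

# Constructed sample: three requests, one of which carries an XPRA.
SAMPLE_E071: List[E071Row] = [
    E071Row("DEVK900123", "R3TR", "PROG", "ZREPORT_SALES"),
    E071Row("DEVK900123", "LIMU", "REPS", "ZREPORT_SALES"),
    E071Row("DEVK900124", "R3TR", "XPRA", "ZXPRA_CLEANUP"),
    E071Row("DEVK900124", "R3TR", "TABU", "ZCONFIG"),
    E071Row("DEVK900125", "R3TR", "PROG", "ZHELPER"),
]


def parse_e071_tsv(text: str) -> List[E071Row]:
    """Parse a tab-separated export (TRKORR, PGMID, OBJECT, OBJ_NAME per line),
    such as an SE16 download of E071. Blank lines and a header line are skipped."""
    rows: List[E071Row] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("\t")
        if len(parts) < 4 or parts[0].upper() == "TRKORR":
            continue
        rows.append(E071Row(*(p.strip() for p in parts[:4])))
    return rows


def find_critical_objects(rows, critical=DEFAULT_CRITICAL) -> Dict[str, List[str]]:
    """Map each request number to the critical entries it contains."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        if (r.pgmid.upper(), r.object.upper()) in critical:
            hits[r.trkorr].append(f"{r.pgmid} {r.object} {r.obj_name}")
    return dict(hits)


def release_gate(rows, critical=DEFAULT_CRITICAL) -> Tuple[bool, Dict[str, List[str]]]:
    """Return (ok, findings). ok is False when at least one request must be held."""
    findings = find_critical_objects(rows, critical)
    return (not findings), findings


if __name__ == "__main__":
    ok, findings = release_gate(SAMPLE_E071)
    for trkorr, entries in sorted(findings.items()):
        print(f"HOLD {trkorr}: " + "; ".join(entries))
    print("release ok" if ok else "release blocked")
```

Run against a real E071 download the gate blocks DEVK900124-style requests before they leave development; a peer review of the XPRA program itself is still needed, because the script only tells you that one is present.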

Mitigate risks around the TMSADM user:

Change the default password of the TMSADM user in client 000. See SAP Notes 1488406, 761637, 1552894, 1414256 and 1515926
Delete the TMSADM user in clients other than 000
Assign only the profile S_A.TMSADM to user TMSADM

Mitigate risks related to the transport shares:

Set strict rights on the transport shares, so that only the SAP OS users of the connected systems can write to them; a request that anyone can modify on disk can be altered before it is imported.
Mount the shares with the “nosuid” option (Linux/Unix), so a setuid binary placed on the share cannot be used to gain privileges on the hosts that mount it
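Both share checks can be automated. The following is an added example, not code from the original post: it walks a directory tree shaped like /usr/sap/trans and reports world-writable entries, symlinks and setuid/setgid files, and it reads a /proc/mounts-style listing to confirm that the mount holding the share carries nosuid. The temporary tree, the two deliberate faults in it and the mounts text are constructed so the script runs offline; on a real host you would pass the transport directory and the real /proc/mounts contents instead.

```python
"""Audit transport-directory permissions and check the share is mounted nosuid.

Added example, not code from the original post. On a real host you would
point audit_tree() at the transport directory (/usr/sap/trans by default)
and feed the contents of /proc/mounts to mount_has_nosuid(). Here the
directory tree and the mounts text are constructed so the script runs
offline; the path and server names in them are illustrative.
"""
import os
import stat
import tempfile
from typing import List, Set, Tuple

Finding = Tuple[str, str]  # (path, issue)


def _check(path: str, st: os.stat_result, findings: List[Finding]) -> None:
    mode = st.st_mode
    if stat.S_ISLNK(mode):
        # A symlink lets a writer redirect tp to files outside the share.
        findings.append((path, "symlink"))
        return
    if mode & stat.S_IWOTH:
        # Anyone on the host can alter request data/cofiles before import.
        findings.append((path, "world-writable"))
    if mode & stat.S_ISUID:
        # Harmless only if every mount is nosuid; it does not belong on a share at all.
        findings.append((path, "setuid"))
    if (mode & stat.S_ISGID) and not stat.S_ISDIR(mode):
        findings.append((path, "setgid"))


def audit_tree(root: str) -> List[Finding]:
    """Walk root without following symlinks and collect permission findings."""
    findings: List[Finding] = []
    _check(root, os.lstat(root), findings)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            _check(path, os.lstat(path), findings)
    return findings


def audit_relative(root: str) -> Set[Finding]:
    """Same as audit_tree, with paths relative to root (handy for reports)."""
    return {(os.path.relpath(p, root), i) for p, i in audit_tree(root)}


def mount_options(proc_mounts: str, path: str) -> Tuple[str, Set[str]]:
    """Return (mountpoint, options) of the deepest mount that contains path."""
    best: Tuple[str, Set[str]] = ("", set())
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mp = parts[1].replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        opts = set(parts[3].split(","))
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best[0]):
            best = (mp, opts)
    return best


def mount_has_nosuid(proc_mounts: str, path: str) -> bool:
    return "nosuid" in mount_options(proc_mounts, path)[1]


# Constructed /proc/mounts excerpt: the transport share is nosuid, another NFS share is not.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
nfssrv:/export/trans /usr/sap/trans nfs rw,relatime,vers=3,nosuid,nodev 0 0
nfssrv:/export/other /usr/sap/other nfs rw,relatime,vers=3 0 0
"""


def build_sample_tree() -> str:
    """Create a throwaway tree shaped like /usr/sap/trans with two deliberate faults."""
    root = tempfile.mkdtemp(prefix="trans_")
    os.chmod(root, 0o750)
    for sub in ("bin", "cofiles", "data", "log"):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o750)
    data = os.path.join(root, "data", "R900124.DEV")
    with open(data, "w") as fh:
        fh.write("constructed transport data file\n")
    os.chmod(data, 0o666)      # fault 1: world-writable request payload
    helper = os.path.join(root, "bin", "tp_helper")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(helper, 0o4755)   # fault 2: setuid binary on the share
    cofile = os.path.join(root, "cofiles", "K900124.DEV")
    with open(cofile, "w") as fh:
        fh.write("constructed control file\n")
    os.chmod(cofile, 0o640)    # fine
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, issue in sorted(audit_relative(root)):
        print(f"{issue:15} {rel}")
    print("nosuid on /usr/sap/trans:", mount_has_nosuid(SAMPLE_PROC_MOUNTS, "/usr/sap/trans/data"))
```

The two checks complement each other: the nosuid mount option protects the hosts that mount the share even if a setuid file slips in, while the permission audit catches the writable data and cofiles that nosuid does nothing about.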

ABAP vulnerabilities:

Patch. Regularly review the SAP security notes to check for notes that are not covered by SAP Solution Manager System Recommendations; usually these are notes for components that are not registered in SAP Solution Manager.

Remote execution of tp commands:

Protect the gateway with an Access Control List (ACL). See the white paper “Secure Configuration of SAP NetWeaver Application Server for ABAP”
See SAP Note 1371799 on how to prevent starting tp via the gateway
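The gateway ACL that governs which OS programs RFC callers may start is the secinfo file, so that is where a remote tp start gets blocked. The following is an added example, not code from the original post or from SAP Note 1371799: a small evaluator for the version-2 secinfo syntax that shows how a request to start tp is decided. It checks rules top to bottom and lets the first match decide; treating a request that matches no rule as denied is an assumption of the example that you should confirm against your kernel's gateway documentation. The ACL text, host names and users are constructed.

```python
"""Evaluate gateway secinfo rules for a program-start request.

Added example, not code from the original post. secinfo is the gateway's
ACL for starting OS programs (tp among them) on behalf of RFC callers, so
it is where remote tp starts are blocked. This is a simplified evaluator
for the version-2 syntax: rules are checked top to bottom, the first match
decides, and a request matching no rule is denied (an assumption of this
example; confirm the default against your kernel's gateway documentation).
The ACL text, host names and user names below are constructed.
"""
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str     # "P" permit or "D" deny
    tp: str         # program the caller wants to start
    user: str       # calling RFC user
    user_host: str  # host the caller runs on
    host: str       # host on which the program would be started
    line_no: int


def parse_secinfo(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and the #VERSION=2 header
        parts = line.split()
        action = parts[0].upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {n}: expected P or D, got {parts[0]!r}")
        kv = {}
        for tok in parts[1:]:
            key, sep, value = tok.partition("=")
            if not sep:
                raise ValueError(f"line {n}: malformed token {tok!r}")
            kv[key.upper()] = value
        # An omitted field is treated as "*" (simplification of this example).
        rules.append(Rule(action, kv.get("TP", "*"), kv.get("USER", "*"),
                          kv.get("USER-HOST", "*"), kv.get("HOST", "*"), n))
    return rules


def _host_match(pattern: str, value: str, gateway_host: str, internal_hosts) -> bool:
    """Host fields accept the keywords local/internal besides wildcard patterns."""
    p, v = pattern.lower(), value.lower()
    if p == "local":
        return v == gateway_host.lower()
    if p == "internal":
        return v in {h.lower() for h in internal_hosts}
    return fnmatchcase(v, p)


def evaluate(rules, tp, user, user_host, host, gateway_host, internal_hosts=()) -> Tuple[bool, Optional[int]]:
    """Return (permitted, line number of the deciding rule, or None if nothing matched)."""
    for r in rules:
        if (fnmatchcase(tp.lower(), r.tp.lower())
                and fnmatchcase(user.lower(), r.user.lower())
                and _host_match(r.user_host, user_host, gateway_host, internal_hosts)
                and _host_match(r.host, host, gateway_host, internal_hosts)):
            return r.action == "P", r.line_no
    return False, None  # default deny (assumption, see module docstring)


# Constructed ACL: local starts are allowed, sapxpg may be started from the
# system's own application servers, and tp is denied from everywhere else.
SAMPLE_SECINFO = """\
#VERSION=2
# constructed example, not a recommended production file
P TP=* USER=* USER-HOST=local HOST=local
P TP=sapxpg USER=* USER-HOST=internal HOST=internal
D TP=tp USER=* USER-HOST=* HOST=*
"""

GATEWAY = "devapp1"
INTERNAL = ("devapp1", "devapp2")

if __name__ == "__main__":
    rules = parse_secinfo(SAMPLE_SECINFO)
    for req in (("tp", "TMSADM", "devapp1", "devapp1"),
                ("tp", "TMSADM", "attacker-pc", "devapp1"),
                ("sapxpg", "BATCH", "devapp2", "devapp1")):
        ok, line = evaluate(rules, *req, gateway_host=GATEWAY, internal_hosts=INTERNAL)
        print(req, "PERMIT" if ok else "DENY", f"(rule line {line})" if line else "(no rule matched)")
```

Rule order is the thing to get right: the same deny line placed before the local permit also blocks tp on the gateway host itself, which breaks local transports rather than hardening them. Test any change with the hosts and users that legitimately start tp before rolling it out.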

General recommendations somewhat related:

When changing the password of the TMSADM user, do NOT use the new default password. Instead choose your own strong password
Protect RFC connections between systems with SNC
Make sure strict transport procedures are in place. Consider using ChaRM (Change Request Management in SAP Solution Manager): it standardizes the way transports are moved through the landscape and enforces one way of working, which removes manual steps and reduces risk.
Do NOT forget the HUMAN factor, as it is often the weakest link
See the SAP Security Guides for more information

For more background information on this topic, including a detailed description of how these vulnerabilities can be exploited, see the whitepaper at:
http://www.erp-sec.com/news/


Tags: Security, management, stms, tms, transport


2 Comments


M. Dijsselbloem

September 9, 2013 at 8:07 pm

Hey Joris,

Long time no see!

Thanks for outlining these vulnerabilities.

Cheers!

Mark


Rakesh Ram

November 9, 2014 at 1:04 am

Hey Joris,

Happened to see this today, and great doc… Thanks for sharing

Regards

Deepak
