Table of Contents
1 Executive Summary
2 Microsoft and SAP Partnership
3 SAP Solution Security Implementation
3.1 Security Layers
3.2 Minimum Windows Release Prerequisites
The document assumes that the downward-compatible kernel 7.20 is used.
3.3 Security Implementation
3.3.1 Step 1 – Create Dedicated SAP Management Station(s)
3.3.2 Step 2 – Isolate SAP backend systems in a dedicated VLAN
3.3.3 Step 3 – Close all inbound non-SAP ports
3.3.4 Step 4 – Close Web outbound ports
3.3.5 Step 5 – Change Windows Terminal Services Port
3.3.6 Step 6 – Use Terminal Services Client 6.0
3.3.7 Step 7 – Create dedicated SAP Active Directory Container
3.3.7.1 Create Development, management station, QAS and production sub-containers
If the SAP administrator is familiar with Active Directory, the Active Directory team may delegate authority to reset passwords or create new accounts to the SAP administrator. Note: The SAP administrator will only have permissions to change accounts inside the SAP Organizational Unit.
3.3.7.2 Enable Policy block on SAP container
3.3.8 Step 8 – Create a policy for the SAP servers using SCW
3.3.8.1 Windows firewall and network settings
3.3.8.2 Uninstall Internet Explorer
3.3.8.3 Check system auditing configuration
3.3.9 Step 9 – Move Management Station & SAP Servers to AD Containers
3.3.10 Step 10 – Apply Policies to Management Station & SAP Containers
3.3.11 Step 11 – Rename local administrator account using a function
3.3.12 Step 12 – Remove Domain Admins and all other user accounts
3.3.13 Step 13 – MS SQL Server Security
3.3.13.1 SQL Server Security Configuration
3.3.13.2 Use of scripts & direct access to the database
3.3.13.3 Security Requirements for SQL Server Service Accounts
3.3.13.4 Admin Connection
3.3.14 Step 14 – Secure SAP Service Accounts
3.3.14.1 Validate & Adjust DOMAIN\adm & DOMAIN\SAPService security
3.3.15 Web Dispatcher & SAP MMC
3.3.16 Step – Physical Data Centre Security
3.3.17 Windows Server Core Deployments