Greetings, dear readers!
Today I would like to share with you some thoughts about security in the SAP environment. I hear people talking about security a lot: GRC implementations, HTTPS and protocol appliances, and other security enhancements meant to improve overall security and authorizations. We all love talking about cloud solutions, mobile tools and their security, and other aspects of everyday SAP maintenance.
How about taking it back to a more basic level? The steps below can be executed by anyone with an SAP GUI installation, without even having a user in SAP. Be careful with your commands...
* This post applies to Windows-based installations with an SAP BASIS component lower than EHP1, patch 10.
- Open your SAP GUI
- Double-click on one of your SAP installations (I suggest you don't touch your production environment)
- Log on to the system by changing the client number to 066, user EARLYWATCH, password 'support'
- Execute transaction SM51
- While in SM51, execute the command GREP
- Paste the line below and click "Find" - you will get the full configuration of the server
As you might understand, you can execute command-prompt commands directly from SAP without even having a user there. You can, for example, change the word 'set' in the line above to 'ipconfig', which will return the network configuration.
Security, huh?
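What a Basis or security team can take from the post is a monitoring question: is anyone still logging on to client 066 or with a delivered standard account, and who is starting OS-reaching transactions like SM51? The script below is an added example, not code from the original post. It parses a constructed, simplified audit record format (timestamp;client;user;terminal;event;detail), which is NOT the real SAP Security Audit Log layout, and flags exactly those three situations. The account name EARLYWATCH and client 066 come from the post; SAP*, DDIC and SAPCPIC are the other well-known SAP-delivered users; the admin list BASIS_ADMINS and the sample records are assumptions constructed for the example.

```python
"""Flag risky logons and OS-reaching transaction starts in SAP audit records.

Added example, not from the original post. The record format is a
constructed, simplified one (timestamp;client;user;terminal;event;detail);
it is NOT the real SAP Security Audit Log layout.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# SAP-delivered standard accounts. EARLYWATCH in client 066 is the one the
# post relies on; the others are the well-known delivered users covered by
# the same post-installation hardening steps.
STANDARD_USERS: Set[str] = {"EARLYWATCH", "SAP*", "DDIC", "SAPCPIC"}

# Transactions that let an administrator reach the operating system from
# inside SAP. SM51 is the one shown in the post.
OS_REACHING_TCODES: Set[str] = {"SM51"}

# Hypothetical list of accounts expected to run Basis transactions (assumption).
BASIS_ADMINS: Set[str] = {"BASIS_ADM"}

# Constructed sample records, not real SAP output.
SAMPLE_LOG: List[str] = """
# timestamp;client;user;terminal;event;detail
2012-03-01 09:00:01;100;BASIS_ADM;WS-BASIS01;LOGON;OK
2012-03-01 09:00:05;100;BASIS_ADM;WS-BASIS01;TX_START;SM51
2012-03-01 09:10:12;066;EARLYWATCH;WS-GUEST17;LOGON;OK
2012-03-01 09:10:40;066;EARLYWATCH;WS-GUEST17;TX_START;SM51
2012-03-01 09:15:00;100;JDOE;WS-FIN02;LOGON;OK
2012-03-01 09:16:30;100;JDOE;WS-FIN02;TX_START;SM51
2012-03-01 09:20:00;100;SAP*;WS-GUEST17;LOGON;FAILED
2012-03-01 09:25:00;000;DDIC;WS-GUEST17;LOGON;OK
""".strip().splitlines()


@dataclass
class AuditRecord:
    timestamp: str
    client: str
    user: str
    terminal: str
    event: str   # "LOGON" or "TX_START" in this constructed format
    detail: str  # logon result ("OK"/"FAILED") or the transaction code


def parse_record(line: str) -> AuditRecord:
    """Parse one semicolon-separated record of the constructed format."""
    fields = [f.strip() for f in line.split(";")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    return AuditRecord(*fields)


# Each finding is (rule, client, user, timestamp).
Finding = Tuple[str, str, str, str]


def analyse(lines: List[str]) -> List[Finding]:
    """Apply the three rules to the records and return the findings in order."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and the header comment
        rec = parse_record(line)
        if rec.event == "LOGON" and rec.detail == "OK":
            # Rule 1: any successful logon to client 066 is suspicious, since the
            # install guide expects that client to be secured or removed.
            if rec.client == "066":
                findings.append(("CLIENT_066_LOGON", rec.client, rec.user, rec.timestamp))
            # Rule 2: a delivered standard account logging on interactively.
            elif rec.user in STANDARD_USERS:
                findings.append(("STANDARD_USER_LOGON", rec.client, rec.user, rec.timestamp))
        elif rec.event == "TX_START" and rec.detail in OS_REACHING_TCODES:
            # Rule 3: an OS-reaching tcode started by someone outside the Basis
            # team, or from client 066 at all.
            if rec.user not in BASIS_ADMINS or rec.client == "066":
                findings.append(("OS_TCODE_UNEXPECTED", rec.client, rec.user, rec.timestamp))
    return findings


if __name__ == "__main__":
    for rule, client, user, ts in analyse(SAMPLE_LOG):
        print(f"{ts}  {rule:<22} client={client} user={user}")
```

Running it against the constructed sample produces four findings: the EARLYWATCH logon to client 066, the SM51 start that followed it, the SM51 start by the non-Basis user JDOE, and the DDIC logon. The failed SAP* logon and the Basis administrator's own SM51 use are not reported, which is the point: the transaction itself is a legitimate Basis tool, and what needs watching is who runs it and from which client.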
So you have authorization for SM51, right?
Well... if you didn't, that'd be hackable if you also had debug auth with variable-change auth... (and ABAP reading/debugging skills).
But if you didn't... well...
then SM51 isn't really that unsafe. It's a BASIS tcode to provide Basis the means to interact with the OS from SAP.
Oh, and this means you have different commands depending on which OS you're on.
You're showing there an improper use of a high-profile tcode. I keep thinking SAP is secure if administered by a good Basis team.
P.S.: Windows, MacOS and Linux all have "tools of mass destruction", all limited by authorization profiles.
Hi Rogerio,
You are right about it; with the correct BASIS people you can sleep well. The problem is that many organizations didn't pay attention to this part of the install guide, and therefore have such security breaches.
Regards,
Ivan