
SAP user IDs and telnet/ssh/rlogin protocols.

donald_voorhees
Participant
0 Kudos

Our company is embarking on a project to harden our OS level security and there has been a recommendation to revoke telnet, ssh, and rlogin from all system IDs.

We are a NetWeaver 7.0/7.30 shop with some 6.40 and legacy 4.6 and 6.20 systems on mostly DB2.

Are these protocols critical to system operation? I ask especially with the DB2 systems as we have partitioned systems as well as LDAP in our environment. Just curious if we can expect any issues once these protocols are revoked.

2 REPLIES

mvoros
Active Contributor
0 Kudos

Hi,

SAP does not use these protocols directly so there shouldn't be any problem from an SAP point of view. The only problem that I can see is in the case of using SAP Console. This old (not supported anymore) tool allows exposing SAP transactions to text-based RF devices. The RF devices connect via telnet to SAP Console. Another case might be if you use some external OS commands from SAP, for example using SFTP to transport files from one server to another.

I am just wondering how you are going to manage your servers at OS level without SSH? One way is to call the OS shell from SAP but I am not sure if admins will like it. I completely agree with banning telnet and rlogin.

Cheers

Former Member
0 Kudos

In addition to telnet and rlogin, don't forget about:

- Gateway secinfo and reginfo ACL files.

- Authorizations of users (particularly all RFC connection users) for S_LOG_COM, S_RZL_ADM and S_DATASET.

- Take a look at system profile parameter rdisp/call_system.

You should not have any problems if you restrict these correctly. For the last one you must check your custom code first and SAP Support might try to convince you not to do it...

Cheers,

Julius
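
An added example, not part of the thread or of any SAP tool: an offline review of two items from the reply above, flagging permit rules with a bare `*` in gateway `secinfo`/`reginfo` ACL files and reporting whether `rdisp/call_system` is left enabled. The file contents are constructed samples in the `#VERSION=2` keyword syntax, `EXAMPLE_PROG` and `apphost1` are hypothetical names, and treating an unset `rdisp/call_system` as enabled is an assumption.

```python
import re

# Constructed sample contents (not taken from the thread or a real system).
SECINFO = """#VERSION=2
P TP=sapxpg HOST=local USER=* USER-HOST=internal
P TP=* HOST=* USER=* USER-HOST=*
D TP=* HOST=* USER=* USER-HOST=*
"""
REGINFO = """#VERSION=2
P TP=EXAMPLE_PROG HOST=apphost1 ACCESS=internal CANCEL=internal
P TP=* HOST=* ACCESS=*
"""
PROFILE = "rdisp/call_system = 1\n"

def parse_acl(text):
    """Yield (line_no, action, {KEY: [values]}) for each P/D rule line."""
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0].upper() not in ("P", "D"):
            continue
        fields = {}
        for pair in parts[1:]:
            key, _, value = pair.partition("=")
            fields[key.upper()] = value.split(",")
        yield no, parts[0].upper(), fields

def wildcard_permits(text, keys):
    """Return [(line_no, [keys set to a bare '*'])] for permit rules only."""
    findings = []
    for no, action, fields in parse_acl(text):
        wild = [k for k in keys if "*" in fields.get(k, [])]
        if action == "P" and wild:
            findings.append((no, wild))
    return findings

def call_system_enabled(profile_text):
    """True unless the profile sets rdisp/call_system to 0 (last setting wins)."""
    value = "1"  # assumption: an unset parameter leaves the call enabled
    for line in profile_text.splitlines():
        m = re.match(r"\s*rdisp/call_system\s*=\s*(\S+)", line)
        if m:
            value = m.group(1)
    return value != "0"

if __name__ == "__main__":
    print("secinfo:", wildcard_permits(SECINFO, ("TP", "HOST", "USER-HOST")))
    print("reginfo:", wildcard_permits(REGINFO, ("TP", "HOST", "ACCESS")))
    print("rdisp/call_system enabled:", call_system_enabled(PROFILE))
```

The authorization objects named in the reply (S_LOG_COM, S_RZL_ADM, S_DATASET) live in the system's role assignments and are not covered by this file-based check.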