SAP System Security When Using Windows Trusted Domains

In the standard installation procedures, especially in large system configurations, we recommend establishing separate domains for your company data and your SAP system. We also recommend using the Windows trusted domain concept, because certain SAP-specific features and Windows-specific services require trust relationships between domains.

Some services require only a uni-directional trust relationship (for example, network printing with the Print Manager, or file transfer batches using operating system commands such as xcopy or move).

Other services require a bi-directional trust relationship, for example, Single Sign-On using Microsoft's LAN Manager Security Service Provider Interface (NTLMSSPI).

When you install your SAP system, the installation tool SAPinst automatically performs all steps relevant to protecting your system against unauthorized access. For example, it creates the required user accounts and groups and protects the most important directories.

- SAPinst creates the following domain users:

  - <sapsid>adm

    This is the SAP system administrator account that enables interactive administration of the system.

  - SAPService<SAPSID> (this user is not created for Informix installations)

    This is the virtual user account required to start the SAP system. It has the local user right to log on as a service and is a member of the local Administrators group.

- SAPinst creates the domain group SAP_<SAPSID>_GlobalAdmin.

- SAPinst creates the local group SAP_<SAPSID>_LocalAdmin and adds the domain group SAP_<SAPSID>_GlobalAdmin to it.

- SAPinst creates the local administrator group SAP_<SAPSID>_LocalAdmin on the transport host. Members of this group have full control over the transport directory \usr\sap\trans, which allows transports to take place between systems. The SAP_<SAPSID>_GlobalAdmin group is added to the SAP_LocalAdmin group.

- SAPinst protects the SAP directories \usr, \usr\sap, \usr\sap\trans, \usr\sap\<sapsid> and their subdirectories by granting Full control access rights only to the Administrators and SAP_<SAPSID>_LocalAdmin groups.

- Eliminate any Full control rights for Everyone on shares on the SAP system servers.

- For additional protection, you can eliminate the dynamically created Windows root shares on the SAP system server. The server can then only be accessed from the network through manually created shares.

- If you have installed other software on the application server, make sure that the access rights for its directories and files are also set properly.

- These rights apply specifically to SAP system resources. For details on the database files and directories, see the security instructions from your database supplier.
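The following PowerShell script is an added example, not part of the SAP documentation or of SAPinst, that audits the protections listed above after installation: it reports any principal other than Administrators and SAP_<SAPSID>_LocalAdmin holding Full control on the SAP directories, any share granting Everyone Full control, and any administrative root shares still present. It assumes a SAP system ID of C11 on drive E: (both placeholders) and the SmbShare cmdlets available on Windows Server 2012 and later.

```powershell
# Added example (not SAP's code): post-installation check of SAP directory ACLs and shares.
# Assumptions: <SAPSID> = C11 and the SAP directories live on E: (both placeholders);
# Get-SmbShare / Get-SmbShareAccess require Windows Server 2012 or later. Run as administrator.
$Sid   = 'C11'
$Drive = 'E:'
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Only these two groups should hold Full control according to the SAP guidelines above;
# any other principal (including SYSTEM or CREATOR OWNER, if present) is reported for review.
$AllowedFullControl = @('BUILTIN\Administrators', "$env:COMPUTERNAME\SAP_${Sid}_LocalAdmin")

$SapDirs = @("$Drive\usr", "$Drive\usr\sap", "$Drive\usr\sap\trans", "$Drive\usr\sap\$Sid")
foreach ($dir in $SapDirs) {
    if (-not (Test-Path -Path $dir)) { Write-Warning "$dir not found"; continue }
    foreach ($ace in (Get-Acl -Path $dir).Access) {
        # An ACE grants Full control when every FullControl bit is set in its rights mask.
        $grantsFull = ($ace.FileSystemRights -band $FullControl) -eq $FullControl
        if ($ace.AccessControlType -eq 'Allow' -and $grantsFull -and
            $AllowedFullControl -notcontains $ace.IdentityReference.Value) {
            Write-Warning "$dir : unexpected Full control for $($ace.IdentityReference.Value)"
        }
    }
}

# Shares: the dynamically created root shares (C$, D$, ..., ADMIN$) are listed so they can be
# removed if desired; any other share that grants Everyone Full control is flagged.
foreach ($share in Get-SmbShare) {
    if ($share.Name -match '^[A-Za-z]\$$' -or $share.Name -eq 'ADMIN$') {
        Write-Output "Administrative root share present: $($share.Name)"
        continue
    }
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and
                       $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -eq 'Full' } |
        ForEach-Object { Write-Warning "Share $($share.Name): Everyone has Full control" }
}
```

The directory check looks at explicit and inherited ACEs alike, so a finding on \usr\sap\<sapsid> may originate from a parent directory; fix it there rather than on each subdirectory.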