The servers are the most vulnerable part of your network infrastructure and you should take special care to protect them from unauthorized access. However, there are a number of network services that do allow server access, and you should take appropriate precautions when using these services.
A typical Unix or Windows server machine runs many network services, of which only a few are actually needed for running an SAP system. The names of these services are contained in the file /etc/services. This file maps the symbolic name of each service to a specific protocol and numeric port number. (Under Windows, the file is located at: /winnt/system32/drivers/etc/services.)
Disable any of these network services on the server net that you do not need. Some of these services (for example, sendmail) contain known errors that unauthorized users may be able to exploit to gain access to your network. Disabling unused network services also makes your network less vulnerable to denial-of-service attacks.
For an even higher level of security, we also recommend that you use static password files and disable any unnecessary access services on the application and database servers.
You can list the active services and open ports on a UNIX or Windows NT server with the command netstat -a.
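The review described above, as an added example that is not part of the original SAP documentation: it joins netstat output against a services file and reports every listening TCP port whose service is not on an allowlist. The sample data, the allowlist, the function name unneeded_listeners and the use of numeric netstat -an output are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in /etc/services format: name, port/protocol, aliases.
sample_services() {
cat <<'EOF'
# name    port/proto  aliases
ftp       21/tcp
ssh       22/tcp
smtp      25/tcp      mail
sapdp00   3200/tcp
sapgw00   3300/tcp
EOF
}

# Constructed sample of numeric netstat output (netstat -an, Linux-style columns).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address  State
tcp   0      0      0.0.0.0:21     0.0.0.0:*        LISTEN
tcp   0      0      0.0.0.0:22     0.0.0.0:*        LISTEN
tcp   0      0      0.0.0.0:25     0.0.0.0:*        LISTEN
tcp   0      0      0.0.0.0:3200   0.0.0.0:*        LISTEN
tcp   0      0      0.0.0.0:3300   0.0.0.0:*        LISTEN
tcp   0      0      0.0.0.0:8099   0.0.0.0:*        LISTEN
tcp   0      0      10.0.0.5:22    10.0.0.9:51544   ESTABLISHED
EOF
}

# unneeded_listeners SERVICES_FILE NETSTAT_FILE "allowed service names"
# Prints "port/tcp name" for each listening TCP port that is not allowlisted.
unneeded_listeners() {
  awk -v allow="$3" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # First file: build the port/protocol -> name map, ignoring comments.
    FNR == NR { sub(/#.*/, ""); if (NF >= 2) name[$2] = $1; next }
    # Second file: only TCP sockets in LISTEN state are exposed services.
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      port = $4; sub(/.*[:.]/, "", port)       # strip the address part
      key = port "/tcp"
      svc = (key in name) ? name[key] : "unknown"
      if (!(svc in ok) && !seen[key]++) print key, svc
    }' "$1" "$2"
}

tmp=$(mktemp -d)
sample_services > "$tmp/services"; sample_netstat > "$tmp/netstat"
# Assumed allowlist: this host needs only ssh and the two SAP entries.
unneeded_listeners "$tmp/services" "$tmp/netstat" "ssh sapdp00 sapgw00"
rm -rf "$tmp"
```

On a real host, pass the actual services file and a saved copy of the netstat output instead of the samples; a port reported as unknown has no entry in the services file and should be traced to its owning process before it is disabled.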
SAP systems also offer a variety of network services in their own infrastructures. As with general network services, we recommend disabling any SAP services that you do not need with your installation. For a complete list of the ports used by SAP NetWeaver products and their default assignments, see the document TCP/IP Ports Used by SAP Server Software, which is available on the SAP Service Marketplace at http://service.sap.com/security.
For a list of well-known port numbers, see the list provided by the Internet Assigned Numbers Authority (IANA) at http://www.iana.org/assignments/port-numbers.