Knowledge Sharing

SAP NetWeaver / S/4HANA Secure Profile Parameters


WALLSEC Security Hardening Baseline for SAP NetWeaver

Secure Profile Parameters

Here is a list of security-relevant SAP NetWeaver profile parameters and our WALLSEC configuration recommendation. The recommended configurations may need to be adapted to meet your corporate requirements.

abap/path_normalization = ext

auth/check/calltransaction = 3

auth/no_check_in_some_cases = Y

auth/object_disabling_active = N

auth/rfc_authority_check = 1

dynp/checkskip1screen = ALL

dynp/confirmskip1screen = ALL

gw/acl_mode = 1

gw/monitor = 1

gw/reg_info = <path to RFC Gateway reg_info ACL - must not be empty>

gw/reg_no_conn_info = 129

gw/rem_start = DISABLED

gw/sec_info = <path to RFC Gateway sec_info ACL - must not be empty>

gw/sim_mode = 0

icf/reject_expired_passwd = 1

icf/set_HTTPonly_flag_on_cookies = 0

icm/HTTP/error_templ_path = <path to a common error page>

icm/SMTP/show_server_header = FALSE

icm/accept_forwarded_cert_via_http = 0

icm/trace_secured_data = 0

icm/trusted_reverse_proxy_<num> = SUBJECT="CN=<corporate.proxy.corp>, *", ISSUER="CN=<corporate CA server>, *"

is/HTTP/show_detailed_errors = FALSE

is/HTTP/show_server_header = FALSE

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 3

login/disable_cpic = 1

login/failed_user_auto_unlock = 1

login/fails_to_user_lock = 5

login/min_password_diff = 4

login/min_password_digits = 1

login/min_password_letters = 1

login/min_password_lng = 8

login/min_password_lowercase = 1

login/min_password_specials = 0

login/min_password_uppercase = 1

login/no_automatic_user_sapstar = 1

login/password_change_for_SSO = 3

login/password_compliance_to_current_policy = 1

login/password_downwards_compatibility = 0

login/password_expiration_time = 90

login/password_history_size = 5

login/password_max_idle_initial = 5

login/password_max_idle_productive = 30

login/show_detailed_errors = 0

login/ticket_only_by_https = 1

login/ticket_only_to_host = 1

ms/acl_info = <path to message server ACL - must not be empty>

ms/admin_port = 0

ms/monitor = 0

rdisp/TRACE_HIDE_SEC_DATA = 1

rdisp/gui_auto_logout = 1800

rec/client = all

rfc/callback_security_method = 3

rfc/reject_expired_passwd = 1

rfc/selftrust = 0

rsau/enable = 1

rsau/integrity = 1

rsau/log_peer_address = 1

rsau/selection_slots = 10

rsau/user_selection = 1

sapgui/nwbc_scripting = FALSE

sapgui/user_scripting = FALSE

sapgui/user_scripting_disable_recording = TRUE

sapgui/user_scripting_force_notification = TRUE

sapgui/user_scripting_per_user = TRUE

sapgui/user_scripting_set_readonly = TRUE

snc/accept_insecure_gui = 0

snc/accept_insecure_rfc = 0

snc/data_protection/max = 3

snc/data_protection/min = 3

snc/data_protection/use = 3

snc/enable = 1

snc/log_unencrypted_rfc = 2

snc/only_encrypted_gui = 1

snc/only_encrypted_rfc= 1

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

system/secure_communication = ON

You need support securing your SAP systems? Contact Us! We help enterprises plan secure IT infrastructures, assess IT services, mitigate risks and run compliant operations.

Related Articles:

You found the content of this post useful? Register for our Newsletter below to receive email notifications about new posts like this one.