12-14-2010 8:41 AM
Hello,
I have a problem. We had a security audit of our SAP systems. They saw that port 50013 (Management Console) does not have any user/password security.
Is there a way to put security in place before the information is shown?
Best Regards.
Pablo Mortera.
12-14-2010 9:29 AM
12-14-2010 10:01 AM
hello Arpan,
On that web page it only tells me which port I can use (HTTP/HTTPS) but does not say anything about how to put a user/password on the SAP Management Console at the beginning, before the Java Applet appears.
Best Regards.
Pablo Mortera.
12-14-2010 10:24 AM
12-14-2010 10:29 AM
Hi,
What OS do you use? SAP MMC should allow access only to OS users from the application server. Check note 927637. The newer version also allows you to configure an ACL so that logon will be possible only from selected IP addresses (more info in note 1439348).
Cheers
12-14-2010 10:32 AM
12-14-2010 10:34 PM
So it does not ask for a username and password when you connect from a different computer? You can also try to protect this port with a firewall.
Cheers
12-15-2010 10:17 PM
Hi Pablo
The SAP Management Console is a UI (Applet) to access the functionality of the sapstartsrv process. This process is used for monitoring and administration of SAP instances and listens on port 5nn13 (or 5nn14 for https).
It is expected that you can access the UI without authentication, but to carry out administrative functions (which are sapstartsrv web service method calls), such as shutting down an instance for example, authentication is required.
By default only the most critical of these web service methods require authentication, but the list of protected web methods can be modified. Please see note 927637 for more details.
02-03-2011 9:41 PM
Patrick,
What you say is true, however, the ability to look at logs is not password protected by default. It is a frighteningly simple procedure to capture an administrator login, break the hash to get the password, and then log on to the protected functions as an admin.
Your systems will be much more secure if you limit who can access SAPMC at the firewall and by configuring the sapstartsrv process as much as your version allows. As you say, note 927637 is the place to start.
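Two replies above recommend limiting who can reach the sapstartsrv ports at the firewall. The shell script below is an added example, not code from this thread or from SAP: it derives the 5nn13/5nn14 port pair from an instance number (instance 00 gives the 50013 mentioned in the question) and prints iptables rules that accept those ports only from the admin networks you pass in and drop everything else. It assumes a Linux host with iptables; the rules are appended with -A, so they only take effect if no earlier rule already accepts the traffic, and they do not replace the sapstartsrv hardening from note 927637.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables rules that restrict
# the SAP Management Console / sapstartsrv ports of one instance to named
# admin networks. Output is printed for review rather than applied directly.

# sapmc_ports NN -> "5NN13 5NN14" (HTTP and HTTPS ports of instance NN)
sapmc_ports() {
    nn=$(printf '%02d' "$1")   # instance number, zero-padded to two digits
    echo "5${nn}13 5${nn}14"
}

# sapmc_fw_rules NN CIDR [CIDR...] -> prints one ACCEPT per admin network
# for each port, followed by a catch-all DROP for that port.
sapmc_fw_rules() {
    inst=$1
    shift
    for port in $(sapmc_ports "$inst"); do
        for net in "$@"; do
            echo "iptables -A INPUT -p tcp --dport $port -s $net -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Example run for instance 00 with a constructed admin subnet (placeholder):
#   sapmc_fw_rules 0 10.1.2.0/24
# Pipe the output to sh once reviewed, e.g. sapmc_fw_rules 0 10.1.2.0/24 | sh
```

Apply the generated rules only after checking the existing INPUT chain order, and keep the same restriction on the HTTPS port 5nn14, since the authentication gap described in the thread applies to both listeners.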