Why basis security matters
SAP Basis is the technical stack that supports every SAP application. The kernel, the database connection, the gateway, the message server, the work processes, and the system profile parameters that govern them are all basis components. Without disciplined basis security, the customer inherits SAP default values that prioritize installation simplicity over operating safety, and those defaults surface in external audits as control weaknesses in the technical baseline.
This article documents the profile parameter baseline, the gateway and message server hardening, the user buffer and password policy, and the audit defensible basis security posture. Reference the SAP security audit pillar, the patch management analysis, and the security hardening expertise.
Profile parameter baseline
The profile parameter baseline captures the dozens of system parameters that govern technical security. The login parameters (login/*) control password length, complexity, expiration, and lockout. The auth parameters (auth/*) control authorization checks and the authorization buffer. The rdisp parameters (rdisp/*) control dispatcher and work process behavior, while the gateway and message server are governed by the gw/* and ms/* parameters (gw/acl_mode, gw/sec_info, gw/reg_info, ms/acl_info). SAP publishes the recommended baseline in note 1322944 and through the security baseline template. The customer position is to apply the baseline, document any deviation with risk acceptance, and revalidate the parameter values after every upgrade, since kernel defaults can change between releases. One caveat when validating: a parameter that is absent from the profile takes the kernel default, so the check has to be made against the effective value shown in transaction RZ11, not only against the profile file on disk.
Reference the security baseline analysis, the critical authorizations analysis, and the cybersecurity analysis.
Gateway and message server hardening
The gateway is the SAP component that handles RFC traffic from external systems, including RFC server programs that register at the gateway and programs that are started through it. The message server is the SAP component that coordinates load balancing across application servers. Both components require explicit access control. The gateway secinfo file (named by gw/sec_info) controls which programs may be started by which users from which hosts, and the reginfo file (named by gw/reg_info) controls which programs may be registered from which hosts and which hosts may use them. The message server access control list (ms/acl_info) controls which hosts may join. Rules in these files are evaluated top down and the first match wins, so a wildcard permit early in the file makes every later line irrelevant. The customer position is to define both control files with explicit allow lists that end in an explicit deny, never to operate either component with default permissive rules, and to set gw/acl_mode = 1 so that a missing file falls back to restrictive implicit rules (local and internal hosts only) rather than to open access.
Reference the RFC security analysis, the cybersecurity analysis, and the transport security analysis.
Default permissive gateway secinfo and reginfo files are the most common external exposure found in SAP basis security audits: with gw/acl_mode = 0 and no control files, the implicit rule is equivalent to P TP=* USER=* USER-HOST=* HOST=*, which lets any host start or register any program. Replacing the defaults with explicit allow lists is the highest leverage hardening step in the basis baseline. Edited files take effect only after the gateway rereads them (gateway monitor SMGW, external security, reread), so the reread and a connection test belong to the change record.
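The checker below is added here as a worked example; it is not code from the original article or from any SAP tool. It parses VERSION=2 secinfo and reginfo files and reports the two defects described above: permit rules that accept any host, and rules that can never match because an earlier catch-all line already decides the outcome. The sample files, host names and program names (app01.example.internal, sld01.example.internal, jobsrv01.example.internal, SLD_UC) are constructed for the example, and treating a field that is not written as a wildcard is the checker's conservative assumption, not a statement about gateway internals.

```python
# Field names of the VERSION=2 syntax. In secinfo, HOST is where the program
# runs and USER-HOST is where the request comes from; in reginfo, HOST is the
# host allowed to register the program and ACCESS/CANCEL the hosts allowed to
# use or cancel it.
SECINFO_KEYS = ("TP", "USER", "USER-HOST", "HOST")
REGINFO_KEYS = ("TP", "HOST", "ACCESS", "CANCEL")

# Constructed sample files for this example (not taken from any real system).
PERMISSIVE_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

HARDENED_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
P TP=sapxpg USER=* USER-HOST=jobsrv01.example.internal HOST=app01.example.internal
D TP=* USER=* USER-HOST=* HOST=*
"""

HARDENED_REGINFO = """\
#VERSION=2
P TP=SLD_UC HOST=sld01.example.internal ACCESS=internal CANCEL=internal
P TP=* HOST=local
D TP=* HOST=*
"""

# Deny placed first: the permit on line 3 can never be reached.
SHADOWED_REGINFO = """\
#VERSION=2
D TP=* HOST=*
P TP=SLD_UC HOST=sld01.example.internal
"""


def parse_acl(text, kind):
    """Parse a secinfo ('secinfo') or reginfo ('reginfo') file into (line, action, fields).

    Assumption of this checker: a field that is not written counts as '*'.
    The gateway itself evaluates rules top down; the first match wins.
    """
    keys = SECINFO_KEYS if kind == "secinfo" else REGINFO_KEYS
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#VERSION=2":
        raise ValueError("missing '#VERSION=2' header: file would be read in the old version 1 syntax")
    rules = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        action = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: rule must start with P (permit) or D (deny): {line!r}")
        fields = {k: "*" for k in keys}
        for token in rest.split():
            key, sep, value = token.partition("=")
            if not sep or key not in keys or not value:
                raise ValueError(f"line {lineno}: unknown or malformed field {token!r}")
            fields[key] = value
        rules.append((lineno, action, fields))
    return rules


def lint_acl(text, kind):
    """Flag permits that accept any host, and rules shadowed by an earlier catch-all."""
    findings = []
    catch_all = None
    for lineno, action, f in parse_acl(text, kind):
        if catch_all is not None:
            findings.append((lineno, f"unreachable: shadowed by the catch-all rule on line {catch_all}"))
            continue
        if action == "P":
            prog = "any program" if f["TP"] == "*" else f"program {f['TP']}"
            if kind == "reginfo" and f["HOST"] == "*":
                findings.append((lineno, f"permissive: {prog} may be registered from any host"))
            elif kind == "secinfo" and (f["HOST"] == "*" or f["USER-HOST"] == "*"):
                findings.append((lineno, f"permissive: {prog} may be started on any host or from any client host"))
        if all(v == "*" for v in f.values()):
            catch_all = lineno
    return findings


if __name__ == "__main__":
    for name, text, kind in [("permissive secinfo", PERMISSIVE_SECINFO, "secinfo"),
                             ("hardened secinfo", HARDENED_SECINFO, "secinfo"),
                             ("hardened reginfo", HARDENED_REGINFO, "reginfo"),
                             ("shadowed reginfo", SHADOWED_REGINFO, "reginfo")]:
        print(name, lint_acl(text, kind) or "clean")
```

The header check matters in practice: a file without the #VERSION=2 line is read in the older syntax, and the P/D prefixes then do not mean what the author intended. Run the linter against the files named by gw/sec_info and gw/reg_info on every instance, not only on the one the change was authored on.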
User buffer and password policy
The user buffer governs how SAP caches authorization data for active users. The buffer size affects performance, and the buffer refresh determines how quickly authorization changes take effect for a user who is already logged on. Password policy is set through the login parameters: length (login/min_password_lng), complexity (login/min_password_letters, login/min_password_digits, login/min_password_specials and their uppercase and lowercase counterparts), lockout (login/fails_to_user_lock), and password history (login/password_history_size). The audit defensible posture defines password length at least 12, password complexity required, lockout after 5 failed attempts, password history depth at least 5, and the SAP standard user accounts SAP* and DDIC kept either locked or assigned high entropy passwords with a documented owner. One caveat on SAP*: locking is the safer choice, and login/no_automatic_user_sapstar must be 1, because with the default value a deleted SAP* can be used with the well-known password PASS.
The detail is in our license audit pillar (cross cluster reference for the named user implication of password policy), the user access review, and the privileged access analysis.
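As an added worked example for both the profile parameter baseline and the password policy sections (not code from the original article), the script below parses a constructed DEFAULT.PFL excerpt and compares the login parameters against the thresholds stated above. The profile content is constructed; the interpretation of "complexity required" as at least one letter, one digit and one special character, and the inclusion of login/no_automatic_user_sapstar and gw/acl_mode in the list, are this example's choices rather than thresholds taken from the page.

```python
import operator

# Constructed DEFAULT.PFL excerpt for this example (not from any real system);
# three values are deliberately outside the baseline.
SAMPLE_PROFILE = """\
# DEFAULT.PFL - constructed excerpt
SAPSYSTEMNAME = ABC
login/min_password_lng = 8
login/min_password_letters = 1
login/min_password_digits = 0
login/min_password_specials = 1
login/fails_to_user_lock = 12
login/password_history_size = 5
login/no_automatic_user_sapstar = 1
gw/acl_mode = 1
"""

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}

# Thresholds from the article's password policy. "Complexity required" is
# interpreted here as at least one letter, digit and special character.
# login/no_automatic_user_sapstar and gw/acl_mode are this example's additions
# (well-known SAP parameters the article does not list as thresholds).
BASELINE = [
    ("login/min_password_lng", ">=", 12),
    ("login/min_password_letters", ">=", 1),
    ("login/min_password_digits", ">=", 1),
    ("login/min_password_specials", ">=", 1),
    ("login/fails_to_user_lock", "<=", 5),
    ("login/password_history_size", ">=", 5),
    ("login/no_automatic_user_sapstar", "==", 1),
    ("gw/acl_mode", "==", 1),
]


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def check_baseline(params, baseline=BASELINE):
    """Return (parameter, actual, reason) for every baseline entry that is not satisfied.

    A parameter absent from the profile is reported as well: the kernel default
    then applies, and the effective value has to be confirmed in RZ11 rather
    than assumed from the file.
    """
    findings = []
    for name, op, expected in baseline:
        actual = params.get(name)
        if actual is None:
            findings.append((name, None, f"not set in profile (kernel default applies); required {op} {expected}"))
            continue
        try:
            value = int(actual)
        except ValueError:
            findings.append((name, actual, "non-numeric value"))
            continue
        if not OPS[op](value, expected):
            findings.append((name, value, f"required {op} {expected}"))
    return findings


if __name__ == "__main__":
    for name, actual, reason in check_baseline(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {actual!r} -> {reason}")
```

An auditor reproduces this comparison against the effective values in RZ11 rather than against the file, which is why a parameter missing from the profile is reported instead of silently accepted. Every reported deviation that is kept on purpose needs the documented risk acceptance the baseline section calls for.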
Audit defensible basis posture
The audit defensible basis security posture has four components. First, the documented profile parameter baseline applied across every system in the SAP landscape. Second, the explicit gateway secinfo and reginfo allow lists with a documented owner and review cycle. Third, the password policy at the recommended thresholds with documented exceptions for technical users. Fourth, the patch posture that keeps the technical stack current. The four components together produce evidence that survives an external auditor walkthrough and SOX testing.
The implementation detail is in our security baseline analysis, the patch management analysis, the cybersecurity analysis, and the compliance framework pillar. The security hardening expertise documents the full senior advisor methodology.
Basis posture that bounds risk and survives audit
- Profile parameter baseline applies SAP recommended values from note 1322944 with documented deviation and risk acceptance
- Gateway secinfo and reginfo files use explicit allow lists, never default permissive rules
- Message server access control list defines which hosts may join the cluster
- Password policy sets length 12, complexity required, lockout after 5 failures, history depth 5
- SAP standard accounts SAP* and DDIC are kept locked or carry high entropy passwords with a documented owner
- Audit defensible posture rests on parameter baseline, gateway hardening, password policy, patch cadence