This section gives you an overview of the security-relevant topics in the area of network security and communication.
Preventing Misuse of the RFC Software Development Kit
Do not install the RFC Software Development Kit (RFC SDK) in your production system or on your application servers or front ends. For more information on avoiding misuse of the RFC SDK, see SAP Note 43417.
Restricting Access to External CPI-C or RFC Server Programs
You can restrict access to external server programs by using a suitable authorization check. For detailed information: Restricting Access to External Server Programs.
Restricting Registration of External Server Programs
When you use an RFC server (based on the RFC SDK, NW RFC SDK, JCo, .NET Connector, or Business Connector), there is a danger that an external, harmful program registers itself as an RFC server under the same program ID.
Find out how to protect yourself against harmful registration: Restricting Registration of External Server Programs.
Restricting Access to RFC Server Program RFCEXEC or RFCEXEC.EXE
The program RFCEXEC is an external RFC server that can be addressed by the SAP system. This enables you to use the wide range of operating system functions from within the SAP system.
This program is part of the classic RFC SDK and serves as an example of how to implement an RFC server. Because many applications now use this example program in a production environment, access to the program has been restricted.
For more information: SAP Note 618516.
A modified version of the program is available with SAP NetWeaver RFC SDK Patch Level 2.
For more information: SAP Note 1140031.
Allowing RFC Connections from Known and Selected Systems Only
Systems that you allow to communicate with one another using RFC should be protected by the appropriate network measures (see Network Measures). Operate your systems in a closed, secure LAN or use SAProuters and packet filters to control access to the systems.
Deactivating Remote Monitoring of Gateway
The Gateway controls remote RFC and CPI-C communications. It reads queries and sets up work processes for the connection. It includes a monitor that you can use to analyze and administer the Gateway. In the standard system, you can access the gateway monitor locally or from a remote computer. However, we recommend that you deactivate remote monitoring of the Gateway.
To deactivate remote monitoring of SAP Gateways, set the profile parameter gw/monitor to 1 (see also SAP Note 64016).
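The following added example (not part of the SAP documentation) audits instance profiles for the gw/monitor setting described above. It assumes the usual profile syntax of `name = value` lines with `#` comments, treats an unset parameter as the standard behaviour (local and remote access), and uses constructed sample profiles with hypothetical names.

```python
"""Audit SAP instance profiles for gw/monitor = 1 (local monitoring only).

Added example, not SAP's own code. Profile lines have the form `name = value`;
lines starting with `#` are comments. When gw/monitor is absent, the standard
behaviour described above applies (remote access possible), so the audit treats
a missing parameter as non-compliant, just like any value other than 1.
"""
from __future__ import annotations

# Constructed sample profiles; file names and contents are hypothetical.
SAMPLE_PROFILES = {
    "DEV_D00_host1": """# Instance profile (constructed sample)
SAPSYSTEMNAME = DEV
INSTANCE_NAME = D00
gw/monitor = 2
""",
    "QAS_D01_host2": """# Instance profile (constructed sample)
SAPSYSTEMNAME = QAS
gw/monitor = 2
# hardened later in the file: the last assignment wins
gw/monitor = 1
""",
    "PRD_D02_host3": """SAPSYSTEMNAME = PRD
# gw/monitor not set: the standard behaviour applies
""",
}

def parse_profile(text: str) -> dict[str, str]:
    """Return the effective parameters of a profile (last assignment wins)."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params

def remote_monitor_disabled(params: dict[str, str]) -> bool:
    """True only when gw/monitor is explicitly set to 1."""
    return params.get("gw/monitor") == "1"

def audit(profiles: dict[str, str]) -> dict[str, bool]:
    """Map each profile name to whether remote Gateway monitoring is disabled."""
    return {name: remote_monitor_disabled(parse_profile(text))
            for name, text in profiles.items()}

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_PROFILES).items():
        print(f"{name}: {'OK' if ok else 'remote Gateway monitoring possible'}")
```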