
Network Security and Communication

 

This section gives you an overview of the security-relevant topics in the area of network security and communication.

Preventing Misuse of the RFC Software Development Kit

Do not install the RFC Software Development Kit (RFC SDK) in your production system or on your application servers or front ends. For more information on avoiding misuse of the RFC SDK, see SAP Note 43417.

Restricting Access to External CPI-C or RFC Server Programs

You can restrict access to external server programs by using a suitable authorization check. For detailed information: Restricting Access to External Server Programs.

Restricting Registration of External Server Programs

When you use an RFC server (based on RFC SDK, NW RFC SDK, JCo, .NET Connector or Business Connector), there is, under certain circumstances, a danger that a harmful external program registers itself as an RFC server.

Find out how to protect yourself against harmful registration: Restricting Registration of External Server Programs.

Restricting Access to RFC Server Program RFCEXEC or RFCEXEC.EXE

The program RFCEXEC represents an external RFC server that can be addressed by the SAP system. This enables you to use the wide range of operating system functions.

This program is part of the classic RFC SDK and provides a good example of how you can implement an RFC server. Because many applications now use this example program in a production environment, access to the program has been restricted.

Note: For more information: SAP Note 618516.

A modified version of the program is available with SAP NW RFC SDK Patch Level 2.

For more information: SAP Note 1140031.

Allowing RFC Connections from Known and Selected Systems Only

Systems that you allow to communicate with one another using RFC should be protected by the appropriate network measures (see Network Measures). Operate your systems in a closed, secure LAN or use SAProuters and packet filters to control access to the systems.

Deactivating Remote Monitoring of SAP Gateway

Note: The SAP Gateway controls remote RFC and CPI-C communications. It reads queries and sets up work processes for the connection. It includes a monitor that you can use to analyze and administer the SAP Gateway. In the standard system, you can access the gateway monitor locally or from a remote computer. However, we recommend that you deactivate remote monitoring of the SAP Gateway.

To deactivate remote monitoring of SAP Gateways, set the profile parameter gw/monitor to 1 (see also SAP Note 64016).
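
The following check is an added example, not part of the original SAP documentation. It reads the text of a default profile and an instance profile and reports whether the effective gw/monitor value is 1. The profile contents are constructed samples, the function names are hypothetical, and the script assumes "name = value" lines, "#" comment lines, and that instance profile entries take precedence over the default profile.

```python
import re

# Assumed profile syntax: "name = value"; lines starting with "#" are comments.
_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")

# Constructed sample profiles (not taken from a real system).
DEFAULT_PFL = """\
# default profile
SAPSYSTEMNAME = ABC
gw/monitor = 1
"""
INSTANCE_PFL = """\
# instance profile
#gw/monitor = 1
gw/monitor = 2
"""

def parse_profile(text):
    """Return {parameter: value}; a later line overrides an earlier one (assumption)."""
    params = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:  # comment and blank lines do not match
            params[match.group(1)] = match.group(2)
    return params

def effective_value(default_pfl, instance_pfl, name="gw/monitor"):
    """Merge both profiles; instance profile entries win over the default profile."""
    merged = parse_profile(default_pfl)
    merged.update(parse_profile(instance_pfl))
    return merged.get(name)

def check_gw_monitor(default_pfl, instance_pfl):
    """Return (status, message) for the recommended setting gw/monitor = 1."""
    value = effective_value(default_pfl, instance_pfl)
    if value is None:
        return ("REVIEW", "gw/monitor is not set in either profile; "
                          "the kernel default applies and must be verified")
    if value == "1":
        return ("OK", "gw/monitor = 1, as recommended")
    return ("FAIL", f"gw/monitor = {value}; set it to 1")

if __name__ == "__main__":
    status, message = check_gw_monitor(DEFAULT_PFL, INSTANCE_PFL)
    print(f"{status}: {message}")
```

The sample reports FAIL because the instance profile overrides the compliant value in the default profile, which is the case a check of the default profile alone would miss.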

More Information