


>I would like to scan our SAP servers with Internet Scanner v6.0. Are there
>any known problems I need to be aware of?
>
>Thanks,
>Frank

I approach scanning SAP and PeopleSoft with a little more care than your
average Internet web site.  The Users and Operations staff are generally not
used to handling attack scenarios.  This can make big problems if the scan is
not expected.  Outages of these systems are VERY high visibility to
management.  These systems are rarely OS and Application hardened to the
extent that Internet connected systems are.  Understand the vulnerabilities
of the underlying OS in use for these systems before you start.

Make sure you understand the architecture of SAP or PeopleSoft
implementations before you scan.  Blind scanning these machines without some
application/configuration knowledge can send you in the wrong direction
(chasing problems that aren't real problems).

Start with a light scan and work your way up to the level of hardening your
risk level requires.  Do this work incrementally if you have to (scan, close
holes, re-scan).  Be very careful of the database system scanning that you
do.  Crashing the Payroll Database just before check processing can cause an
emergency reboot of your resume process.

Make sure you run the Database Default Password checks.  This is the number
one security problem in most implementations I have scanned.  For many years
the Oracle default password was baked into these systems by the installers.

Ken Stephens, CISSP
Sr. Security Manager
CSC
[EMAIL PROTECTED]
