The following information describes settings in SAP Web Dispatcher for increasing security against attacks.
To guarantee maximum security when you use the Web Dispatcher, we recommend that you take the following measures when the system is in operation:
- Always keep the Web Dispatcher up to date. SAP Note 538405 describes where you can find the latest version.
- Configure your own error pages so that the technical cause of an error is not revealed to the end user, by setting icm/HTTP/error_templ_path = /usr/sap/B6M/D13/data/icmerror.
  Alternatively, set the parameter is/HTTP/show_detailed_errors to FALSE; no details about the error are then passed to the client.
- Use the Web Dispatcher as a URL filter with positive lists (allow only the URLs that are actually needed). In any case, filter the following URLs, since they reveal information about the infrastructure and configuration:
  Block access to the internal information page with the following entry in your URI permission table:
- Implement the following settings to increase security in the web administration interface:
  - Use HTTPS to prevent the password from being intercepted. Use an HTTPS port that you have set up with the parameter icm/server_port_ in the URL.
  - Allow Web Dispatcher administration only on ports that use a secure protocol (HTTPS), by setting the PORT option of the parameter icm/HTTP/admin_ to an HTTPS port.
  - Configure a port that can only be accessed from the internal network as the administration port. Use the PORT option of the parameter icm/HTTP/admin_ to do this.
  - Allow administration only under a certain host name or IP address that can only be accessed from the internal network. To do this, use the HOST option of the parameter icm/HTTP/admin_.
  - Limit administration to clients from the internal network. To do this, use the CLIENTHOST option of the parameter icm/HTTP/admin_.
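As an added example (not part of the original text and not SAP's own tooling), the following Python script audits a Web Dispatcher profile against the settings described above: error details hidden, and every icm/HTTP/admin_ entry bound to an HTTPS port from icm/server_port_ with HOST and CLIENTHOST restrictions. The two profile texts are constructed samples; the `key = value` profile syntax and the comma-separated option lists are assumptions about the profile format, and the host names and ports are placeholders.

```python
"""Audit a SAP Web Dispatcher profile for the hardening settings above.

Added example, not SAP code. Assumes the profile is plain `key = value` lines
and that icm/server_port_<xx> / icm/HTTP/admin_<xx> values are comma-separated
OPTION=value lists (PROT, PORT, HOST, CLIENTHOST, ...).
"""

# Constructed hardened profile: HTTPS server port, admin bound to it and to an
# internal host name, detailed errors switched off. Host names are placeholders.
HARDENED_PROFILE = """\
# Web Dispatcher profile (constructed sample)
icm/server_port_0 = PROT=HTTP, PORT=8080
icm/server_port_1 = PROT=HTTPS, PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/admin, PORT=44300, HOST=wdadmin.internal.example, CLIENTHOST=mgmt01.internal.example
icm/HTTP/error_templ_path = /usr/sap/B6M/D13/data/icmerror
is/HTTP/show_detailed_errors = FALSE
"""

# Constructed weak profile: admin interface on the plain HTTP port, no host or
# client restriction, and default (detailed) error pages.
WEAK_PROFILE = """\
icm/server_port_0 = PROT=HTTP, PORT=8080
icm/HTTP/admin_0 = PREFIX=/sap/admin, PORT=8080
"""


def parse_profile(text):
    """Return {parameter: raw value} for every non-comment `key = value` line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # first '=' separates key from value
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_options(value):
    """Split 'PROT=HTTPS, PORT=44300' into {'PROT': 'HTTPS', 'PORT': '44300'}."""
    opts = {}
    for part in value.split(","):
        name, sep, val = part.partition("=")
        if sep:
            opts[name.strip().upper()] = val.strip()
    return opts


def https_ports(params):
    """Ports of all icm/server_port_<xx> entries whose PROT is HTTPS."""
    ports = set()
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            opts = parse_options(value)
            if opts.get("PROT", "").upper() == "HTTPS" and "PORT" in opts:
                ports.add(opts["PORT"])
    return ports


def audit_profile(text):
    """Return a list of findings; an empty list means all checks passed."""
    params = parse_profile(text)
    findings = []

    # Error pages: either custom templates or detailed errors disabled.
    custom_errors = "icm/HTTP/error_templ_path" in params
    details_off = params.get("is/HTTP/show_detailed_errors", "").upper() == "FALSE"
    if not (custom_errors or details_off):
        findings.append("detailed error pages reach the client: set "
                        "icm/HTTP/error_templ_path or is/HTTP/show_detailed_errors = FALSE")

    secure = https_ports(params)
    for key in (k for k in params if k.startswith("icm/HTTP/admin_")):
        opts = parse_options(params[key])
        port = opts.get("PORT")
        if port not in secure:
            findings.append(f"{key}: PORT={port} is not an HTTPS port from icm/server_port_<xx>")
        if "HOST" not in opts:
            findings.append(f"{key}: no HOST option, administration is reachable on every interface")
        if "CLIENTHOST" not in opts:
            findings.append(f"{key}: no CLIENTHOST option, administration is not limited to internal clients")
    return findings


if __name__ == "__main__":
    for name, profile in (("hardened", HARDENED_PROFILE), ("weak", WEAK_PROFILE)):
        print(f"{name}: {audit_profile(profile) or ['OK']}")
```

The audit deliberately accepts either of the two error-page settings the text offers, and it treats an admin PORT as secure only if an icm/server_port_ entry declares that port with PROT=HTTPS, so a typo that points administration at the plain HTTP port is reported rather than silently passing.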