Huge collections of leaked logon credentials (see the Identity Leak Checker linked below) make it necessary to harden SAP systems against password attacks.
There is a lot of information on this topic. This blog post aims to give a summarized overview of the most important activities required to secure AS ABAP systems.
At the end you will find a condensed checklist that you can use for documentation.
Summary
Hardening AS ABAP systems against password attacks is split into three main topics:
- Secure password hashes against password cracking (see SAP Note 1458262)
- Check logon rules and password complexity requirements (see SAP Documentation AS ABAP)
- Define patterns of "illegal passwords" in table "USR40" (see SAP Note 2467)
1.) Secure password hashes against password cracking
Password hash values are stored in the following database tables:
It is advisable to restrict read access to tables containing password hash values using the authorization objects S_TABU_DIS and S_TABU_NAM:
It is also important to use strong hash algorithms (at least SAP Release 7.02):
As mentioned in SAP Note
, be careful:
After upgrading from releases < 7.02 to PWDSALTEDHASH, the old hash values still exist in the database. Additional hashing with PWDSALTEDHASH only takes effect once users change their passwords. From then on, both values (old and new, insecure and secure) exist side by side.
To complete the change to the PWDSALTEDHASH algorithm, it is important to follow these steps:
- Force users to change their passwords (login/password_expiration_time).
- Manually change the passwords of user types "SERVICE" and "SYSTEM" (their passwords do not expire).
- Deactivate the use of "old" hash values by setting the profile parameter login/password_downwards_compatibility = 0.
- Remove the "old" hash values from the database using report CLEANUP_PASSWORD_HASH_VALUES.
2.) Check logon rules and password complexity requirements
In the next step it is important to ensure that users choose secure passwords. This can be done by increasing the required password complexity. The following profile parameters set the password minimum requirements:
3.) Define patterns of "illegal passwords" in table "USR40"
SAP provides a password exception table (USR40) for unauthorized password combinations. When a user chooses a password, the system checks whether it is included in the exception table and, if so, rejects it.
The following rules apply by default regardless of profile parameters and values in USR40 (see SAP Note 2467):
- The password cannot be "PASS" or "SAP*".
- The first three characters cannot be identical.
- “?” or “!” cannot be the first character of a password.
USR40 is very good at eliminating the issue of using leaked passwords and can protect systems against attacks with known dictionaries.
However, it should be noted:
“The table USR40 was not designed to contain thousands of single values for "illegal passwords" (negative dictionary). Instead, the system expects pattern values. Possible new passwords are compared with all the entries in the table USR40.”
Therefore, only values that are not already excluded by profile parameters for password complexity should be used. It is recommended to use the following "wildcards" (placeholders for other characters) to exclude entire strings:
- character "?" for a single character
- character "*" for a character string
Examples (as shown in SAP Note 2467):
- 123* prohibits all passwords that begin with "123", such as "123456" or "123123".
- P?SS prohibits passwords like "PASS", "PBSS", and so on.
- *? ?* prohibits passwords that contain blank characters (between words).
Sample values for USR40
Possible values for the password exception table USR40 could be:
- The most common passwords from leaks that are not already excluded by the profile parameters for password complexity.
- Simple "Keyboard Walks" (e.g. QWER*, 1234* ... ).
- Company name, product names, customer names ...
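To evaluate a candidate USR40 list before entering it in the system, the following added example (not from the SAP Note or the original post) applies the three default rules listed above plus USR40 wildcard matching ("?" one character, "*" any string, whole-value match) to a constructed sample of passwords. It assumes the USR40 comparison is case-insensitive; the sample entries and passwords are made up for the demonstration.

```python
import re
from typing import Optional

# Reserved values rejected regardless of USR40 (SAP Note 2467, as quoted above).
DEFAULT_REJECTS = ("PASS", "SAP*")

def usr40_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a USR40 pattern into an anchored regular expression.
    "?" stands for exactly one character, "*" for any (possibly empty) string;
    everything else is matched literally. Assumption: comparison is case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def rejection_reason(password: str, usr40: list) -> Optional[str]:
    """Return why a candidate password would be rejected, or None if it passes."""
    if password.upper() in DEFAULT_REJECTS:
        return "reserved value (PASS / SAP*)"
    if len(password) >= 3 and password[0] == password[1] == password[2]:
        return "first three characters identical"
    if password[:1] in ("?", "!"):
        return "first character is ? or !"
    for pattern in usr40:            # USR40 is compared entry by entry
        if usr40_pattern_to_regex(pattern).fullmatch(password):
            return f"matches USR40 pattern {pattern!r}"
    return None

def coverage(passwords: list, usr40: list) -> dict:
    """Count how many of the given passwords a candidate USR40 list would reject."""
    accepted = [pw for pw in passwords if rejection_reason(pw, usr40) is None]
    return {"rejected": len(passwords) - len(accepted), "accepted": accepted}

# Constructed sample data (not real leak data): candidate USR40 entries and
# passwords to test them against.
CANDIDATE_USR40 = ["123*", "QWER*", "*? ?*", "WELCOME*", "SUMMER*"]
SAMPLE_PASSWORDS = ["123456", "qwerty123", "Pass", "Welcome2024",
                    "Summer 2024", "!secret1", "aaaBcd1", "Tr0ub4dor&3"]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:16} -> {rejection_reason(pw, CANDIDATE_USR40)}")
    print(coverage(SAMPLE_PASSWORDS, CANDIDATE_USR40))
```

Passwords that end up in the "accepted" list are the ones the candidate patterns and default rules would not stop, which is where additional entries or stricter profile parameters are needed.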
Final checklist for securing SAP NetWeaver AS ABAP Systems against password attacks
The following table is a condensed checklist of all necessary steps to secure SAP NetWeaver AS ABAP systems against password attacks.
All recommended values come from the SAP Notes and SAP documentation listed above.
You may use it as a guideline and for documentation.
Related Links:
- https://sec.hpi.de/ilc/search?lang=en - Hasso-Plattner-Institut, Identity Leak Checker
- https://launchpad.support.sap.com/#/notes/2467 - SAP Note 2467
- https://help.sap.com/saphelp_nw73/helpdata/EN/4a/c3f18f8c352470e10000000a42189c/frameset.htm - Profile Parameters for Logon and Password (Login Parameters)
- https://launchpad.support.sap.com/#/notes/1484692 - SAP Note 1484692
- https://launchpad.support.sap.com/#/notes/1237762 - SAP Note 1237762: ABAP systems: Protection against password hash attacks
- https://launchpad.support.sap.com/#/notes/1458262 - SAP Note 1458262