Showing posts with label SAP Security. Show all posts

Tuesday, October 4, 2016

SAP Security Recommendations

Secure the SAP gateway:

There are various attacks against the SAP gateway, such as running operating system commands on the server without any authentication.

Restrict access to the SAP gateway with proper network controls, both internally and externally. If there is a business case for client networks to use RFC communication, for example because of applications such as BEx (Business Explorer), apply the proper security configuration on the gateway to restrict TYPE E connections (external programs started by the gateway) and TYPE R connections (RFC server programs registering at the gateway).

Please refer to the secinfo and reginfo configuration files (profile parameters gw/sec_info and gw/reg_info) for more information.
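The point that matters most in secinfo/reginfo is that lines are evaluated top to bottom and the first matching line decides, so a single "permit everything" line, or a file without an explicit final deny line, leaves the gateway open to the OS-command attack above. The following is an added example, not code from the original post: a small Python evaluator for the version-2 line syntax (P/D action with TP, USER, USER-HOST and HOST fields, the "*" wildcard alone or as a trailing prefix, and the "local" keyword). Subnet masks, the "internal" keyword and the ACCESS/CANCEL lists of reginfo are deliberately not modelled, and all host names, program names and users in the sample files are constructed.

```python
# Added example (not code from the original post): toy evaluator for the
# version-2 secinfo / reginfo line syntax, to show why rule order and a final
# explicit deny line matter. Only P/D lines with TP, USER, USER-HOST and HOST,
# the "*" wildcard (alone or as a trailing prefix) and "local" are modelled.
# Subnet masks, "internal" and reginfo ACCESS/CANCEL lists are not. All names
# in the sample files below are constructed.
from dataclasses import dataclass
from typing import Dict, List

FIELDS = ("TP", "USER", "USER-HOST", "HOST")


@dataclass
class Rule:
    action: str             # "P" permit or "D" deny
    fields: Dict[str, str]  # pattern per field, "*" when the field is absent


@dataclass
class Request:
    tp: str         # program the caller wants the gateway to start or register
    user: str       # SAP user on the calling side
    user_host: str  # host of the calling work process
    host: str       # host on which the program would be started


def parse_acl(text: str) -> List[Rule]:
    """Parse version-2 style lines; comment and #VERSION lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *kvs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"bad action in line: {raw!r}")
        fields = {name: "*" for name in FIELDS}
        for kv in kvs:
            key, _, value = kv.partition("=")
            if key not in FIELDS:
                raise ValueError(f"unsupported field {key!r} in line: {raw!r}")
            fields[key] = value
        rules.append(Rule(action, fields))
    return rules


def _match(pattern: str, value: str, gateway_host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.lower() == "local":
        return value.lower() == gateway_host.lower()
    if pattern.endswith("*"):                    # prefix wildcard, e.g. TP=sap*
        return value.lower().startswith(pattern[:-1].lower())
    return value.lower() == pattern.lower()


def evaluate(rules: List[Rule], req: Request, gateway_host: str,
             default_permit: bool = False) -> bool:
    """First matching line wins. What happens to an unmatched request depends
    on release and gw/acl_mode, so never rely on it: end every file with an
    explicit D line and the default is never consulted."""
    values = {"TP": req.tp, "USER": req.user,
              "USER-HOST": req.user_host, "HOST": req.host}
    for rule in rules:
        if all(_match(rule.fields[f], values[f], gateway_host) for f in FIELDS):
            return rule.action == "P"
    return default_permit


def wide_open_permits(rules: List[Rule]) -> List[int]:
    """Indices of permit lines that match everything: the first finding any
    audit of secinfo/reginfo should report."""
    return [i for i, r in enumerate(rules)
            if r.action == "P" and all(v == "*" for v in r.fields.values())]


# Constructed sample: the restrictive file a hardened gateway should carry.
HARDENED_SECINFO = """\
#VERSION=2
# the local instance may start programs (e.g. sapxpg) on the local host only
P TP=* USER=* USER-HOST=local HOST=local
# the BEx front-end server may start one named extractor on the BW host
P TP=bw_extract USER=BWUSER USER-HOST=bex01.corp.example HOST=bwapp01.corp.example
# everything else is denied explicitly, independent of the release default
D TP=* USER=* USER-HOST=* HOST=*
"""

# Constructed sample: the one line that makes the OS-command attack trivial.
WIDE_OPEN_SECINFO = "P TP=* USER=* USER-HOST=* HOST=*\n"

if __name__ == "__main__":
    gw = "sapgw01.corp.example"
    attacker = Request("/bin/sh", "ANYUSER", "10.0.0.77", gw)
    print("hardened, attacker:", evaluate(parse_acl(HARDENED_SECINFO), attacker, gw))   # False
    print("wide open, attacker:", evaluate(parse_acl(WIDE_OPEN_SECINFO), attacker, gw))  # True
    print("wide-open permit lines:", wide_open_permits(parse_acl(WIDE_OPEN_SECINFO)))     # [0]
```

Use `wide_open_permits` as the first check when reviewing a customer's files, then walk the business-case requests (the BEx server in the sample) through `evaluate` to confirm that only those still pass.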

Make sure that the SAP landscape is free of weak or default passwords:

SAP systems contain hundreds or thousands of users. A single compromised account can cause issues for the rest of the landscape.

After the SAP systems are configured with a proper password policy (the login/* profile parameters), we recommend running password audits periodically to catch weak passwords such as "Summer-2012" or "Welcome01". Such passwords can be fully compliant with the password policy, but please remember that "compliant" does not mean "secure". The default passwords of the standard users (SAP*, DDIC, EARLYWATCH, SAPCPIC, TMSADM) belong in the same audit.
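To make "compliant does not mean secure" concrete, here is an added example (not code from the original post) that checks a candidate password twice: once mechanically against the length and character-class rules, keyed by the real SAP profile parameter names, and once against the patterns people actually choose (season or month plus year, a dictionary word plus a counter, the organisation's name, keyboard runs). The policy values, the word lists and the sample candidates are assumptions for the example. It is meant for the passwords a helpdesk is about to hand out or for the wordlist you feed an offline hash audit; it does not read USR02.

```python
# Added example (not code from the original post): separates "compliant with
# the profile-parameter policy" from "guessable". Parameter names are real
# SAP login/* parameters; the values, word lists and sample candidates are
# assumptions for the example.
import re
from typing import Dict, Iterable, List, Optional

# Assumed policy, keyed by the profile parameters it would be read from.
POLICY = {
    "login/min_password_lng": 8,
    "login/min_password_letters": 1,
    "login/min_password_digits": 1,
    "login/min_password_specials": 1,
}

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
WEAK_BASES = ("welcome", "password", "passw0rd", "init", "initial", "changeme",
              "letmein", "sap", "admin", "test", "temp")
KEYBOARD_RUNS = ("qwerty", "qwertz", "asdf", "12345", "abcd")


def is_policy_compliant(pw: str, policy: Dict[str, int] = POLICY) -> bool:
    """Mechanical check of the length / character-class rules only."""
    letters = sum(c.isalpha() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    specials = len(pw) - letters - digits
    return (len(pw) >= policy["login/min_password_lng"]
            and letters >= policy["login/min_password_letters"]
            and digits >= policy["login/min_password_digits"]
            and specials >= policy["login/min_password_specials"])


def weak_reason(pw: str, org_words: Iterable[str] = ()) -> Optional[str]:
    """Return why a password is guessable, or None. Separators are stripped
    first so that 'Summer-2012' and 'Summer_2012!' are judged alike."""
    core = re.sub(r"[^a-z0-9]", "", pw.lower())
    # season or month followed by a year, e.g. Summer-2012, January2016!
    if re.fullmatch(rf"(?:{'|'.join(SEASONS + MONTHS)})(?:19|20)\d{{2}}", core):
        return "season/month + year"
    # common base word plus a short counter, e.g. Welcome01, Password1!
    if re.fullmatch(rf"(?:{'|'.join(WEAK_BASES)})\d{{0,4}}", core):
        return "dictionary word + counter"
    for word in org_words:
        if word.lower() in core:
            return "contains organisation name"
    for run in KEYBOARD_RUNS:
        if run in core:
            return "keyboard sequence"
    return None


def audit(candidates: Iterable[str], org_words: Iterable[str] = (),
          policy: Dict[str, int] = POLICY) -> Dict[str, Dict[str, object]]:
    """Per candidate: policy verdict and weakness reason. The entries worth
    acting on are the ones that are compliant AND weak."""
    org_words = tuple(org_words)
    return {pw: {"compliant": is_policy_compliant(pw, policy),
                 "weak": weak_reason(pw, org_words)}
            for pw in candidates}


def compliant_but_weak(report: Dict[str, Dict[str, object]]) -> List[str]:
    return [pw for pw, r in report.items() if r["compliant"] and r["weak"]]


# Constructed candidates, the kind of thing helpdesks set as initial passwords.
SAMPLE_CANDIDATES = ["Summer-2012", "Welcome01", "Welcome01!", "Acme#2016",
                     "Qwerty12!", "t7%Rk0qL2vM#"]

if __name__ == "__main__":
    report = audit(SAMPLE_CANDIDATES, org_words=("acme",))
    for pw, r in report.items():
        print(f"{pw:15} compliant={str(r['compliant']):5} weak={r['weak']}")
    print("compliant but weak:", compliant_but_weak(report))
```

Run against the sample list, four of the six candidates pass the policy and four are guessable, but only "Welcome01" fails the policy outright: the policy catches the missing special character, not the fact that "Welcome01!" is the next thing everybody tries.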

Disable critical ICM/ITS or Java AS web services:

Disable or restrict access to web services such as SOAPRFC and WEBRFC (the ICF nodes /sap/bc/soap/rfc and /sap/bc/webrfc). These services allow RFC calls to be made over HTTP, so an attacker who can reach them can invoke remote-enabled function modules.

Disable the invoker servlet on SAP Java AS systems (the EnableInvokerServletGlobally property of the servlet_jsp service) to prevent attackers from bypassing the authentication and authorization checks declared for your applications.

Any application that is available unnecessarily increases the attack surface, which results in elevated risk.


Patch SAP systems and SAP GUI regularly:

SAP releases security patches every month (SAP Security Patch Day). Set up proper patch management policies both for the SAP server applications and for client components such as SAP GUI or SAP NetWeaver Business Client; a vulnerable client is an easy way into an otherwise patched landscape.

Secure the private key store for protection against Single Sign-On attacks:

PSE files contain the system's private keys, which let an attacker create valid SAP logon tickets and assertion tickets. With such tokens the attacker can connect to remote systems as ANY user WITHOUT A PASSWORD, and can keep minting new ones for as long as the stolen key pair is trusted by the target systems.

Protect PSE files with proper operating system security controls (restrictive file permissions, readable only by the <sid>adm user). Protect access to tables such as SSF_PSE_D, which stores the PSE contents, by assigning them to a dedicated table authorization group and adjusting the SAP authorizations (S_TABU_DIS) accordingly. Restrict the execution of OS commands from applications by securing the gateway and the relevant application components. Introduce a regular key replacement process so that a stolen key has a bounded lifetime.

Wednesday, September 14, 2016

Idle session time out / Logging off inactive users


Logging off inactive users is not set up by default. Activating the automatic logoff improves security because unattended SAP GUI sessions no longer stay open indefinitely.

To activate the automatic logoff, do the following:

Go to RZ10 (profile maintenance) or RZ11 (dynamic change of a single parameter), open the instance or default profile, select the parameter below, then change and save it.

Maintain the parameter rdisp/gui_auto_logout. Enter the required number of seconds of inactivity after which the user is logged off automatically (for example 1800 for 30 minutes). A value changed with RZ11 takes effect immediately without a restart, but it is lost at the next instance restart unless it is also written to the profile with RZ10.

To deactivate the automatic logoff, delete the parameter from the profile(s) or set the value to '0'.

The parameter rdisp/plugin_auto_logout sets the corresponding timeout for HTTP sessions handled by the ICM plug-in, so maintain it as well; otherwise browser-based sessions stay open even though SAP GUI sessions are logged off.

Sunday, September 11, 2016

Program to change mass password in SAP

The program below will help security consultants who have to reset the passwords of many users at once.

Ask an ABAP consultant to develop a REPORT with the code below (only if your client allows custom programs that set user passwords) and execute it to reset the password for a list of users. Two points to keep in mind: the same password is set for every selected user, so prefer the "must be changed at first logon" option and communicate the password to each user individually; and the program writes only the user IDs and the BAPI messages to the list, never the password itself.


*&---------------------------------------------------------------------*
*& Report  ZNAME_OF_YOUR_PROGRAM
*&---------------------------------------------------------------------*
*& Mass password reset for a list of user IDs. The new password is set
*& either as an initial password (must be changed at first logon) or as
*& a productive password (no change forced at logon).
*&---------------------------------------------------------------------*

REPORT zname_of_your_program.

TABLES usr01.

DATA: lt_return TYPE STANDARD TABLE OF bapiret2,
      ls_return TYPE bapiret2,
      lw_user   TYPE bapibname-bapibname,
      it_bname  TYPE STANDARD TABLE OF usr01,
      wa_bname  TYPE usr01,
      lv_error  TYPE abap_bool,
*     temporary initial password, only used on the way to a productive one
      dummy     TYPE bapipwd VALUE 'n$NRC}va9/w-/WxYikSp8~a+Zb=NU7+oEVv'.

* selection screen texts, declared before the screen statements use them
DATA: vtext10 TYPE c LENGTH 13, vtext11 TYPE c LENGTH 10, vtext12 TYPE c LENGTH 10,
      vtext20 TYPE c LENGTH 13, vtext21 TYPE c LENGTH 15, vtext22 TYPE c LENGTH 30.

SELECT-OPTIONS: s_bname FOR usr01-bname OBLIGATORY NO INTERVALS.
* LOWER CASE: passwords are case sensitive, without it the input is uppercased
PARAMETERS: p_passw TYPE bapipwd OBLIGATORY LOWER CASE.

SELECTION-SCREEN BEGIN OF LINE.
SELECTION-SCREEN COMMENT 1(13) vtext10.
SELECTION-SCREEN POSITION 15.
PARAMETERS: rb11 RADIOBUTTON GROUP rb1.
SELECTION-SCREEN COMMENT 18(10) vtext11.
SELECTION-SCREEN POSITION 35.
PARAMETERS: rb12 RADIOBUTTON GROUP rb1.
SELECTION-SCREEN COMMENT 38(10) vtext12.
SELECTION-SCREEN END OF LINE.

SELECTION-SCREEN BEGIN OF LINE.
SELECTION-SCREEN COMMENT 1(13) vtext20.
SELECTION-SCREEN POSITION 15.
PARAMETERS: rb21 RADIOBUTTON GROUP rb2.
SELECTION-SCREEN COMMENT 18(15) vtext21.
SELECTION-SCREEN POSITION 35.
PARAMETERS: rb22 RADIOBUTTON GROUP rb2.
SELECTION-SCREEN COMMENT 38(30) vtext22.
SELECTION-SCREEN END OF LINE.

AT SELECTION-SCREEN OUTPUT.
  vtext10 = 'Log info:'.
  vtext11 = 'short'.
  vtext12 = 'detail'.
  vtext20 = 'Password must'.
  vtext21 = 'not be changed'.
  vtext22 = 'be changed at first logon'.
* mask the password field so it is not shown in clear text on the screen
  LOOP AT SCREEN.
    IF screen-name = 'P_PASSW'.
      screen-invisible = '1'.
      MODIFY SCREEN.
    ENDIF.
  ENDLOOP.

AT SELECTION-SCREEN.
* only single values are supported, no patterns or exclusions
  LOOP AT s_bname WHERE option <> 'EQ' OR sign <> 'I'.
    MESSAGE 'Only single user IDs (sign I, option EQ) are supported' TYPE 'E'.
  ENDLOOP.

START-OF-SELECTION.
  SELECT * FROM usr01 INTO TABLE it_bname WHERE bname IN s_bname.

* report user IDs from the selection that do not exist
  LOOP AT s_bname.
    READ TABLE it_bname TRANSPORTING NO FIELDS WITH KEY bname = s_bname-low.
    IF sy-subrc <> 0.
      WRITE: / 'Userid:', s_bname-low, 'is not found in database'.
    ENDIF.
  ENDLOOP.

  IF rb22 = 'X'.
*   initial password: the user must change p_passw at first logon
    dummy = p_passw.
  ENDIF.

  LOOP AT it_bname INTO wa_bname.
    lw_user = wa_bname-bname.
    CLEAR lt_return.

*   set an initial password; PRODUCTIVE_PWD = rb21 does not work with this
*   BAPI, hence the two-step approach for a productive password below
    CALL FUNCTION 'BAPI_USER_CHANGE'
      EXPORTING
        username  = lw_user
        password  = dummy
        passwordx = 'X'
      TABLES
        return    = lt_return.

*   commit only if the BAPI reported no error or abort message
    lv_error = abap_false.
    LOOP AT lt_return INTO ls_return.
      IF ls_return-type CA 'EA'.
        lv_error = abap_true.
      ENDIF.
    ENDLOOP.

    IF lv_error = abap_true.
      CALL FUNCTION 'BAPI_TRANSACTION_ROLLBACK'.
    ELSE.
      CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'
        EXPORTING
          wait = 'X'.
      IF rb21 = 'X'.
*       productive password: change from the temporary initial password to
*       p_passw so that no change is forced at the next logon
        CALL FUNCTION 'SUSR_USER_CHANGE_PASSWORD_RFC'
          EXPORTING
            bname        = lw_user
            password     = dummy
            new_password = p_passw.
        CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'
          EXPORTING
            wait = 'X'.
      ENDIF.
    ENDIF.

*   log output: detailed (all BAPI messages) or short (first message only)
    WRITE: / 'Password reset for user:', wa_bname-bname.
    IF rb12 = 'X'.
      LOOP AT lt_return INTO ls_return.
        WRITE: / '.....', ls_return-type, ls_return-message.
      ENDLOOP.
    ELSE.
      READ TABLE lt_return INTO ls_return INDEX 1.
      IF sy-subrc = 0.
        WRITE: AT 55 '...', ls_return-message.
      ENDIF.
    ENDIF.
  ENDLOOP.

  IF it_bname IS INITIAL.
    WRITE: / 'No user selected'.
  ENDIF.