Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
kai_bauer
Explorer
9,994

Huge collections of leaked logon credentials (see Identity Leak Checker) make it necessary to harden SAP-Systems against password attacks.

There is a lot of information on this topic. This blogpost aims to give a summarized overview of the most important activities required to secure AS ABAP Systems.

At the end you will find a condensed checklist that you can use for documentation.

 

Summary

Hardening AS ABAP Systems against password attacks is split into three main topics:

  1. Secure password hashes against password cracking (see SAP Note 1458262)
  2. Check logon rules and password complexity requirements (see SAP Documentation AS ABAP)
  3. Define patterns of "illegal passwords" in table "USR40" (see SAP Note 2467)

 

1.) Secure password hashes against password cracking

Password hash values are stored in the following database tables:


Table / ViewFunctionRelease
USH02Change history for logon dataIn all Releases
USH02_ARC_TMPChange history for logon data, last entries from archive informationFrom Release 6.20
USR02Logon data tableIn all Releases
USRPWDHISTORYPassword history tableFrom Release 7.00
VUSER001View of general userdataFrom Release 4.5B
VUSR02_PWDView of password hashesFrom Release 7.10

 
It is advisable to restrict read access to tables containing password hash values using Authorization Objects S_TABU_DIS and S_TABU_NAM:


It is also important to use strong hash algorithms (at least SAP Release 7.02):


ReleaseHash AlgorithmBased onClassification
< SAP-Release 7.00BCODE-HashMD5Unsecure
SAP-Release 7.00PASSCODE-HashSHA-1Unsecure
Since SAP Release 7.02PWDSALTEDHASH login/password_hash_algorithmSHA-n (multiple SHA-Variants)Secure


As mentioned in SAP Note 1458262, be careful:

After upgrading from Releases < 7.02 to PWDSALTEDHASH, old hash values still exist in the database. Additional hashing with PWDSALTEDHASH is only effective once users change their passwords. From then, both values (old & new, unsecure & secure) exist.

To complete the change to the PWDSALTEDHASH-Algorithm it is important to follow these steps:

    • Force users to change passwords (login/password_expiration_time).
    • Manually change passwords for usertypes "SERVICE" and "SYSTEM" (there is no password expiration).
    • Deactivate using "old" hash-values by setting profile parameter login/password_downwards_compatibility = 0
    • Remove "old" hash values from the database by using report CLEANUP_PASSWORD_HASH_VALUES

 

2.) Check logon rules and password complexity requirements

 
The behavior of the login procedure can be configured using the following profile parameters. For hardening, the values ​​recommended by SAP can be used as a guideline (see SAP Documentation: Profile Parameters for Logon and Password (Login Parameters).

SettingProfile ParameterRecommendation
Period after which a password has expired and needs to be changed.login/password_expiration_time90 days
Number of old passwords that can not be re-selected.login/password_history_size≥10
Number of characters that must differ for a new password (aggravation of permutation rules).login/min_password_diff3
Days to wait for a password Change (so history_size can not be bypassed).login/password_change_waittime1
Number of days that an initial password remains valid (initial passwords are often known to several people and should be changed in a timely manner).login/password_max_idle_initial≤7
The number of days that a password can be left unused before it becomes invalid.login/password_max_idle_productive180
Number of allowed login attempts before the SAP GUI session is aborted (brute force protection).login/fails_to_session_end3
Number of allowed login attempts before the account is locked (brute force protection).login/fails_to_user_lock5
Number of days until an account locked by unsuccessful attempts is automatically unlocked.login/failed_user_auto_unlock0


In the next step it is important to ensure choosing secure passwords. This can be done by increasing password complexity. The following profile parameters set password minimum requirements:


SettingProfile ParameterRecommendation
Minimum password lengthlogin/min_password_lng8
Number of lowercase letterslogin/min_password_lowercase1
Number of uppercase letterslogin/min_password_uppercase1
Number of digitslogin/min_password_digits1
Number of letterslogin/min_password_letters1
Number of special characterslogin/min_password_specials1

 

3.) Define patterns of "illegal passwords" in table "USR40"

SAP provides a password exception table (USR40) for unauthorized password combinations. When a user chooses a password, the system checks if it is included in the exception table and (in case of “Yes”) rejects it.

The following rules apply by default regardless of profile parameters and values in USR40 (see SAP Note 2467)

    • The password cannot be "PASS" or "SAP*".
    • The first three characters cannot be identical.
    • “?” or “!” cannot be the first character of a password.


USR40 is very good at eliminating the issue of using leaked passwords and can protect systems against attacks with known dictionaries.

However, it should be noted:

The table USR40 was not designed to contain thousands of single values for "illegal passwords" (negative dictionary). Instead, the system expects pattern values. Possible new passwords are compared with all the entries in the table USR40.

Therefore, only values ​​that are not already excluded by profile parameters for password complexity should be used. It is recommended to use the following "wildcards" (placeholders for other characters) to exclude entire strings:

    • character "?" for a single character
    • character "*" for a character string


Examples (as shown in SAP Note 2467)

    • 123* prohibits all passwords that begin with "123", such as "123456" or "123123".
    • P?SS  prohibits passwords like "PASS", "PBSS", and so on.
    • *? ?* prohibits passwords that contain blank characters (between words).


Sample values for USR40

Possible values for the password exception table USR40 could be:

    • Most common passwords from leaks that are not excluded by profile parameters for password complexitiy.
    • Simple "Keyboard Walks" (e.g. QWER*, 1234* ... ).
    • Company name, product names, customer names ...

 

Final checklist for securing SAP NetWeaver AS ABAP Systems against password attacks

The following table is a final condensed checklist of all necessary steps to secure SAP NetWeaver AS ABAP Systems against password attacks.

All recommended values come from the SAP Notes and SAP Documentation listed above.

You may use it as guideline and for documentation.


StepRecommendation Comment

Secure Password Hashes   
Restrict read access to tables containing password hash values:  Using authorization objects S_TABU_DIS and S_TABU_NAM.
Table USR02  
Table USH02  
Table USH02_ARC_TMP  
Table USRPWDHISTORY  
Table VUSER001  
Table VUSR02_PWD  
Use strong hash algorithms:   
Use SAP-Releases ≥ 7.02 From 7.02, the "PWDSALTED-HASH" algorithm, classified as safe, can be used.
Check profile parameter login/password_expiration_time90A changed password is additionally hashed by the „PWDSALTEDHASH“-Algorithm.
Manually change passwords of SERVICE- and SYSTEM-Users that never expire A changed password is additionally hashed by the „PWDSALTEDHASH“-Algorithm.
Disable old hash algorithms by setting Profile parameter login/password_downwards_compatibility = 00Final deactivation of old hash algorithms. From then users without changed passwords (= without PWDSALTEDHASH) are no longer allowed to log on.
Cleanup and delete old, unused hashvalues by executing report CLEANUP_PASSWORD_HASH_VALUES  

Check Logon Rules   
General password expiration:   
Profile parameter login/password_expiration_time90Period after which a password change becomes necessary.
Password history Settings:   
Profile parameter login/password_history_size≥10Number of old passwords that cannot be reused.
Profile parameter login/min_password_diff3Number of characters that must differ for a new password (aggravation of Permutation rules).
Profile parameter login/password_change_waittime1Days to wait for the next password Change (that history_size can not be bypassed).
Validity of unused passwords:   
Profile parameter login/password_max_idle_initial≤7Number of days that an initial password remains valid.
Profile parameter login/password_max_idle_productive180Number of days that a productive password can be left idle before it becomes invalid.
Brute-Force Protection:   
Profile parameter login/fails_to_session_end3Number of permitted login attempts before the SAP GUI session is closed.
Profile parameter login/fails_to_user_lock5Number of allowed login attempts before the account is locked.
Profile parameter login/failed_user_auto_unlock0Number of days until an account that has been blocked by unsuccessful attempts is automatically unlocked.

Ensure Password Complexity   
Profile Parameter login/min_password_lng8Minimum password length
Profile Parameter login/min_password_lowercase1Number of lowercase letters
Profile Parameter login/min_password_uppercase1Number of uppercase letters
Profile parameter login/min_password_digits1Number of digits
Profile parameter login/min_password_letters1Number of letters
Profile parameter login/min_password_specials1Number of special characters

Define Patterns of „Illegal Passwords“   
Password exception table USR40:   
Use values that are not excluded by profile parameters for password complexitiy (don’t create a dictionary!)  
Use wildcards '*' and '?'  

 

Related Links:

https://sec.hpi.de/ilc/search?lang=en Hasso-Plattner-Institut, Identity Leak Checker

https://launchpad.support.sap.com/#/notes/1458262 1458262 - ABAP: recommended settings for password hash algorithms

https://launchpad.support.sap.com/#/notes/2467 2467 - Password rules and preventing incorrect logons

https://help.sap.com/saphelp_nw73/helpdata/EN/4a/c3f18f8c352470e10000000a42189c/frameset.htm Profile Parameters for Logon and Password (Login Parameters)

https://launchpad.support.sap.com/#/notes/1484692 1484692 - Protect read access to password hash value tables

https://launchpad.support.sap.com/#/notes/1237762 1237762 - ABAP systems: Protection against password hash attacks

https://launchpad.support.sap.com/#/notes/1458262 1458262 - ABAP: recommended settings for password hash algorithms

5 Comments
Labels in this area