Logon And Password Security in SAP Systems
Sükrü Ilker BIRAKOĞLU
Managing Partner - CTO @ SAGESSE TECH / Securing SAP and other ERP Systems with state-of-the-art products and solutions
SAP is an integrated business system which supports the most critical business processes of a company and, in most cases, it is integrated with other business solutions. As a natural result, SAP Systems hold huge amounts of sensitive business data. These characteristics of SAP Systems make them a target for security breaches whose objective is to obtain access to sensitive information and to perform fraudulent activities.
Users can log on to SAP Systems via SAP GUI (Graphical User Interface) using Single Sign-On or a user/password combination. Password hashes are saved in the user master tables in the database of an SAP System. An intruder who has access to the password hashes can crack weak or generated passwords in particular, using dictionary or collision attack techniques.
The question here is how an intruder can bypass the access control mechanisms of SAP to obtain password hashes.
The first way to access password hashes in a production SAP System is to browse database tables using transaction SE16 especially if appropriate access controls to tables are not established. Access to sensitive password and business data can be prevented by assigning proper Authorization Groups to database tables. This is unfortunately not the case in many SAP implementations and too many users have access to database tables holding sensitive data. The password hashes can be displayed and downloaded using transaction SE16.
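The following is an added example written for this article; it is not code from SAGESSE TECH or from SAP. It shows the check a Basis or security team would run to see whether the tables holding password hashes are protected by a table authorization group and which roles can still display them through SE16. The table names (USR02, USH02, USRPWDHISTORY), the authorization object S_TABU_DIS with its fields DICBERCLS and ACTVT, and the group &NC& (SAP's group for tables with no explicit assignment) are real SAP names; the snapshot of table-to-group assignments and the role authorizations are constructed for the example, and a full check would also evaluate S_TABU_NAM, which grants access by table name rather than by group.

```python
"""Added example (not the article's or SAGESSE TECH's code): audit the authorization
groups that protect password-hash tables and list the roles able to display them."""

# Constructed snapshot of table -> authorization group (the kind of data SAP keeps
# in TDDAT). '&NC&' means the table was never assigned to a group.
TABLE_AUTH_GROUPS = {
    "USR02": "&NC&",          # constructed: hash table left unclassified
    "USH02": "SPWD",          # constructed: change history protected by group SPWD
    "USRPWDHISTORY": "SPWD",
    "MARA": "MA",             # ordinary material master data
}

# Tables that contain password hashes or hash history (real SAP table names).
SENSITIVE_TABLES = {"USR02", "USH02", "USRPWDHISTORY"}

# Constructed role authorizations for S_TABU_DIS. DICBERCLS is the table
# authorization group, ACTVT '03' is display. Only exact values and a trailing
# '*' wildcard are modelled here.
ROLE_AUTHS = {
    "Z_SUPPORT_WIDE": [{"DICBERCLS": "*", "ACTVT": "03"}],    # constructed: all groups
    "Z_MM_DISPLAY":   [{"DICBERCLS": "MA", "ACTVT": "03"}],   # constructed: material data only
    "Z_BASIS_NC":     [{"DICBERCLS": "&NC&", "ACTVT": "03"}], # constructed: unclassified tables
}


def _matches(pattern, value):
    """SAP-style match: '*' matches everything, 'AB*' matches a prefix, else exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def unclassified_sensitive_tables(table_groups, sensitive):
    """Sensitive tables that fall into &NC&, i.e. are reachable by anyone who may display &NC&."""
    return sorted(t for t in sensitive if table_groups.get(t, "&NC&") == "&NC&")


def roles_that_can_display(table, table_groups, role_auths):
    """Roles whose S_TABU_DIS authorizations allow display (ACTVT 03) of the table's group."""
    group = table_groups.get(table, "&NC&")
    hits = []
    for role, auths in role_auths.items():
        if any(_matches(a["DICBERCLS"], group) and _matches(a["ACTVT"], "03") for a in auths):
            hits.append(role)
    return sorted(hits)


def audit(table_groups=TABLE_AUTH_GROUPS, role_auths=ROLE_AUTHS, sensitive=SENSITIVE_TABLES):
    """Return, per sensitive table, the roles that can display it via SE16-style access."""
    return {t: roles_that_can_display(t, table_groups, role_auths) for t in sorted(sensitive)}


if __name__ == "__main__":
    for t in unclassified_sensitive_tables(TABLE_AUTH_GROUPS, SENSITIVE_TABLES):
        print(f"WARNING: {t} has no authorization group (falls into &NC&)")
    for table, roles in audit().items():
        print(f"{table}: displayable by {', '.join(roles) or 'no role'}")
```

Running the audit on the constructed data reports USR02 as unclassified and shows that both the wildcard support role and the &NC& role can display it, whereas USH02 is reachable only through the wildcard role; the remediation the article describes is to assign USR02 to a dedicated group such as SPWD and to remove wildcard DICBERCLS values from display roles.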
The ability to debug programs in production environments offers another way to obtain password hashes. Debug mode makes it possible to look at the values being processed and read password hashes from them. Executing a basic report, such as RSUSR200 (List of Users According to Logon Date and Password Change), which reads a table that contains user-related data, can be sufficient to obtain a hash in debug mode.
We can count many other ways of obtaining password hashes and sensitive business information, such as connecting to SAP Systems from external programs through RFC-enabled function modules or accessing the database of an SAP System directly using database connectors.
SAGESSE TECH, a global SAP Security / Oracle Security / ERP Security Tech Company, is providing an SAP PenTest Framework which checks for these kinds of vulnerabilities and much more in your SAP Systems. You can contact SAGESSE TECH (E-mail: [email protected] or [email protected]) if you would like to have a Vulnerability Scan and PenTest on your SAP Systems.
It is very important to catch accesses to critical database tables, execution of critical programs and debugging in production systems in real time, to correlate them with other security-related events, and to show alerts in an integrated SIEM (Security Information and Event Management) solution.
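As an added example, not part of the article and not SAGESSE TECH's product code, the following detection logic implements the monitoring described above: it raises an alert for each SE16 access to a hash table, each download of such a table, each activation of the debugger in a production system and each run of RSUSR200, and then correlates debugger activation with a following RSUSR200 run by the same user inside a ten-minute window. The log format (time|system|client|user|event|detail) and every sample line are constructed for this example; in practice the SAP Security Audit Log or a SIEM connector would be mapped onto these fields. The system ID PRD and the user names are placeholders.

```python
"""Added example (not from the article or SAGESSE TECH): alerting and correlation
rules for hash-table access, hash-revealing reports and debugging in production."""
from datetime import datetime, timedelta

SENSITIVE_TABLES = {"USR02", "USH02", "USRPWDHISTORY"}  # SAP tables holding password hashes
CRITICAL_REPORTS = {"RSUSR200"}                          # reads user master data; risky under debug
PRODUCTION_SYSTEMS = {"PRD"}                             # constructed system ID

# Constructed sample events: time|system|client|user|event|detail
SAMPLE_LOG = """\
2024-05-06T08:01:10|PRD|100|JSMITH|TX_START|SE16 table=MARA
2024-05-06T08:02:40|PRD|100|JSMITH|TX_START|SE16 table=USR02
2024-05-06T08:03:05|PRD|100|JSMITH|TABLE_DOWNLOAD|USR02 rows=1200
2024-05-06T09:10:00|PRD|100|MLEE|DEBUG_ON|-
2024-05-06T09:14:30|PRD|100|MLEE|REPORT_START|RSUSR200
2024-05-06T09:15:00|DEV|100|MLEE|DEBUG_ON|-
2024-05-06T11:00:00|PRD|100|AKUMAR|REPORT_START|RSUSR200
"""


def parse(text):
    """Split the constructed pipe-separated format into event dicts."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, system, client, user, event, detail = raw.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "system": system,
                       "client": client, "user": user, "event": event, "detail": detail})
    return events


def table_of(detail):
    """'SE16 table=USR02' -> 'USR02'; 'USR02 rows=1200' -> 'USR02'."""
    for token in detail.split():
        if token.startswith("table="):
            return token.split("=", 1)[1]
    return detail.split()[0] if detail.strip() else ""


def single_event_alerts(events):
    """One alert per critical event observed in a production system."""
    alerts = []
    for e in events:
        if e["system"] not in PRODUCTION_SYSTEMS:
            continue
        base = (e["ts"], e["system"], e["user"])
        if e["event"] == "TX_START" and e["detail"].startswith("SE16") \
                and table_of(e["detail"]) in SENSITIVE_TABLES:
            alerts.append(base + ("HIGH", f"SE16 on {table_of(e['detail'])}"))
        elif e["event"] == "TABLE_DOWNLOAD" and table_of(e["detail"]) in SENSITIVE_TABLES:
            alerts.append(base + ("CRITICAL", f"download of {table_of(e['detail'])}"))
        elif e["event"] == "DEBUG_ON":
            alerts.append(base + ("MEDIUM", "debugger activated in production"))
        elif e["event"] == "REPORT_START" and e["detail"] in CRITICAL_REPORTS:
            alerts.append(base + ("MEDIUM", f"{e['detail']} executed"))
    return alerts


def correlated_alerts(events, window=timedelta(minutes=10)):
    """Escalate when a user activates the debugger and then runs a critical report
    in the same production system within the window."""
    alerts = []
    last_debug = {}  # (system, user) -> time of most recent DEBUG_ON
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["system"] not in PRODUCTION_SYSTEMS:
            continue
        key = (e["system"], e["user"])
        if e["event"] == "DEBUG_ON":
            last_debug[key] = e["ts"]
        elif e["event"] == "REPORT_START" and e["detail"] in CRITICAL_REPORTS:
            started = last_debug.get(key)
            if started is not None and e["ts"] - started <= window:
                gap = int((e["ts"] - started).total_seconds())
                alerts.append((e["ts"], e["system"], e["user"], "CRITICAL",
                               f"{e['detail']} run {gap}s after debugger activation"))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in single_event_alerts(evs) + correlated_alerts(evs):
        print(" | ".join(str(x) for x in a))
```

On the constructed sample the single-event rules produce five alerts (the SE16 access to USR02 and its download by JSMITH, the production debugger activation and RSUSR200 run by MLEE, and the RSUSR200 run by AKUMAR), the DEBUG_ON in the DEV system is ignored, and only MLEE's sequence is escalated by the correlation rule, which is the kind of prioritisation a SIEM rule set should deliver so that the production debugging case is not lost among routine report executions.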