SAP password policy: how to manage it securely?

SAP password policy: how to manage it securely?


SAP system is a business automation software. Its modules reflect all the internal processes of the company: accounting, trade, production, finance, personnel management, etc. SAP consultants take part in projects for the implementation and maintenance of SAP modules.

Confidentiality is important in everything and SAP is no exception. Protect your SAP* password account, make secure access and then you can avoid many problems.

How to set requirements for SAP password? How to protect yourself from being hacked? What you need to know about SAP password policy? Learn all the essentials about SAP password policy and options to effectively manage it in this article.

SAP password policy

The SAP password policy can be managed through configuration. The password policy is installed and configured by default when a new sap database is created. The default configuration is already good enough to guarantee satisfactory password protection. SAP password policy settings can be changed to a different level of protection. However, some users will require a different alternative protection. Technical user passwords are the most vulnerable, as some restrictions are disabled to keep the entire system running.

What is the length of the SAP password?

By default, the minimum password length is 8 characters. It is defined as the maximum_password_length password policy setting. To apply a longer password, you can increase the minimum value to a higher value in the system settings.

How do I force the SAP user to change a weak password?

By default, a new user will have to change the password the first time they log in. If this is not the case, the administrator can update the user's connection setting so that he has to change his password the next time he logs on. This password update operation is available only once at the user level.

Password policy is set to: change password on first connection to database. This default can be changed to Disabled. In this case, by default, none of the users will be asked to change their password. It is not recommended to deactivate the default value. This means that someone will have to manage every existing password, which in turn creates forgotten password problems for all personal users. The person will most likely remember their own personal password. Why try to make things worse by giving each user a weird and different password to remember. As far as the Technical User is concerned, this is the other side of the issue. The password should remain as it was originally entered and should only be updated after a decision by the system administrator.

How to update SAP password expiration date?

The default SAP user password expiration date can be changed to more or less time. This is a global change for all users interested in this expiration option. To control the connection validity period for an individual user or group of users, refer to the connection validity period. The password expiration date does not apply to the predefined run time of the project.

Password expiration is set to 182 days by default in SYSTEMDB and client databases. The parameter value is the number of days. In a normal context, SYSTEMDB should not have a personal standard user. In SYSTEMDB, you can create a personal technical user with an administrator or backup profile. However, these users should not be restricted because of their high profile unless they were created for temporary access. The limitation will be at the level of the connection expiration date, not at the password level.

The SAP user's password expiration date is automatically reset to 182 days each time the password for a user is updated, unless the expiration date has been deactivated for that user.

How to keep SAP password safe?

There are a number of rules that must be followed to ensure the security of the SAP password. These rules will make it difficult for an attacker to obtain a valid password. What are the possible threats for SAP password?

Many employees keep their passwords in writing somewhere. This is not good, but it is a normal fact when there are too many user connections to remember and there is no automatic authentication. So it is recommended that you update your SAP password frequently in this case. A balance must now be struck between two limits: the number of previous passwords that cannot be reused, and the frequency with which the password is updated. Solution: SAP passwords need to be changed regularly, preferably with very different characters. The technical parameters considered are last_used_passwords and maximum_password_lifetime.

Personal SAP passwords are easier to crack than random (system generated) passwords. Someone's password will most likely contain a meaningful name with a date of birth that is easier to remember. The cracker learns the password very quickly. Solution: Use special characters, lowercase, uppercase and numeric values ​​in the password content, but also increase the minimum password length. The technical parameters considered are password_layout and Minimal_password_length.

Technical threat to users - Users are at great risk if some password restrictions are disabled by an administrator. Only provide passwords to administrators. Make sure the custom key is in place. Solution: Strong password mock and password update schedule with a procedure that covers all possible scenarios. Technical parameters considered: password_layout.

How to stop too many SAP connection attempts?

Too many connection attempts will block the user's default password. This can be painful in some cases. Technical users can also suffer the consequences. Any work will fail due to blocked technical user. You need to contact your database administrator to unblock your account. This is an ideal function against unauthorized access. The default value for this parameter is 6.

Important note: UPDATING the value of the maximum_invalid_connect_attempts parameter will NOT unlock the user.

SAP password policy settings with M_PASSWORD_POLICY

While the SAP tool is very handy, SQL queries have some advantages when it comes to retrieving sap password policy values. In addition to the fact that the result is obtained without the danger of mistakenly changing the values, the values ​​of the results of an SQL query can also be used as part of a script or program.

How do you make a strong password and work out your security policy?

To create a strong sap password policy, you need to spend time creating your own password security settings. The default SAP password policy is already a good starting point from which you can tweak the security settings as per your requirements. The security concerns are likely to be different depending on whether it is a database development environment or a production system.

Basically, you need to think a little more than what the standard SAP password policy suggests. For example, technical users require a strong password. You don't want your password to expire for any valuable tech users. At one stage, this would mean problems for batch processing and backups. It is possible to stop the password expiration. This is great, yes, but security is not complete on the basis that someone ever finds out about the password. Thus, the user's technical password still needs to be updated to maintain a high level of security. This is not a simple update operation. This should be planned to cover scenarios and programs using technical users. The password should not be hardcoded in any script, but the user's connection key should be readily available at all times. Therefore, all relevant keys will need to be restored with a new password and the connection verified.

Here are some of the security aspects you might want to look at for your company's requirements:

First of all, for any new and old personal users, you will want them to personalize their passwords. Force users to change their password the next time they connect. It's easier than giving each person different passwords and managing them all once at a certain time.

Make sure that the old password cannot be reused for any user when entering a new password. By default, these are the last 5 passwords. You can change the limit value according to your security requirements.

Set the password expiration date to a specific number of days. By default, all users are set to 182 days, but nothing prevents the administrator from setting a different date for the parameter. This limitation must be disabled for technical users. For these users, password updates will be scheduled to meet business requirements, but should not be disabled by default after a specific date.

Set the minimum password length. The default is 8 characters. Cracking a long password will take longer than cracking a short one. So increase the minimum character count if password security is indeed an issue. However, keep in mind that regular users may find it annoying to enter a long password each time they log in.

Set the required password complexity. A complex password structure is also more difficult to crack than a standard common word or name. Using a standard is fine, but changing the default can make it difficult to guess passwords and make it difficult for any clever program to find the meaning. So if you want to make your passwords more secure, here's a guideline:

  • Increase the minimum password length to 10 characters.
  • Add special characters such as underscore to be part of password values.
  • Lock personal user accounts after 5 consecutive login attempts.
  • Have a technical user management procedure with the following criteria: Change the technical user password regularly while updating the user store key. Make sure all connections are valid for batch and backup.

How do I update SAP password policy settings?

There are several ways to update the SAP password policy. The easiest way is to use tools like HANA studio or SAP cockpit. It is safe and an error will be detected as you type. On the other hand, it is easy to get it wrong and the policy will differ from one SAP database to another.

You can also use the SQL command. Using SQL script ensures that the same password policy is strictly enforced for every SAP client database.

Frequently Asked Questions

When is SAP service user password expiration?
The default password expiration is set to 182 days in SYSTEMDB and client databases. You can change the default password expiration time to a longer or shorter time. This is a global change for all users interested in this expiration option.
How can SAP password policies be aligned with industry-standard cybersecurity practices?
Aligning SAP password policies with cybersecurity practices involves implementing complex password requirements, regular changes, and multi-factor authentication.



Comments (0)

Leave a comment