SAP Note 862989 – New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)
Summary
Symptom
You would like an overview of the improvements and changes in password rules or logon procedures that are delivered with SAP NetWeaver 2004s (SAP NetWeaver Application Server ABAP 7.0, referred to as “SAP NW AS ABAP 7.0” below).
More Terms
login/min_password_lowercase,
login/min_password_uppercase,
login/password_max_idle_productive,
login/password_max_idle_initial,
login/password_history_size,
login/password_change_waittime,
login/password_downwards_compatibility,
login/password_compliance_to_current_policy
Cause and Prerequisites
Some customers have higher security requirements.
Solution
This is an overview of improvements and changes delivered as of SAP NW AS ABAP 7.0.
Improvements
o Passwords: Differentiation between upper and lowercase; maximum length increased from 8 to 40 characters
The system distinguishes between upper and lower case in newly assigned passwords; in addition, passwords can now consist of up to 40 characters (up until now, only a maximum of eight characters was permitted). In Unicode systems, you can use Unicode characters in passwords.
In newly installed systems, this applies immediately to all users; for systems that have been upgraded to SAP NW AS ABAP 7.0 from an earlier release, we have ensured that all users can continue to log on using their old password.
The password hash procedure (code version) that was used to save the (reference) password is saved in the user master record. The system checks this information during a password check. When an older password hash procedure was used (this applies to reference passwords that were assigned before the upgrade), the first eight characters of the logon password are converted to uppercase letters. The remaining 32 characters must be blank characters. If the reference password was saved using a newer password hash procedure (this applies to passwords that were assigned after the upgrade or installation), the system analyzes the whole password without conversion to uppercase letters.
For more details, see Note 1023437.
Relevant (new) profile parameters:
– login/min_password_lowercase
– login/min_password_uppercase
– login/password_downwards_compatibility
o Password history: Size can now be defined as required (previously: always 5)
The passwords that the user has assigned in the course of a password change are stored in the password history (passwords set by the user administrator are not stored in the password history).
The system prevents the user from reusing previously used passwords. The password history used to be limited to five entries; you can now define the size of the password history using a profile parameter (login/password_history_size) (maximum value: 100 entries).
o Lock period for password change can be selected (it used to be limited to one day)
To prevent the password history from being bypassed, a user may only change his or her password again after the lock period has expired (exception: the user is prompted to change the password by the system). You can now select this lock period using the profile parameter login/password_change_waittime (maximum value: 1000 days).
o (Advance) password change with stricter password rules
You can now set the system to only prompt those users whose current password no longer satisfies the current (stricter) password rules to change their password (in advance). To do this, set the profile parameter login/password_compliance_to_current_policy = 1.
o Validity period of unused passwords can be restricted
Passwords that are not used by the authorized user are a security risk. For this reason, you are now able to restrict the validity period of these passwords; here, the system distinguishes between initial passwords (that is, passwords that are assigned by the user administrator and that are to be changed by the user at the next opportunity) and non-initial passwords (that is, passwords that have been set by the user). (Technical) users of the SERVICE and SYSTEM type are exempt from this regulation.
Relevant (new) profile parameters:
– login/password_max_idle_initial
You can use this parameter to determine the maximum time between the (re)setting of the password and the next logon with the initial password. As soon as this period has expired, the system displays the message “Initial password has expired” and refuses the password logon. However, you can still log on using SSO.
– login/password_max_idle_productive
You can use this parameter to determine the maximum time between two password logons. As soon as this period has expired, the system displays a message stating that the password has not been used for a period of time and was therefore deactivated, and the system refuses the password logon. However, you can still log on using SSO.
(The delivered RZ11 documentation is incorrect.)
Changes
o Logon: Compromising error messages are avoided
If you attempt to log on using incorrect logon data, the system now only issues the generic error message “Name or password is incorrect” as a rule; further reasons for failed logons (for example, locked user accounts, user account is outside validity period, and so on) are only given in detail if valid logon data has been received. Error scenarios in which the system could not check the logon data, or where no further check is allowed are the exceptions to this rule:
– “User has no password – logon using password is not possible”
– “Password logon no longer possible – too many failed attempts”
o The default values of certain profile parameters that are relevant to security have been changed:
– login/failed_user_auto_unlock : 0 (instead of 1)
Locks for failed logon attempts remain valid for an unlimited period.
– login/fails_to_user_lock : 5 (instead of 12)
The lock for failed logon attempts is set after five failed password logon attempts.
– login/no_automatic_user_sapstar : 1 (instead of 0)
The emergency user must be activated explicitly.
– login/min_password_lng : 6 (instead of 3)
Passwords must consist of at least six characters.
– login/ticket_expiration_time : 8 (instead of 60)
Logon tickets are only valid for eight hours.
o The profile parameters login/password_max_new_valid and login/password_max_reset_valid have been replaced by the profile parameter login/password_max_idle_initial, which means that the system no longer distinguishes between the first and the subsequent setting of a password by the user administrator regarding the restriction of the validity of the resulting initial passwords.
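As an added example (not SAP code), the script below parses a constructed instance-profile fragment and flags login/* values that are looser than the new 7.0 defaults listed above; the check on login/password_downwards_compatibility = 0 is an assumption, since the note names the parameter but not its values.

```python
import re

# New 7.0 default values from the note, applied when the profile leaves a parameter unset.
NW70_DEFAULTS = {
    "login/failed_user_auto_unlock": "0",
    "login/fails_to_user_lock": "5",
    "login/no_automatic_user_sapstar": "1",
    "login/min_password_lng": "6",
    "login/ticket_expiration_time": "8",
}

# A value is acceptable if it is at least as strict as the new default.
# The last entry is an assumption (0 = old-style password checks not accepted);
# the note gives no default for it, so it is only checked when explicitly set.
CHECKS = {
    "login/failed_user_auto_unlock": (lambda v: v == "0", "0: failed-logon locks never expire"),
    "login/fails_to_user_lock": (lambda v: int(v) <= 5, "<= 5 failed attempts"),
    "login/no_automatic_user_sapstar": (lambda v: v == "1", "1: SAP* must be activated explicitly"),
    "login/min_password_lng": (lambda v: int(v) >= 6, ">= 6 characters"),
    "login/ticket_expiration_time": (lambda v: float(v) <= 8, "<= 8 hours"),
    "login/password_downwards_compatibility": (lambda v: v == "0", "0 (assumed hardened value)"),
}

_PARAM = re.compile(r"^\s*([\w/]+)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Parse 'name = value' lines; anything after '#' is treated as a comment."""
    params = {}
    for raw in text.splitlines():
        m = _PARAM.match(raw.split("#", 1)[0])
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit(params):
    """Return [(parameter, effective value, expectation)] for every weak setting."""
    findings = []
    for name, (ok, expectation) in CHECKS.items():
        value = params.get(name, NW70_DEFAULTS.get(name))
        if value is not None and not ok(value):
            findings.append((name, value, expectation))
    return findings

# Constructed profile fragment: an upgraded system that kept pre-7.0 values.
PROFILE = """\
# DEV instance profile (constructed sample)
login/fails_to_user_lock = 12
login/failed_user_auto_unlock = 1
login/min_password_lng = 8
login/password_downwards_compatibility = 1
"""

if __name__ == "__main__":
    for name, value, expectation in audit(parse_profile(PROFILE)):
        print(f"WEAK {name} = {value} (expected {expectation})")
```

Parameters missing from the fragment are evaluated with the note's new default, so only settings an upgrade carried over from the old defaults are reported.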
Author: SAP权限管理 (SAP Authorization Management) QQ: 2651000673 Tel: 13007521773