SAP Security Challenge – January 2018
Welcome to the SAP Security Challenge by Xiting. How much do you know about SAP Security? Do you know what you don’t know? To help you identify those areas, Xiting has launched the SAP Security Challenge with a monthly quiz to test your knowledge. Stay tuned and follow our blog to broaden your skillset.
We will publish a new quiz every first of the month, consisting of ten (10) questions. Participants can submit their answers anytime between the first and last day of the month. The winner will be announced on the first day of the following month via newsletter and on our blog.
In December’s challenge, we had 173 (256 in November) participants and an overall average of 5.86 (6.4 in November) correct answers. In total, 6 participants were able to answer all questions correctly and entered the draw to win the price.
We are very happy to announce that Dinesh K. is the SAP Security Champion of December 2017. Dinesh answered all 10 questions correctly and wins the free ticket to the GRC Conference in Las Vegas. Congratulations, Dinesh. See you in Vegas.
Answers from Decembers’ Challenge
What is the default password of SAP Standard User DDIC?
The default password for standard user DDIC is 19920706. The standard user SAP* has 06071992 as default password in client 000/001/066, and PASS in any new client. These user IDs should be changed to prevent unwanted users from logging in with full authority. SAP* can be disabled; however, DDIC is needed for the system so it is important to change this password to a secure one.
A strict SAP Security Concept is required for which systems?
It is very important to implement a strict SAP Security concept for all systems. All of the SAP systems talk to each other using RFC interfaces and the weakest system in the chain is the most vulnerable. Therefore, it is very important to implement security measures also in development, test, and quality systems. As well as in non-productive clients like client 000 or 066 (Early Watch), as even these clients allow you to alter your production environment.
In PFCG, what does an authorization with a status of “Changed” mean?
The “Changed” status in PFCG shows the standard values proposed by SU24 that have been changed in the authorizations. This is the best-practice approach to updated authorizations in PFCG.
Approximately how many authorization objects are available in the current SAP NetWeaver 7.50 with ERP Enhancement Package 8?
The current SAP NetWeaver 7.50 with ERP Enhancement Package 8 has more than 3’700 authorization objects that can be authorized to users.
Since 2010, the SAP Security Patch Day is on the second __________ every month.
Security Patch Day is on the second Tuesday a month since 2010. It is very important to keep up with the security patches as the vulnerabilities are publicly known.
Which transaction can be used to maintain authorization groups?
To create table authorization groups you can use transaction SE54 and select ‘Authorization Groups’> Create/Change >New Entries.
What does table authorization group &NC& protect?
&NC& protects tables that are not assigned to an authorization group. When a user has access to standard table display/maintenance transactions (SM34, SM31, SM30, SE16, SE16N, SE11, SE17, etc), the system will make an authority-check against ‘&NC&’. If the table has not been assigned to a table group (S_TABU_DIS authorization group), then &NC& will be checked. Hence authorizing &NC& gives access to a large number of tables in an SAP system. It is not as powerful as *, however, protecting it properly is necessary.
How does S_TABU_NAM work?
With S_TABU_NAM, the system checks the view names or table names directly, so that an exact authorization check is possible. In the function module VIEW_AUTHORITY_CHECK, the system checks S_TABU_NAM only if the authorization check on S_TABU_DIS was unsuccessful.
In SU24, what does column TSTCA tell you about a transaction?
TSTCA is the table which tells you the minimum access required in order to view initial screen of the transaction. The authorization required is configured in transaction SE93. In SU24, the column “TSTCA” indicates which value is configured in SE93.
Which recommended value shall be set for profile parameter login/password_downwards_compatibility?
Passwords are stored in different tables within an SAP system. These include USR02, USH02, USH02_ARC_TMP, USRPWDHISTORY, VUSER001, VUSR02_PWD, etc. Protecting these tables is necessary. In addition, it is recommended to set parameter login/password_downwards_compatibility to 0. This restricts that passwords are downward compatible and forces the use of an iterated salted SHA1-hash (field PWDSALTEDHAS in table usr02). “Old” encryption methods can no longer be used (field BCODE: MD5, field PASSCODE: SHA1). Delete old password hashes via report CLEANUP_PASSWORD_HASH_VALUES.
We wish you the best of luck in January’s challenge.