Daniel Berlin on Security

2013-05-05 Daniel Berlin

Sniffing SAP GUI passwords // Part 2

Hello and welcome (back)!

In my article about Sniffing SAP GUI passwords in Nov. 2012, I took a look at several state-of-the-art sniffing tools for capturing SAP GUI passwords.
One of those tools was a Wireshark plugin by Martin Gallo of CoreLabs — unfortunately, it refused to compile over and over again, which is why I never tested it… but meanwhile, Martin released an improved version.

Fortunately, I took the time to try it, because it turned out to be a real gem — a bit hard to obtain, but pretty useful once you got it. 😉

The nice part: Usage

In contrast to the other Wireshark plugin by Positive Research, this one does not only decompress but also dissect almost all parts of the traffic and shows the respective fields and values (below you can see a DDIC login with the password in plain text).
Another invaluable advantage is of course its availability as source code!

Sniffing the SAP DIAG protocol: Wireshark with CoreLabs plugin

The nasty part: Compilation

The following script does the trick, although you’ll probably want to adjust it to the build environment, the Wireshark version and your needs…
(It assumes to be run from the directory, where the plugin tarball is located.)

#!/bin/bash -ex
 
rm -rf wireshark
svn co http://anonsvn.wireshark.org/wireshark/trunk wireshark
 
mkdir wireshark/plugins/sap
tar -C wireshark/plugins/sap -xzf sap-wireshark-plugin-0.1.3.tar.gz
 
cd wireshark
./autogen.sh
 
cat plugins/sap/wireshark.patch | patch -p0
 
test -x /usr/bin/python2 && export PYTHON=/usr/bin/python2
./configure --prefix="$PWD" --disable-warnings-as-errors
 
make
make install
 
bin/wireshark

See you soon!

+++ End of article +++

+++ Begin of article +++

2013-03-28 Daniel Berlin

SAP security policies

Hi there.

This time I’d like to present a hot new SAP feature to you: Security Policies!
It is available starting from ERP 6.0 EHP6.

Effect

The system behavior regarding password rules and logon restrictions is controlled by profile parameters, e.g. “login/min_password_lng” for the minimum password length. These parameters are valid system-wide and could not be overridden by any means.
With the new security policies, it is now possible to define different sets of password rules, password change policies and logon restrictions and assign these policies to users.

This provides the flexibility to segregate users and assign an appropriate policy to each of those groups of users!
For instance, you can enforce strict rules on the global level (= profile parameters) and loosen them on user level via a security policy (e.g. increased validity period of unused initial password for users, who use SAP less frequently).

For users with a security policy assignment, the attributes defined therein ~~override~~ replace the profile parameters – for users without a SecPol the parameters stay relevant.

Creation

The administration of security policies can be performed via the new tcode SECPOL, which is secured by two brand-new authorization objects: S_SECPOL is checked during the maintenance of the policies themselves, while S_SECPOL_A is used to define the values that may be assigned to the security policy attributes.
First of all, let’s create a new policy:

… then mark it and switch to the attribute maintenance screen by double-clicking on “Attributes”.

Attributes

The following attributes are available:

Type	Security policy attribute	Corresponding profile parameter	Description
Password rules	CHECK_PASSWORD_BLACKLIST	( none )	Check the password blacklist
	MIN_PASSWORD_DIGITS	login/min_password_digits	Minimum number of digits
	MIN_PASSWORD_LENGTH	login/min_password_lng	Minimum password length
	MIN_PASSWORD_LETTERS	login/min_password_letters	Minimum number of letters
	MIN_PASSWORD_LOWERCASE	login/min_password_lowercase	Minimum number of lowercase letters
	MIN_PASSWORD_SPECIALS	login/min_password_specials	Minimum number of special characters
	MIN_PASSWORD_UPPERCASE	login/min_password_uppercase	Minimum number of uppercase letters
Password change policies	MIN_PASSWORD_CHANGE_WAITTIME	login/password_change_waittime	Minimum wait time for password change
	MIN_PASSWORD_DIFFERENCE	login/min_password_diff	No. of different characters when changing
	PASSWORD_CHANGE_FOR_SSO	login/password_change_for_SSO	Password change requirement for SSO logons
	PASSWORD_CHANGE_INTERVAL	login/password_expiration_time	Interval for regular password changes
	PASSWORD_COMPLIANCE_TO_CURRENT_POLICY	login/password_compliance_to_current_policy	Password change after rule tightening
	PASSWORD_HISTORY_SIZE	login/password_history_size	Size of the password history
Logon restrictions	DISABLE_PASSWORD_LOGON	login/disable_password_logon, login/password_logon_usergroup	Disable password logon
	DISABLE_TICKET_LOGON	( none )	Disable ticket logon
	MAX_FAILED_PASSWORD_LOGON_ATTEMPTS	login/fails_to_user_lock	Maximum number of failed attempts
	MAX_PASSWORD_IDLE_INITIAL	login/password_max_idle_initial	Validity of unused initial passwords
	MAX_PASSWORD_IDLE_PRODUCTIVE	login/password_max_idle_productive	Validity of unused productive passwords
	PASSWORD_LOCK_EXPIRATION	login/failed_user_auto_unlock	Automatic expiration of password lock

The button “Effective…” shows the relation of the policy values to the default ones (=, ≠ or not set), while the “Superfluous Entries” button identifies unnecessary entries (i.e. identical to the default ones).

Assignment

To assign the newly created security policy, just edit a user in SU01, switch to the “Logon Data” tab and enter the SecPol name in the “Security Policy” field:

Mass-assignments via SU10 are of course possible, too!

To be able to assign a SecPol, you’ll need the authorization object “S_SECPOL”, which behaves similar to S_USER_AGR – i.e. activity 22 (assign) and the policy’s name are checked.

If you want to select users by their security policy assignment, you can simply use the User Information System:

SUIM » User » by Logon Date and Password Change

Central user administration

The security policy ↔ user assignment is supported by the CUA and its distribution can be configured via SCUM as usual.

See you soon!

+++ End of article +++

+++ Begin of article +++

2013-02-23 Daniel Berlin

Cross-client SAP user listing

Hello!

You might be faced with the task to create a really comprehensive user listing for an SAP system with several productive clients – even including 000 and 066.

This is usually a boring task, as you have to log in to every client… gather the list… proceed to the next client… and so on…
Apart from dying of boredom, you might run into the problem of not having access to all clients (e.g. 066). 😕

Mediocre solution:

Write a report like this:

REPORT.
TABLES: usr02.
 
SELECT * FROM usr02 CLIENT SPECIFIED ORDER BY mandt.
  WRITE: / usr02-mandt, usr02-bname.
ENDSELECT.

Pro: Easy, simple, fast.
Con: Has to be transported, protected… and using “CLIENT SPECIFIED” is considered “bad code” by many companies! So you might get problems during transport.

Slick solution:

Use the report RSUVM005, which is intended for system measurement: it gives you a list of (almost!) all users on the clients you specify on the selection screen.
Still, the list is missing a few users, because SAP quite rightly considers them irrelevant for licensing — they are automatically filtered out by the report (or more specifically: by the function module SLIM_EXCLUDE_USER):

SAP client	Excluded user
000	DDIC
001	DDIC
066	EARLYWATCH
( all other clients )	ALEREMOTE
	SAPCPIC
	ITSLOGIN
	J2EE_ADMIN
	J2EE_GUEST
	SAP*
	SAPSUPPORT
	TMSADM
	WF-BATCH
	WFTEST

To get the comprehensive user listing, we just need a cross-client selection for those excluded user names in addition.
Fortunately, you can simply achieve this via tcode SM21 and (mis-)use the “User” field to check for the existence of the missing users on other clients.

Now you can compile the cross-client user listing from within one client… 😎

Bye!

+++ End of article +++