Security checks in the SAP EarlyWatch Alert

Updated May 18, 2018

The SAP EarlyWatch Alert report contains selected checks about "Security". These checks are described in this note.

    1. SAP Security Notes: ABAP and Kernel Software Corrections

    2. Default Passwords of Standard Users

    3. Control of the Automatic Login User SAP*

    4. Password Policy

        a) Password Complexity

        b) Validity of Initial Passwords

    5. Gateway and Message Server Security

        a) Kernel Patch Level

        b) Gateway Security

        c) Message Server Security

    6. Users with Critical Authorization

        a) Super User Accounts

        b) Users Authorized to Display all Tables

        c) Users Authorized to start all Reports

        d) Users Authorized to Debug / Replace

        e) Users Authorized to Display Other Users Spool Request

        f) Users Authorized to Administer RFC Connections

        g) Users Authorized to Reset/Change User Passwords


The individual checks are described here:

SAP Security Notes: ABAP and Kernel Software Corrections

  • In this section, a check will determine whether or not selected and required security-relevant notes or HotNews have been implemented in the system.
  • A note or a HotNews is no longer required if your system release or Support Package level already contains the correction.
  • If the check determines that required security-relevant notes or HotNews have not been implemented, you are informed of this by an overall status in the SAP EarlyWatch Alert report. The unit receives a "yellow" rating if at least one security-relevant SAP note needs to be implemented. The rating is "red" if at least one security-relevant HotNews needs to be implemented. In both cases, a corresponding alarm message is entered in unit 1 "Service Summary" of the SAP EarlyWatch Alert report.
  • An administrator uses the tool RSECNOTE to create the detailed evaluation of the required security-relevant notes or HotNews in the system to be analyzed.
    You can use this tool to manually accept recommendations for notes or HotNews. The number of recommendations accepted manually is reported in the SAP EarlyWatch Alert report.
    If the tool RSECNOTE and the check routines contained inside it do not yet exist in the system to be analyzed, the SAP EarlyWatch Alert report informs you of this. The correction instructions that you can use to create this tool and the documentation for the tool are contained in Note 888889.
  • If the tool RSECNOTE and the check routines contained inside it do not yet exist in the system to be analyzed, only Notes 1167258, 1168813, 1298160 and 1304803 are checked to see whether they are required and need to be implemented.
  • The set of checked notes or HotNews is maintained online by SAP. During a check, the system loads the list automatically using the service connection to SAPNet. In background processing, this update takes place only if the last update was more than a week ago; in dialog execution, the update takes place daily. In addition, you can update the definitions manually in the tool RSECNOTE -> Menu -> List -> Refresh from SAPNet.
  • You can use the Note Assistant (transaction SNOTE) to implement the correction instructions. You can find additional information about the Note Assistant on the SAP Service Marketplace under the alias /NOTE-ASSISTENT (https://service.sap.com/note-assistant).
  • There is an overview of security-relevant notes or HotNews on the SAP Service Marketplace under the alias /SECURITYNOTES (https://service.sap.com/securitynotes). You can find out which security-relevant notes and HotNews are checked for this EarlyWatch Alert section from the tables on the SAP Service Marketplace and from the list of related notes for Note 888889.

Default Passwords of Standard Users

  • A check determines whether the delivered passwords of the standard users SAP*, DDIC, SAPCPIC, EARLYWATCH, and TMSADM have been changed in all clients, and whether the user SAP* is missing in any client.
  • You can use the report RSUSR003 to display the results of this check in detail.
  • You can find additional information in the unit "Protecting Standard Users" (http://help.sap.com/saphelp_nw70/helpdata/EN/3e/cdaccbedc411d3a6510000e835363f/frameset.htm) in the "SAP NetWeaver Application Server Security Guide" and in SAP Notes 1414256 and 1552894.
  • A very critical ("red") rating occurs if one of the following criteria is met:

    1. The SAP* user does not exist in at least one client and the profile parameter login/no_automatic_user_sapstar is set to 0 on at least one application server (also see the check "Control of the Automatic Login User SAP*").

    2. For at least one of the SAP* or DDIC users, the default password was not changed in at least one client.
  • If a very critical rating does not apply, a critical ("yellow") rating occurs if one of the following criteria is met:

    1. The SAP* user does not exist in at least one client and the profile parameter login/no_automatic_user_sapstar is set to 1 on all application servers.

    2. For at least one of the SAPCPIC, EARLYWATCH, or TMSADM users, the default password was not changed in at least one client.

    3. The user TMSADM exists in a client that is not client 000.

Control of the Automatic Login User SAP*

  • This check may result in a "yellow" rating if the profile parameter login/no_automatic_user_sapstar is set to 0 on at least one application server.
  • For additional information with regard to this subject, refer to SAP Note 68048.
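The red/yellow criteria of the "Default Passwords of Standard Users" check and the rule of the "Control of the Automatic Login User SAP*" check, written out as an added Python example (not code from the SAP note or from RSUSR003). The per-client findings and the per-server values of login/no_automatic_user_sapstar are constructed sample data; "green" is used here for "no finding", a label the note itself does not name.

```python
# Added example (not from the SAP note): rates the "Default Passwords of
# Standard Users" and "Control of the Automatic Login User SAP*" checks from
# constructed input. "green" stands for "no finding"; the note itself only
# names the "red" and "yellow" ratings.
from dataclasses import dataclass

STANDARD_USERS = ("SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM")
VERY_CRITICAL = {"SAP*", "DDIC"}                 # default password unchanged -> red
CRITICAL = {"SAPCPIC", "EARLYWATCH", "TMSADM"}   # default password unchanged -> yellow


@dataclass
class ClientFinding:
    client: str
    existing_users: set          # standard users that exist in this client
    default_password_users: set  # standard users still on their default password


def rate_sapstar_control(sapstar_param_by_server):
    """'Control of the Automatic Login User SAP*': yellow if
    login/no_automatic_user_sapstar is 0 on at least one application server."""
    if any(value == 0 for value in sapstar_param_by_server.values()):
        return "yellow"
    return "green"


def rate_default_passwords(clients, sapstar_param_by_server):
    """Apply the note's red and yellow criteria in order; the first match wins."""
    sapstar_missing = any("SAP*" not in c.existing_users for c in clients)
    param_values = list(sapstar_param_by_server.values())

    # Very critical ("red") criteria
    if sapstar_missing and any(v == 0 for v in param_values):
        return "red"
    if any(c.default_password_users & VERY_CRITICAL for c in clients):
        return "red"

    # Critical ("yellow") criteria
    if sapstar_missing and all(v == 1 for v in param_values):
        return "yellow"
    if any(c.default_password_users & CRITICAL for c in clients):
        return "yellow"
    if any("TMSADM" in c.existing_users and c.client != "000" for c in clients):
        return "yellow"
    return "green"


# Constructed sample findings, not output of RSUSR003
SAMPLE_CLIENTS = [
    ClientFinding("000", set(STANDARD_USERS), set()),
    ClientFinding("100", {"DDIC", "SAPCPIC", "EARLYWATCH"}, {"EARLYWATCH"}),  # SAP* missing
]

if __name__ == "__main__":
    print(rate_default_passwords(SAMPLE_CLIENTS, {"app1": 1, "app2": 0}))  # red
    print(rate_default_passwords(SAMPLE_CLIENTS, {"app1": 1, "app2": 1}))  # yellow
    print(rate_sapstar_control({"app1": 1, "app2": 0}))                    # yellow
```

The criteria are evaluated top-down so that a very critical finding always wins over a critical one, which matches the note's "if a very critical rating does not apply" wording.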

Password Policy

This section contains checks with regard to the complexity of the passwords and the validity of initial passwords.

  • Password Complexity

    The profile parameter login/min_password_lng determines the length of the password. If a password length of less than six characters is possible, then this check is rated as "red"; "yellow" is assigned when the length is under eight characters.
    If the rating of the minimum length of the password is red or yellow, the values of the profile parameters login/min_password_digits, login/min_password_letters, login/min_password_lowercase (as of SAP NetWeaver 7.00), login/min_password_uppercase (as of SAP NetWeaver 7.00), and login/min_password_specials are also specified for systems with release 6.10 or higher. At least three different character categories should be used.
  • Validity of Initial Passwords

    The validity of initial passwords is determined by the profile parameters login/password_max_idle_initial (as of SAP NetWeaver 6.40) and login/password_max_reset_valid (as of SAP NetWeaver 7.00 and 6.20 - 6.40). If an initial password can be used without time restrictions, a "red" rating is received. If the validity is defined as more than 14 days, a "yellow" rating is received.

    For more information, refer to SAP Note 862989 and the online help under http://help.sap.com/saphelp_nw70/helpdata/en/22/41c43ac23cef2fe10000000a114084/frameset.htm (Profile Parameters for Logon and Password (Login Parameters)).
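The "Password Policy" rating rules written out as an added Python example (not code from the SAP note). The parameter values are constructed; two points are assumptions of this example rather than statements of the note: a value of 0 for login/password_max_idle_initial or login/password_max_reset_valid is treated as "no time restriction", and the two validity parameters are rated with the same rule with the worse result kept. "green" stands for "no finding".

```python
# Added example (not from the SAP note): rates the "Password Policy" checks
# from a dictionary of profile parameter values. Assumptions: 0 for the two
# validity parameters means "no time restriction"; both validity parameters
# are rated with the same rule and the worse result is kept; "green" means
# "no finding".
RANK = {"green": 0, "yellow": 1, "red": 2}

CATEGORY_PARAMS = (
    "login/min_password_digits",
    "login/min_password_letters",
    "login/min_password_lowercase",   # as of SAP NetWeaver 7.00
    "login/min_password_uppercase",   # as of SAP NetWeaver 7.00
    "login/min_password_specials",
)


def worst(*ratings):
    """The most severe of several ratings."""
    return max(ratings, key=RANK.__getitem__)


def rate_min_password_length(min_len):
    """login/min_password_lng: below 6 -> red, below 8 -> yellow."""
    if min_len < 6:
        return "red"
    if min_len < 8:
        return "yellow"
    return "green"


def enforced_character_categories(params):
    """Number of character categories with a minimum greater than 0;
    the note recommends at least three."""
    return sum(1 for p in CATEGORY_PARAMS if params.get(p, 0) > 0)


def rate_initial_password_validity(days):
    """0 (assumed: unlimited) -> red, more than 14 days -> yellow."""
    if days == 0:
        return "red"
    if days > 14:
        return "yellow"
    return "green"


def rate_password_policy(params):
    """Return (overall rating, details) for a profile parameter dictionary."""
    length_rating = rate_min_password_length(params["login/min_password_lng"])
    details = {"min_password_lng": length_rating}
    if length_rating != "green":
        # The note lists the category parameters only when the length is rated;
        # the count shows whether at least three categories are enforced.
        details["character_categories"] = enforced_character_categories(params)
    validity = "green"
    for p in ("login/password_max_idle_initial", "login/password_max_reset_valid"):
        if p in params:
            validity = worst(validity, rate_initial_password_validity(params[p]))
    details["initial_password_validity"] = validity
    return worst(length_rating, validity), details


# Constructed parameter sets, not values from any real system
WEAK = {"login/min_password_lng": 5, "login/min_password_digits": 1,
        "login/password_max_idle_initial": 0}
HARDENED = {"login/min_password_lng": 8, "login/min_password_digits": 1,
            "login/min_password_letters": 1, "login/min_password_specials": 1,
            "login/password_max_idle_initial": 14, "login/password_max_reset_valid": 7}

if __name__ == "__main__":
    print(rate_password_policy(WEAK))      # ('red', ...)
    print(rate_password_policy(HARDENED))  # ('green', ...)
```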

Gateway and Message Server Security

  • Kernel Patch Level

    Some security-relevant functions can be used only as of a specific kernel patch level. This check specifies the minimum version and recommends using the most current kernel. The highest possible rating of this check is "yellow". Refer to SAP Note 1298433 for additional information.
  • Gateway Security

    In this section, the profile parameters gw/reg_no_conn_info, gw/acl_mode, gw/sec_info, and gw/reg_info are checked. The highest possible rating of this section is yellow. For additional information, refer to SAP Notes 1444282, 1480644, and 1425765.

  • Message Server Security

    In this section, the profile parameters rdisp/msserv, rdisp/msserv_internal, ms/monitor, and ms/admin_port are checked. The highest possible rating of this section is yellow. For more information, refer to SAP Note 821875.

Users with Critical Authorization

  • The checks in this section analyze how extensively critical authorizations are assigned in the system. Examples of critical authorizations from the areas "System administration", "User management" and "Access to sensitive data" are checked.
  • However, a complete security analysis of the system is not carried out. If you want an extensive and configurable analysis, carry out the Security Optimization self-service. You can find more information about this on the SAP Service Marketplace under the alias /SOS (https://service.sap.com/sos).
  • Note that these checks include all users who were assigned the SAP_ALL profile (even though those users are also listed in the separate "Super User Accounts" section), because they also hold the critical authorization being checked.
  • The check is considered critical if a large number of users in one client have the checked authorization.

    The check is critical for a client if:

    1. More than 75 users of the client have the checked authorization.

    2. More than 10% of the users (but at least 11) of the client have the checked authorization.

    If fewer than 11 users have the authorization, the check is rated as uncritical for that client.

    If the check is critical in at least one client (except 000 and 066), the check receives a "yellow" rating. A "red" rating is usually not assigned.
  • The check "Super User Accounts" (users with the profile "SAP_ALL") deviates from the rating rule described above.
  • Since this authorization is particularly critical and should usually not be assigned, a "yellow" rating is set as soon as at least one such user is found. In addition, the clients 000 and 066 are included in the overall rating for this authorization.
  • Structure of the report for each check:

    The first section describes the assessment, including the possible effects and dangers of the critical authorization analyzed.

    A table with the columns "Client", "No. of Users Having This Authorization", "No. of Valid Users" and "Rating" displays the determined results.

    The "Client" column specifies the client that was checked. The "No. of Users Having This Authorization" column displays how many valid users of that client have the checked authorization. The "No. of Valid Users" column displays the number of all valid users of the client. Valid users are those that are neither locked nor invalid due to a time limit.
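The per-client rating rule (more than 75 holders, or more than 10% but at least 11), the exclusion of clients 000 and 066, the SAP_ALL exception, and the result table described above, applied to constructed counts as an added Python example (not code from the SAP note or from the EarlyWatch Alert itself). "green" is used here for "no finding", a label the note does not name.

```python
# Added example (not from the SAP note): applies the rating rule for the
# "Users with Critical Authorization" checks to constructed per-client counts
# and builds the result table described above. "green" means "no finding".
from dataclasses import dataclass

EXCLUDED_CLIENTS = {"000", "066"}   # ignored for the overall rating, except for SAP_ALL


@dataclass
class ClientRow:
    client: str
    users_with_auth: int   # valid users holding the checked authorization
    valid_users: int       # valid users: neither locked nor expired


def rate_client(users_with_auth, valid_users):
    """Per-client rule: fewer than 11 holders is always uncritical; otherwise
    critical if more than 75 holders or more than 10% of the valid users."""
    if users_with_auth < 11:
        return "uncritical"
    if users_with_auth > 75:
        return "critical"
    if users_with_auth > 0.10 * valid_users:
        return "critical"
    return "uncritical"


def rate_check(rows, super_user=False):
    """Overall rating of one check. For the "Super User Accounts" check
    (SAP_ALL) a single holder in any client, 000 and 066 included, is yellow."""
    if super_user:
        return "yellow" if any(r.users_with_auth >= 1 for r in rows) else "green"
    for r in rows:
        if r.client in EXCLUDED_CLIENTS:
            continue
        if rate_client(r.users_with_auth, r.valid_users) == "critical":
            return "yellow"
    return "green"


def result_table(rows):
    """Rows of the result table with the columns named in the note."""
    return [
        {"Client": r.client,
         "No. of Users Having This Authorization": r.users_with_auth,
         "No. of Valid Users": r.valid_users,
         "Rating": rate_client(r.users_with_auth, r.valid_users)}
        for r in rows
    ]


# Constructed counts, not data from a real system
SAMPLE = [
    ClientRow("000", 80, 500),   # critical, but client 000 is ignored overall
    ClientRow("100", 12, 100),   # 12% and at least 11 holders -> critical
    ClientRow("200", 12, 200),   # 6% -> uncritical
    ClientRow("300", 10, 50),    # fewer than 11 -> uncritical
]

if __name__ == "__main__":
    for row in result_table(SAMPLE):
        print(row)
    print(rate_check(SAMPLE))  # yellow, because of client 100
```

Client 000 in the sample shows why the per-client table and the overall rating differ: the row is marked "critical", but only client 100 drives the "yellow" result, whereas with `super_user=True` a single SAP_ALL holder in client 066 is enough.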

The most severe rating among the checks described above determines the overall rating of the unit "Security" in the SAP EarlyWatch Alert report.

