Tuesday, 25 June 2013

How To Protect Special Users In SAP

Default Passwords for Special Users

SAP*
  Description:      SAP NetWeaver AS system super user
  Client:           000, 001, all new clients
  Default password: Hard-coded password is PASS.

DDIC
  Description:      ABAP dictionary and software logistics super user
  Client:           000, 001
  Default password: Master password set during installation.

EARLYWATCH
  Description:      Dialog user for the Early Watch service in client 066
  Client:           066
  Default password: Master password set during installation.

SAPCPIC
  Description:      User for remote connections to legacy SAP systems (4.5)
  Client:           000, 001, all new clients
  Default password: ADMIN

TMSADM
  Description:      User for transport management system (TMS)
  Client:           000
  Default password: Master password set during installation.

Since the above users have standard names and passwords, you must secure them against unauthorized use by outsiders who know of their existence.

How to protect SAP*
It is not possible to delete the SAP* user. The suggested measure is to create a new super-user account with a complex password and deactivate the SAP* default account.
This is done by activating the profile parameter login/no_automatic_user_sap* or login/no_automatic_user_sapstar.
Even though the SAP* account is deactivated, the default password for this account must still be changed.

How to protect DDIC
The DDIC account cannot be deleted or deactivated either, so the best protection is to change its default password.

How to protect EARLYWATCH
The EARLYWATCH account is used specifically for the Early Watch service; its password must be changed and the account locked. Unlock it only when required, and re-lock it after use.

How to protect SAPCPIC
The SAPCPIC user can either be disabled or have its default password changed. Either method disables certain functionality, so this is an organization-specific decision: the functionality required determines which method is best.
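The controls described above can be checked mechanically. The following script is an added example, not part of the original post: it audits a set of user records and the SAP* profile parameter against the rules given for each special user. The input data is constructed for the example (in practice it would come from the instance profile and a standard-user password check such as report RSUSR003), and the UserStatus record and audit function are names chosen here.

```python
"""Audit SAP special users against the hardening rules in the post above."""
from dataclasses import dataclass

SPECIAL_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}


@dataclass(frozen=True)
class UserStatus:
    client: str
    name: str
    locked: bool
    default_password: bool  # True if the shipped default password still works


def audit(params: dict[str, str], users: list[UserStatus]) -> list[tuple[str, str, str]]:
    """Return one (client, user, finding) tuple per missing control."""
    findings = []
    # Deactivating SAP* is done through the profile parameter; anything other
    # than 1 leaves the hard-coded fallback login active in every client.
    if params.get("login/no_automatic_user_sapstar", "0") != "1":
        findings.append(("*", "SAP*", "login/no_automatic_user_sapstar is not set to 1"))
    for u in users:
        if u.name not in SPECIAL_USERS:
            continue
        if u.name == "SAPCPIC":
            # Either locking or a password change is acceptable; flag only when neither applies.
            if not u.locked and u.default_password:
                findings.append((u.client, u.name, "neither locked nor password changed"))
            continue
        if u.default_password:
            findings.append((u.client, u.name, "default password still set"))
        if u.name == "EARLYWATCH" and not u.locked:
            findings.append((u.client, u.name, "not locked between uses"))
    return findings


# Constructed sample data resembling a freshly installed system.
SAMPLE_PARAMS = {"login/no_automatic_user_sapstar": "0"}
SAMPLE_USERS = [
    UserStatus("000", "SAP*", locked=False, default_password=True),
    UserStatus("001", "SAP*", locked=True, default_password=False),
    UserStatus("000", "DDIC", locked=False, default_password=False),
    UserStatus("066", "EARLYWATCH", locked=False, default_password=False),
    UserStatus("000", "SAPCPIC", locked=False, default_password=True),
    UserStatus("001", "SAPCPIC", locked=True, default_password=True),
    UserStatus("000", "TMSADM", locked=False, default_password=True),
    UserStatus("100", "JDOE", locked=False, default_password=True),  # ordinary user, ignored
]

if __name__ == "__main__":
    for client, user, finding in audit(SAMPLE_PARAMS, SAMPLE_USERS):
        print(f"client {client:>3}  user {user:<10}  {finding}")
```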
