SAP Security Summary

SAP Introduction

SAP stands for Systeme, Anwendungen, Produkte in der Datenverarbeitung, which loosely translates to Systems, Applications, and Products in Data Processing. SAP is a collection of software for nearly all business applications in medium and large sized companies.

SAP AG is the leading supplier of SAP solutions. It distributes two main SAP product groups, SAP R/2 and SAP R/3.

SAP R/2 and R/3

SAP R/2 was the first compact software package for the whole spectrum of business applications from the SAP corporation. SAP R/2 runs on mainframes, especially IBM, BS2000 (Siemens machines) or Amdahl.

SAP R/3 is the continuation of R/2 on client/server and distributed open systems. SAP R/3 was designed for open systems, e.g. UNIX. SAP R/3 is now based on various hardware and software architectures: it runs on most types of UNIX, on Windows NT and on OS/400, and even experimental versions on mainframes (open MVS) exist. It runs on uni-processors, scales very well on SMP systems and also runs on MPP architectures. R/3 runs on a variety of databases: Oracle, Informix Online, ADABAS-D, DB2 for UNIX, DB2/400, Microsoft SQL Server 6 and, in an experimental version, DB2 for MVS.

SAP R/3 modules include:

AM - Asset Management (Anlagenwirtschaft)
CO - Controlling (Controlling)
FI - Financial Accounting (Finanzwesen)
HR - Human Resources (Personalwesen)
IS - Industry Specific Solutions (Industriespezifische Loesungen)
PM - Plant Maintenance (Instandhaltung)
PP - Production Planning (Produktionsplanung)
PS - Project System (Projektsystem)
QM - Quality Management (Qualitaetssicherung)
SD - Sales and Distribution (Verkauf/Versand/Fakturierung)
MM - Materials Management (Materialwirtschaft)
WF - Business WorkFlow

Central to all these modules is BC - Basis.

SAP R/3 Installation Issues

SAP R/3 creates default accounts when installed, including:

SAP*

SAP* is the default superuser account and is created with the initial password of 06071992.

DDIC

DDIC is the default maintenance account and has the initial password of 19920706. DDIC is allowed special privileges for certain operations including code execution. DDIC is the only user that can log in during a system upgrade.

The default system profile parameters include:

Login/fails_to_session_end=3

Defines the number of times a user can enter an incorrect password before the system terminates the session.

Login/fails_to_user_lock=12

Defines the number of times a user can enter an incorrect password before the account is locked. The lock is released at midnight.

Login/failed_user_auto_unlock=1

Defines whether a locked-out user should remain locked. By default (1) users are unlocked at midnight; if set to 0 the user remains locked.

Login/ext_security

Allows for the definition of additional security tools such as Kerberos or Secude for system access. If this parameter is set to 'X', additional authentication methods can be defined on a user-by-user basis. By default this is not set.

Login/min_password_lng

Defines the minimum password length. The default is 3, with a maximum value of 8.

Login/password_expiration_time

Defines the number of days after which a password must be changed. By default it is 0, which disables password aging.

SAP Client Side Macros

The SAP R/3 client allows users to create macros to launch common tasks. These macros have the capability to include the user's username and password so that the user can be automatically logged on to the system.

SAP R/3 Scripting

SAP R/3 supports scripting through the scripting languages ABAP and SAPScript.

ABAP is a fairly powerful scripting language primarily for development of report generation, data entry and user interface programs under SAP.

ABAP coding examples have also demonstrated its capability to dump system password hashes, reset user passwords and act as Trojan horse programs that execute code on remote SAP clients.

SAP R/3 Passwords

SAP passwords are limited to 8 characters. They can be composed of letters, numbers and punctuation marks. Passwords are case insensitive, e.g. "password" is the same as "Password" and as "PASSWORD".
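The two limits just described (8 characters, case-insensitive comparison) shrink the effective keyspace, and the Summary section of this page notes that SAP can reject passwords from a supplied list of common words and variants. The following Python is an added example, not SAP code or part of the original page: it computes the case-insensitive keyspace for the 8-character limit, builds a reject list from constructed base words with a few assumed suffix variants, and checks candidate passwords after normalizing them to upper case, which is the comparison SAP's case-insensitivity implies. The word list, suffixes and the "reject anything shorter than 8" rule are assumptions of this example (the 8-character minimum follows the Summary's recommendation).

```python
"""Password-policy helper for the SAP R/3 limits described on this page.

Added example (not SAP code). Assumptions: candidate passwords are compared
case-insensitively, the maximum length is 8, and the recommended minimum is
also 8, as the page states.
"""
import string

MAX_LEN = 8          # hard limit stated on the page
MIN_LEN = 8          # recommended minimum from the Summary section

# Letters (one case, because comparison is case-insensitive), digits and
# the 32 ASCII punctuation marks: 26 + 10 + 32 = 68 distinct symbols.
CASE_INSENSITIVE_SYMBOLS = 26 + 10 + len(string.punctuation)


def keyspace(length, case_sensitive=False):
    """Number of distinct passwords of the given length.

    With case-sensitive letters the alphabet would grow by the 26 lower-case
    letters; SAP's case-insensitive comparison collapses them.
    """
    symbols = CASE_INSENSITIVE_SYMBOLS + (26 if case_sensitive else 0)
    return symbols ** length


def normalize(password):
    """Canonical form used for comparison: upper case, as SAP treats
    'password', 'Password' and 'PASSWORD' as the same value."""
    return password.upper()


def build_reject_list(base_words, suffixes=("", "1", "123")):
    """Expand base words into normalized variants that should be rejected.

    The suffix list is an assumed example of 'variants'; variants longer
    than MAX_LEN cannot be valid SAP passwords, so they are dropped.
    """
    rejected = set()
    for word in base_words:
        for suffix in suffixes:
            candidate = normalize(word + suffix)
            if len(candidate) <= MAX_LEN:
                rejected.add(candidate)
    return rejected


def check_password(password, rejected):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if len(password) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if normalize(password) in rejected:
        problems.append("matches reject list (case-insensitive)")
    return problems


# Constructed base words for the reject list (illustrative only).
REJECT_LIST = build_reject_list(["password", "secret", "sap", "welcome"])

if __name__ == "__main__":
    print("case-insensitive 8-char keyspace:", keyspace(8))
    print("case-sensitive  8-char keyspace:", keyspace(8, case_sensitive=True))
    for candidate in ("Password", "Welcome1", "Secret12", "abc"):
        print(candidate, "->", check_password(candidate, REJECT_LIST) or "ok")
```

The ratio keyspace(8, case_sensitive=True) / keyspace(8) shows how much the case-insensitive comparison costs; the normalization step matters because a reject list loaded in lower case would otherwise miss a user typing "PASSWORD".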

SAP R/3 Authentication

While SAP R/3 can support encrypted sessions and encrypted authentication (Kerberos), these are not included in the base product.

mySAP.com

SAP AG's new offering is mySAP.com, a web-enabled version of its SAP product line. mySAP.com appears to be SAP AG's future business model. The goal of mySAP.com is a work-anywhere environment. This includes completing SAP business tasks on workstations, mobile laptops and even wireless hand-held devices.

mySAP.com completes data transactions with maxi-, midi- and miniapps, which appear to be combinations of HTML, JavaScript, Java, Macromedia Flash and other web plugins.

mySAP.com Authentication

mySAP.com provides authentication via cookies for normal users and via certificates for higher-level users. Secure Socket Layer, Secure Network Connection (SAP proprietary encryption) and X.509 certificate capabilities are available.

Summary

As is true of many networked applications, the security issues with SAP are multi-layered and interconnected. Security weaknesses in any of the following areas could expose sensitive data to pilfering, modification or destruction.

Centralized Database

SAP uses a centralized database for its information. This database can be run with various Database applications including Oracle, DB2, Microsoft SQL, and others. The security of this information is dependent on the security of these individual applications. Misconfiguration of these servers and applications could allow unauthorized access to sensitive data. Access in this manner also bypasses any security measures implemented via SAP.

A hardening procedure should be completed before the system is deployed. Scheduled security audits should be conducted on the database servers. Logging should be enabled and logs should be reviewed on a regular basis.

SAP Server

The SAP application server runs on top of various operating systems including Unix and Windows NT. If these base systems can be penetrated, then the data and applications they serve are at risk. Applications stored on the server could be trojaned. Through trust relationships, direct access to the database servers may be gained.

A hardening procedure should be completed before the system is deployed. Scheduled security audits should be conducted on the SAP system servers. Logging should be enabled and logs should be reviewed on a regular basis.

SAP Application

Hundreds if not thousands of users may be on a SAP system. Access controls and the inter-relationships between users are non-trivial to manage.

SAP password length and character combinations are limited, which makes guessing easier.

The ABAP scripting language can be a powerful tool for accessing SAP internal data structures and sensitive system information. It can also be used to compromise SAP clients and servers.

The SAP system should be maintained with the latest security patches from the vendor. Default accounts should be removed when practical, or their passwords should be changed. Users should always be given the minimal rights needed to complete their work. System auditing should be enabled. Scripting capabilities should be strictly controlled. The minimum password length should be set to eight characters. The number of failed attempts until lockout should be decreased, and lockouts should not be automatically removed. Password aging should be enabled. SAP has the capability to reject passwords from a specified list; common words and variants should be loaded so that they can be rejected.

It is recommended that external authentication schemes, such as Kerberos, be investigated.
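The default profile parameters listed in the Installation Issues section and the hardening recommendations just given (eight-character minimum, fewer failures before lockout, no automatic unlock, password aging enabled) can be turned into a mechanical check. The Python below is an added example, not SAP tooling or part of the original page: it parses a constructed profile fragment written as "name = value" lines (the profile-file layout is an assumption of this example), fills in the page's documented defaults for any parameter that is not set, and reports every parameter weaker than the target. The parameter names are spelled as on this page; the page gives no numbers for "decreased" lockout threshold or maximum password age, so the 5-attempt and 90-day targets are assumed values chosen for the example.

```python
"""Audit SAP R/3 Login/* profile parameters against hardening targets.

Added example (not SAP code). Assumes a profile fragment of "name = value"
lines with '#' comments; an unset parameter is treated as having the default
value documented on this page.
"""
from dataclasses import dataclass

# Defaults exactly as listed in the Installation Issues section.
PAGE_DEFAULTS = {
    "Login/fails_to_session_end": 3,
    "Login/fails_to_user_lock": 12,
    "Login/failed_user_auto_unlock": 1,
    "Login/min_password_lng": 3,
    "Login/password_expiration_time": 0,
}

# Hardening targets. "8 characters", "stay locked" and "aging enabled" come
# from the page; the values 5 and 90 are assumptions made for this example.
MAX_FAILS_TO_LOCK = 5
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample profiles: the page's defaults, and a hardened version.
DEFAULT_PROFILE = """
# constructed sample: defaults from the page
Login/fails_to_session_end = 3
Login/fails_to_user_lock = 12
Login/failed_user_auto_unlock = 1
Login/min_password_lng = 3
Login/password_expiration_time = 0
"""

HARDENED_PROFILE = """
# constructed sample: recommended settings
Login/fails_to_session_end = 3
Login/fails_to_user_lock = 5          # assumed threshold
Login/failed_user_auto_unlock = 0     # stay locked until an admin unlocks
Login/min_password_lng = 8
Login/password_expiration_time = 90   # assumed maximum age in days
"""


@dataclass(frozen=True)
class Finding:
    parameter: str
    actual: int
    expected: str


def parse_profile(text):
    """Return {parameter: raw value} from 'name = value' lines, ignoring
    blank lines and anything after a '#' comment marker."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def effective_value(params, name):
    """Integer value in force: the profile's setting, else the page default."""
    return int(params.get(name, PAGE_DEFAULTS[name]))


def audit_login_parameters(params):
    """Return one Finding per parameter that is weaker than its target."""
    checks = [
        ("Login/min_password_lng", lambda v: v >= 8, ">= 8"),
        ("Login/fails_to_user_lock", lambda v: v <= MAX_FAILS_TO_LOCK,
         "<= %d" % MAX_FAILS_TO_LOCK),
        ("Login/failed_user_auto_unlock", lambda v: v == 0, "0 (remain locked)"),
        ("Login/password_expiration_time",
         lambda v: 0 < v <= MAX_PASSWORD_AGE_DAYS,
         "1..%d days (0 disables aging)" % MAX_PASSWORD_AGE_DAYS),
    ]
    findings = []
    for name, is_ok, expected in checks:
        value = effective_value(params, name)
        if not is_ok(value):
            findings.append(Finding(name, value, expected))
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_login_parameters(parse_profile(text))
        print("%s profile: %d finding(s)" % (label, len(findings)))
        for f in findings:
            print("  %s = %s, expected %s" % (f.parameter, f.actual, f.expected))
```

Treating a missing parameter as its documented default is the point of effective_value: a profile that simply never mentions Login/min_password_lng is running with the 3-character default, and the audit reports it as such rather than skipping it.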

Client Computer

SAP GUI clients run on various operating systems. The security of the data and transactions is dependent on the security of these client machines. If a client machine can be compromised, then the attacker could intercept data or impersonate the client to perform transactions.

Web based clients are vulnerable to exploits against the browser. Trojaned or malicious Java, JavaScript or ActiveX applications could compromise data or authentication methods. This could include the stealing of authentication cookies or digital certificates.

Client systems should be maintained at the latest security patch level and security audits should be conducted regularly. The user interface to the SAP system (GUI, web browser, or third party) should be maintained at the latest security patch level. Client users should be instructed in security procedures including password selection, data criticality, reporting of security events and the acceptable usage policy.

Corporate Intranet

On an unswitched and unencrypted Intranet, all data and transactions are open for sniffing on common network segments. Sessions could be spoofed or hijacked. Print jobs can be sniffed or redirected.

This is not a problem exclusive to SAP but is a general issue with LAN security.

Switched networks should be used, or the SAP system and its users should be contained in their own network segment. External strong authentication and session encryption should be considered.

Internet Accessibility

Internet accessibility includes all the problems encountered with Client Computers, discussed previously.

An added issue arises if users are allowed to connect via the Internet with personal or home computers. While certain security measures can be mandated on corporate-owned equipment, the security of a personal computer rests with the user himself. An external computer that is allowed to pierce the firewall to access internal data and services, even if it is using a VPN, SSL or another encryption method, can create serious security risks. A compromised home computer can provide an attacker with a tunnel into the corporate network.

If Internet access is to be allowed, a stronger authentication scheme (digital certificates) and end-to-end encryption (SSL) should be used. Users should be educated about personal computer security risks. Personal firewalls and virus detection software should be employed when practical. The case for Internet access should be weighed heavily against its risks. A thorough risk assessment should be completed before a decision to deploy is made. This risk assessment should be revisited periodically to evaluate technology and business changes.


Last modified: Mon Nov 1 21:02:04 PST 2004