How to test the deletion before executing in a productive environment?
Why delete clients 001 and 066?
The clients 001 and 066 had a purpose in the past and do not have them any more.
The only thing they do now is pose a security threat. Access can be gained to these clients, for example via standard SAP users, and from these client you could take over the system via a cross client attack. Background on client 066 can be found in OSS note 1897372 – EarlyWatch Mandant 066 – Can Client 066 be deleted?.
Also unwanted batch jobs might be still running from these clients consuming resources.
The deletion can be tested on a development and QA system before it is done on productive system. If really in doubt copy the productive system to a different system and perform the deletion there first as a test.
This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.
In this fourth blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures.
For the first blog on attacking the SAP BCODE hash click here.
For the second blog on attacking the SAP PASSCODE has click here.
For the third blog on attacking the SAP PWDSALTEDHASH has click here.
Questions that will be answered in this blog are:
How does the rule based attack work?
How to use the rules on found passwords?
Where to find good rule books?
The rule based attack
The dictionary rule book attack is using the dictionary as input and then applies rules to the dictionary to generate a new password candidate.
Example words we will use are Password and Welcome.
Examples of apply some rules:
Replace a with @ will give P@ssword
Replace o with 0 will give Passw0rd and Welc0me
Replace s with $ will give Pa$$word
Replace l with ! will give We!come
All rules above combined will give P@$$w0rd and We!c0me
For full list of possible rule syntax see Hashcat site on rule-based attack.
Suppose we have guessed one correct password for one user. He made the password Welcome1!.
Now we will construct some rules:
Replace e with 3, rule will be se3
Replace l with 1 and l with !, rules will be sl1 and sl!
What has happened here? Why is this found now, and not before with the se3 rule, which should substitute the e with 3? Pretty simple: replace e with 3 in word Welcome1! will give W3lcom31!. So it replaces all and not first one. This is there background of having many rules.
Huge rulesets
With the Hashcat download you get a special directory called rules. Here there are some big rulesets available.
The nicest one is the RockYou list of rules. This is constructed based on the RockYou password list hacked in 2009 where 32 million passwords leaked. Based on English dictionary somebody has constructed the rules to come to most of these passwords.
Effectiveness of the attack
The effectiveness of the rule based attack is quite high. If you have found 1 password, you just run the complete ruleset of one of the huge lists to find multiple variations. People are not so inventive and creative. You will be surprised on the amount of password variations you find on the following words:
Welcome
Summer
Winter
Password
Apple
Android
Google
Hackers don’t start with the full dictionary. They start with the top 1000 words and apply many rules to them. From the passwords found they will start to derive patterns of the users. Any new password is processed through many new rules to generate candidates with higher potential.
The name and or abbreviation of a company is word number 1 to add to the favorite word list.
Further optimization of the attack speed
For optimizing the attack speed, read the fifth blog on SAP password hash hacking here.
Prevention measure 1: frequent change and large change per time
Many companies have implemented a more faster cycle of password changes. In the past once per year was common. Nowadays 60 to 90 days is more common practice. Set this in profile parameter: login/password_expiration_time.
More important is to make a larger change per time the password changes. This is to avoid the rule-attacks explained above to become very effective. How many people just simply change and increase single digit in password? Or increase the special with the next one on the keyboard. Set the profile parameter login/min_password_diff to sufficiently high value of 3 or more.
Prevention measure 2: length
Explain to your users that length is more important than complexity by using this famous explanation:
Prevention measure 3: stronger hashes
Stronger hashes simply take more time to crack. To set stronger hashes, read this dedicated blog.
Next blog on password hacking
The fifth blog on password hacking is about optimizing the attack speed. Read on in the blog. And the blog on extended word lists.
For some batch jobs you want to have the execution done and don’t want to fill up your system with large spool files of this execution. This blog will explain to setup printer NULL to have a batch job suppress the output generation.
Questions that that will be answered in this blog are:
How do I setup printer NULL?
How to test the setup of printer NULL?
Where to find more background information on printer NULL?
Setup of printer NULL
Start transaction SPAD to define a new printer. Now create printer call NULL (with long and short name both NULL):
Select a simple windows driver. Fill the other mandatory fields. Add the message description clearly that the output will be lost.
Save the printer definition.
Testing the NULL printer
From the blog explaining the technical clean up we will take program RSWWHIDE. This program generates huge amount of output (per deleted item 3 to 10 lines). We will run the program twice in test mode: once with printer NULL and once with printer LP01 (default printer). Selection of printer NULL is same as with any printer:
Result in SM37:
The first run with printer NULL has suppressed the generation of the spool file.
This blog will explain how to scan ABAP coding in search of a specific keyword or string. Many times older or badly written programs contain hard code logic like system ID’s, plant codes, movement types, order types etc. When a larger business change happens you need to find these codes in your ABAP code and act on them. This blog will explain how to do this search.
Questions that will be answered are:
How does the scan program work?
How to search for certain strings?
How to search for words in the comments?
ABAP search tool
You can start the ABAP search tool with transaction code CODE_SCANNER:
REPORT zscantest2.DATA zt001w TYPE t001w.SELECT SINGLE werks FROM t001w INTO zt001w.IF zt001w-werks EQ 'DE01'.WRITE: 'German plant'.ELSEIF zt001w-werks EQ 'US01'.* USA plantWRITE: 'US plant'.ELSE.WRITE: 'diffferent plant'.ENDIF.
If we now start a search with the word ‘S4H’ we get this result:
A hard coded SID.
If we search with ‘US01’ we get this result:
A hard coded plant.
If we search with ‘USA’ we get this result:
The word we were looking for is in the comment lines.
Search alternative program RS_ABAP_SOURCE_SCAN
In SAP note 2764076 – CODE_SCANNER not working properly, SAP explains that CODE_SCANNER might not always work for every release. They offer alternative program RS_ABAP_SOURCE_SCAN (there is no transaction code for this program, so start via SE38):
This blog will analyze some of the tables behind the SAP user license measurement.
Warning: the list of tables below is not complete. Do not base any assumptions on the content of these tables in your system. In updates and newer versions all content can change. The tables and the text in blog is to give you insight into the process. In any contract SAP will claim the right for inspection of actual usage of your system versus the license rights in your contract.
Questions that will be answered are:
How do I know which objects are measured?
How are objects measured?
How can I find actual measured objects?
The general user measurement principles are explained in the blog on USMM.
The tables behind license measurement
The best table to start with is the TUAPP table: measurement of applications.
Example is given below:
Here you can see that Advanced ATP is measured via call function module. In SE37 you can lookup the function module and see inside the code what exactly is measured:
The other entry in TUAPP we will take as example is Procurement Orders. Its application ID is 5000 and does not measure via function module.
First we get the application to unit and unit name from table TUAPP_UNT (units themselves are defined in table TUUNT):
Now we see procurement is counting Inquiry, Purchase order, Contract, Scheduling Agreement and Others.
The actual values read by the measurement for the application counters are stored in table TUCNT:
The tables behind the AC checks
The AC (anti cheating) modules use bit different tables.
Table TUL_AC_UNIT is to denote the table to count on:
Here you see the main procurement table EKKO has ID number 5018.
In table TUL_ACTTC you can lookup this value:
This data will be used in dynamic SQL statement that will list the user name (ERNAM) who did the create or change and uses AEDAT (last change or creation date) for table EKKO to count for check 5018.
Be careful with the interface users. If an external system posts data into SAP system with a single background user, but it is clear that in the source system multiple real users doing the actions, SAP might want to charge you for 'indirect use'.
For live support of an SAP system you typically will have 2 types of support users:
Users for SAP themselves to logon to your system and provide support to you
Fire-call users with elevated authorizations to solve time critical incidents
Both type of users have no direct business goal, but have only support usage. You can mark them as type 91 Test user, as long as you have a clear naming convention for these users and a general rule that they are locked unless they are needed.
User deletion as regular activity
The user measurement program (both USMM and USMM2) checks for deletion of users in the last three months. To avoid discussions on user deletion it is best practice to delete monthly, or bi-monthly, all persons which have left your company.
End validity date
Users who don’t have a current validity date are not counted in the user measurement program. You might want to schedule program RSUSR_LOCK_USERS in a regular batch job to end the validity of users that did not log on for long time automatically. See this blog for more details.
Multiple logon
SAP does measure how many times a user has a double, triple, etc logon. The results are stored in table USR41_MLD. SAP might argue that the same user is used by multiple persons. You can use the contents of table USR41_MLD to prove if this was a mistake only. If the are too many multiple logons you might need to go back to the business to change their behavior.
You can also forbid the multiple logons at system level. SAP system parameter login/disable_multi_gui_login can be set in RZ11 to forbid multiple logons. For some users (like DDIC) you do want to keep multiple logons. These users must be set into system parameter login/multi_login_users=username1,username2,username3,etc.
Proper consolidation
Use the SLAW or SLAW2 tool to execute a proper consolidation of your measured users. This process will de-duplicate your counted users.
License validation program
Read this dedicated blog to know more about license vailidation program RSUVM080.
LUI License utilization information
The LUI (license utilization information) tool is an online SAP tool that has all the information on your on premise and cloud licenses information combined. For cloud the usage is automatically visible. For on premise systems you can upload the usage via the SLAW files. This can give you insights into under-consumption and over-consumption of licenses. Read more in this blog.
Check for bug fix notes in your advantage
SAP might give you a list of OSS notes to apply in your system before the measurement. These notes normally benefit SAP. You can also check for OSS notes that benefit you.
EHP switches can deliver great new functionality. But not all of them are for free. This blog will explain, how you will know which ones are included in the standard license, and which ones not.
Attached to this OSS note is the most recent version of the PDF listing which switches are part of the standard license, and which switches require an extra license.
How to read the document?
The document is sorted per business area. Best way is simply use the find button in the PDF and search for your switch.
Example of 2 switches that don’t have license impact:
The pricing comment and License (material number) column are empty. These switches are part of standard license.
Example of switch with license impact:
For this switch your company should be in possession, or acquire the license mentioned in the last column.
EHP switches best practices
Since EHP switch can have license impact the following best practices is suggested:
Restrict SFW5 EHP switch activation access to basis team only (display for all is ok)
Explain basis team the fundamentals of the licenses and EHP switches
Determine in your company who must approve EHP switch on and make clear to basis team only to execute the activation after this approval
If you have switched on a switch with licenses and don’t want to use it, check if it is a reversible switch. Then simply undo this. If it is not reversible, don’t use the corresponding functionality. The latter is much harder since you need to restrict authorizations to that function very carefully.
In the previous blog the new SAP license model for indirect access. The biggest challenge after reading the blog will be: how can I know the impact for my situation and my SAP system?
For this purpose SAP has developed an estimation tool.
Questions that will be answered in this blog are:
Which note do I need to apply to get the estimation tool?
How do I run the estimation tool?
Why is the tool estimation only?
Warning: this tool only gives estimation. The tool cannot take into account specific configurations you have done to standard SAP that influence the outcome. Also the tool cannot take into account potentially company specific agreements you have made with SAP.
Digital access report
Start transaction RSUVM_DAC for the digital access report:
Double click on the line will get you to the details.
Depending on your SAP version and support package the tool is already available, or you need to manually install it. In case of manual installation, first manually create package Digital_Access in SE80. The next OSS note to install is depending on your version (S/4HANA or ECC):
The counting estimation in the ABAP is simply executing a select count for the time frame and user on the respective tables for specific document types.
Example below is the counting of purchase order line items:
Here you can see only lines from EKPO with type lc_bstyp_f (which has value ‘F’) are selected. If you have configured your system differently (for example copied F to Z and are using Z) the count program will not find and report this.
This is the reason why the program is only to give you an estimation.
Tool updates
Regularly check the tool OSS note for new updates of the note version. Other relevant notes and bug fixes:
This blog will explain about the new SAP license model for indirect access, also known as Digital Access license.
Questions that will be answered in this blog are:
Where to find reference material on the new SAP license model?
How does the new SAP license model look like?
What are the exact definitions inside the documents for digital access?
IMPORTANT:
The explanation in this blog is to help you understand. This is not a replacement of the official SAP site. Please always check the latest official SAP site on the latest status of licensing. The document to search for in the SAP site is called SAP licensing guide (a guide for buyers).
For measurement of digital access in your system read this blog.
References
Before starting the explanation these are important and useful references:
Official announcement on the new license model can be found following this link.
Generic explanation of the indirect access model can be found following this link.
Explanation on indirect access for existing systems can be found following this link.
Background on new model document details can be found following this link.
Useful background documents hosted by ASUG group, follow these 2 links: link1 and link2.
Formal definition:
Digital Access to SAP ERP (“ERP”)
This Package grants (a) humans a license to Use ERP through Non-SAP Application(s) that is/are directly integrated to ERP without the need to be licensed as a “Named User” of ERP and (b) non-humans (e.g. bots, sensors, chips, devices, etc.) a license to Use ERP directly or through Non-SAP Application(s) that is/are directly integrated to ERP and without the need to be licensed as a “Named User” of ERP (collectively, “Digital Access of ERP”).
All Digital Access of ERP will be licensed based exclusively upon the number of Documents created annually by such Digital Access of ERP. Documents are unique records (i.e. unique digital line-items/objects) as defined in the “Document Definitions” column of the below table. Each Document shall count as one (1) Document, except for Material Documents and Financial Documents which shall each count as two tenths (0.2) of a Document. However, where the automated processing in ERP of a Document from one Document Type results in the subsequent creation in ERP of one or more additional Documents of different Document Type(s), such additional Documents shall not be counted.
Where a Non-SAP Application is connected to ERP via a Connectivity App, such Non-SAP Application is still deemed directly integrated to ERP for purposes of this provision. Any humans and/or non-humans using ERP through application(s) (e.g. Ariba, Concur, Successfactors, Hybris) that is/are integrated to a Non-SAP Application that is directly integrated to ERP do not need to be licensed as a “Named User” of ERP.
In practice this should means documents posted via generic interface user, IOT device, 3rd party application, cloud application posting data in SAP system, etc.
By simply counting documents and agreeing on a price per document, this will simplify the ever ongoing discussion on indirect access.
Document definitions
SAP starts with 9 documents. You can find the list and definition in the table below.
Document Types
Document Definitions
Sales Document
A Sales Document is (i) a line item record that represents the material and/or service being sold or quoted and/or (ii) a record that represents an individual order/release against a scheduling agreement which indicates the material and/or service being sold.
Purchase Document
A Purchase Document is (i) a line item record that represents the material and/or service being ordered or requested and/or (ii) a record that represents the release against a scheduling agreement which indicates the material and/or service being procured.
Invoice Document
An Invoice Document is a line item record that represents the material and/or service being billed.
Manufacturing Document
A Manufacturing Document is (i) a record which represents the production-related details associated with manufacturing a material, including: the type, quantity and color of what to produce, when to produce it, where to produce it and/or other distinguishing characteristics, and/or (ii) a record that represents a confirmation which indicates the status of the processing activities associated with manufacturing orders.
Material Document
A Material Document is a line item record that represents a specific material being received, issued or transferred to, from or within a storage location or plant.
Quality Management Document
A Quality Management Document is (i) a record that represents the details of a nonconformance being reported including the information required for problem solving and/or (ii) a record that represents results of an inspection.
Service & Maintenance Document
A Service & Maintenance Document is (i) a record that represents the details of work to be performed including the information needed to plan, execute and bill for a service or maintenance request , and/or (ii) a record that represents the details of a problem being reported including the information required for problem solving and/or (iii) a record that represents the status of the processing associated with service orders and maintenance orders and/or (iv) a record that represents a claim by a customer for repair or replacement or compensation for under-performance, pursuant to terms in a warranty document.
Financial Document
A Financial Document is a record that represents accounting information in a financial journal.
Time Management Document
A Time Management Document is (i) a record that represents an employee’s time worked and assigned to business related objects and/or (ii) a record that represents a confirmation (e.g., a progress update) which indicates the status of the processing activities associated with manufacturing orders.