
Tuesday, March 22, 2011

SAP Note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)

Validity: valid since 01.10.2007





Symptom
You would like an overview of the improvements and changes in password rules or logon procedures that are delivered with SAP NetWeaver 2004s (SAP NetWeaver Application Server ABAP 7.0, referred to as "SAP NW AS ABAP 7.0" below).


Other terms
login/min_password_lowercase, login/min_password_uppercase, login/password_max_idle_productive, login/password_max_idle_initial, login/password_history_size, login/password_change_waittime, login/password_downwards_compatibility, login/password_compliance_to_current_policy


Reason and Prerequisites
Some customers have higher security requirements.


Solution
This is an overview of improvements and changes delivered as of SAP NW AS ABAP 7.0.


Improvements
  • Passwords: Differentiation between upper and lower case; maximum length increased from 8 to 40 characters
    The system distinguishes between upper and lower case in newly assigned passwords; in addition, passwords can now consist of up to 40 characters (up until now, only a maximum of eight characters was permitted). In Unicode systems, you can use Unicode characters in passwords.

    In newly-installed systems, this applies immediately to all users; for systems that have been upgraded to SAP NW AS ABAP 7.0 from an earlier release, we have ensured that all users can continue to log on using their old password.

    The password hash procedure (code version) that was used to store the (reference) password is saved in the user master record, and the system checks this information during every password check. When the reference password was stored with an older hash procedure (this applies to reference passwords that were assigned before the upgrade), the first eight characters of the logon password are converted to uppercase letters, and the remaining 32 characters must be blank characters. If the reference password was stored with the newer hash procedure (this applies to passwords that were assigned after the upgrade or installation), the system evaluates the whole password without conversion to uppercase letters.

    For more details, see Note 1023437.

    Relevant (new) profile parameters:
    • login/min_password_lowercase
    • login/min_password_uppercase
    • login/password_downwards_compatibility
  • Password history: Size can now be defined as required (previously: always 5)
    The passwords that the user has assigned in the course of a password change are stored in the password history (passwords set by the user administrator are not stored in the password history). The system prevents the user from reusing previously used passwords. The password history used to be limited to five entries; you can now define the size of the password history using the profile parameter login/password_history_size (maximum value: 100 entries).
  • Lock period for password change can be selected (it used to be limited to one day)
    To prevent the password history from being bypassed, a user may only change his or her password again after the lock period has expired (exception: the user is prompted to change the password by the system). You can now select this lock period using the profile parameter login/password_change_waittime (maximum value: 1000 days).
  • (Advance) password change with stricter password rules
    You can now set the system to only prompt those users whose current password no longer satisfies the current (stricter) password rules to change their password (in advance). To do this, set the profile parameter login/password_compliance_to_current_policy = 1.
  • Validity period of unused passwords can be restricted
    Passwords that are not used by the authorized user are a security risk. For this reason, you are now able to restrict the validity period of these passwords; here, the system distinguishes between initial passwords (that is, passwords that are assigned by the user administrator and that are to be changed by the user at the next opportunity) and non-initial passwords (that is, passwords that have been set by the user). (Technical) users of the SERVICE and SYSTEM type are exempt from this regulation.

    Relevant (new) profile parameters:
    • login/password_max_idle_initial
      You can use this parameter to determine the maximum time between the (re)setting of the password and the next logon with the initial password. As soon as this period has expired, the system displays the message "Initial password has expired" and refuses the password logon. However, you can still log on using SSO.
    • login/password_max_idle_productive
      You can use this parameter to determine the maximum time between two password logons. As soon as this period has expired, the system displays a message stating that the password has not been used for a period of time and was therefore deactivated, and the system refuses the password logon. However, you can still log on using SSO.
      (The delivered RZ11 documentation is incorrect.)
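As an added illustration (not code from the note or from SAP), the following model reproduces the two code-version checks described under the first improvement above: a reference password stored with the legacy hash only ever sees the upper-cased first eight characters of what the user types, while a password stored under 7.0 is checked in full and case-sensitively. SHA-256 stands in for SAP's actual password hash, and the record layout, function names and sample users are assumptions.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Model of the two password "code versions" described in the note. SHA-256 is a
# stand-in and is NOT SAP's password hash; only the normalization rules (8-char
# upper-cased legacy form vs. full 40-char case-sensitive form) come from the note.
LEGACY = "legacy"     # reference password hashed before the upgrade
CURRENT = "current"   # reference password hashed under NW AS ABAP 7.0
MAX_LEN = 40

def normalize(password: str, code_version: str) -> Optional[str]:
    """Apply the pre-check conversion for the given code version.
    Returns None when the candidate cannot match under that code version."""
    if len(password) > MAX_LEN:
        return None
    if code_version == LEGACY:
        # Legacy hash: only the first 8 characters count and are upper-cased;
        # every remaining position must be blank.
        if password[8:].strip(" ") != "":
            return None
        return password[:8].upper()
    # 7.0 hash: the whole password is used as typed, case preserved.
    return password

def store_reference(password: str, code_version: str) -> Dict[str, str]:
    """Build a user-master-style record: the hash plus the code version used."""
    norm = normalize(password, code_version)
    if norm is None:
        raise ValueError("password is not representable under this code version")
    return {"code_version": code_version,
            "hash": hashlib.sha256(norm.encode("utf-8")).hexdigest()}

def check_logon(record: Dict[str, str], candidate: str) -> bool:
    """Password check: normalize the candidate according to the code version
    stored with the reference, then compare hashes in constant time."""
    norm = normalize(candidate, record["code_version"])
    if norm is None:
        return False
    return hmac.compare_digest(
        record["hash"], hashlib.sha256(norm.encode("utf-8")).hexdigest())

def users_to_prompt(users: Dict[str, Dict[str, str]]) -> List[str]:
    """Users still on a legacy hash: their password stays an 8-character,
    case-insensitive secret until they change it under the new rules."""
    return sorted(u for u, rec in users.items() if rec["code_version"] == LEGACY)
```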

Changes
  • Logon: Compromising error messages are avoided
    If you attempt to log on using incorrect logon data, the system now only issues the generic error message "Name or password is incorrect" as a rule; further reasons for failed logons (for example, locked user accounts, user account is outside validity period, and so on) are only given in detail if valid logon data has been received. Error scenarios in which the system could not check the logon data, or where no further check is allowed, are the exceptions to this rule:
    • "User has no password - logon using password is not possible"
    • "Password logon no longer possible - too many failed attempts"
  • The default values of certain profile parameters that are relevant to security have been changed:
    • login/failed_user_auto_unlock: 0 (instead of 1). Locks for failed logon attempts remain valid for an unlimited period.
    • login/fails_to_user_lock: 5 (instead of 12). The lock for failed logon attempts is set after five failed password logon attempts.
    • login/no_automatic_user_sapstar: 1 (instead of 0). The emergency user must be activated explicitly.
    • login/min_password_lng: 6 (instead of 3). Passwords must consist of at least six characters.
    • login/ticket_expiration_time: 8 (instead of 60). Logon tickets are only valid for eight hours.
  • The profile parameters login/password_max_new_valid and login/password_max_reset_valid have been replaced by the profile parameter login/password_max_idle_initial, which means that the system no longer distinguishes between the first and the subsequent setting of a password by the user administrator regarding the restriction of the validity of the resulting initial passwords.
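An added example, not from the note: a small profile audit that parses "name = value" profile lines and reports explicitly set values that are weaker than the 7.0 defaults listed above, plus which of the new 7.0 parameters a profile leaves unset (so that the system default applies). The profile-line format, function names and sample profile are assumptions.

```python
import re
from typing import Dict, List

# Defaults changed in NW AS ABAP 7.0 ("Changes" section) and the direction in which
# an explicitly set value is weaker than the new default.
CHANGED_DEFAULTS = {
    "login/failed_user_auto_unlock":   (0, "higher"),  # 1 = locks expire automatically
    "login/fails_to_user_lock":        (5, "higher"),  # more attempts before the lock
    "login/no_automatic_user_sapstar": (1, "lower"),   # 0 = SAP* activated automatically
    "login/min_password_lng":          (6, "lower"),   # shorter passwords accepted
    "login/ticket_expiration_time":    (8, "higher"),  # longer-lived logon tickets
}
# Parameters new with 7.0 ("Other terms"); when absent, the system default applies.
NEW_PARAMS = ["login/min_password_lowercase", "login/min_password_uppercase",
              "login/password_max_idle_productive", "login/password_max_idle_initial",
              "login/password_history_size", "login/password_change_waittime",
              "login/password_downwards_compatibility",
              "login/password_compliance_to_current_policy"]
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of a profile; lines without that shape are skipped."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def weak_settings(params: Dict[str, str]) -> Dict[str, str]:
    """Explicit values weaker than the 7.0 defaults (an unset parameter uses the default).
    The five parameters checked are numeric, so int() is applied directly."""
    findings = {}
    for name, (default, weaker_when) in CHANGED_DEFAULTS.items():
        if name not in params:
            continue
        value = int(params[name])
        if (weaker_when == "higher" and value > default) or \
           (weaker_when == "lower" and value < default):
            findings[name] = f"{value} is weaker than the 7.0 default {default}"
    return findings

def unset_new_params(params: Dict[str, str]) -> List[str]:
    """7.0 parameters this profile does not set explicitly."""
    return [p for p in NEW_PARAMS if p not in params]

# Constructed sample profile fragment (not taken from the note).
SAMPLE_PROFILE = ("# constructed sample\nlogin/fails_to_user_lock = 12\n"
                  "login/failed_user_auto_unlock = 1\nlogin/min_password_lng = 8\n"
                  "login/password_history_size = 10\n")
```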
Affected Releases

Software Component   Release   From Release   To Release   And subsequent
SAP_BASIS            70        700            700          X
