SAP weak/predictable user credentials
Description
SAP systems create several standard administrative users during installation, including SAP*, DDIC, and EARLYWATCH, which are configured with well-known default passwords. This vulnerability exists when these default credentials remain unchanged in production environments. Invicti successfully authenticated to the SAP system using default or commonly used credentials for one or more of these standard accounts, indicating that weak or predictable passwords are still in use.
Remediation
Immediately secure all standard SAP user accounts by implementing the following measures:
1. Disable or Restrict the SAP* Account:
- Create a new emergency superuser account with a strong, unique password
- Set the profile parameter login/no_automatic_user_sapstar = 1 to prevent automatic creation of SAP* in clients
- Lock the SAP* account in all clients using transaction SU01
2. Change Default Passwords:
- Immediately change passwords for all standard users including DDIC, EARLYWATCH, TMSADM, SAPCPIC, and any other default accounts
- Use strong passwords of at least 12 characters that include uppercase letters, lowercase letters, numbers, and special characters
- Ensure passwords do not match common patterns or dictionary words
3. Implement Password Policies:
- Configure password complexity requirements using transaction SECPOL
- Enable password expiration and history to prevent password reuse
- Implement account lockout policies after failed login attempts
4. Regular Auditing:
- Periodically review user accounts using transaction SUIM to identify inactive or unnecessary privileged accounts
- Monitor authentication logs for suspicious login attempts
- Conduct regular security assessments to verify credential strength
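An added audit helper, not Invicti's or SAP's code: it parses a constructed instance-profile excerpt and checks the values against steps 1 to 3 above. The login/* parameter names other than login/no_automatic_user_sapstar are assumed from standard SAP profile parameter naming; confirm each one in transaction RZ11 for your release.

```python
# Constructed excerpt of an SAP instance profile (DEFAULT.PFL syntax) mixing
# compliant and weak settings; not taken from a real system.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 0
login/min_password_lng = 6
login/min_password_digits = 1
login/password_expiration_time = 0
login/fails_to_user_lock = 5
login/password_history_size = 5
"""

# Expected values follow remediation steps 1-3 above. Every parameter except
# login/no_automatic_user_sapstar is a standard SAP login/* parameter named
# from memory (assumption: confirm each via transaction RZ11 on your release).
CHECKS = {
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "== 1 (step 1)"),
    "login/min_password_lng": (lambda v: v >= 12, ">= 12 (step 2)"),
    "login/min_password_uppercase": (lambda v: v >= 1, ">= 1 (step 2)"),
    "login/min_password_lowercase": (lambda v: v >= 1, ">= 1 (step 2)"),
    "login/min_password_digits": (lambda v: v >= 1, ">= 1 (step 2)"),
    "login/min_password_specials": (lambda v: v >= 1, ">= 1 (step 2)"),
    "login/password_expiration_time": (lambda v: v > 0, "> 0 days (step 3)"),
    "login/password_history_size": (lambda v: v >= 5, ">= 5 (step 3)"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "1..5 (step 3)"),
}

def parse_profile(text):
    """Return {parameter: value}; text after '#' is a comment."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def audit_profile(text):
    """Return {parameter: finding} for every check that fails or is unset."""
    params = parse_profile(text)
    findings = {}
    for name, (ok, expected) in CHECKS.items():
        if name not in params:
            findings[name] = f"not set in profile, verify effective value; expected {expected}"
            continue
        raw = params[name]
        value = int(raw) if raw.lstrip("-").isdigit() else None
        if value is None or not ok(value):
            findings[name] = f"value {raw!r} is weak; expected {expected}"
    return findings
```

Run it against the real DEFAULT.PFL or instance profile of the system Invicti flagged; an empty result means every listed parameter is explicitly set to a compliant value.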