Analyzing the password strength of the important SAP standard users (SAP*, DDIC, SAPCPIC, EARLYWATCH) in your system is a good idea before going into an SOX audit. None of these users should have a weak or commonly used password, and this can be checked with a built-in report. It is an easy task that takes hardly 5 minutes but proves to be useful. Please follow the procedure below.
Procedure:
- Go to the ABAP editor: execute transaction SE38
- Enter the program name RSUSR003
- Click Display and press F8
- Enter a title, select a layout and press F8 again (if there is no default layout, leave it blank)
- Your report is ready
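RSUSR003 reports on the standard users in every client; the script below reproduces the essence of that check offline and, as a generalisation, lets you add other privileged accounts (workflow, RFC, batch users) to the same audit. It is an added example, not part of the original post and not SAP's own code: it assumes you have exported the USR02 columns MANDT, BNAME, USTYP, UFLAG, CODVN and PWDCHGDATE (for instance with SE16), and the rows embedded here are constructed sample data, not from a real system.

```python
"""Offline audit of a USR02 extract: the checks RSUSR003 applies to the SAP
standard users, extended to any additional privileged accounts you name.

Assumptions (not from the original post): columns MANDT, BNAME, USTYP, UFLAG,
CODVN and PWDCHGDATE were exported from USR02; the rows below are constructed.
"""
from datetime import date, datetime

# Standard users named in the post; RSUSR003 checks them in every client.
STANDARD_USERS = ("SAP*", "DDIC", "SAPCPIC", "EARLYWATCH")
# DDIC is normally kept usable; the others should be locked when not in use.
MUST_BE_LOCKED = {"SAP*", "SAPCPIC", "EARLYWATCH"}
# UFLAG in USR02: 0 = not locked, 32/64 = locked by administrator,
# 128 = locked after too many failed logons (not an administrative lock).
ADMIN_LOCK_FLAGS = {32, 64}
# CODVN (password code version): only H and I mean the salted hash alone is
# stored; older versions keep a downward-compatible hash that is weaker.
STRONG_CODVN = {"H", "I"}

# Constructed sample extract (not real data).
SAMPLE_USR02 = [
    {"MANDT": "000", "BNAME": "SAP*",       "USTYP": "A", "UFLAG": 64, "CODVN": "H", "PWDCHGDATE": "20240102"},
    {"MANDT": "000", "BNAME": "DDIC",       "USTYP": "A", "UFLAG": 0,  "CODVN": "H", "PWDCHGDATE": "20240102"},
    {"MANDT": "000", "BNAME": "SAPCPIC",    "USTYP": "C", "UFLAG": 0,  "CODVN": "B", "PWDCHGDATE": "20090315"},
    {"MANDT": "001", "BNAME": "DDIC",       "USTYP": "A", "UFLAG": 0,  "CODVN": "G", "PWDCHGDATE": "20230501"},
    {"MANDT": "001", "BNAME": "EARLYWATCH", "USTYP": "A", "UFLAG": 0,  "CODVN": "H", "PWDCHGDATE": "20240102"},
    {"MANDT": "100", "BNAME": "SAP*",       "USTYP": "A", "UFLAG": 32, "CODVN": "H", "PWDCHGDATE": "20240102"},
    {"MANDT": "100", "BNAME": "DDIC",       "USTYP": "A", "UFLAG": 0,  "CODVN": "H", "PWDCHGDATE": "20240102"},
    {"MANDT": "100", "BNAME": "WF-BATCH",   "USTYP": "B", "UFLAG": 0,  "CODVN": "F", "PWDCHGDATE": "20150101"},
    {"MANDT": "100", "BNAME": "EARLYWATCH", "USTYP": "A", "UFLAG": 64, "CODVN": "H", "PWDCHGDATE": "20240102"},
    {"MANDT": "100", "BNAME": "SAPCPIC",    "USTYP": "C", "UFLAG": 64, "CODVN": "H", "PWDCHGDATE": "00000000"},
]


def parse_dats(value):
    """USR02 DATS fields are YYYYMMDD strings; '00000000' means never set."""
    if not value or value == "00000000":
        return None
    return datetime.strptime(value, "%Y%m%d").date()


def audit_usr02(rows, extra_users=(), max_pw_age_days=180, today=None):
    """Return (client, user, finding) tuples for every issue found.

    extra_users adds non-standard privileged accounts (workflow, RFC, batch)
    to the hash-version and password-age checks.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    audited = set(STANDARD_USERS) | set(extra_users)
    by_key = {(r["MANDT"], r["BNAME"]): r for r in rows}
    findings = []
    for mandt in sorted({r["MANDT"] for r in rows}):
        # A client without SAP* is itself a finding: the hard-coded SAP* logon
        # is possible there unless login/no_automatic_user_sapstar is set.
        if (mandt, "SAP*") not in by_key:
            findings.append((mandt, "SAP*", "user does not exist in client"))
        for name in sorted(audited):
            row = by_key.get((mandt, name))
            if row is None:
                continue
            if name in MUST_BE_LOCKED and row["UFLAG"] not in ADMIN_LOCK_FLAGS:
                findings.append((mandt, name, "not locked by administrator"))
            if row["CODVN"] not in STRONG_CODVN:
                findings.append((mandt, name, f"downward-compatible password hash (CODVN={row['CODVN']})"))
            changed = parse_dats(row["PWDCHGDATE"])
            if changed is None:
                findings.append((mandt, name, "password never changed"))
            elif (today - changed).days > max_pw_age_days:
                findings.append((mandt, name, f"password last changed {changed.isoformat()}"))
    return findings


if __name__ == "__main__":
    for mandt, name, issue in audit_usr02(SAMPLE_USR02, extra_users=("WF-BATCH",)):
        print(f"client {mandt:>3}  {name:<12} {issue}")
```

Run against a real export, pass the additional accounts you care about in `extra_users`; every line of output is something RSUSR003 or a SOX reviewer would also ask you about, so the aim is an empty list.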
Check out the following screenshots:
[screenshots of the procedure: not reproduced here]
Or better yet, extract the userid / encrypted password pairs for the users in which you’re interested from table USR02 and run a pen test against it using the SAP-patched John The Ripper, just like anyone trying to gain access would:
http://www.openwall.com/john/
This allows you to check the password security of additional privileged accounts (such as those for workflows, RFCs, batch scheduling, firefighting, etc.) instead of just the SAP standard users (I also have a z-version of RSUSR003 for this).
Some high-level details of how you should secure your system OVER AND ABOVE the standard SAP security authorisation concepts to prevent this being made easier for those trying to compromise your system are here:
http://blog.saulchristie.com/2010/03/hacking-cracking-and-attacking-sap.html
Admittedly these are Basis thangs but we should all know a bit about what other teams can do to help us.
Steph.