Locking SAP* in all clients in all systems.

Question: Hello all
I'm trying to propose that we lock SAP* in ALL clients and ALL systems (DEV, QA, PRD). Currently it's just locked in the customer client in all systems.
I want to prove that even if we go through the arduous task of building roles for DEV and QA, if we leave SAP* or DDIC's password unchanged in 001, anyone could do some damage.
Now, I know that I could do some system damage with DDIC or SAP* in r 001, but is there any way I could prove that I could say, assign myself SAP_ALL in the customer client by logging into 001 with SAP* and NOT using an RFC connection and function module? Thus..what's the point of building specialized roles in customer client if DDIC's or SAP*'s passwords are know in client 001.
Thanks.

Answer:
SAP*, DDIC, SAPCPIC, EARLYWATCH ARe among the IDs that could be used to access ANY client in ANY system From any system to any system ( yes it does require RFC or its equivalent, but the point is it is a backdoor, how you accomplish the damage is irrelevent, it is that you can).
In the logged on system you can use function module RFC_ABAP_INSTALL_AND_RUN to write code to add access to yourself in any client on the machine. You can do this temporarily, up to 1.5 hours, by manipulating table USRBF2 and semi perminantly by manipulating USRBF2 and UST04 or manipulation USREFUS table. This is provided you have AUTH/NEW_BUFFERING set above 0. This added access is almost un-noticed in SUIM and SU01.
In any system in any client you can alway use ABAP to do the changes in any client. You do not need a developers key, only DEBUG with replace, which SAP* has. TO get to other systems you do need RFC or communication to the other systems but to accomplish this you only need to know the default password of EARLYWATCH, DDIC, SAP*, SAPCPIC, all of which are known.

Answer:
Thanks John,
So, in short, SAP*'s password should be changed and locked in ALL systems and ALL clients?
EARLYWATCH, SAPCPIC and DDIC'S paswords should be changed in ALL systems and ALL clients?

Thanks.

Answer:
Yes.
Yes and locked.

Answer:
For what my penny is worth, you should remove all access from SAP*, then logon as SAP*, log-off and then lock the user ID.

Occationally keep an eye on the buffer, and SM20 and obscure messages in SM21.

No comments:

topics