Question: Would anyone be willing to share a list of password exceptions from their USR40 table? I am not interested in the entire dictionary as some have suggested in the past. 20-100 entries would be fine. Please email the file to homs@sbcglobal.net if you can.
Thanks,
Mark
Answer:
You can minimize the list by setting the system parameter for the password to be 8 characters; you then do not need to worry about words of fewer than 8 characters.
If you are in a high enough version you can force alphanumeric and/or the addition of special characters, eliminating the need for, or greatly reducing the need for, USR40.
It is generally filled with local sports teams, company names and monikers.
Answer:
John,
We have limited to 8 characters but the "SOX Auditors" want more entries in the table. What version or support pack level enables password complexity?
Thanks,
Mark
Answer:
Then have them give you the "approved" list.
Late 4.6 and 4.7+ I believe allow you to use these parameters; search in OSS for more info and for whether there is a support pack to apply to lower versions.
Answer:
If you are on 4.7 & use the special chars you will have mitigated the risk. The auditors will be looking for a particular risk - something like passwords should be periodically changed and not easily guessable.
A well configured USR40 will be able to do this, as will a combination of alpha & numeric chars & a minimum number of char changes etc. You can prove the risk is mitigated using either method.
Unfortunately your SoX auditors are not permitted to supply you with entries for USR40, however there are lots of generic password lists on the web which will suffice.
Answer:
Unfortunately your SoX auditors are not permitted to supply you with entries for USR40. If they are adding value they do supply you with a list or at least "recommend" one.
Answer:
Unfortunately most auditors do not add value.
If they are performing SoX review then technically speaking, advising on how to mitigate a risk would be outside the scope of what they are permitted to do - giving someone a list of passwords could fall under this if they were being pernickety.
If an audit firm is assisting with SoX (i.e. they are not the financial auditor) then they can give you what they like.
For non-SoX stuff there is more leeway & they can be helpful. Of course there are auditors who will use some discretion & point you in the right direction.
Answer:
Just put a * into USR40 to cover all the theoretical eventualities...
Answer:
Auditors aren't there to add value. They are there to stop cavalier businessmen losing it.
Though personally, I think that forcing strong passwords simply forces people to write them down. And since most fraud is committed from within a company rather than outside it, writing things down somewhere around your desk is truly a Bad Thing.
Answer:
There's a lot of truth to your assertion about the strong password stuff.
There is a study out there somewhere that covers the tradeoffs between enforcing stronger passwords and the likelihood of people writing them down. Unfortunately I can't find a link.
If I remember correctly, a reasonable compromise was forcing a minimum of 3 characters difference and having 1 number in there.
Answer:
Passwords that are too strong can be as big a problem as weak passwords. They actually introduce two vulnerabilities.
1. (as noted) people write them down.
2. people forget them and call the help desk. Help desk password resetting is a critical weakness. If they have processes to validate users who are calling to get passwords reset, the process will be strained if many people are having to call in.
My personal recommendation for an inside the firewall system is a seven character password that requires one number and one special character. I think that allowing people to cycle passwords is fine. I think that USR40 should be set up with a few hundred gimme passwords (set up with wild cards) to prevent the most common issues. If you are really paranoid about security then there should be some process to monitor the use of invalid user ids (in STAT) and failed login attempts.
If you want to be any more secure than that then moving to three factor authentication with a security bolt-on is the best way to go.
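As an added example that is not from the thread, the following Python check reproduces the USR40 wildcard semantics the posters rely on ('*' for any sequence, '?' for one character, case-insensitive) alongside the complexity rules they discuss (minimum length, one digit, one special character, at least 3 characters changed). The exception list entries and policy numbers are constructed, and the positional comparison used for "characters different" is a simplifying assumption, not SAP's exact algorithm.

```python
import re

# Constructed sample of USR40-style entries (not taken from any real system).
USR40_SAMPLE = ["welcome*", "?????123", "sap*", "cowboys*", "acmecorp"]

# Policy values taken from the thread's discussion; the dict keys are our
# own names, not SAP profile parameter names.
POLICY = {"min_length": 8, "min_digits": 1, "min_specials": 1, "min_diff": 3}


def usr40_pattern_to_regex(pattern):
    """Translate a USR40 wildcard pattern into an anchored regex.
    '*' matches any sequence, '?' exactly one character; case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_usr40(password, patterns):
    """Return the first pattern that forbids the password, else None."""
    for p in patterns:
        if usr40_pattern_to_regex(p).match(password):
            return p
    return None


def check_password(password, old_password, patterns=USR40_SAMPLE, policy=POLICY):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    if sum(c.isdigit() for c in password) < policy["min_digits"]:
        problems.append("needs a digit")
    if sum(not c.isalnum() for c in password) < policy["min_specials"]:
        problems.append("needs a special character")
    # Simplified positional difference (assumption): count positions that
    # differ, plus any length difference.
    diff = sum(1 for a, b in zip(password.lower(), old_password.lower()) if a != b)
    diff += abs(len(password) - len(old_password))
    if diff < policy["min_diff"]:
        problems.append("too similar to previous password")
    hit = matches_usr40(password, patterns)
    if hit is not None:
        problems.append("matches USR40 pattern " + hit)
    return problems
```

Running `matches_usr40("AnythingAtAll9!", ["*"])` shows why the "just put a * into USR40" suggestion above is a joke: a lone `*` pattern rejects every password.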
USR40 table
Labels: SAP USER FAQs