SAP Logon Shortcuts make life easier for attackers too!
From convenience to compromise: The real risk of SAP shortcuts.
Yesterday, I came across a post on LinkedIn with the headline: “Auto logon to SAP using shortcut.”
Unsurprisingly, it grabbed attention — many users reshared, commented, and even showed interest in trying it out (I’m sure they did). After all, anything that makes our work faster usually gets people excited.
But here’s the concerning part: a large number of those who reshared the post were SAP Security consultants. And that’s where I had to pause and ask — do we really understand what security means?
Security is not just about creating roles with strict authorizations and assigning them to users. That’s only one layer. True security means protecting the entire system, from the application to the database, and beyond. It’s about safeguarding not just who can do what inside SAP, but also how access, credentials, and data are protected across every layer of the ecosystem.
Let me dive into this topic and give some recommendations.
SAP Logon shortcuts (files like .sap on Windows or .sapc on macOS) are often used to quickly connect to SAP systems with pre-filled details such as system name, client, user ID, and password.
While convenient, they also come with serious security risks — especially if passwords are stored inside them. Imagine leaving your house key under the doormat: it’s easier for you, but just as easy for anyone else who finds it.
This article explains the risks, and step-by-step methods for disabling SAP shortcuts on both Windows and macOS.
Risks Involved with SAP Shortcuts
Passwords stored in the SAP system itself are kept as salted hashes. A password saved in a shortcut, by contrast, is an encoded string (similar to base-encoding or a simple cipher) that SAP GUI can decode on the fly when connecting to the system. Here is the flow:
[Diagram: credential flow. Source: Onapsis (read https://onapsis.com/blog/sap-security-password-hash-cracking-user-cloning-user-impersonation/)]
However, passwords in shortcuts are not stored with strong encryption. They can be reversed, meaning an attacker who obtains the file could recover your SAP login credentials.
If someone emails, uploads, or copies a shortcut, they’ve effectively handed over system access to an outsider/intruder. Unlike a password manager, the shortcut doesn’t protect against misuse.
NOTE: I’m not even recommending password managers/vaults here. Use them at your own risk.
If you think you are safe because you create shortcuts without a password, remember that even without one the shortcut still exposes system IDs, client numbers, and server addresses, which attackers can use to target your SAP systems.
Industries bound by regulations (like SOX, ISO 27001, GDPR) consider this practice insecure. Storing credentials this way can directly cause compliance violations.
How to Disable SAP Shortcuts
While SAP Note 146173 – “SAPShortcut: Saving password in SAPShortcut – not recommended” already highlights the risks, challenges, and ways to disable this feature, I want to revisit these points here. The goal is simple: to put this information right at your fingertips, so no security consultant or administrator overlooks it.
Disabling in Windows:
To disable this in Windows operating systems, open Registry Editor (regedit.exe) and navigate to the following key:
HKEY_CURRENT_USER\Software\SAP\SAPShortcut\Security
The registry value "EnablePassword" (type REG_SZ) is what permits password saving: it is set to 1 when the feature is enabled (the default is 0).
To make sure the feature stays off, create or set the string value "EnablePassword" to 0. This ensures no shortcut can save a password.
NOTE: Ensure that the registry is backed up before making these changes.
Tip
SAP GUI installation offers an option to enable/disable Shortcut creation. Uncheck SAP Shortcut in Optional Components.
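As an added example (not code from the article, from SAP, or from Onapsis), the following Python script turns the registry check above and the risk discussion earlier into an endpoint audit: on Windows it reads EnablePassword under HKEY_CURRENT_USER\Software\SAP\SAPShortcut\Security and reports whether shortcuts may still save passwords (the check is skipped on other platforms), and on any OS it walks the given directories for .sap/.sapc files, parses them and reports which ones carry a saved password and what system details they expose. The INI-style layout of a shortcut file and the section and key names it looks for ([System] Name/Client/GuiParm, [User] Name/Password or PW_ENC) are assumptions, not taken from SAP documentation; the two sample shortcuts are constructed and point at no real system.

```python
"""Endpoint audit for SAP Logon shortcut risks (added example, not SAP code).

Check 1 (Windows only): read EnablePassword under
  HKEY_CURRENT_USER\\Software\\SAP\\SAPShortcut\\Security.
Check 2 (any OS): find .sap/.sapc files below the given directories, parse
  their INI-style content and report saved passwords and exposed details.
"""
import configparser
import sys
import tempfile
from pathlib import Path

SHORTCUT_SUFFIXES = {".sap", ".sapc"}
# ASSUMPTION: shortcut files are INI-style with [System] and [User] sections
# and the key names used below; adjust if your SAP GUI version differs.
PASSWORD_KEYS = {"password", "pw_enc"}
REG_PATH = r"Software\SAP\SAPShortcut\Security"
REG_VALUE = "EnablePassword"


def evaluate_enable_password(value):
    """Map the EnablePassword string to (compliant, message).
    None means the value is absent, i.e. the default of 0 applies."""
    if value is None or str(value).strip() == "0":
        return True, "EnablePassword is 0 or absent: shortcuts cannot save passwords"
    return False, f"EnablePassword is {value!r}: shortcuts may save passwords"


def audit_registry():
    """Return (compliant, message) on Windows, or None where the check does not apply."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard library module
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH) as key:
            value, _ = winreg.QueryValueEx(key, REG_VALUE)
    except OSError:  # key or value missing: the default (0) applies
        value = None
    return evaluate_enable_password(value)


def _section(parser, wanted):
    """Case-insensitive section lookup; empty mapping if the section is absent."""
    for name in parser.sections():
        if name.lower() == wanted:
            return parser[name]
    return {}


def parse_shortcut(text):
    """Extract what a shortcut exposes (system ID, client, server, user)
    and whether a password is stored in it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)  # raises configparser.Error if not INI-like
    system = _section(parser, "system")
    user = _section(parser, "user")
    has_password = any(key in PASSWORD_KEYS and value.strip()
                       for key, value in user.items())
    return {
        "system": system.get("name", ""),
        "client": system.get("client", ""),
        "server": system.get("guiparm", ""),
        "user": user.get("name", ""),
        "has_password": bool(has_password),
    }


def risk_level(finding):
    """HIGH: credentials stored; MEDIUM: still leaks system/client/server details."""
    return "HIGH" if finding["has_password"] else "MEDIUM"


def scan_directories(roots):
    """Walk the roots and return one finding per shortcut file found."""
    findings = []
    for root in roots:
        for path in sorted(Path(root).rglob("*")):
            if path.suffix.lower() not in SHORTCUT_SUFFIXES or not path.is_file():
                continue
            try:
                finding = parse_shortcut(path.read_text(encoding="utf-8", errors="replace"))
            except (OSError, configparser.Error) as exc:
                finding = {"has_password": False, "error": str(exc)}
            finding["path"] = str(path)
            findings.append(finding)
    return findings


# Constructed sample shortcuts for the demo; they point at no real system.
SAMPLE_WITH_PASSWORD = """[System]
Name=PRD
Client=100
GuiParm=/H/sapprd.example.invalid/S/3200
[User]
Name=JDOE
Password=EXAMPLE_ENCODED_VALUE
Language=EN
[Function]
Command=SE38
"""
SAMPLE_WITHOUT_PASSWORD = """[System]
Name=DEV
Client=200
GuiParm=/H/sapdev.example.invalid/S/3200
[User]
Name=JDOE
Language=EN
"""


def run_demo():
    """Write the two samples to a temp directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "prd_autologon.sap").write_text(SAMPLE_WITH_PASSWORD)
        Path(tmp, "dev.sapc").write_text(SAMPLE_WITHOUT_PASSWORD)
        return scan_directories([tmp])


if __name__ == "__main__":
    reg = audit_registry()
    print("Registry:", reg[1] if reg else "check skipped (not Windows)")
    # Pass directories to scan, e.g. ~/Library/Preferences/SAP on macOS;
    # with no arguments the constructed samples are scanned instead.
    findings = scan_directories(sys.argv[1:]) if len(sys.argv) > 1 else run_demo()
    for f in findings:
        print(f"{risk_level(f):6} {f['path']}  system={f.get('system')} "
              f"client={f.get('client')} server={f.get('server')} "
              f"password_saved={f['has_password']}")
```

Run it with no arguments to see the two constructed samples classified (HIGH for the one with a saved password, MEDIUM for the one that only leaks system details), or pass one or more directories to scan real endpoints; a finding with an "error" key marks a file with the shortcut extension that did not parse as INI and deserves a manual look.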
Disabling in macOS
SAP GUI for macOS (Java version) uses .sapc files instead of .sap files; they are stored in the following path:
~/Library/Preferences/SAP/
To stop .sapc files from launching SAP GUI when double-clicked, follow the steps below:
Install duti (a file association manager – link: http://duti.org/) and execute the following:
brew install duti
duti -s com.apple.TextEdit .sap all
duti -s com.apple.TextEdit .sapc all
This makes .sap and .sapc files open in TextEdit (harmless) instead of SAP GUI.
NOTE: For IT admins: push this setting via Jamf or Intune using LSHandlers profiles.
Conclusion
Convenience should never outweigh security. While SAP shortcuts might save a few clicks, the risks they introduce — weak credential storage, credential theft, and compliance violations — can cause far greater damage than the time they save. Enterprises must take proactive steps: disable password saving, block shortcut creation, enforce SSO/SNC, and monitor for .sap or .sapc files across endpoints.
At the end of the day, shortcuts make life easier for attackers too. By building a culture where secure logon practices are non-negotiable, organizations can protect their SAP landscapes against one of the simplest yet most overlooked threats. Remember: in SAP security, the strongest defense is not just restricting what users can do inside the system, but also securing how they get in.