CONFIGURATION GUIDE | PUBLICDocument Version: 1.0 – 2019-11-25

SAP Identity Management Password Hook Configuration Guide

© 2

019

SAP

SE o

r an

SAP affi

liate

com

pany

. All

right

s re

serv

ed.

THE BEST RUN

Content

1 SAP Identity Management Password Hook Configuration Guide. . . . . . . . . . . . . . . . . . . . . . . . .3

2 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

3 Security and Policy Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

4 Files and File Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

5 Installing and Upgrading Password Hook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85.1 Installing Password Hook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85.2 Upgrading Password Hook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

6 Configuring Password Hook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

7 Integrating with the Identity Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

8 Implementation Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

9 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

2 P U B L I CSAP Identity Management Password Hook Configuration Guide

Content

1 SAP Identity Management Password Hook Configuration Guide

The purpose of the SAP Identity Management Password Hook is to synchronize passwords from a Microsoft domain to one or more applications. This is achieved by capturing password changes from the Microsoft domain and updating the password in the other applications through a provisioning solution.

Prerequisites

To get the most benefit from this guide, you should have the following knowledge:

● Knowledge of the Identity Center● Microsoft domain security● Knowledge of the security policy of your organization● Knowledge of Windows PowerShell

The following software is required:

● You have installed SAP Identity Management 8.0 SP05 or higher● You have installed the correct version of the Password Hook (a 32- or a 64-bit version) on the Microsoft

domain controller.● You have installed Windows PowerShell 4.0 or higher.

Related Documents

You can find useful information in the following documents:

● Article in Microsoft Developer Network Library: Password Filters● SAP Identity Management Security Guide

SAP Identity Management Password Hook Configuration GuideSAP Identity Management Password Hook Configuration Guide P U B L I C 3

2 Overview

The SAP Identity Management Password Hook is a password hook DLL that can be installed on the Microsoft domain controller(s) in the password verification chain.

If the correct domain security policy is enabled, the Password Hook will be notified whenever a user tries to change his or her password. This allows the hook to intercept password changes in the Microsoft domain and distribute it to other applications using the SAP Identity Management Identity Center. This allows the user passwords of other applications to be synchronized with the passwords in the Windows domain.

The Password Hook can be one of several password hooks installed on the Microsoft controller. All enabled password hooks will be notified for each password change.

Scenario

The Password Hook uses REST API v2 over HTTPS to write the password to an identity store in the Identity Center. From there, the new password is distributed to a number of target applications using mechanisms in the Identity Center.

4 P U B L I CSAP Identity Management Password Hook Configuration Guide

Overview

3 Security and Policy Issues

NoteBy installing the Password Hook, changed passwords are sent to SAP Identity Management over HTTPS. Make sure the channel is encrypted and protected. When implementing the Password Hook, avoid any security breaches and be careful not to violate the security policy of your organization.

It is important to understand the nature of passwords when implementing a solution using the Password Hook.

A password is used by a user to authenticate against an application, and will give the user certain rights within that system. The password is known as a "shared secret", based on the assumption that it is known only by the user and the application. If the password is exposed, an attacker may be able to masquerade as (that is, log in as) the user, and perform operations only allowed by this user. There is no way of detecting or logging this kind of security attack.

Applications make efforts to store the password as securely as possible, for example, using a one-way encryption algorithm. By implementing any type of password hook, you will in most cases increase the risk of password exposure, and this risk should be carefully assessed with regards to consequences of exposure.

Another detail that should be considered is to which applications a password is synchronized. When the same password is used in all applications, a security attack with the purpose of obtaining a given user's password could be directed towards the application with the weakest security. Therefore, you should carefully consider which systems should be synchronized.

For Password Hook security-relevant information, see the Password Hook section in SAP Identity Management Security Guide.

Related Information

Password Hook

SAP Identity Management Password Hook Configuration GuideSecurity and Policy Issues P U B L I C 5

4 Files and File Locations

The Password Hook is distributed together with the Identity Center, but it is not installed together with the Identity Center. It needs to be installed separately.

You can find the files you need to install/update (and configure) the Password Hook in the installation kit, that is, in the Core components under the PasswordHook folder. The Password Hook is available in both 32-bit and 64-bit version.

When the Password Hook is installed, the default destination directory is C:\usr\sap\IdM\Identity Center.

The .dll file is installed in the Windows System directory (C:\WINDOWS\system32\MxPwdHook.dll).

File Directory Description

setup.exe <installation kit>\Core\PasswordHook

Run this file to install the Password Hook. Install the Password Hook on the Microsoft domain controller.

HookConfig.exe C:\usr\sap\IdM\Identity Center\ (by

default)

Open this file to configure the Password Hook. The file is included in the installa­tion.

newpass.bat C:\usr\sap\IdM\Identity Center\ (by

default)

This is a sample BAT file that can be used to test the Password Hook. The file is included in the installation.

TestHook.exe C:\usr\sap\IdM\Identity Center\ (by

default)

This is a small test program included in the installation. It simulates a password change for a test user and can be used to test the configuration of the Pass­word Hook.

6 P U B L I CSAP Identity Management Password Hook Configuration Guide

Files and File Locations

File Directory Description

Send-Password.ps1 C:\usr\sap\IdM\Identity Center\

This script sends a REST API request to update the value of the MX_PASS­WORD* attribute with the new pass­word. The user (identified with its MSKEY) and the new password are passed as arguments to the script.

The script is included in the installation.

* SAP Identity Management Password Hook uses MX_PASSWORD_HOOK at­tribute for password transportation. The attribute is internally converted to MX_PASSWORD.

Set-Credentials.ps1 C:\usr\sap\IdM\Identity Center\

This script sets the credentials for the user that makes the REST API request.

The script is included in the installation.

SAP Identity Management Password Hook Configuration GuideFiles and File Locations P U B L I C 7

5 Installing and Upgrading Password Hook

Even though the Password Hook is distributed together with the Identity Center, it still needs to be installed separately.

The necessary data for installing the Password Hook is included in the installation kit. The files are located in the Core components under the Password Hook folder.

The Password Hook is available for both 32- and 64- bit operating systems. Select the correct version of the Password Hook and install it on the Microsoft domain controller.

NoteMake sure that you are logged on as a user with administrator privileges when running the installation program.

Related Information

Installing Password Hook [page 8]Upgrading Password Hook [page 9]

5.1 Installing Password Hook

Context

To install the program, proceed as follows:

Procedure

1. Navigate to the correct version of the Password Hook (a 32- or a 64-bit version) in the Core ComponentsPasswordHook folder in the installation kit.

2. Start the installation by choosing setup.exe. You can use the default values for all steps in the process (that is, installation directoryC:\usr\sap\IdM\Identity Center).

Make sure the Key folder containing the Keys.ini file is available in the Password Hook installation directory. The default location of the Key folder is C:\usr\sap\IdM\Identity Center.

8 P U B L I CSAP Identity Management Password Hook Configuration Guide

Installing and Upgrading Password Hook

3. Enable the following setting, if necessary:

○ Choose All Programs Administrative Tools Domain Controller Security Policy from the Start menu to open the Domain Controller Security Policy window.

○ Choose Windows Settings Security Settings Account Policies Password Policy in the console tree and enable Passwords must meet complexity requirements.

4. Restart the server.

5.2 Upgrading Password Hook

Context

If you are upgrading the Password Hook, you must disable the Password Hook and restart the server before the program can be upgraded.

This is because the Windows LSA (Local Security Authority) locks the DLL file until the DLL has been disabled and the system restarted. Thus, the DLL has to be disabled before it can be upgraded. This is done by deselecting Enable hook in the SAP Password Hook configuration dialog box described in Configuring the Password Hook. Remember to choose the Save to registry button, to save the changes before closing the dialog box.

SAP Identity Management Password Hook Configuration GuideInstalling and Upgrading Password Hook P U B L I C 9

To upgrade Password Hook, proceed as follows:

Procedure

Run the same procedure as when installing the Password Hook.

Related Information

Configuring Password Hook [page 11]Installing Password Hook [page 8]

10 P U B L I CSAP Identity Management Password Hook Configuration Guide

Installing and Upgrading Password Hook

6 Configuring Password Hook

The Password Hook must be configured to perform the necessary actions when a user changes his or her password.

Prerequisites

You have installed Windows PowerShell 4.0 or higher.

Context

The Password Hook can make two calls when a password change is initiated. Both of them receive the user name and password as parameters.

● The (optional) password filter program is called before the password is changed in the domain controller. This can be used for external password verification/password policy, and can return a status value preventing the password from being changed.

● The password notification program that is called after the password is changed in the domain controller. This is used to distribute the new password to other applications.

The Password Hook can call any script or program that can take the user's name and password as arguments. The installation of the Password Hook contains a sample BAT file, newpass.bat, which can be used to test the Password Hook.

For more information about password change filtering and notification, see Password Filters in Microsoft Developer Network Library.

To configure the Password Hook, proceed as follows:

Procedure

1. Open the SAP Password Hook configuration dialog box by choosing All Programs SAP NetWeaver Identity Management Password Hook from the Start menu (which will open the file HookConfig.exe).

SAP Identity Management Password Hook Configuration GuideConfiguring Password Hook P U B L I C 11

2. Fill in the fields with the following values:

Field Values

Enable hook Select this check box to enable the hook.

NoteIf the hook was not enabled at the last startup, the computer must be restarted before the hook is acti­vated. If the hook was enabled at the last startup, the hook can be disabled (and enabled) without restarting the server.

General parameters

Working directory The working directory for the notification and filter pro­grams.

12 P U B L I CSAP Identity Management Password Hook Configuration Guide

Configuring Password Hook

Field Values

Environment variables Environment variables set before executing the notifica­tion and filter programs. Use the syntax parameter=value separated by pipe (|).

This can be path to any JDBC drivers or other client soft­ware necessary to access the target systems. For in­stance: PATH = E:\oracle\ora90\bin|SystemRoot = d:\winnt

Priority Priority to use for the process running the notification and filter programs. You can choose between:○ Idle○ Normal (Recommended)○ High

Notification

Password notification program Enter the name of or select the program which will be called after the user's password has been changed in the domain controller.

Arguments Specify any arguments to the password notification pro­gram or script. You can use the following variables:

%1 user name

%2 password

%3 relative ID

If any of the parameters includes spaces, enclose them in double quotes.

Wait for execution Maximum time in milliseconds to wait for the password notification program to complete execution. If it fails to complete within this limit, an error message will be logged. "0" means that it will not wait for the program to com­plete.

Filter

SAP Identity Management Password Hook Configuration GuideConfiguring Password Hook P U B L I C 13

Field Values

Password filter program Enter the name of or select the program that will be called before the user's password is changed in the domain con­troller.

NoteIf the filter program fails or it cannot be executed, any password change will be denied. Make sure that this field is empty if you are not using the filter mecha­nism.

This should be an executable program or a .bat file. All arguments must be specified in the in the Arguments field.

If this script returns anything but a zero (0) as the exit condition, the password change will be denied. This gives us a good way to allow/deny password changes based on a particular programs result, for example to enforce a password policy.

Leave this field empty if you do not want to filter pass­words.

14 P U B L I CSAP Identity Management Password Hook Configuration Guide

Configuring Password Hook

Field Values

Arguments Specify any arguments to the password filter program. You can use the following parameters:

%1 user name

%2 password

%3 full name

If any of the parameters includes spaces, enclose them in double quotes.

For example, if you are using a Java program to handle user passwords, the "Password filter program" will be set to e.g. "jre" or "C:\Program Files\Java\bin\jre.exe". The "Arguments" would be any parameters to the Java run­time and the class you would like to run. For instance: "-cp "C:\Program Files\MyJavaClasses" passwd %1 %2"

Using this example, when the user test changes the pass­word to "P@ssW0rd", the full command line executed will be: "C:\Program Files\Java\bin\jre.exe" -cp "C:\Program Files\MyJavaClasses" passwd test P@ssW0rd

NoteThe definition of the program must not contain any parameters. These must always be defined in the ar­guments field.

Wait for execution Maximum time in milliseconds to wait for the password fil­ter program to complete execution. If it fails to complete within this limit, the password change will be denied. "0" means that it will not wait for the program to complete, and the password will never be changed.

SAP Identity Management Password Hook Configuration GuideConfiguring Password Hook P U B L I C 15

Field Values

Password Select this checkbox to esure that the password is en­crypted when submitted to the filter applications. Other­wise the password is submitted in plain text.

The password is always encrypted when submitted to the notification applications.

Encrypting the password is important for two reasons. The password is submitted to the filter and notification programs as parameters on the command line. Thus, the password should be encrypted.

This also ensures that a user is not able to execute code disguised as a carefully crafted password. The filter and notification programs are executed with administrator privileges, and such code will be executed with administra­tor privileges.

Logging

Log file Enter the path and the file name of the log file. This should be a local file.

Maximum log file size Specify the maximum size in kilobytes of the log file. When this limit is reached, the log file is truncated to 25% of this size, with the most recent log entries kept. The old log file is renamed with a .bak extension. To disable the log trun­cation, enter "0" in this field.

Redirect program output to log file Select this check box to specify that the output from the notification and filter programs should be included in the log file.

Log level Select a log level. You can choose between:

None (0)

Error (1)

Debug (2)

All (3)

With the log level "All", the user passwords are stored in the log file together with other data, so use this option with care.

NoteChoosing a value different from "None" and not speci­fying a valid log file may have unpredictable results.

16 P U B L I CSAP Identity Management Password Hook Configuration Guide

Configuring Password Hook

Field Values

Notification Properties

Protocol HTTPS Protocol

Host Host name of your SAP NetWeaver AS Java

Port Port number of your SAP NetWeaver AS Java

Task GUID GUID of the Change Password (via Password Hook) form

Credentials file The credentials file must contain the credentials for the user that can access the SAP Identity Management REST API v2.

3. You can do the following:

○ Choose Save to registry to save the settings to registry and close the dialog box.○ Choose the button Save to file… to save the configuration to a file for back-up purposes, or to easily be

able to copy the configuration to another machine.○ Choose the Read to registry button to read the configuration from the registry.○ Choose the Read from file… button to read the configuration from a previously saved file.○ Choose Close to close the dialog box without saving the settings.

SAP Identity Management Password Hook Configuration GuideConfiguring Password Hook P U B L I C 17

7 Integrating with the Identity Center

Prerequisites

● You are using SAP Identity Management 8.0 SP05 or higher● You have installed the correct version of the Password Hook (a 32- or a 64-bit version) on the Microsoft

domain controller.● You have installed Windows PowerShell 4.0 or higher.● You must have a valid SSL certificate deployed on SAP NetWeaver because Password Hook uses HTTPS

protocol.● The Password Hook uses the REST API v2. The user who can access the REST API v2 must have specific

UME аctions configured as described in Configuring the UME Actions for the REST Interface● You have imported the latest version of com.sap.idm.forms.default package.● You have enabled password provisioning on the Password Policy tab of your identity store.● The Microsoft Active Directory (AD) user ID exists in SAP Identity Management (=MSKEYVALUE). You have

a connection between AD and SAP Identity Management, that is, you have created a repository of type ActiveDirectory and run the initial load job.

Context

The Windows PowerShell.exe is used as a password notification program. It executes the following scripts:

Script Description

Send-Password.ps1 This script sends a REST API request to update the value of the MX_PASSWORD* attribute with the new password. The user (identified with its MSKEY) and the new password are passed as arguments to the script.

* SAP Identity Management Password Hook uses MX_PASS­WORD_HOOK attribute for password transportation. The at­tribute is internally converted to MX_PASSWORD.

Set-Credentials.ps1 This script sets the credentials for the user that makes the REST API request.

18 P U B L I CSAP Identity Management Password Hook Configuration Guide

Integrating with the Identity Center

Procedure

1. Perform the following Password Hook configuration.

2. In the Password Hook configuration dialog, fill in the following information:

Field Values

Notification

Password notification program Provide the path to powershell.exe of your power­shell installation. The path should look like this: <POWERSHELL_INSTALLATION_DIRECTORY>\powershell.exe

SAP Identity Management Password Hook Configuration GuideIntegrating with the Identity Center P U B L I C 19

Field Values

Arguments Write a command with the path to the Send-Password.ps1 script and the appropriate arguments. This command should look like this: ­file "<PASSWORD_HOOK_DIRECTORY>\Send-Password.ps1" -user "%1" -pass "%2"

Filter

Password filter program This command line will start the sample BAT file.

Arguments The user name and password are passed to the bat file.

Password Encrypted password is submitted to the filter applications.

Notification Properties

Protocol HTTPS Protocol

Host Host name of your SAP NetWeaver AS Java

Port Port number of your SAP NetWeaver AS Java

Task GUID GUID of the Change Password (via Password Hook) form

To get the task GUID of this form, execute a database query. This query should look like this: select taskGuid from MXP_Tasks where TaskName = 'Change Password (via Password Hook)'

For example: ED04189D-8864-48BE-BA67-C0C3F9B232CD

Credentials file The credentials file must contain the credentials for the user that can access the SAP Identity Management REST API v2.

To create this file, proceed as follows:1. Choose Create and provide username and password.

NoteOnly the user who creates the credentials file can then execute the Send-Password.ps1 script.

2. Select the directory where you want to save the file. The name of the file is cr.txt.

3. Once the file is created, choose Select.4. Navigate to the file and select it.

20 P U B L I CSAP Identity Management Password Hook Configuration Guide

Integrating with the Identity Center

8 Implementation Considerations

When implementing the Password Hook, the following should be considered:

● The company's password policy.● The security of the applications where the password is written. If one application does not store password

securely, an attacker may get access to all systems by cracking this system.● Access rights to intermediate files within the implemented solution. Intermediate files may contain a

password, and is a risk of exposure.● The security of the Identity Center configuration file. If an attacker has access to the configuration file, it

may be modified to expose the password, for example by writing this to a file.● The log from the Identity Center. Ensure that the clear-text password never is written to log files which are

accessible by possible attackers.

SAP Identity Management Password Hook Configuration GuideImplementation Considerations P U B L I C 21

9 Troubleshooting

If you encounter some problems, you can use the following information to solve the problem:

Problem Description

The password hook was installed, but nothing happens when a password is changed.

Solution

1. Are there any entries in the log file that provide some information? The log file should be specified (with full path) in the configuration dialog.

2. Check that the Password Hook was properly installed, and that it has been loaded at startup.Open the configuration dialog box, and check that the Enable hook checkbox is selected.The server must be restarted before the hook will be called. Hook DLLs are only loaded at startup.If the hook was disabled during the last boot, you will have to restart the server after re-enabling the hook.If the hook was enabled during boot, you can disable/re-enable it without restarting the server.

3. Is password policy enabled? If not already enabled, you must enable the setting: Domain Security PolicyWindows Settings Security Settings Account Policies Password Policy Passwords must meet

complexity requirements .

Problem Description

After installing the password hook, nobody is allowed to change their password.

Solution

1. Check the configuration of the Password filter program.The password hook allows you to specify password filtering. This is implemented by executing the configured Password filter program. If this fails, it will be interpreted as Password did not satisfy the filter and the password change will be denied.If you are not using the filter mechanism, make sure that this field is empty.

2. Password policyIf you had to enable the setting: Domain Security Policy Windows Settings Security SettingsAccount Policies Password Policy Passwords must meet complexity requirements

22 P U B L I CSAP Identity Management Password Hook Configuration Guide

Troubleshooting

Some other filter may have set a stricter password policy. Try to identify the password policy of these filter programs. Or try to specify a complex password containing a mix of lowercase/uppercase characters and numbers, that is, try P@ssW0rd, Password123, kdhgvHJe3456 etc.

Problem Description

The filter detected the password change, but the application specified as Password notification program was never started, or failed to run properly.

Solution

1. You can use the test program TestHook.exe. It will simulate a password change for user "Testus", full name "Test User", relative ID "1234" and new password: P@ssw0rd. You can use this to test the configuration of the password hook.If everything is ok when using the test program, but fails on actual password changes, the cause is most likely in the user environment.When you execute the test program, everything is executed in the context of the logged on user, with its access rights, and environment.When the notification and filter programs are called from the system on a real password change, everything is executed in the context of the system account.This might cause problems if the program(s) called depend(s) on environment variables, specific accesses or needs to interact with the desktop.

SAP Identity Management Password Hook Configuration GuideTroubleshooting P U B L I C 23

Important Disclaimers and Legal Information

HyperlinksSome links are classified by an icon and/or a mouseover text. These links provide additional information.About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any

damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Beta and Other Experimental FeaturesExperimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example CodeAny software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related LanguageWe try not to use gender­specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

Videos Hosted on External PlatformsSome videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the control or responsibility of SAP.

24 P U B L I CSAP Identity Management Password Hook Configuration Guide

Important Disclaimers and Legal Information

SAP Identity Management Password Hook Configuration GuideImportant Disclaimers and Legal Information P U B L I C 25

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.

THE BEST RUN