Use the following measures to protect against unauthorized logons:
- Terminate sessions after a number of unsuccessful logon attempts under a single user ID. (Set the number of allowed unsuccessful logon attempts in the profile parameter: login/fails_to_session_end).
- Lock users after a number of consecutive unsuccessful logon attempts under a single user ID.
Set the number of invalid logon attempts that are allowed in the profile parameter login/fails_to_user_lock. Note the following:
- You can explicitly set locks for specific users.
- The system removes locks caused by failed logon attempts at midnight on the same day (locks set explicitly by an administrator are not removed automatically); you can also remove a lock manually at any time.
- You can specify that the AS ABAP should not remove user locks automatically. (Set this flag in the profile parameter login/failed_user_auto_unlock).
- The System Log records all locks. For more information, see Auditing and Logging.
- End users should activate password-protected screen savers.
- Monitor unsuccessful logon attempts with report RSUSR006.
This report lists the users with incorrect logon attempts and the user locks that resulted. We recommend scheduling this report to run on a regular basis (daily).
- Record logon attempts in the Security Audit Log (transactions SM18, SM19 and SM20).
For more information, see Auditing and Logging.
- Log off idle users.
Specify the amount of time (in seconds) a user can be idle before being logged off in the profile parameter rdisp/gui_auto_logout.
- Use the customer exit SUSR0001 to add your own checks. (See SAP Note 37724.)
For example, you can add a check to prevent multiple dialog logons (see Recognizing and Preventing Multiple Dialog User Logons and SAP Note 142724).
- Customize SAP Logon so that users cannot change the configuration.
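The interaction between the two failed-logon counters is easy to get wrong: login/fails_to_session_end only ends the current session, while login/fails_to_user_lock keeps counting across sessions until a successful logon resets it, and a lock caused by failed logons falls away at the next midnight unless login/failed_user_auto_unlock is switched off. The following Python model is an added illustration of that behaviour, not SAP code; the class, the threshold values (3 and 5), the user ID JDOE and the timestamps are assumptions chosen for the example, and the "System Log" it writes is a constructed list of strings.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass
class UserState:
    fail_count: int = 0            # consecutive failed logons (login/fails_to_user_lock counter)
    locked: bool = False           # lock caused by failed logons
    lock_day: Optional[date] = None


class LogonMonitor:
    """Toy model of the AS ABAP failed-logon handling described above.

    Constructor arguments mirror the profile parameters; the numbers passed in
    are the caller's choice for this example, not SAP defaults."""

    def __init__(self, fails_to_session_end: int, fails_to_user_lock: int,
                 failed_user_auto_unlock: bool) -> None:
        self.fails_to_session_end = fails_to_session_end
        self.fails_to_user_lock = fails_to_user_lock
        self.failed_user_auto_unlock = failed_user_auto_unlock
        self.users: dict = {}          # user ID -> UserState
        self.session_fails: dict = {}  # session ID -> failures in that session
        self.syslog: list = []         # constructed stand-in for the System Log

    def _user(self, uid: str) -> UserState:
        return self.users.setdefault(uid, UserState())

    def _auto_unlock(self, uid: str, st: UserState, when: datetime) -> None:
        # A lock set by failed logons is removed at the next midnight, unless
        # automatic unlocking has been switched off.
        if (st.locked and self.failed_user_auto_unlock
                and st.lock_day is not None and when.date() > st.lock_day):
            st.locked, st.fail_count, st.lock_day = False, 0, None
            self.syslog.append(f"{when:%Y-%m-%d %H:%M} AUTO-UNLOCK user={uid}")

    def unlock(self, uid: str, when: datetime) -> None:
        """Administrator removes the lock manually (allowed at any time)."""
        st = self._user(uid)
        st.locked, st.fail_count, st.lock_day = False, 0, None
        self.syslog.append(f"{when:%Y-%m-%d %H:%M} MANUAL-UNLOCK user={uid}")

    def logon(self, uid: str, session: str, password_ok: bool, when: datetime) -> str:
        st = self._user(uid)
        self._auto_unlock(uid, st, when)
        if st.locked:
            return "REJECTED_LOCKED"          # even a correct password is refused
        if password_ok:
            st.fail_count = 0                 # only a successful logon resets the counter
            self.session_fails.pop(session, None)
            return "OK"
        st.fail_count += 1
        self.session_fails[session] = self.session_fails.get(session, 0) + 1
        self.syslog.append(f"{when:%Y-%m-%d %H:%M} FAILED-LOGON user={uid} "
                           f"session={session} count={st.fail_count}")
        if st.fail_count >= self.fails_to_user_lock:
            st.locked, st.lock_day = True, when.date()
            self.syslog.append(f"{when:%Y-%m-%d %H:%M} USER-LOCK user={uid}")
            return "USER_LOCKED"
        if self.session_fails[session] >= self.fails_to_session_end:
            self.session_fails.pop(session)   # session ends, user counter keeps running
            return "SESSION_END"
        return "FAILED"


def demo(auto_unlock: bool = True) -> list:
    """Constructed scenario: three bad passwords end session A, two more in
    session B lock the user, and the lock is (or is not) gone the next day."""
    m = LogonMonitor(fails_to_session_end=3, fails_to_user_lock=5,
                     failed_user_auto_unlock=auto_unlock)
    day1 = datetime(2024, 3, 1, 9, 0)
    day2 = datetime(2024, 3, 2, 8, 0)
    results = [m.logon("JDOE", "A", False, day1) for _ in range(3)]
    results += [m.logon("JDOE", "B", False, day1) for _ in range(2)]
    results.append(m.logon("JDOE", "C", True, day1))   # correct password, still locked
    results.append(m.logon("JDOE", "C", True, day2))   # next day
    return results


if __name__ == "__main__":
    print(demo(auto_unlock=True))
    print(demo(auto_unlock=False))
```

With automatic unlocking on, the last logon succeeds the next morning; with it off, the same logon is still rejected until an administrator calls `unlock`, which is the behaviour login/failed_user_auto_unlock selects.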
See also:
Profile Parameters for Logon and Password (Login Parameters)