Preventing Unauthorized Logons

Use the following measures to protect against unauthorized logons:

  • Terminate sessions after a number of unsuccessful logon attempts under a single user ID. (Set the number of allowed unsuccessful logon attempts in the profile parameter login/fails_to_session_end.)
  • Lock users after a number of consecutive unsuccessful logon attempts under a single user ID.

    Set the number of invalid logon attempts that are allowed in the profile parameter login/fails_to_user_lock. Note the following:

    • You can explicitly set locks for specific users.
    • The system removes locks at midnight on the same day; however, you can also manually remove them at any time.
    • You can specify that the AS ABAP should not remove user locks automatically. (Set this flag in the profile parameter login/failed_user_auto_unlock).
    • The System Log records all locks. For more information, see Auditing and Logging.
  • End users should activate password-protected screen savers.
  • Monitor unsuccessful logon attempts with report RSUSR006.

    This report records the number of incorrect logon attempts by a user and user locks. We recommend scheduling this report to run on a regular basis (daily).

  • Record logon attempts in the Security Audit Log (transactions SM18, SM19 and SM20).

    For more information, see Auditing and Logging.

  • Log off idle users.

    Specify the amount of time a user can be idle in the profile parameter rdisp/gui_auto_logout.

  • Use the customer exit SUSR0001 to add your own checks. (See SAP Note 37724.)

    For example, you can add a check to prevent multiple dialog logons (see Recognizing and Preventing Multiple Dialog User Logons and SAP Note 142724).

  • Customize SAP Logon so that users cannot change the configuration.
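Several of the measures above reduce to values of profile parameters (login/fails_to_session_end, login/fails_to_user_lock, login/failed_user_auto_unlock, rdisp/gui_auto_logout), so a defender will want to verify them against a baseline rather than trust that they were set. The following script is an added example, not SAP code and not part of this documentation: it parses the plain `name = value` format of an instance profile and reports each parameter as ok, fail, or unset. The profile text is constructed, and the limits in `POLICY` are an assumed baseline chosen for illustration, not values taken from SAP documentation; the reading that `login/failed_user_auto_unlock = 0` keeps locks in place and `rdisp/gui_auto_logout = 0` disables idle logoff is this example's assumption.

```python
"""Audit an AS ABAP instance profile for the logon-hardening parameters.

Added example, not SAP's own code. SAMPLE_PROFILE is constructed; the
limits in POLICY are an assumed baseline for illustration only.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of an instance profile ('name = value' lines, '#' comments).
SAMPLE_PROFILE = """\
# constructed sample instance profile (not a real system)
SAPSYSTEMNAME = EX1
login/fails_to_session_end = 3
login/fails_to_user_lock = 12
login/failed_user_auto_unlock = 1
rdisp/gui_auto_logout = 0
"""

# Assumed baseline: parameter -> (rule, limit, rationale).
# rule 'max': value <= limit; 'eq': value == limit; 'range': lo <= value <= hi.
POLICY: Dict[str, Tuple[str, object, str]] = {
    "login/fails_to_session_end": ("max", 3, "end the session after at most N failed attempts"),
    "login/fails_to_user_lock": ("max", 5, "lock the user after at most N consecutive failures"),
    "login/failed_user_auto_unlock": ("eq", 0, "assumed: 0 = locks are not removed at midnight"),
    "rdisp/gui_auto_logout": ("range", (1, 1800), "assumed: 0 = off; idle logoff within 30 min (seconds)"),
}

_LINE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Return name -> value for every 'name = value' line; '#' comments and blanks are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing and whole-line comments
        if not line.strip():
            continue
        match = _LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def check_value(rule: str, limit: object, value: int) -> bool:
    """Apply one POLICY rule to an integer parameter value."""
    if rule == "max":
        return value <= limit  # type: ignore[operator]
    if rule == "eq":
        return value == limit
    if rule == "range":
        lo, hi = limit  # type: ignore[misc]
        return lo <= value <= hi
    raise ValueError(f"unknown rule {rule!r}")


def audit_profile(params: Dict[str, str], policy=POLICY) -> List[Tuple[str, str, str]]:
    """Return (parameter, verdict, detail) per policy entry; verdict is 'ok', 'fail' or 'unset'."""
    findings: List[Tuple[str, str, str]] = []
    for name, (rule, limit, rationale) in policy.items():
        raw = params.get(name)
        if raw is None:
            # Not in the profile: the kernel default applies, which the audit cannot vouch for.
            findings.append((name, "unset", f"{name} not set; system default applies ({rationale})"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, "fail", f"{name} has non-numeric value {raw!r}"))
            continue
        verdict = "ok" if check_value(rule, limit, value) else "fail"
        findings.append((name, verdict, f"{name} = {value}; policy {rule} {limit} ({rationale})"))
    return findings


def failed_parameters(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Names of parameters that are not 'ok' (failed or unset), for a summary line."""
    return [name for name, verdict, _ in findings if verdict != "ok"]


if __name__ == "__main__":
    results = audit_profile(parse_profile(SAMPLE_PROFILE))
    for _, verdict, detail in results:
        print(f"{verdict:5} {detail}")
    print(f"{len(failed_parameters(results))} of {len(results)} parameters need attention")
```

Run it against a real profile by replacing `SAMPLE_PROFILE` with the file contents; an `unset` verdict is worth as much attention as a `fail`, because the kernel default is then in force rather than a value someone consciously chose.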

See also:

Profile Parameters for Logon and Password (Login Parameters)