Unauthorized Logon Protections - SAP Security

What are unauthorized logon protections, and how are they helpful to the SAP system?

To secure a SAP system, it is essential to monitor the unsuccessful logon attempts that users make in the SAP environment. When someone tries to log on without knowing the correct password, the system should recognize this and either lock the user ID for some time or terminate the session after a number of failed attempts.
Various security parameters can be set for unauthorized logon attempts −
  • Terminating a Session
  • Locking User
  • Activating Screen Savers
  • Monitoring unsuccessful logon attempts
  • Recording logon attempts

Terminating a Session

Whenever a user enters an incorrect password several times in a row with a single user ID, the system terminates the session for security reasons. This behaviour is controlled by the profile parameter login/fails_to_session_end.
To change the parameter value, run transaction RZ10 and select the profile as shown in the following screenshot. Activate Extended Maintenance and click Display.
[Screenshot: RZ10 profile with Extended Maintenance activated]
Select the parameter you want to change and click the Parameter button at the top, as shown below.
[Screenshot: Parameter button]
When you click the Parameter button, the value of the parameter can be changed in a new window. You can also create a new parameter by clicking the Create (F5) button.
To find the documentation for this parameter, run transaction RZ11, enter the parameter name login/fails_to_session_end and click Display Document.
  • Parameter − login/fails_to_session_end
  • Short text − Number of invalid login attempts until the session ends.
  • Parameter Description − Number of invalid login attempts that can be made with a user master record until the logon procedure is terminated.
  • Application Area − Logon
  • Default Value − 3
  • Who is permitted to make changes? − Customer
  • Operating System Restrictions − None
  • Database System Restrictions − None
  • Are other parameters affected or dependent? − None
  • Values allowed − 1 - 99
In the RZ11 display of this parameter, the value is set to 3, which is also the default value. After 3 unsuccessful logon attempts, the session is terminated for that user.

Locking User

Another way to protect a user ID is to lock it. You can track the number of unsuccessful logon attempts made with a particular user ID; if that number exceeds the limit, the user ID is locked. Set the number of invalid logon attempts allowed in the profile parameter login/fails_to_user_lock.
  • It is possible to set a lock on specific user IDs.
  • Locks are applied to a user ID until midnight. However, a lock can also be removed manually at any time by a system administrator.
  • In a SAP system, you can also set a parameter value that keeps the lock on the user ID until it is removed manually. Parameter name: login/failed_user_auto_unlock.

Profile parameter: login/fails_to_user_lock

Every time a user enters an incorrect logon password, the failed attempt is recorded in the user master record and the failed-logon counter is incremented. These logon attempts can also be logged in the Security Audit Log. When the counter reaches the limit specified by this parameter, the user is locked; this event is also logged in the Syslog.
The lock is no longer valid after the current day is over (depending on login/failed_user_auto_unlock).
The failed-logon counter is reset as soon as the user logs on with the correct password. Logons that are not password-based have no effect on the failed-logon counter. However, active logon locks are checked for every logon.
  • Values allowed − 1 – 99
To see the current value of this parameter, use transaction RZ11.
[Screenshot: RZ11 metadata for login/fails_to_user_lock]
  • Parameter name − login/failed_user_auto_unlock
  • Short text − Disable automatic unlocking of locked user at midnight.
  • Parameter Description − Controls the users who are unlocked by logging on incorrectly. If the parameter is set to 1, locks that were set due to failed password logon attempts only apply on the same day (as the locking). If the parameter is set to 0, the locks remain in effect.
  • Application Area − Logon.
  • Default Value − 0.
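The interplay of login/fails_to_session_end, login/fails_to_user_lock and login/failed_user_auto_unlock is easier to see in a small model. The following Python code is an added example written for this page; it is not SAP code and the SAP kernel exposes no such API. It keeps the failed-logon counter in a simulated user master record, ends a logon dialog after login/fails_to_session_end failures, locks the user when login/fails_to_user_lock is reached, checks the lock on every logon (password-based or not) and, with login/failed_user_auto_unlock = 1, drops the lock on the next day. The class and function names, the dates, the user ALICE and the assumption that a manual unlock also resets the counter are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class LogonPolicy:
    """Profile parameter values; defaults follow the parameter table on this page."""
    fails_to_session_end: int = 3     # login/fails_to_session_end
    fails_to_user_lock: int = 12      # login/fails_to_user_lock
    failed_user_auto_unlock: int = 0  # login/failed_user_auto_unlock (1 = lock ends at midnight)


@dataclass
class UserMasterRecord:
    failed_logons: int = 0            # counter kept in the user master record
    locked_on: Optional[date] = None  # day a failed-password lock was set, else None


class LogonMonitor:
    """Hypothetical model of the kernel's failed-logon handling (not SAP code)."""

    def __init__(self, policy: LogonPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserMasterRecord] = {}
        self.syslog: List[str] = []   # stands in for Syslog / Security Audit Log entries

    def record(self, user: str) -> UserMasterRecord:
        return self.users.setdefault(user, UserMasterRecord())

    def is_locked(self, user: str, today: date) -> bool:
        """Active locks are checked for every logon, password-based or not."""
        rec = self.record(user)
        if rec.locked_on is None:
            return False
        # With auto unlock = 1 the lock only applies on the day it was set.
        if self.policy.failed_user_auto_unlock == 1 and today > rec.locked_on:
            rec.locked_on = None
            self.syslog.append(f"{today} {user}: lock removed automatically (new day)")
            return False
        return True

    def unlock(self, user: str, today: date) -> None:
        """Manual unlock by an administrator; assumed here to reset the counter as well."""
        rec = self.record(user)
        rec.locked_on = None
        rec.failed_logons = 0
        self.syslog.append(f"{today} {user}: unlocked manually by administrator")

    def logon_session(self, user: str, correct_password: str, attempts: List[str],
                      today: date, password_based: bool = True) -> str:
        """Run one logon dialog; returns OK, SESSION_END, USER_LOCKED, LOCKED or ABANDONED."""
        rec = self.record(user)
        if self.is_locked(user, today):
            return "LOCKED"
        if not password_based:
            return "OK"   # e.g. an SSO ticket: no effect on the failed-logon counter
        session_failures = 0
        for password in attempts:
            if password == correct_password:
                rec.failed_logons = 0   # a correct password resets the counter
                return "OK"
            rec.failed_logons += 1
            session_failures += 1
            self.syslog.append(
                f"{today} {user}: failed password logon (counter={rec.failed_logons})")
            if rec.failed_logons >= self.policy.fails_to_user_lock:
                rec.locked_on = today
                self.syslog.append(
                    f"{today} {user}: user locked after {rec.failed_logons} failed logons")
                return "USER_LOCKED"
            if session_failures >= self.policy.fails_to_session_end:
                return "SESSION_END"
        return "ABANDONED"   # caller stopped before either limit was reached


def scenario(auto_unlock: int) -> List[str]:
    """Replay a constructed attempt sequence for user ALICE over two days."""
    mon = LogonMonitor(LogonPolicy(failed_user_auto_unlock=auto_unlock))
    day1 = date(2020, 6, 1)
    day2 = day1 + timedelta(days=1)
    results = [
        mon.logon_session("ALICE", "secret", ["a", "b", "c", "d"], day1),  # 3 failures end the dialog
        mon.logon_session("ALICE", "secret", ["a", "secret"], day1),       # counter 4, then reset to 0
    ]
    for _ in range(4):   # 4 dialogs x 3 failures = 12 -> user lock on the last attempt
        results.append(mon.logon_session("ALICE", "secret", ["a", "b", "c"], day1))
    results.append(mon.logon_session("ALICE", "secret", ["secret"], day2))  # next day
    mon.unlock("ALICE", day2)                                                # administrator steps in
    results.append(mon.logon_session("ALICE", "secret", ["secret"], day2))
    return results


if __name__ == "__main__":
    for value in (0, 1):
        print(f"login/failed_user_auto_unlock = {value}: {scenario(value)}")
```

With the default 0, the lock set on day 1 still blocks the correct password on day 2 until the administrator unlocks the user; with the value 1, the same logon on day 2 succeeds because the lock only applied on the day it was set.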

Activating Screen Savers

Screen savers can be activated by system administrators to protect the front-end screen from unauthorized access. These screen savers can be password protected.

Monitoring Unsuccessful Logon Attempts and Recording Logon Attempts

In a SAP system, you can use report RSUSR006 to check whether any users have made unsuccessful logon attempts. This report contains detailed information about the number of incorrect logon attempts per user and about user locks, and you can schedule it as required.
Go to the ABAP Editor (transaction SE38), enter the report name and click Execute.
[Screenshot: Execute]
The report shows details such as Username, Type, Created On, Creator, Password, Lock and Incorrect Logon details.
[Screenshot: List of users]
In a SAP system, you can also use the Security Audit Log (transactions SM18, SM19 and SM20) to record all successful and unsuccessful logon attempts. You view the log with transaction SM20; the Security Audit Log must be activated in the system before logon events are recorded.
[Screenshot: Security Audit Log]

Logging off Idle Users

When a user is logged on to a SAP system but the session has been inactive for a certain period, the user can be logged off automatically to avoid unauthorized access.
To enable this setting, specify the value in the profile parameter rdisp/gui_auto_logout.
  • Parameter Description – Inactive SAP GUI users can be logged off automatically from the SAP system after a specific period. The parameter defines this period. Automatic logoff is deactivated by default (value 0), that is, users are not logged off even if they perform no action for a long time.
  • Values allowed − n [unit], where n >= 0 and Unit = S | M | H | D
To see the current value of the parameter, run transaction RZ11.
[Screenshot: RZ11 display and current value of rdisp/gui_auto_logout]
The following table shows the list of key parameters, their default and their permitted values in a SAP system −

Parameter                       Description                                                    Default        Permitted Value
login/fails_to_session_end      Number of invalid login attempts until session end             3              1-99
login/fails_to_user_lock        Number of invalid login attempts until user lock               12             1-99
login/failed_user_auto_unlock   When set to 1: locks apply on the day they are set and are     1              0 or 1
                                removed the next day when the user logs on
rdisp/gui_auto_logout           Maximum idle time for a user in number of seconds              0 (no limit)   unrestricted
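The n [unit] syntax of rdisp/gui_auto_logout and the permitted ranges in the table above are easy to get wrong when reviewing a profile. The following Python code is an added example for this page, not SAP code: it parses an rdisp/gui_auto_logout value into seconds, decides whether an idle session would be logged off, and validates a parameter/value mapping against the permitted values from the table, flagging the default value 0 under which idle users are never logged off. The rule table, function names and sample profile are constructed; reading a missing unit as seconds and accepting lower-case unit letters are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Permitted values taken from the parameter table on this page.
# Kind "int" carries (low, high); kind "duration" uses the n [unit] syntax.
PARAMETER_RULES: Dict[str, Tuple[str, int, Optional[int]]] = {
    "login/fails_to_session_end": ("int", 1, 99),
    "login/fails_to_user_lock": ("int", 1, 99),
    "login/failed_user_auto_unlock": ("int", 0, 1),
    "rdisp/gui_auto_logout": ("duration", 0, None),
}

_UNIT_SECONDS = {"S": 1, "M": 60, "H": 3600, "D": 86400}
# n [unit]: digits, optional whitespace, optional unit letter (lower case accepted: assumption)
_DURATION = re.compile(r"^\s*(\d+)\s*([SMHD])?\s*$", re.IGNORECASE)


def parse_auto_logout(value: str) -> int:
    """Convert an rdisp/gui_auto_logout value to seconds; 0 means logoff is disabled.
    A missing unit is read as seconds (assumption)."""
    match = _DURATION.match(value)
    if not match:
        raise ValueError(f"rdisp/gui_auto_logout: {value!r} is not of the form n [S|M|H|D]")
    number, unit = int(match.group(1)), (match.group(2) or "S").upper()
    return number * _UNIT_SECONDS[unit]


def idle_logoff_due(value: str, idle_seconds: int) -> bool:
    """True if a SAP GUI session idle for idle_seconds would be logged off under value."""
    limit = parse_auto_logout(value)
    return limit > 0 and idle_seconds >= limit


def check_parameter(name: str, value: str) -> Optional[str]:
    """Return None when value is permitted for name, otherwise a finding text."""
    kind, low, high = PARAMETER_RULES[name]
    if kind == "int":
        try:
            number = int(value.strip())
        except ValueError:
            return f"{name}: {value!r} is not an integer"
        if number < low or (high is not None and number > high):
            return f"{name}: {number} is outside the permitted range {low}-{high}"
        return None
    try:
        parse_auto_logout(value)
    except ValueError as err:
        return str(err)
    return None


def check_profile(profile: Dict[str, str]) -> List[str]:
    """Validate a parameter/value mapping (e.g. copied from RZ10) and flag the weak
    setting rdisp/gui_auto_logout = 0, under which idle users are never logged off."""
    findings: List[str] = []
    for name, value in profile.items():
        if name not in PARAMETER_RULES:
            findings.append(f"{name}: not covered by the table (check the spelling)")
            continue
        message = check_parameter(name, value)
        if message:
            findings.append(message)
        elif name == "rdisp/gui_auto_logout" and parse_auto_logout(value) == 0:
            findings.append(f"{name}: 0 disables automatic logoff of idle SAP GUI users")
    return findings


if __name__ == "__main__":
    # Constructed sample profile: one value out of range, the weak default and a misspelt name.
    sample = {
        "login/fails_to_session_end": "3",
        "login/fails_to_user_lock": "120",
        "login/failed_user_auto_unlock": "1",
        "rdisp/gui_auto_logout": "0",
        "rdisp/gui_auto_output": "1800",
    }
    for finding in check_profile(sample):
        print(finding)
```

Running the sample reports three findings: the out-of-range user-lock threshold, the disabled idle logoff and the misspelt parameter name, which is exactly the kind of typo that silently leaves a setting at its default.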
