Monday, March 25, 2013

Number of failed user logon attempts

There is a very nice new function available in the ABAP stack. It helps users recognize whether something illegitimate is going on with their user accounts, for example someone trying to guess their credentials in order to get access to the SAP system. With it a user can tell whether it was just their own typo or whether someone else was trying to sneak in.

The system analyzes the user master data table USR02, in particular the field LOCNT (Number of failed logon attempts), which is incremented every time a logon attempt fails. On the next successful logon, if the field is not zero, the following pop-up message is shown:

I'm not sure since when this function has been available, but it seems to have appeared in component SAP_BASIS 731 as of PL 05. The logon check is most likely implemented in function module SUSR_LOGON_USER_EXIT, where other checks (time zone, help, transport errors, SAP Business Workplace (SBWP) inbox notifications, user exit EXIT_SAPLSUSF_001 / ZXUSRU01, etc.) are also implemented.

What should an SAP administrator do when a user reports seeing such a message? The admin can run a tool like SUIM -> User -> Users by Complex Selection Criteria -> With Unsuccessful Logons or By Logon Date and Password Change, where more information about the possible threat is available.

There are also many other tools for managing users. To mention just a few: with report RSUSR200 the admin can select all inactive users that should be locked, and with report RSUSR_LOCK_USERS the admin can automatically select and lock users.
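As an added illustration of the admin side of this check (example code, not from the original post or from SAP), the following report lists every account whose USR02-LOCNT counter is non-zero, so the administrator can review failed logon attempts before a user reports the pop-up. It assumes the standard USR02 fields BNAME, LOCNT, UFLAG and TRDAT; the UFLAG values used for lock status are the usual ones (128 = locked by failed logons, 32/64 = locked by an administrator).

```abap
REPORT z_failed_logon_overview.

" Constructed example: list accounts whose failed-logon counter
" (USR02-LOCNT) is non-zero. LOCNT is only reset by a successful
" password logon, so a non-zero value means at least one failed
" password logon since the last successful one.

TYPES: BEGIN OF ty_user,
         bname TYPE usr02-bname,
         locnt TYPE usr02-locnt,
         uflag TYPE usr02-uflag,
         trdat TYPE usr02-trdat,
       END OF ty_user.

DATA lt_users       TYPE STANDARD TABLE OF ty_user.
DATA lv_lock_status TYPE string.

" Read only the fields needed; highest counters first.
SELECT bname locnt uflag trdat
  FROM usr02
  INTO TABLE lt_users
  WHERE locnt > 0
  ORDER BY locnt DESCENDING bname.

IF sy-subrc <> 0.
  WRITE: / 'No users with failed logon attempts.'.
  RETURN.
ENDIF.

WRITE: / 'User', 15 'Failed', 25 'Last logon', 40 'Lock status'.

LOOP AT lt_users ASSIGNING FIELD-SYMBOL(<ls_user>).
  " UFLAG is a bit field: 128 = locked by too many failed logons,
  " 32 = locked globally by admin, 64 = locked locally by admin.
  " Plain arithmetic is used instead of bit operations so the
  " code does not depend on the exact field type.
  IF <ls_user>-uflag >= 128.
    lv_lock_status = 'locked: failed logons'.
  ELSEIF <ls_user>-uflag MOD 128 >= 32.
    lv_lock_status = 'locked: administrator'.
  ELSE.
    lv_lock_status = 'not locked (review!)'.
  ENDIF.

  WRITE: / <ls_user>-bname,
        15 <ls_user>-locnt,
        25 <ls_user>-trdat,
        40 lv_lock_status.
ENDLOOP.
```

Accounts that show failed attempts but are not yet locked are the ones worth a closer look, since the counter is still below the lock threshold.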

See other information on this topic:
Note 992200 - Firefighter User Exit
Note 2467 - Password rules and preventing incorrect logons

9 comments:

Unknown said...

Now the client needs to disable this feature.
is there any parameter involved?

Martin Maruskin said...

Hi Rob,

to be honest I'm sure if there is a possibility to switch this off. As I wrote in the blog I do not know the place in the code where this check is implemented.
You may want to play with it and debug it. If you do not find anything just open SMP message to ask SAP about possibility to switch it off.
Cheers,
sapper

Anonymous said...

I think this would be a great feature if it could be easily turned off. For most users it's seen as an inconvenience and they don't care how many incorrect logon attempts they've had. They care they have an extra "click" to perform before getting into the system.

For Admins they can see the number of incorrect logon attempts for users using the SUIM reports.

We use SSO and now need to find a way to turn this off or users with correct logon attempts prior to SSO will now be prompted each time they try to logon to the SAP system. The way SSO works, the counter does not get reset. I will open a message for SAP and share if I get a response.

Cheers

Moe



Martin Maruskin said...

Thanks Moe for pursuing this within SAP. Also Rob (above) was curious how to switch it off. Please share once you come to know that.

cheers, sapper

Anonymous said...

Reply from SAP
---------------
Hello Maurice,

Kindly notice that this is a new feature of the release 731. We have
checked with the developers and, unfortunately, you cannot disable this.
All users which have unsuccessful password based logon attempts will get this popup. Let me explain the rationale behind a counter for failed
password logon attempts: passwords can be guessed (not only stolen) and
thus we have to limit the number of permissible failed logon attempts.
Unfortunately, the system cannot differentiate between accidental typos
of the legitimate user and the attempt of an attacker to guess the
password.

Therefore, the system will make the user alert about the fact that there have been failed password logon attempts. The user should be able to
judge whether it was likely him or someone else who has caused this.

Please bear in mind that, being able to logon also by other means than
by password does not eliminate the above mentioned risk. Actually one
could even argue that it might increase the risk since the user might
have forgotten about his (idle) password. For exactly this reason we
made it configurable to prompt an user to change (or disregard) his
password when it is about to be changed (after 'n' days, configurable) - even if he does not use his password to logon (but using SSO).

The reason for not resetting the counter of failed password logon
attempts when performing a non-password logon, is that this would
jeopardize the concept (of limiting the number of permissible failed
password logon attempts) - because you'd grant an attacker additional
attempts to guess the password. So, if you are not using your password,
the best advice is: deactivate it - because then also the attacker will
have no chance to impersonate you with a guessed or cracked password.

So the alternatives you have to get rid of the popup message are either
deactivate the password in case you do not need it or logon once with
your correct password.

Hopefully it'll help you understand the design of such functionality.

I hope this solves the issue for you promptly and if so please let me
know by confirming this message (at your convenience) and providing some valuable feedback. Otherwise please do not hesitate to respond with
further information. I'll be looking forward to them.

--------------
Regards
Moe

Martin Maruskin said...

Hi Moe,
Hmmm, the SAP reply is not very satisfying for our needs. However, you addressed this issue. Let's hope they will consider including a "switch off" for this functionality in future releases.
cheers,
sapper

Steve said...

What's the harm of deactivating the password if you are using SSO? So basically setting LOCNT=3

This would disable the pop-up from coming up.

Thigre said...

Hello

SAP's response is clear: 1894688 - Number of failed password logon attempts

"[...]

There is no possibility of disabling the pop-up window option. However, the alternatives you have to get rid of this pop-up message are:

Deactivate your password in case you do not need it;
Login once with the correct password.


[...]"

Samuel Grevillot

Mark said...

I'm afraid logging in with a correct password does not help!!! That is what is so frustrating with this message. It comes up ALL the time, EVERY time, no matter how long ago you accidentally entered an incorrect password.

That is why I am trying to find out how to disable this infuriating message.