https://community.sap.com/t5/application-development-and-automation-discussions/user-lock/m-p/1384151#M187186 <HTML><HEAD></HEAD><BODY><P>Sorry, but that would be a stupid idea.</P><P>If you do not restrict the number of permitted failed password logon attempts you enable dictionary and brute-force attacks - it's just a matter of time when an attacker will succeed.</P><P></P><P>BTW: Please choose the proper user type: SYSTEM (see &lt;a href="http://service.sap.com/~form/handler?_APP=01100107900000000342&amp;_EVENT=REDIR&amp;_NNUM=622464"&gt;SAP Note 622464&lt;/a&gt;)</P><P></P><P>SYSTEM users which are only used to perform system-internal tasks (such as background processing) do not require passwords (you might deactivate their password) - on the other hand: the password lock (due to failed password logon attempts) will not prevent the execution of background jobs (see &lt;a href="http://service.sap.com/~form/handler?_APP=01100107900000000342&amp;_EVENT=REDIR&amp;_NNUM=498889"&gt;SAP Note 498889&lt;/a&gt;). Please notice that there is a difference between &lt;b&gt;password lock&lt;/b&gt; and &lt;b&gt;account lock&lt;/b&gt;.</P><P></P><P>Regards, Wolfgang</P></BODY></HTML> Thu, 13 Jul 2006 07:06:05 GMT Wolfgang_Janzen 2006-07-13T07:06:05Z https://community.sap.com/t5/application-development-and-automation-discussions/user-lock/m-p/1384150#M187185 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>We are experiencing the problem with one of the user configured as service type.</P><P>But the problem is if some body tried to login without knowing the password , it locks the user account.</P><P>for ex: CA_AUTOSYS or DDIC</P><P>We have many batch jobs running under this user id.</P><P>How can we make users like this never locked.</P><P>I know the profile parameter which locks for that day and releases it. Is there anyother way where we can make the user id unlocked all the time. Please advise.</P></BODY></HTML> Wed, 12 Jul 2006 21:13:21 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-lock/m-p/1384150#M187185 Former Member 2006-07-12T21:13:21Z https://community.sap.com/t5/application-development-and-automation-discussions/user-lock/m-p/1384151#M187186 <HTML><HEAD></HEAD><BODY><P>Sorry, but that would be a stupid idea.</P><P>If you do not restrict the number of permitted failed password logon attempts you enable dictionary and brute-force attacks - it's just a matter of time when an attacker will succeed.</P><P></P><P>BTW: Please choose the proper user type: SYSTEM (see &lt;a href="http://service.sap.com/~form/handler?_APP=01100107900000000342&amp;_EVENT=REDIR&amp;_NNUM=622464"&gt;SAP Note 622464&lt;/a&gt;)</P><P></P><P>SYSTEM users which are only used to perform system-internal tasks (such as background processing) do not require passwords (you might deactivate their password) - on the other hand: the password lock (due to failed password logon attempts) will not prevent the execution of background jobs (see &lt;a href="http://service.sap.com/~form/handler?_APP=01100107900000000342&amp;_EVENT=REDIR&amp;_NNUM=498889"&gt;SAP Note 498889&lt;/a&gt;). Please notice that there is a difference between &lt;b&gt;password lock&lt;/b&gt; and &lt;b&gt;account lock&lt;/b&gt;.</P><P></P><P>Regards, Wolfgang</P></BODY></HTML> Thu, 13 Jul 2006 07:06:05 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-lock/m-p/1384151#M187186 Wolfgang_Janzen 2006-07-13T07:06:05Z https://community.sap.com/t5/application-development-and-automation-discussions/user-lock/m-p/1384152#M187187 <HTML><HEAD></HEAD><BODY><P>"000/DDIC" is required for upgrades and Support Package imports (which makes this account special and vulnerable for denial-of-service attacks); the user type should be DIALOG (to enable SAPGUI logons).</P><P></P><P>Well, during normal operations you do not need "DDIC".</P><P>Therefore you should deactivate that account (e.g. by using the account lock) and activate it only on demand.</P><P></P><P>Same applies for user SAP*.</P><P>You should not use that account but create copies and use them instead (see &lt;a href="http://service.sap.com/~form/handler?_APP=01100107900000000342&amp;_EVENT=REDIR&amp;_NNUM=2383"&gt;SAP Note 2383&lt;/a&gt;).</P><P></P><P>Regards, Wolfgang</P></BODY></HTML> Thu, 13 Jul 2006 07:22:08 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-lock/m-p/1384152#M187187 Wolfgang_Janzen 2006-07-13T07:22:08Z https://community.sap.com/t5/application-development-and-automation-discussions/user-lock/m-p/1384153#M187188 <HTML><HEAD></HEAD><BODY><P>Use the security audit log or application monitors (search for transaction "login_pw") to track down the "person" who is trying to logon with DDIC without being authorized to know the password, and fire them.</P><P></P><P>If you find that the "person" is actually an application trying to login, "fire" the application by removing the entry for that user from table RFCDES.</P></BODY></HTML> Thu, 13 Jul 2006 07:56:58 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-lock/m-p/1384153#M187188 Former Member 2006-07-13T07:56:58Z