Feb 272008
 

With growing concerns over Data Confidentiality/Security and Privacy growing, administrators have to take enough care and opportunity where possible to ensure securiry and privacy is maintained. Security/Privacy concerns are both physical and electronic.

For instance, a passby individual can actually be looking at a confidential legal document which not everyone has access to or a PC left unattended by a user can prove to be a lethal weapon for a passer by.

Windows luckily helps protect against this passer by activity using simple screensaver functionality. Admins can Auto-lock user desktops or force log off user after a defined period of inactivity.

Auto-Lock Screen

Most if not all organisations use Windows Screen Savers to lock user PCs using Windows ScreenSavers after a period of inactivity. The specified screensaver kicks in when there is no user activity (keyboard/mouse events) for a period of time and Windows 2000, XP and 2003 allows to prompt for a password when resuming from screensaver. Given the complex security requirements and compliances, this will eventually be an audit point in most organisations regulated by a central body.

Auto-Logoff User

A similar screensaver called winexit (winexit.scr) is available for download from Microsoft as a part of Windows 2000 or Windows 2003 resource kit. This screensaver automatically logs out the user after a period of inactivity.

The resource kits can be downloaded here for Windows 2000 & Windows 2003

Installation is straight forward, right-click file and select install and can be deployed centrally through the Group Policies.

However, care has to be taken to ensure the timing is set appropriately and the users are educated on saving their files after work as unsaved work will potentially be lost in the event of a forced logoff and make them understand what the screensaver can do. Also, advisable to enable Autosave on applications where possible.

Another important aspect is that the user can always disable this feature from the display properties and hence it is important that this is controlled using the Group Policies. Admins can

Disable editing Screensaver from Display properties for users

Always push this screensaver policy using GPO as in the event the user manages to get the screensaver off, the policy gets applied in the next update.

The settingsof interest under Group Policy for Screensavers are under

UserConfiguration
     \ Administrative Templates
              \Control Panel
                       \Display
 

Group Policy for Screensavers

Incoming search terms:

 Leave a Reply

(required)

(required)

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>