screen saver timeouts with password required after 20 minutes.
-
The consultant we are working with on our security project is recommending all workstations have screen saver timeouts with password required after 20 minutes. I understand the reason, but am concerned for what impact this may have on our centers' day to day work flow and operations.
Thoughts?
-
20 minutes is a very long time to be away from your system, and have the screen unlocked.
I would have it set for under 5 minutes and lock out.
Effects = people get better at typing their passwords.
-
@DustinB3403 said:
20 minutes is a very long time to be away from your system, and have the screen unlocked.
I would have it set for under 5 minutes and lock out.
Effects = people get better at typing their passwords.
My first instinct was to also suggest that they get better at remembering their passwords, lol.
-
Yeah we used to have 10 minutes...if someone's not active for 10 minutes they've either fallen asleep, busy doing something else, or not at their desk...
-
20 minutes is too long. I could walk away, take a dump, play one level of Angry Bird, buy a drink at vending machine, and come back within 20 minutes.
-
@LAH3385 said:
20 minutes is too long. I could walk away, take a dump, play one level of Angry Bird, buy a drink at vending machine, and come back within 20 minutes.
Yeah... While you are away, I could install evil.bat (which would play fart sounds every two minutes), screenshot your screen, hide the desktop, and flip the image upside down.... Too easy.
-
@dafyre said:
@LAH3385 said:
20 minutes is too long. I could walk away, take a dump, play one level of Angry Bird, buy a drink at vending machine, and come back within 20 minutes.
Yeah... While you are away, I could install evil.bat (which would play fart sounds every two minutes), screenshot your screen, hide the desktop, and flip the image upside down.... Too easy.
hah, it only takes 1 minute to Ctrl + A, Shift + Delete.
-
we do 10 min here.
-
@LAH3385 said:
20 minutes is too long. I could walk away, take a dump, play one level of Angry Bird, buy a drink at vending machine, and come back within 20 minutes.
Teach your users Windows Key+L. The screen saver is only supposed to be a backup.
-
@Jason I would sit down with Management and mention that IT would like to implement a new policy that automatically locks all computer accounts at 5 minutes of inactivity.
Teaching users leads to issues, like "I was never shown that and now all of our company account details are in our competition's hands!"
-
@Jason said:
@LAH3385 said:
20 minutes is too long. I could walk away, take a dump, play one level of Angry Bird, buy a drink at vending machine, and come back within 20 minutes.
Teach your users Windows Key+L. The screen saver is only supposed to be a backup.
We had it as a Wallpaper to remind users to Lock their Workstation when away. We even taught some users how to flip screen via keyboard then lock the workstation. They would flip any workstation that was left alone without locking.
-
@DustinB3403 said:
@Jason I would sit down with Management and mention that IT would like to implement a new policy that automatically locks all computer accounts at 5 minutes of inactivity.
We don't have to sit down with management to implement that kind of policy. 5 min is too much of an inconvenience. There has to be a balance between security and work getting done. When you start making things really inconvenient for users is when they find ways to bypass them. Like sitting their mouse on the edge of something so the computer keeps thinking it's moving.
-
5 Minutes is hardly an inconvenience, that's enough time to go to the rest room, and grab a cup of coffee.
And it's more than enough time for someone to jump on the system and do something malicious.
-
@Jason said:
@DustinB3403 said:
@Jason I would sit down with Management and mention that IT would like to implement a new policy that automatically locks all computer accounts at 5 minutes of inactivity.
We don't have to sit down with management to implement that kind of policy. 5 min is too much of an inconvenience. There has to be a balance between security and work getting done. When you start making things really inconvenient for users is when they find ways to bypass them. Like sitting their mouse on the edge of something so the computer keeps thinking it's moving.
I think that would also depend on how sensitive or vulnerable the workstation is. I would implement 5 minutes on any manager or HR/Compliance/Finance workstation. On the other hand, I would leave a kiosk alone for days for all I care.
-
@LAH3385 said:
@Jason said:
@LAH3385 said:
20 minutes is too long. I could walk away, take a dump, play one level of Angry Bird, buy a drink at vending machine, and come back within 20 minutes.
Teach your users Windows Key+L. The screen saver is only supposed to be a backup.
We had it as a Wallpaper to remind users to Lock their Workstation when away. We even taught some users how to flip screen via keyboard then lock the workstation. They would flip any workstation that was left alone without locking.
Crap like this is what made me make sure I set low time out times and in general to just lock when I stand up.
Sadly - it doesn't work well where I am - a place that is arguably needing this more than most.
-
@LAH3385 said:
I think that would also depend on how sensitive or vulnerable the workstation is. I would implement 5 minutes on any manager or HR/Compliance/Finance workstation. On the other hand, I would leave a kiosk alone for days for all I care.
Managers, HR, IT, Security, Finance, Internal Audit etc. are all different. They require two factor authentication and lock pretty much immediately (30 seconds) without use. They also have software on them that prevents non-whitelisted executables, batch files etc. from running.
-
I think this discussion also points out the need to change the way we access some things, again thinking LANless design.
No local files, but no fileshares either.
Though I suppose that won't really matter - people will be logged into their email on a tab, into SharePoint on another.. and these things will just be available to anyone who sits down.
@Jason is right, it's a fine balance between security and productivity and sensitivity of the data in question.
Sadly around here, people just have an extremely bad sense of time. One person swore to me that their computer timed out in 30 seconds. Without a third party utility (or maybe a reg hack) I know of no way to set it to under 1 min, which is where it was set.
So I hung out with the guy for the next 3 hours, I was just in the background watching over his shoulder.. and was timing the amount of time when he stopped using the computer to when the lock kicked in.. and showed him 60 seconds every time.
We again repeated this after moving the time to 5 mins and again at 10. He (and most others) just have no sense of time when not paying specific attention to time.
-
If you don't have a whitelist of files/executables they can always run http://thecramers.us/windows/prevent-windows-screen-timeout-and-sleep-mode-nosleep-exe/
-
@Jason said:
If you don't have a whitelist of files/executables they can always run http://thecramers.us/windows/prevent-windows-screen-timeout-and-sleep-mode-nosleep-exe/
Oh man - damn... I hope someone would get fired for running that. It clearly is defeating a company policy (at least in my case).
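-
Added example, not part of the original thread or written by any of its posters: a PowerShell audit that reads the effective screen saver and machine inactivity lock settings and checks them against the timeouts discussed above (30 seconds, 5 minutes, 20 minutes). The tier names and helper function names are assumptions made for illustration; the sample settings are constructed.

```powershell
# Added example. Tier names are hypothetical; the limits are the figures posters quoted.
$TierLimitSeconds = @{ Sensitive = 30; Standard = 300; Consultant = 1200 }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveLockSettings {
    $policy  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $pref    = 'HKCU:\Control Panel\Desktop'
    $machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $s = @{}
    foreach ($n in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        # A Group Policy value overrides the user's own Control Panel setting.
        $v = Get-RegValue $policy $n
        if ($null -eq $v) { $v = Get-RegValue $pref $n }
        $s[$n] = $v
    }
    # "Interactive logon: Machine inactivity limit"; missing or 0 means not enforced.
    $s['InactivityTimeoutSecs'] = Get-RegValue $machine 'InactivityTimeoutSecs'
    return $s
}

function Test-LockPolicy([hashtable]$Settings, [int]$MaxSeconds) {
    $timers = @()
    # The screen saver only locks if it is active, password protected and has a timeout.
    if ($Settings.ScreenSaveActive -eq '1' -and $Settings.ScreenSaverIsSecure -eq '1' -and
        [int]$Settings.ScreenSaveTimeOut -gt 0) { $timers += [int]$Settings.ScreenSaveTimeOut }
    if ([int]$Settings.InactivityTimeoutSecs -gt 0) { $timers += [int]$Settings.InactivityTimeoutSecs }
    if ($timers.Count -eq 0) {
        return [pscustomobject]@{ Compliant = $false; LockAfterSeconds = $null; Reason = 'no automatic lock' }
    }
    # Whichever timer fires first is the one that actually locks the session.
    $lockAfter = [int]($timers | Measure-Object -Minimum).Minimum
    $ok = $lockAfter -le $MaxSeconds
    $reason = if ($ok) { "locks within $MaxSeconds s" } else { "locks after $lockAfter s, limit is $MaxSeconds s" }
    [pscustomobject]@{ Compliant = $ok; LockAfterSeconds = $lockAfter; Reason = $reason }
}

# Constructed sample: 20-minute screen saver that does not ask for a password.
$sample = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '0'; ScreenSaveTimeOut = '1200' }
Test-LockPolicy $sample $TierLimitSeconds.Consultant
# Constructed sample: 10-minute secure screen saver checked against the 5-minute tier.
$sample = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '600' }
Test-LockPolicy $sample $TierLimitSeconds.Standard
# On a Windows host, check the logged-on user's live settings against a tier.
if ($env:OS -eq 'Windows_NT') { Test-LockPolicy (Get-EffectiveLockSettings) $TierLimitSeconds.Sensitive }
```

The audit reports configuration only; a tool that keeps the session looking active, like the ones mentioned in the thread, leaves these values unchanged, which is why the application whitelisting raised above is a separate control.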