RE: Workstation Screensaver Lock Timeouts

["JTH" <jth () visi com>]

<snip>
> ...An ongoing problem we 
> have is with users taking advantage of logged in, unlocked 
> computers, to send entertaining email messages to the 
> organization on behalf of the logged on user..  Any further 
> thoughts are appreciated...  Rick

I've seen stories of this, and often this was the most effective way to
get users to manually lock their workstations *whenever* they get up from
their desk. Shortcuts should be provided so a user has only to click one
button, and inform them that in XP you can press the Windows key + L to
lock the desktop, or 2k/XP press ctrl-alt-del and press L or enter to lock
the desktop.

As for timeout, I would set it at 15 minutes and leave it. The users will
get used to it, or as you've seen, grumble about it at all. A good
pen-test can always be a good eye-opener. An external consultant with
payroll or HR files, sending each person their SSN or other private data,
can show the users exactly why they should do this, eliminating the
"there's no critical data here" argument.

That's somewhat harsh and insensitive to the user, but they should be
woken up to the risk somehow.

That, or make those "humorous messages" sent to everyone in the company,
every time. The embarassment might be enough.


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------