Educause Security Discussion mailing list archives

Re: passworded screen savers with timeouts, do you enforce?


From: John Piercy <jpiercy () RMWC EDU>
Date: Tue, 9 Jan 2007 09:31:23 -0500

We somehow need to educate the masses that this is a new day and age
that requires due diligence in all matters regarding data security and
not just from the security professionals. You can set up hundreds of
IDS/IPS sensors, install host-based security agents on every machine you
have, and implement a rigid network access control system totaling
hundreds of thousands of dollars and have your users inadvertently
defeat all of it because they were allowed to argue that re-typing a
pass phrase was too much to handle. Guess who takes the heat when
there's a breach and subsequent data theft as a result of the user who
got up to go get a cup of coffee and go to the restroom... the security
folks who weren't able to get the message across that you are only as
secure as the weakest link in your security chain. We implemented screen
saver passwords and a timeout of 20 minutes (too high in my opinion but
MUCH better than nothing) via AD Group Policy at the domain level. We
can change it in times of crisis if need be and have done so once
already. There has been some grumbling but most people here took the
time to read our explanations as to why it is so important. It seems to
make the argument more concrete when referencing highly reputable
schools that have been slapped with $1,000,000 lawsuits/fines and
expenses incurred for security changes not to mention the press that
goes along with it. It is unfortunate and worth mentioning that many of
these "insecure" institutions have been at the forefront of securing
data and the only reason they ever knew they'd been compromised (and
subsequently reported it - the absolute right thing to do) was because
of good security practices. Consider two neighboring houses: one has
high tech surveillance equipment throughout the house and the other has
only faith that it won't happen to his/her house. They BOTH have a front
door that won't lock properly so - until they have time to fix it - they
leave these doors unlocked. The high-tech surveillance house records an
intruder taking pictures of documents and credit cards and putting them
back exactly where they were found. The break-in is reported to the
police and the police advise the homeowner to cancel all credit cards
and accounts that could have been compromised in any way. The house with
no surveillance sees nothing and assumes nothing has happened. 

Sorry for the long response. Just trying to give you some
arguments/analogies that could help you back this policy.

Good luck and Happy New Year to all! 

John Piercy
Network Manager
Randolph-Macon Woman's College
2500 Rivermont Avenue
Lynchburg, VA 24503
jpiercy () rmwc edu
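The post above describes enforcing a password-protected screen saver and a 20-minute timeout through AD Group Policy at the domain level. The following PowerShell script is an added example, not part of John's message or of any product mentioned in the thread: it audits a single workstation for the settings that the "Enable screen saver", "Password protect the screen saver" and "Screen saver timeout" policies write, and distinguishes values pushed by policy (HKCU\Software\Policies\...) from user-editable preferences (HKCU\Control Panel\Desktop), which a user could simply turn off. The 20-minute limit, the parameter name and the function names are this example's own choices.

```powershell
# Added example: audit the local screen saver lockout against a maximum timeout.
# Assumes the standard Group Policy registry locations; the 1200-second default
# mirrors the 20-minute timeout discussed in the thread.
param(
    [int]$MaxTimeoutSeconds = 1200
)

# Policy-backed location (written by GPO; the user cannot change these values).
$policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# User-preference location (what applies when no policy is in force).
$userPath   = 'HKCU:\Control Panel\Desktop'

function Get-ScreenSaverSetting {
    param([string]$Name)
    # Policy wins over preference, so look there first. Values are REG_SZ strings.
    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = [string]$item.$Name; Source = $path }
        }
    }
    return $null
}

function Test-ScreenSaverLockout {
    param([int]$MaxTimeoutSeconds)
    $active  = Get-ScreenSaverSetting -Name 'ScreenSaveActive'
    $secure  = Get-ScreenSaverSetting -Name 'ScreenSaverIsSecure'
    $timeout = Get-ScreenSaverSetting -Name 'ScreenSaveTimeOut'

    $findings = @()
    if (-not $active -or $active.Value -ne '1') { $findings += 'screen saver is not enabled' }
    if (-not $secure -or $secure.Value -ne '1') { $findings += 'screen saver does not require a password' }

    $seconds = 0
    if (-not $timeout -or -not [int]::TryParse($timeout.Value, [ref]$seconds)) {
        $findings += 'no screen saver timeout is set'
    } elseif ($seconds -gt $MaxTimeoutSeconds) {
        $findings += "timeout of $seconds s exceeds the maximum of $MaxTimeoutSeconds s"
    }

    # A setting that exists only as a user preference is not enforced: the user can undo it.
    foreach ($s in @($active, $secure, $timeout)) {
        if ($s -and $s.Source -eq $userPath) {
            $findings += "$($s.Name) comes from user preferences, not from policy"
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-ScreenSaverLockout -MaxTimeoutSeconds $MaxTimeoutSeconds
if ($result.Compliant) {
    Write-Output "Screen saver lockout is enforced by policy within $MaxTimeoutSeconds seconds."
} else {
    $result.Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it in the context of the user whose policy you want to check (the values live under HKCU, so an elevated session for a different account will read that account's hive instead). A non-compliant result on a domain-joined machine usually means the GPO has not applied yet or the machine sits outside the OU the policy is linked to; gpresult on the same machine confirms which.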



-----Original Message-----
From: Michael Fox [mailto:Mfox () GEORGIASOUTHERN EDU] 
Sent: Monday, January 08, 2007 5:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] passworded screen savers with timeouts, do you
enforce?

Last month I asked for reasons why we should utilize passworded screen
savers and I want to say thanks to everyone that responded. 

Now I need to ask if you enforce the screen saver password lockout and,
if you do, how do you do it? Also, how did you go about getting it past
the naysayers that don't want to have anything make them type their
password in more than once a day.

Any help would be appreciated.

Thanks for the help.

Mike
