Security Basics mailing list archives

RE: Workstation Locking


From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Mon, 14 May 2007 15:14:36 -0400

Aladdin has a key fob that does just this.  You will have to replace msgina.dll with Aladdin's though.

One of the coolest features of the Aladdin fob is that it will synch password changes with AD on behalf of the user.
This would allow you to set a password policy that included very long complex passwords that expired fairly often.
The user would never know their password was updating.

For remote access, they again simply use the fob.

Alternatively, if you've implemented a PKI, the Aladdin fob will store the certs.

Kind Regards,
 
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of oomplah () oomplah net
Sent: Friday, May 11, 2007 1:09 PM
To: 'Hitesh Patel'; security-basics () securityfocus com
Subject: RE: Workstation Locking

I believe what you're looking for, as mentioned in other replies, is simply
either not cost effective or difficult to use.  The root of the issue really
here is that being found with an unlocked workstation results in no
consequence.  An occasional reminder or e-mail won't do the trick even with
the fear of termination/god/whatever.

A policy that is enforced by the employee's management is probably the most
cost effective option.  In any environment if managers catch the employee
with an unlocked workstation they should be subject to some form of
disciplinary action.  A simple "warning" will only last you a few weeks
perhaps.  An actual ding against their quarterly review/goals and/or threat
of other disciplinary action would be enough to get people locking.  (Might
be enough for that manager to get rid of that low-performing employee)

The key to this too however is to make it "easier" for them to lock/unlock
their workstation.  Insane password policies, placing the printer too far
away from the employee, or constant up and down in their job doesn't lend to
encourage the employee to comply.

Perhaps a smart card/USB Keyfob system where the employee is required to
remove the card to lock, and place it back in to unlock may make it easier.
An 8-10 case-sensitive, alpha-numeric+special character password is difficult
to type even for the experienced typer. A smart-card/USB Keyfob would only
involve placing it in, and entering a PIN (in some cases).  In a "perfect"
world this would make it easier for the employee vs. an insane password.

Another thing I used to do was to embarrass the hell out of the employee and
send stupid and embarrassing e-mail to their manager and co-workers using
their unlocked workstations.  It got their attention.  Sending an admin
assistant out on their floors/buildings and having them e-mail the employee's
managers with a gentle FYI would be a fun event for all!

--Me

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Hitesh Patel
Sent: Wednesday, May 09, 2007 1:34 PM
To: security-basics () securityfocus com
Subject: Workstation Locking

Hello Everyone,
We are currently looking to enforce a password locking policy for certain
users. We do not want to use GPO in a 2k domain. Our management would like to
see something that automatically locks the workstation as soon as users are
out of a certain proximity range, and also automatically unlocks it as
soon as they come back to their desk, without typing a longer password. Does
anyone have any suggestions on a product? I'd like to know what others are using.
I have not found many products out there. I only found the following:
 http://www.ensuretech.com/products/demo/demo.html
Thank you

HP




