Educause Security Discussion mailing list archives

Re: passworded screen savers with timeouts, why?


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Fri, 15 Dec 2006 11:42:03 -0700

Most of what has been said covers your answer, but here's one extra
thought.

Adding a screen-blanker policy can add a layer of slightly less
cumbersome yet "passer-by" defending security mechanism.  Locking a
session out after five minutes can be a real pain to the user if a full
login following policy (say 20 character passphrase, or 10 character
hardened gibberish) has to occur every five minutes of inactivity.  I
can easily be caught reading and re-reading a particularly provocative
email for more than five minutes.  The screen blanker can add a
less-than-full policy lock that would allow say a three character text
key preventing casual passer-by attacks, while not being so odious in
work interruption.  Good for high traffic areas where you cannot
physically isolate the machine.

In either case, the locking of a session on inactivity is simply a
backup to employees not following a credential management policy and
logging out themselves. It has to be done since OSs like WinXP suffer
from privilege escalation attacks that take 20 seconds or less at an
open keyboard.  A lot of bad things can be done in less than a minute as
a result.

The phosphor burn and other reasons don't apply much anymore on modern
power managing hardware, and the ability to lock, so needed in Win95, is
intrinsic in the only MS supported systems left. 

Of course this answer might have to be modified to account for the
capabilities of other OSs; I'm mostly talking to a Win-centric crowd.

Finally, and trivially, an open screen blanker policy can provide some
sense of customization and personal expression that is valuable for
employee morale.  A session lock is a lot less glamorous than a 20
minute slide-show of the kids, a gee-whiz geometric sequence, or
favorite philosophical quote of the day.  Anyone who remembers the old
green or orange colored monochrome text-only terminals back in the 80s
knows it is much nicer to have a season-based piece of art on the
desktop and some sort of interesting activity going on the screen than
having a dull blinking cursor or plaintext system property message
staring at you all day.

Best regards,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 
-----Original Message-----
From: Michael Fox [mailto:Mfox () GEORGIASOUTHERN EDU] 
Sent: Thursday, December 14, 2006 2:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] passworded screen savers with timeouts, why?

We are in the implementation stage of password and workstation
policies. My question, which comes from a number of users, is why a
screen saver with a timeout period that requires entering a password
when unlocking the screen saver?

I have my answers (not a lot) for this but I would like to see what
others would have to say about this. It is part of a DID from my
perspective, but not the only piece for the workstation.

Any opinions about this one way or another would be appreciated
(hopefully most would be for locking the workstation). 

Oh, by the way we are doing this with Novell Zenworks.

Thanks in advance,

Mike

Mike Fox
Georgia Southern University
Information Technology Services
Office of Information Security
mfox () georgiasouthern edu
(912)871-1592

Jeremiah 29:11-16
