Educause Security Discussion mailing list archives
Re: passworded screen savers with timeouts, why?
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Fri, 15 Dec 2006 11:42:03 -0700
Most of what has been said covers your answer, but here's one extra thought. Adding a screen-blanker policy can add a layer of slightly less cumbersome yet "passer-by" defending security mechanism. Locking a session out after five minutes can be a real pain to the user if a full login following policy (say 20 character passphrase, or 10 character hardened gibberish) has to occur every five minutes of inactivity. I can easily be caught reading and re-reading a particularly provocative email for more than five minutes. The screen blanker can add a less-than-full policy lock that would allow say a three character text key preventing casual passer-by attacks, while not being so odious in work interruption. Good for high traffic areas where you cannot physically isolate the machine.

In either case, the locking of a session on inactivity is simply a backup to employees not following a credential management policy and logging out themselves. It has to be done since OSs like WinXP suffer from privilege escalation attacks that take 20 seconds or less at an open keyboard. A lot of bad things can be done in less than a minute as a result.

The phosphor burn and other reasons don't apply much anymore on modern power managing hardware, and the ability to lock, so needed in Win95, is intrinsic in the only MS supported systems left. Of course this answer might have to be modified to account for the capabilities of other OSs, I'm mostly talking to a Wincentric crowd.

Finally, and trivially, an open screen blanker policy can provide some sense of customization and personal expression that is valuable for employee morale. A session lock is a lot less glamorous than a 20 minute slide-show of the kids, a gee-whiz geometric sequence, or favorite philosophical quote of the day. Anyone who remembers the old green or orange colored monochrome text only terminals back in the 80's knows it is much nicer to have a season based piece of art on the desktop and some sort of interesting activity going on the screen than having a dull blinking cursor or plaintext system property message staring at you all day.

Best regards,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

-----Original Message-----
From: Michael Fox [mailto:Mfox () GEORGIASOUTHERN EDU]
Sent: Thursday, December 14, 2006 2:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] passworded screen savers with timeouts, why?

We are in the implementation stage of password and workstation policies. My question, which comes from a number of users, is why a screen saver with a timeout period that requires entering a password when unlocking the screen saver? I have my answers (not a lot) for this but I would like to see what others would have to say about this. It is part of a DID from my perspective, but not the only piece for the workstation. Any opinions about this one way or another would be appreciated (hopefully most would be for locking the workstation). Oh, by the way we are doing this with Novell Zenworks.

Thanks in advance,

Mike

Mike Fox
Georgia Southern University
Information Technology Services
Office of Information Security
mfox () georgiasouthern edu
(912)871-1592
Jeremiah 29:11-16