Task 2.8: Locking the Computer Using an Idle Time-out
One of the most common insider attacks on systems occurs when users walk away from their computers and fail to lock the desktop. Locking the system should be a heavily stressed part of security-awareness training for all users, but users often forget.
Scenario
You are an administrator responsible for the maintenance and security of the workstations in the organization. You want to maximize security even when the supposedly well-trained users forget to lock their systems when stepping away from them.
Scope of Task
Duration
This task should take 20 minutes.
Setup
You will demonstrate the ways to manually lock a computer in a way that users should accomplish prior to stepping away from the systems. You will then configure a system with a password-protected screen saver specifying a wait period (idle time-out). This “locked” mode keeps the system running.
Caveat
It is common that workers will not need the use of a computer to perform every task required of them, so they will often spend several minutes working on other items. If the user does not type or move the mouse for the wait period specified on the password-protected screen saver, the screen saver kicks in and locks the computer, requiring the user to reenter their username and password to access the system again. Users are often frustrated with the frequency they are required to reenter this information and see it as a detriment to their performance.
Also, if the user doesn’t know or forgets the password, the user must contact the administrator or the help desk to either reset or provide the password, or to unlock the system. Again, this could negatively impact the overall performance of the worker(s).
Procedure
After logging onto the computer, you will perform three different methods for manually locking a workstation that will require the user to log on to access the desktop again. Then you will navigate to the screen saver dialog box, where you will enable a password-protected screen saver with a wait period that will require the user to log on to access the desktop after the screen saver is triggered.
Equipment Used
For this task, you must have:
- Any Windows XP, Windows Vista, or Windows 7 workstation or Server 2003, 2008, or 2008 R2 system. This exercise will present the views of a Windows Server 2008 R2 server.
- For one of the manual locking methods, a Windows-logo keyboard.
- Local or Domain Administrator access.
The different operating systems will vary slightly on specifics, but the locking concepts remain largely the same. Windows XP provides a Standby mode, which resembles hibernation; the system shuts down, but resumes quickly and to the same user session and session state, with the same applications and data placed back into memory. Windows XP also provides the standard Log off User option, but this option does not retain session properties.
Details
Manually Locking the Computer System: Method 1
1. Log on to a system as a Local or Domain Administrator.
2. Allow the desktop to stabilize.
3. On the keyboard, press and hold the Windows-logo key and press the L key (for locking).
4. Observe that the desktop is now locked and will require either the user or an administrator to unlock the system by providing a username and password.
Manually Locking the Computer System: Method 2
1. On the keyboard, press Ctrl+Alt+Delete. Note the Locked indication on the login screen.
2. Log on to a system as the Local or Domain Administrator.
3. Allow the desktop to stabilize.
4. On the keyboard, press Ctrl+Alt+Delete.
5. Select the Lock This Computer option.
6. Observe that the desktop is now locked and will require either the user or an administrator to unlock the system by providing a username and password.
Manually Locking the Computer System: Method 3
1. Log on to a system as the Local or Domain Administrator.
2. Allow the desktop to stabilize.
3. Click the Start menu, click the arrow beside the Log Off button, and select Lock from the pop-up menu.
The Start menu combination varies slightly from one Microsoft operating system to another. On Windows 7, the arrow is next to the Shut Down button. On Windows XP and Vista, you click Shut Down from the Start menu, and then, from a drop-down menu in the resulting dialog box, you select Log Off (to stop the user’s session) or Standby (to retain the user’s session), and click OK.
4. Observe once again that the desktop is now locked and will require either the user or an administrator to unlock the system by providing a username and password.
Configuring a Password-Protected Idle Time-out (Screen Saver)
1. Log on to a system as the Local or Domain Administrator.
2. Allow the desktop to stabilize.
3. Click the Start menu and select Control Panel.
4. In the upper-right corner of the Control Panel window, in the search field type screen saver.
5. Select the Turn Screen Saver On Or Off option.
6. When the Screen Saver Settings dialog box opens, select a screen saver of your choice from the Screen Saver drop-down box.
7. Configure a wait time of 1 minute.
8. Click the On Resume, Display Logon Screen check box.
Typically, you would set the wait time (idle time-out) value to 5 minutes for very strict (and annoying) security, 15 minutes for strong security, and 30 minutes for the standard user. In this exercise, you are setting this idle time-out value to 1 minute to quickly verify its functionality.
9. Click OK to apply the new configuration and close the dialog box.
10. Close Control Panel.
11. Do not touch the mouse or keyboard for at least one minute. The screen saver should launch.
12. Once the screen saver launches, move the mouse to deactivate it. Note that the system is locked.
13. On the keyboard, press Ctrl+Alt+Delete.
14. Log on to a system as the Local or Domain Administrator.
15. Allow the desktop to stabilize.
16. Click the Start menu and select Control Panel.
17. In the upper-right corner of the Control Panel window, in the search field, type screen saver.
18. Select the Turn Screen Saver On Or Off option.
19. Configure a wait time of 30 minutes.
20. Click OK to apply the new configuration and close the dialog box.
21. Close Control Panel.
Criteria for Completion
You have completed this task when you have demonstrated three ways to manually lock a computer and have configured and tested a password-protected idle time-out to automatically lock a computer when it may have been left unattended.