PESL-1

PESL-1 Screen Lock

Overview

Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen. Such a capability is enabled either by explicit user action or a specified period of workstation inactivity (e.g., 15 minutes). Once the workstation screen-lock software is activated, access to the workstation requires knowledge of a unique authenticator. A screen lock function is not considered a substitute for logging out (unless a mechanism actually logs out the user when the user idle time is exceeded).

MAC / CONF	Impact	Subject Area
MACI MACII MACIII	Medium	Physical and Environmental

Details

Threat
Unattended workstations and servers are at risk to unauthorized access to sensitive and classified information if there is not a screen-lock function in place.

Guidance
1. Unless there is an overriding technical or operational problem, workstation screen-lock functionality shall be associated with each workstation. 2. When activated, the screen-lock function shall place an unclassified pattern onto the entire screen of the workstation. This functionality shall totally hide what was previously visible on the screen. 3. Such a capability shall be enabled either by explicit user action or a specified period of workstation inactivity (e.g., 15 minutes) in accordance with agency standard operating procedures. 4. Once the workstation screen-lock software is activated, access to the workstation shall require knowledge of a unique authenticator. 5. A screen lock function shall not be considered a substitute for logging out (unless a mechanism actually logs out the user when the user idle time is exceeded).

Guidance

1. Unless there is an overriding technical or operational problem, workstation screen-lock functionality shall be associated with each workstation.
2. When activated, the screen-lock function shall place an unclassified pattern onto the entire screen of the workstation. This functionality shall totally hide what was previously visible on the screen.
3. Such a capability shall be enabled either by explicit user action or a specified period of workstation inactivity (e.g., 15 minutes) in accordance with agency standard operating procedures.
4. Once the workstation screen-lock software is activated, access to the workstation shall require knowledge of a unique authenticator.
5. A screen lock function shall not be considered a substitute for logging out (unless a mechanism actually logs out the user when the user idle time is exceeded).

References

Database STIG, Version 7, Release 1, 29 October 2004
Secure Remote Computing STIG, Version 1, Release 1, 14 February 2003
Department of Transportation Solaris Secure Baseline Configuration Standards, 20 January 2004)
UNIX STIG, Version 4, Release 4, 15 September 2003
Windows NT STIG, Version 4, Release 2, 18 September 2001
Addendum to Windows NT STIG, Version 3, Release 1, 24 November 2002
Windows XP STIG Version 1, Release 8, 03 December 2002
Windows NT/XP/2000 Addendum Version 4, Release 1 – STIG, 26 February 2004
Department of Transportation Windows 2000 Secure Baseline Configuration Standards, Section 1, 20 January 2004