The system configuration is not set with a password-protected screen saver.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-1122 | 5.006 | SV-29501r1_rule | Medium |
| Description |
|---|
| The system should be locked when unattended. Unattended systems are susceptible to unauthorized use. The screen saver should be set at a maximum of 15 minutes and password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer. |
| STIG | Date |
|---|---|
| Windows 2008 Member Server Security Technical Implementation Guide | 2019-06-18 |
Details
| Check Text ( C-518r1_chk ) |
|---|
| If the any of the registry values don’t exist or are not configured as follows, then this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ Value Name: ScreenSaveActive Type: REG_SZ Value: 1 Value Name: ScreenSaverIsSecure Type: REG_SZ Value: 1 Value Name: ScreenSaveTimeOut Type: REG_SZ Value: 900 (or less) Documentable Explanation: Terminal servers and applications requiring continuous, real-time screen display (i.e., network management products) require the following and need to be documented with the IAO. -The logon session does not have administrator rights. -The display station (i.e., keyboard, monitor, etc.) is located in a controlled access area. |
| Fix Text (F-5816r1_fix) |
|---|
| Configure The policy values for User Configuration -> Administrative Templates -> Control Panel -> Display as follows: “Screen Saver” will be set to “Enabled” (“Activate screen saver” on Windows 2000) “Password protect the screen saver” will be set to “Enabled” “Screen Saver timeout” will be set to “Enabled: 900 seconds” (or less) |