Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1122 | 5.006 | SV-32294r1_rule | PESL-1 | Medium |
Description |
---|
The system should be locked when unattended. Unattended systems are susceptible to unauthorized use. The screen saver should be set at a maximum of 15 minutes and password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer. |
STIG | Date |
---|---|
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide | 2012-09-05 |
Check Text ( C-32919r1_chk ) |
---|
If any of the registry values don’t exist or are not configured as follows, then this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ Value Name: ScreenSaveActive Type: REG_SZ Value: 1 Value Name: ScreenSaverIsSecure Type: REG_SZ Value: 1 Value Name: ScreenSaveTimeOut Type: REG_SZ Value: 900 (or less) Documentable Explanation: Terminal servers and applications requiring continuous, real-time screen display (i.e., network management products) require the following and need to be documented with the IAO. -The logon session does not have administrator rights. -The display station (i.e., keyboard, monitor, etc.) is located in a controlled access area. |
Fix Text (F-28808r1_fix) |
---|
Configure the policy values for User Configuration -> Administrative Templates -> Control Panel -> Personalization -> as follows: “Enable Screen Saver” will be set to “Enabled”. “Password protect the screen saver” will be set to “Enabled”. “Screen Saver timeout” will be set to “Enabled: 900 seconds” (or less). |