Lock your screen while away from the computer

Locking your laptop or workstation while away from it is good security sense. Learn a number of different ways to do so, both on MS Windows and common open source Unix-like operating systems.


A common part of corporate workstation security policy is a requirement for employees to lock their workstations while away from their desks, as suggested in 5 tips to improve physical access security. This is not only good advice for the workplace. In fact, it is even better advice in some other circumstances, such as when using a laptop at a coffee shop.

There are many ways to do so. Each version of MS Windows has its own way to lock the system when the user is away, and open source Unix-like systems offer a number of different ways to do it as well. What follows is a quick survey of some of those methods of locking the system, focusing solely on screen locking rather than password-protected screen savers or logging out.

Unix-like systems:

Open source tools for Unix-like systems are several and varied, offering options that meet the needs of different circumstances and tastes. The most common options are the BSD lock utility and the separate, copyleft licensed vlock utility for virtual console locking, and the slock and xlock tools for X session locking.

lock

The lock command appeared for the first time in 3.0BSD, decades ago, and some version of it has existed in the major BSD Unix systems that have been available ever since. The versions of lock included in the base systems of FreeBSD, NetBSD, and OpenBSD differ slightly in the command line options they provide today.

All three of them lock a standard virtual console. FreeBSD's lock in particular, distributed under copyfree terms (a BSD License), behaves as follows, by default.

  1. It asks for a "key", or password, that can be used to unlock the terminal at any time.
  2. It locks the terminal for fifteen minutes, or until it is unlocked with that key -- whichever comes first.

The -n option can be specified to disable the timeout value, or an alternate value can be specified with the -t option. The -p option specifies that it should use the current user's password as the key, rather than requiring a user-specified key. Finally, -v prevents the user from switching consoles, effectively locking the whole computer against any local access until either the lock expires or the correct key is entered.

slock

The "suckless" project provides "quality software with a focus on simplicity, clarity, and frugality." The slock utility in particular is an X display locker distributed under copyfree terms (MIT/X11 License). In the words of the suckless page for slock:

Simple X display locker. This is the simplest X screen locker we are aware of. It is stable and quite a lot of people in our community are using it every day when they are out with friends or fetching some food from the local pub.

Its only command line option is -v, which prints the software version and copyright to standard output. Any other command line options (such as -h, --help, or --foobar) provide the following usage information.

usage: slock [-v]

If executed without any options, it blanks the screen of your X session unless and until the password for the current user is entered at the keyboard. The common way to use it is to set a keyboard shortcut for it with whatever facility is provided by the window manager or with a third-party keyboard shortcut tool.

vlock

For those who are not lucky enough to have the lock utility available as part of their favorite Unix-like system, or even for those who do but prefer to use something else to lock virtual consoles, there is a utility called vlock that provides similar functionality and is distributed under copyleft terms (GPLv2). Similarly to the lock command, it simply locks the current virtual console.

It does not support specifying a key, but only defaults to requiring the password of the current user. It also does not support a time limit on the lock the way the BSD Unix lock utility does. Its command line option to alter default behavior is the -a or --all option, which will "Lock all console sessions and disable VC switching." The -c or --current option causes it to only lock the current session, which is default behavior. The -h or --help option provides a brief help message, while -v or --version prints the version number to standard output.

xlock

Another way to lock an X Window System session, besides the suckless project's slock utility, is xlock. It is a much more complex tool than slock, with dozens of non-default behaviors that can be specified with command line options, including some fairly fine-grained control over screen saver behavior.

The full set of options can be found in the xlock manpage. It is distributed under a simple, copyfree-style custom license:

Copyright (c) 1988-1991 by Patrick J. Naughton

Copyright (c) 1993-2005 by David A. Bagley

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.

The original BSD daemon is Copyright (c) 1988 Marshall Kirk McKusick. All Rights Reserved.

DEC, HP, IBM, Linux, SCO, SGI, and Sun icons have their respective copyrights.

MS Windows systems:

MS Windows, being a GUI-centric OS, offers no virtual consoles -- and thus, no virtual console locking tools. Each release version of MS Windows has its own, relatively simple screen locking mechanism built in.

Windows 2000 and XP

  1. Give the three-finger salute: <Ctrl> + <Alt> + <Delete>
  2. Select the "Lock Workstation" option.

In WinXP, the user can also hold down the Windows key on the keyboard (if the keyboard has one) and press the <L> key. This keyboard shortcut will save a little bit of mousing around.

Windows Vista and 7

  1. Open the Start menu.
  2. Click the padlock icon.

Limitations

Each of these approaches to locking the system has its limitations. For instance, locking the screen within the X Window System using slock or xlock does not prevent the user from switching to a virtual console and logging in there (though a valid user account is still needed to do anything in a virtual console that is not logged in), and neither vlock nor lock is well suited to use within an X session, except in the rare case of only wanting to lock a single terminal emulator's shell session.

Crashing or killing the GUI can have interesting effects, which differ depending on the specific OS version being used, for any GUI-specific screen locking tool.

Of all the mentioned options, lock -nv (at least on FreeBSD) is probably the safest and most fully secured way to lock a system while away, with vlock offering a suitable replacement where lock is not available. Ultimately, the means of locking the screen of a computer while away from it is the user's responsibility, or the responsibility of policy makers in a corporate environment.

Of course, the safest option of all, as long as your system is set up properly, is to simply log out and turn off the computer.
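
The selection logic from the Limitations section, written as a script (an added example, not part of the original article): it prefers lock -nv on a FreeBSD console, falls back to vlock -a, and uses slock or xlock only inside X while warning about the virtual-console gap. The function names and the DISPLAY-based session check are assumptions of this example.

```shell
#!/bin/sh
# Added example: pick a screen locker following the article's guidance.
# Function names and the DISPLAY check are assumptions of this example.

# has LIST WORD: true if WORD is one of the space-separated items in LIST.
has() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# Print which of the four tools from the article are installed.
available_tools() {
    for at_tool in lock vlock slock xlock; do
        command -v "$at_tool" >/dev/null 2>&1 && printf '%s ' "$at_tool"
    done
    return 0
}

# "x11" when run inside an X session, otherwise "console".
detect_session() {
    if [ -n "${DISPLAY:-}" ]; then echo x11; else echo console; fi
}

# pick_locker SESSION [OS] [TOOLS]: print the command line to run.
# OS and TOOLS default to what is found on this machine.
pick_locker() {
    pl_session=$1
    pl_os=${2-$(uname -s)}
    pl_tools=${3-$(available_tools)}
    case "$pl_session" in
    console)
        # -n: no timeout, -v: no console switching. The article vouches
        # for these flags on FreeBSD only, so other systems skip lock.
        if [ "$pl_os" = FreeBSD ] && has "$pl_tools" lock; then
            echo "lock -nv"; return 0
        fi
        # -a: lock all console sessions and disable VC switching.
        if has "$pl_tools" vlock; then echo "vlock -a"; return 0; fi
        ;;
    x11)
        for pl_tool in slock xlock; do
            if has "$pl_tools" "$pl_tool"; then
                echo "note: $pl_tool locks X only; virtual consoles stay reachable" >&2
                echo "$pl_tool"; return 0
            fi
        done
        ;;
    esac
    return 1
}

# Run the chosen locker; bind this to a key or call it from a shell alias.
lock_now() {
    ln_cmd=$(pick_locker "$(detect_session)") || {
        echo "no suitable screen locker installed" >&2; return 1; }
    $ln_cmd    # unquoted on purpose so "lock -nv" splits into command + flags
}

# Dry run: show the choice for this machine without locking anything.
pick_locker "$(detect_session)" || echo "no suitable screen locker installed" >&2
```

Sourcing the file and calling lock_now performs the actual lock; running the file as-is only prints the command it would choose.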

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

49 comments
TobiF

A friend of mine had a little piece of plastic in his pocket and a corresponding USB stick in the computer (and some software, of course). It used some very low power radio. As soon as he walked away more than 7-8 meters from the computer, it would lock automagically. And when he got back to his chair, the computer opened up again, all by itself. Just in case, he could also use a password to unlock the computer. It should be possible to do the same with the built-in Bluetooth radio and my phone with Bluetooth, don't you think? That would be very neat.

roysky

I think it's very useful especially to those who have a very important file or something that is private....

omyda

how to lock the iMac?

TobiF

No need to search for the mouse if you just want to lock your workstation.

Mabrick

"In WinXP, the user can also hold down the Windows key on the keyboard (if the keyboard has one) and press the key" You forgot to mention this also works in Windows 7 and Vista.

maecuff

If anyone in IT walks away and leaves their station open, someone will step in and send an email to the entire department, usually having to do with sexual orientation. A couple of times, I have walked away and when I got back, I found out that I was gay. And announced it to everyone.

Oz_Media

Where are those stats from, the USA? I've worked at some of the largest multinational corps. in North America, with no real policies beyond a mention of 'don't get caught surfing porn at work'. That and the normal, don't steal our database, don't use the email to send out spam, etc. I've only seen two WRITTEN policies in my life, and they were pretty basic too. I know that a lot of companies, even TINY ones have some insanely restrictive computer policies though, usually because the IT manager or owner reads horror stories from blogs etc. and decides he'll be 'the protector'. I just didn't realise it was a 'common part' of corporate security, well I haven't heard of it or run into it anywhere yet, but then again, maybe I don't get out enough. Damn, I'd hate to work down there these days, talk about micro management and overly paranoid IT departments! Is it perhaps just overly zealous IT department managers trying to make it seem like they are really important or have a unique insider's knowledge to make their roles seem even more necessary?

Sterling chip Camden

I've been using a shortcut to xscreensaver-command -lock, but I hadn't thought of the fact that someone could simply Ctrl+Alt+F1 to get back to my main console. I just tried out lock -nv, which works great. Even with X going, as long as you do it from a console instead of an xterm, it seems to be bulletproof. This is a timely post for me, because I'm just getting ready to head out the door to the Synergex SPC in Sacramento -- not that I intend to leave my laptop lying around.

Rustys

We used to open multiple windows on unlocked systems. Where all they see is little boxes in the task bar.

Jaytmoon

Windows 7: lock = Windows button+L. Sorry if I repeated post!

elangomatt

A while back, we wanted to force all staff/faculty computers to lock when the screen saver comes up. Apparently we were not allowed to put that policy in place though for some reason. All we can do now is encourage people to lock their computers, and most people don't. My method of locking my computer? Windows Key+L or when my screen saver kicks in.

scav8tor

Creating a shortcut on the desktop or Quick Launch toolbar will also lock a Windows machine easily. %windir%\System32\rundll32.exe user32.dll,LockWorkStation

Neon Samurai

I remember an app for PalmOS that did PAN authentication. It watched for a specific combination of Bluetooth devices. If they were all present then you were also. The weakness is simple spoofing. Since the devices identify the person and are always on; you just take a scan of devices when they pass by. Set your spoofing devices based on the scan and you're in.

apotheon

You're right, I did. Thanks for pointing it out.

surenraju

I use VISTA Ultimate. Even in VISTA (and probably Windows 7), you can still use to get to the option-screen allowing you to Lock the workstation.

pooderbill

I have answered questions for hundreds of companies and done security consulting for SMBs to big corporations. The requirements for a written and enforced security policy usually come from the lawyers and the auditors, not the IT manager. It is a pain to enforce but without such a policy, the company (and the officers) can be held liable for lack of due diligence should information be lost or stolen. Those that don't implement meaningful policies will eventually have to do so, usually after a lawsuit. If a company handles credit card information, they are obligated to follow PCI regulations. Then there are the Sarbanes-Oxley and HIPAA federal regulations for data security. External auditors are usually the first to find any violations.

Old Guy

to your last question is, Yes.

robo_dev

and, sorry OZ, you may need to get out more. It's more common that there is an awareness program with a sign-off process so nobody can say they did not get the memo.

apotheon

I'm happy to help -- especially to help a fellow FreeBSD user.

robo_dev

It's printed on the mousepad here

pooderbill

At most companies, it is irresponsible for IT to allow unlocked PCs and terminals. Most have a security policy in place and many demand that this action take place and be verified. Many security officers roam the halls, confiscating keyboards (after locking the screen) and leave a note for the employee. The note requests that they contact their manager to set up a meeting with security to receive additional coaching about security -- and then they get their keyboard back.

techrepublic@

This is the default hot key combo. Can be changed.

joshuamy

WIN button + L works in XP and Win7

Firedrake

I use a utility called QStart (from Stardust Software). Just double-click the icon and it starts the screensaver (which, of course, requires a password to shut off). A desktop icon or Quicklaunch shortcut does the trick for me.

Slayer_

Guess Chad was wrong.

apotheon

Configure it to lock when you walk away, and to require the password to unlock.

TobiF

Meaning you'd need an application running on your phone, and then it's suddenly soo much more tricky.

surenraju

I use VISTA Ultimate. Even here, you can still use CTRL ALT DEL to get to the option-screen which allows you to lock the workstation.

fatman65535

I remember some older systems that had a 'key lock' on the front, which if turned off, locked out the keyboard. Since most of the machines at that time used the same key, it was just a case of `flipping the switch` - voila keyboard locked.

robo_dev

(Note: this is only for bosses/employees with sense of humor) Dear Mr. Jones: It is with great sadness that I submit my resignation. Having saved enough money, I now must go to Sweden to get the operation so I can live my life as a Woman. P.S. This will teach Tom not to leave his PC unlocked. :)

Oz_Media

MOST companies? MOST have a security policy in place and MANY demand this action? Security roaming the halls? Where do you work, Folsom? How much do they pay you to put up with that BS?

apotheon

I like that policy. It might backfire slightly, creating a contentious relationship between users and IT/security support, which might in turn lead to a deterioration in trust and so on -- but it might be a win overall. Only implementation of the policy can really prove it one way or another. Do you have any ideas for how to stave off that potential for negative side effects?

Jellimonsta

But they can't. His post said they were 'not allowed' to put the GPO in place.

apotheon

Do you know whether crashing the screen saver would grant an unauthorized user access to the system UI?

apotheon

When did I say you couldn't lock the screen from the command line?

Jellimonsta

Yes and no. While that method can be employed from command line, or batch file. It is more a 'calling of dll' than 'command line/ console command'. So Chad was correct, and incorrect at the same time. :p

Neon Samurai

I think the app I looked at locked the Palm device specifically so if you put it down and walked away, it would lock based on the absence of the other BT devices (so, alias and MAC address pairing). Maybe it could be done with a client app on each device and certificate authentication. Then you have to protect the certificates during transfer and in device storage. With a different cert for each device, you'd need to get them all before spoofing your identity to the core device; makes it harder than a shared cert/password or simple alias/mac pair sniffing. Today, one would probably stick with your friend's method; RFID (pref encrypted) and sensors. You can buy a starter kit from Thinkgeek.

Jellimonsta

It is pretty easy to masquerade an Email as coming from one user by telnet to the mail server. You don't actually need access to the user's PC or Email program. I played a prank on a couple of my old coworkers by masquerading an Email sent to a few friends as coming from my manager to the entire company. Their reactions were pretty hilarious and our managers got a kick out of it. :D :p

pooderbill

I answer questions for hundreds of companies and have worked in the banking industry where this policy is not just an accepted practice (security roaming the halls), it is mandated by auditors and the Feds. Other small companies that provide services for government (state and federal) as well as any company that accepts a credit card payment are also under similar rules. Personally identifiable data (i.e., your SSN, driver's license #, credit card numbers, etc.) cannot exist in an open environment. See PCI in Wikipedia: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

apotheon

I appreciate the reminder. It has been a long time since I've seen a screen saver crash when it's password protected.

Jellimonsta

In 9x you could bypass a screensaver password by hitting ctrl+alt+del and ending the screensaver task, but 2000+ will display the unlock/ login prompt.

pjboyles

Then it displays the C - A - D prompt (XP) or login GUI (Vista or Win 7). To test, simply kill the screen saver to simulate a crash. Use a task or remotely kill the task.

apotheon

I've seen it done once, on XP, about five years ago. I do not know the specifics. I would not be surprised if there was more than one way to do it. I have also seen screen savers on MS Windows crash on their own, usually when there's some kind of memory leak or processor-intensive application running. It does not happen often, but it does happen, at least with a few MS Windows releases prior to Vista. I have not had nearly as much professional experience with MS Windows from Vista onwards as with earlier releases, however, so I cannot vouch for the presence or absence of this problem since Vista hit the market. My question was more hypothetical than specific, anyway. I know that sometimes software is vulnerable to a denial of service in some way, and that a screen saver might be software that could be affected by that. If this allows a way to bypass the need for a password, it could be a security risk.

maj37

I also use qstart and love it since it starts my picture slide show and locks the system if the screen saver is set to. Tell me how to crash a screen saver and I will test it. maj