Discussion on:

Lock your screen while away from the computer

Creating a shortcut on the desktop or Quick Launch toolbar will also lock a Windows machine easily. %windir%\System32\rundll32.exe user32.dll,LockWorkStation

Guess Chad was wrong.

Yes and no.
While that method can be employed from command line, or batch file. It is more a 'calling of dll' than 'command line/ console command'. So Chad was correct, and incorrect at the same time.

When did I say you couldn't lock the screen from the command line?

I use a utility called QStart (from Stardust Software). Just double-click the icon and it starts the screensaver (which, of course, requires a password to shut off). A desktop icon or Quicklaunch shortcut does the trick for me.

Do you know whether crashing the screen saver would grant an unauthorized user access to the system UI?

I also use qstart and love it since it starts my picture slide show and locks the system if the screen saver is set to.

Tell me how to crash a screen saver and I will test it.

maj

I've seen it done once, on XP, about five years ago. I do not know the specifics. I would not be surprised if there was more than one way to do it.

I have also seen screen savers on MS Windows crash on their own, usually when there's some kind of memory leak or processor-intensive application running. It does not happen often, but it does happen, at least with a few MS Windows releases prior to Vista. I have not had nearly as much professional experience with MS Windows from Vista onwards as with earlier releases, however, so I cannot vouch for the presence of absence of this problem since Vista hit the market.

My question was more hypothetical than specific, anyway. I know that sometimes software is vulnerable to a denial of service in some way, and that a screen saver might be software that could be affected by that. If this allows a way to bypass the need for a password, it could be a security risk.

Then it displays the C - A - D prompt (XP) or login GUI (Vista or Win 7).

To test, simply kill the screen saver to simulate a crash. Use a task or remotely kill the task.

In 9x you could bypass a screensaver password by hitting ctrl+alt+del and ending the screensaver task, but 2000+ will display the unlock/ login prompt.

I appreciate the reminder. It has been a long time since I've seen a screen saver crash when it's password protected.

WIN button + L works in XP and Win7

This is the default hot key combo. Can be changed.

A while back, we wanted to force all staff/faculty computers to lock when the screen saver comes up. Apparently we were not allowed to put that policy in place though for some reason. All we can do now is encourage people to lock their computers, and most people don't.

My method of locking my computer? Windows Key+L or when my screen saver kicks in.

Set via a group policy

But they can't. His post said they were 'not allowed' to put the GPO in place.

At most companies, it is irresponsible for IT to allow unlocked PCs and terminals. Most have a security policy in place and many demand that this action take place and be verified. Many security officers roam the halls, confiscating keyboards (after locking the screen) and leave a note for the employee. The note requests that they contact their manager to setup a meeting with security to receive additional coaching about security -- and then they get their keyboard back.

I like that policy. It might backfire slightly, creating a contentious relationship between users and IT/security support, which might in turn lead to a deterioration in trust and so on -- but it might be a win overall. Only implementation of the policy can really prove it one way or another.

Do you have any ideas for how to stave off that potential for negative side effects?

MOST companies? MOST have a security policy in place and MANY demand this action? Security roaming the halls?

Where do you work, Folsom? How much do they pay you to put up with that BS?

I answer questions for hundreds of companies and have worked in the banking industry where this policy is not just an accepted practice (security roaming the halls), it is mandated by auditors and the Feds. Other small companies that provide services for government (state and federal) as well as any company that accepts a credit card payment are also under similar rules. Personally identifiable data (ie, your SSN, driver's license #, credit card numbers, etc) cannot exist in an open environment. See PCI in Wikipedia: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

(Note: this is only for bosses/employees with sense of humor)

Dear Mr. Jones:

It is with great sadness that I submit my resignation. Having saved enough money, I now must go to Sweden to get the operation so I can live my life as a Woman.

P.S. This will teach Tom not to leave his PC unlocked.

It is pretty easy to masquerade an Email as coming from one user by telnet to the mail server. You don't actually need access to the users PC or Email program. I played a prank on a couple of my old coworkers by masquerading an Email sent to a few friends as coming from my manager to the entire company. Their reactions were pretty hilarious and our managers got a kick out of it.

I do it at home!