Check: WN12-UC-000001
Microsoft Windows Server 2012/2012 R2 Domain Controller STIG: WN12-UC-000001 (in versions v3 r7 through v2 r7)
Title
A screen saver must be enabled on the system. (Cat II impact)
Discussion
Unattended systems are susceptible to unauthorized use and must be locked when unattended. Enabling a password-protected screen saver to engage after a specified period of time helps protect critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.
Check Content
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_CURRENT_USER
Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\
Value Name: ScreenSaveActive
Type: REG_SZ
Value: 1

Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO:

- The logon session does not have administrator rights.
- The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area.
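One way to script this check in PowerShell, as an added example that is not part of the STIG: it evaluates the value for the current user and, going beyond the single-hive check text, for every user hive currently loaded under HKEY_USERS. The function name Test-ScreenSaveActive is hypothetical; the registry path, value name, type and expected data are the ones given above.

```powershell
# Added example, not STIG content. Reports a finding when ScreenSaveActive is
# missing, is not REG_SZ, or is not "1", as the check text requires.
$SubPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Name    = 'ScreenSaveActive'

function Test-ScreenSaveActive {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Hive,
        [Parameter(Mandatory)][string]$Label
    )
    $result = [ordered]@{ Hive = $Label; Type = $null; Value = $null
                          Status = 'Finding'; Reason = 'policy key does not exist' }
    $key = $Hive.OpenSubKey($SubPath)          # read-only; $null if the key is absent
    if ($null -ne $key) {
        try {
            if ($key.GetValueNames() -notcontains $Name) {
                $result.Reason = 'value does not exist'
            } else {
                $result.Type  = $key.GetValueKind($Name)
                $result.Value = $key.GetValue($Name)
                if ($result.Type -ne [Microsoft.Win32.RegistryValueKind]::String) {
                    $result.Reason = 'type is not REG_SZ'   # e.g. a DWORD 1 still fails
                } elseif ($result.Value -ne '1') {
                    $result.Reason = 'value is not 1'
                } else {
                    $result.Status = 'Not a finding'; $result.Reason = ''
                }
            }
        } finally { $key.Close() }
    }
    [pscustomobject]$result
}

# The hive the check names: the user running this session.
Test-ScreenSaveActive -Hive ([Microsoft.Win32.Registry]::CurrentUser) -Label 'HKCU'

# Other user hives that are currently loaded (logged-on accounts only).
# Reading them requires an elevated session.
$users = [Microsoft.Win32.Registry]::Users
foreach ($sid in ($users.GetSubKeyNames() | Where-Object { $_ -match '^S-1-5-21-[\d-]+$' })) {
    $hive = $users.OpenSubKey($sid)
    if ($null -ne $hive) {
        try     { Test-ScreenSaveActive -Hive $hive -Label "HKU\$sid" }
        finally { $hive.Close() }
    }
}
```

Accounts that are not logged on have no hive loaded under HKEY_USERS and do not appear in the output.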
Fix Text
Configure the policy value for User Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Enable screen saver" to "Enabled".
Additional Identifiers
Rule ID: SV-226359r794620_rule
Vulnerability ID: V-226359
Group Title: SRG-OS-000031-GPOS-00012
CCIs
Number | Definition |
---|---|
CCI-000060 | Conceal, via the device lock, information previously visible on the display with a publicly viewable image. |
Controls
Number | Title |
---|---|
AC-11(1) | Pattern-hiding Displays |