Check: 5.006
Windows 7 STIG: 5.006 (in versions v1 r32 through v1 r25)
Title
The system must be configured with a password-protected screen saver. (Cat II impact)
Discussion
Unattended systems are susceptible to unauthorized use and must be locked when unattended. Configuring a password-protected screen saver to engage after a specified period of inactivity helps protect critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.
Check Content
If any of the registry values do not exist or are not configured as follows, this is a finding:

Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\

Value Name: ScreenSaveActive
Value Type: REG_SZ
Value: 1

Value Name: ScreenSaverIsSecure
Value Type: REG_SZ
Value: 1

Value Name: ScreenSaveTimeout
Value Type: REG_SZ
Value: 900 (or less)

Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO:
- The logon session does not have administrator rights.
- The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area.
Fix Text
Configure the policy values for User Configuration >> Administrative Templates >> Control Panel >> Personalization as follows:
- "Enable Screen Saver" to "Enabled".
- "Password protect the screen saver" to "Enabled".
- "Screen Saver timeout" to "Enabled: 900 seconds" (or less).
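The following PowerShell is an added example written for this page; it is not part of the DISA STIG or any DISA tooling. It audits the three HKCU values from the Check Content exactly as the check states them (each must exist, be REG_SZ, and hold the required data) and can write the same values the Fix Text GPO would write. The function names, the `-DocumentedException` switch and the decision to treat a `ScreenSaveTimeout` of 0 as a finding (a zero wait time means the screen saver never engages) are the editor's own assumptions, not text from the STIG.

```powershell
# Added example, not part of the STIG text: audit (and optionally set) the three
# HKCU policy values behind V-1122. Function names are the editor's own.
# Run it in the session of the user being assessed; the values live under HKCU.

$RelativeKey = 'SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'
$KeyPath     = "HKCU:\$RelativeKey"

# Required values, taken from the Check Content. Every one must be REG_SZ.
$Required = @(
    @{ Name = 'ScreenSaveActive';    Fix = '1';   Ok = { param($v) $v -eq '1' } },
    @{ Name = 'ScreenSaverIsSecure'; Fix = '1';   Ok = { param($v) $v -eq '1' } },
    # 900 seconds or less. A timeout of 0 is treated as a finding here (editor's
    # assumption): with a zero wait time the screen saver never engages.
    @{ Name = 'ScreenSaveTimeout';   Fix = '900';
       Ok = { param($v) ($null -ne ($v -as [int])) -and [int]$v -ge 1 -and [int]$v -le 900 } }
)

function Test-ScreenSaverPolicy {
    <# Returns an array of finding strings; an empty array means the check passes.
       -DocumentedException: the ISSO-documented real-time display case. Deviations
       are then reported as a warning for verification rather than as findings. #>
    [CmdletBinding()]
    param([switch]$DocumentedException)

    $findings = New-Object System.Collections.Generic.List[string]
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($RelativeKey)

    if ($null -eq $key) {
        $findings.Add("policy key missing: $KeyPath")
    }
    else {
        foreach ($r in $Required) {
            $data = $key.GetValue($r.Name)
            if ($null -eq $data) {
                $findings.Add("$($r.Name): value does not exist")
                continue
            }
            # The check requires REG_SZ; a REG_DWORD 1 is still a finding by its letter.
            $kind = $key.GetValueKind($r.Name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
                $findings.Add("$($r.Name): type is $kind, expected REG_SZ")
                continue
            }
            if (-not (& $r.Ok ([string]$data))) {
                $findings.Add("$($r.Name): data '$data' does not meet the requirement")
            }
        }
        $key.Close()
    }

    if ($DocumentedException -and $findings.Count -gt 0) {
        Write-Warning ("Documented exception in effect; verify the logon session is non-admin " +
                       "and the display is in a controlled access area. Deviations: " +
                       ($findings -join '; '))
        return @()
    }
    return $findings.ToArray()
}

function Set-ScreenSaverPolicy {
    <# Writes the values a GPO under User Configuration > Administrative Templates >
       Control Panel > Personalization would write. Editing the Policies key directly
       is a lab shortcut; in production apply the GPO from the Fix Text, which also
       re-applies the values on every policy refresh. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($r in $Required) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$($r.Name)", "set REG_SZ '$($r.Fix)'")) {
            Set-ItemProperty -Path $KeyPath -Name $r.Name -Value $r.Fix -Type String
        }
    }
}

# Usage
$result = Test-ScreenSaverPolicy
if ($result.Count -eq 0) { 'V-1122: not a finding' } else { 'V-1122: FINDING'; $result }
# Set-ScreenSaverPolicy -WhatIf   # preview the remediation; drop -WhatIf to apply
```

Two points a practitioner should keep in mind: the check reads HKEY_CURRENT_USER, so a scanner running as SYSTEM or as a separate administrative account audits its own hive, not the end user's; run the test in the target user's session (or against that user's loaded hive). And because the values sit under the Policies key, a GPO that is linked and applied later will overwrite whatever `Set-ScreenSaverPolicy` wrote, which is the desired outcome once the Fix Text GPO is in place.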
Additional Identifiers
Rule ID: SV-25201r2_rule
Vulnerability ID: V-1122
Group Title: Password Protected Screen Saver
CCIs
Number | Definition |
---|---|
CCI-000056 | Retain the device lock until the user reestablishes access using established identification and authentication procedures. |
CCI-000057 | Prevent further access to the system by initiating a device lock after organization-defined time period of inactivity; and/or requiring the user to initiate a device lock before leaving the system unattended. |
CCI-000060 | Conceal, via the device lock, information previously visible on the display with a publicly viewable image. |