Dealing with users who avoid screensaver/lock screen?

Discussion in 'Networking & Security' started by cyclone3d, Nov 9, 2018.

  1. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,606
    Joined:
    Aug 16, 2004
    I've been dealing with users who seem to think it is ok to circumvent our company screensaver/screen lock policies.

    We used to use Mcafee which allowed me to block software by program name matching. in order to try to eliminate the use of mouse jigglers and programs that used keyboard input.. like pressing F15 every once in a while to keep the computer from going idle for too long.

    Then these same users discovered that they could just rename the executable and it would work. So then I had to use the MD5 hash matching feature and that eliminated them being able to use these programs.

    As of late, we have had users use media players and loop videos to keep the screen from locking.

    I have implemented a GPO to allow the screen saver when using Windows Media Player so at least that won't be a problem anymore.

    What do you all do to prevent mouse jigglers and keyboard keypress programs from being used?

    The easiest way I can think of is to create a list of MD5 hashes for all the ones I can find and then write my own program to prevent these from being run.

    This is fairly trivial as I already have a program I wrote that has code to check MD5 hashes for other purposes.

    The only other hurdle I see is that there are apparently hardware mouse jigglers available for cheap that plug into a USB port. Getting and maintaining a list of the GUIDs of these different devices would be a pain but they could be blocked by a GPO.
     
  2. Farva

    Farva King of borked Picture links

    Messages:
    36,086
    Joined:
    Feb 3, 2004
    Acceptable Usage Agreements. Not to mention, blocking the ability for people to install applications (no admin rights).

    If you start seeing people with open screens as you walk around, start sending emails to HR from said desk saying X person left computer open and unsecured?
     
    Last edited: Nov 9, 2018
  3. toast0

    toast0 Gawd

    Messages:
    869
    Joined:
    Jan 26, 2010
    I don't think it's a good idea, but most parts of the company I work for have a culture of light pranking when they find computers that are unlocked. I find this totally unacceptable, especially given that most of us have macs; IT locks the screensaver time at 10 minutes (wtf, why can't i make it a minute or two, like it should be), and apple didn't give us a keyboard shortcut to lock until the the late-2017 flavor of mac os. And it's harder to hit than win+L :(
     
  4. BlueLineSwinger

    BlueLineSwinger Gawd

    Messages:
    520
    Joined:
    Dec 1, 2011

    Pretty much. If you don't already have a such a policy in place it's time to write one up and start enforcing it. Penalties for circumventing security measures (including idle screen locks), such as revocation of admin rights and possible confiscation of systems (if possible). Not sure HR are the proper ones to keep track of transgressions, but maybe cc them just for the record.



    We did the mild prank as well (usually a joke e-mail to a non-official mail list). Worked well for the light shaming that got the violator to pay attention to what they were doing.

    Used to be it was possible to set a macOS screen-lock through, IIRC, Keychain Access. But it was pretty obscure. I've always simply set a hot-corner to lock the screen.
     
    Brian_B likes this.
  5. toast0

    toast0 Gawd

    Messages:
    869
    Joined:
    Jan 26, 2010
    I had trouble with hot-corner and multimonitor, probably because i picked the wrong corner. Anyway, now you can do it with control + command + q, which is a lot easier for me.
     
  6. MikeRotch

    MikeRotch Limp Gawd

    Messages:
    382
    Joined:
    Aug 23, 2013
    We used to "Hoff" people who didn't lock their PCs.

    https://goo.gl/images/3MKg6c

    Not sure if it was this exact picture, but we used one similiar to it and put it as their background and lockscreen and move all of their desktop icons off screen.
     
    TheRagnarok likes this.
  7. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,606
    Joined:
    Aug 16, 2004
    We have a policy that is corporate-wide and all employees and temps have to sign it before they are given access. No employees except IT (me) and one special account (for the lab test machines) have admin rights.

    The lockout time per corporate policy is set at 15 minutes. These jokers that try to go around it are I don't know what.

    I'm sure they will be in for a nice surprise when they realize that a looping video playing no longer keeps the screen from locking. I fully expect them to start using mouse jigglers again. A few years ago, we even had one person that hooked up a second mouse and used a clock and set the mouse on the clock face so that it would jiggle the mouse every time the second hand went in front of the mouse sensor.

    I'm about at the point of getting the same mouse for every computer and then blocking all other mouse GUIDs except the one that is given them.

    I could even go as far as locking the offending people's computers to only use that one (extra crappy) mouse and then everybody else that follows the policy can use nice mice.
     
    Sulphademus likes this.
  8. Zepher

    Zepher [H]ipster Replacement

    Messages:
    16,674
    Joined:
    Sep 29, 2001
    I lock mine every time I leave my desk. I don't want anyone fucking with my PC when I am away from it.
     
    SticKx911, Sulphademus and auntjemima like this.
  9. Zepher

    Zepher [H]ipster Replacement

    Messages:
    16,674
    Joined:
    Sep 29, 2001
    I like screenshotting the desktop and making it the wallpaper and moving all the icons into a folder and watch them try and click shit on the screen.
     
  10. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,764
    Joined:
    Aug 24, 2005
    This is a problem for management, not IT. This is also where it helps to have good relationships throughout your company's management structure.

    Talk to your boss. He may not even care in which case why do you? Talk to their managers, talk to HR. Changing wall paper and backgrounds could be construed as harassment in some jurisdictions and you'd just be opening up your company to hostile workplace lawsuits, no matter how frivolous they seem to you.

    It's up to the business whether or not to enforce an arbitrary screen lock timer, not you.
     
  11. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,606
    Joined:
    Aug 16, 2004
    Same here.

    My boss does care as does the security team. As the sole IT admin at my site, it is my job to enforce the corporate policies. My boss is not even at the site I work at.

    I sent out a warning email today to everybody at my site including management as well as informing the corporate security team.

    As for site management doing anything about it on their end I am not sure that anything would happen.
     
  12. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,764
    Joined:
    Aug 24, 2005
    So they've given you the authority to write up employees for violating the policy, up to and including termination? I highly doubt they've done that, so not sure how you are going to enforce anything.

    It comes back to management
     
  13. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,606
    Joined:
    Aug 16, 2004
    Enforce it as in on the IT side of things.. as in make sure they are unable to circumvent the policy.

    Of course I can only do so much.

    My ideal setup would be to have prox-cards or smart cards. And if they leave the card near their computer I would confiscate them and then let them explain it to management. But there is pretty much no way that they would approve me spending money on that as we are not required by customers to have that level of security.
     
  14. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,764
    Joined:
    Aug 24, 2005
    This is why when implementing controls to mitigate risk, you use more than one. In this case, you've done your part and implemented a technical control. That control can only do so much. Your company has an administrative control in place, now it's up to them to enforce it.

    I get it, it's a security risk, you want to rectify it. Here's the thing though- you don't decide what's an acceptable risk, the business does.

    If you don't mind me asking, how long have you been the IT admin at this site?
     
    FNtastic likes this.
  15. N4CR

    N4CR 2[H]4U

    Messages:
    3,143
    Joined:
    Oct 17, 2011
    Have you considered the fact that people are willing to do this that your security policy might be a bit overbearing, annoying and people are sick of it? Maybe there might be a better way to implement this security? Just my 2c.

    Sometimes it's easier to change course a little and compromise than be the typical communist Sysadmin.

    Do you have some assfuckingly stupid password policy like 'must have 8 characters, must have non alpha, upper + lower case, numeric and some other bullshit'?
    That m@k3$fOraR3@\\y hard to remember password. Which you no doubt force them to change every 3 days or something.... so yeah. Typing hard to remember shit in wastes time and money and is frustrating.

    If so, make your password policy reasonable. Make the minimum longer but the combination simpler. E.g. throwingspears69 is more secure for brute forcing than @1ntieglU9 or some stupid shit people love to force people to use, but also far, far easier to remember.
     
    bluesynk likes this.
  16. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,606
    Joined:
    Aug 16, 2004
    I've been there almost 8 years. I do stuff for other sites when needed as well.. mostly scripting and some programming in VB, C++, whatever.
    Have a few scripts that are being used globally.. as in sites all around the world.
    Our system imaging interface is also my creation.


    Password policy is pretty simple and easy to make passwords for. A password such as "Password1" would be a valid password. And if for some reason somebody has trouble making a password, I'll ask them what they want their password to be and I'll reset their password in AD to whatever they want.
    Passwords only have to be changed every 60 days.

    People really are just that lazy/stubborn about not wanting to lock their machines when they leave their desk.

    I really do try to make stuff as easy as possible for the other employees.
     
  17. Chas

    Chas [H]ardness Supreme

    Messages:
    7,319
    Joined:
    Oct 31, 2005
    Record a WAV/MP3 file and put it in their startup group.

    Have it scream at full volume "I DON'T WANNA LOCK MY SCREEN WHEN I WALK AWAY!"

    Then fuck their brother...
     
    auntjemima likes this.
  18. DrBorg

    DrBorg Gawd

    Messages:
    537
    Joined:
    Jan 22, 2005
    Send an obscene email from their unlocked desktop to their direct boss, then let them explain where it came from.

    Worked for us. :)
     
    Sulphademus and The Mad Atheist like this.
  19. N4CR

    N4CR 2[H]4U

    Messages:
    3,143
    Joined:
    Oct 17, 2011
    Okay fair enough, you sound reasonable then indeed. Maybe make the passwords last a little longer? See if things improve.. worth a shot if you can wing it.
     
  20. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,152
    Joined:
    Mar 4, 2013
    No drivers needed to thwart video screen lock.

    drinkingbird.jpg

    If your company uses ID badges, get a gizmo that when badge inserted, unlocks the PC and when pulled, locks it.
     
    The Mad Atheist and DrBorg like this.
  21. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,764
    Joined:
    Aug 24, 2005
    Yea screensavers are difficult to enforce when they can physically rig something up to move the mouse around.

    What you could do is have the security audit teams (external) come in and tell them to make that a focus so it shows up in the management report. They are more likely to take it serious when it comes from someone else.
     
  22. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,606
    Joined:
    Aug 16, 2004
    Yeah, and if I see something like that it gets confiscated.

    We don't use badges so that won't work and as far as I know, corporate has no current plans to implement them at my site.
     
  23. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,606
    Joined:
    Aug 16, 2004
    Longer than 60 days? Sixty days is already kind of on the high side IMO. That is corporate policy and I have no way to change it even if I wanted to.

    Even if they had permanent passwords the same people would still try to make their screens not auto-lock and the auto-lock delay is 15 minutes. Not like it locks when they look away from the screen for 1-2 minutes.
     
  24. Spartacus09

    Spartacus09 Limp Gawd

    Messages:
    434
    Joined:
    Apr 21, 2018
    You’ve done what you can and beyond frankly, if this is something thats needed/wanted to be enforced by management its time to escalate. If no correction is made action needs to be taken by the department manager.

    We had a recent issue with folks pushing back and removing our mdm and system inventory/management software (linux systems so couldn’t prevent removal as users needed sudo). This was a corporate board mandate as we’re targeting SOC status. We had to get to a final writeup point with an employee by the department executive where if the employee removed it again they would be fired before they finally left it. A heftly audit cost wasn’t going to be compromised over them staying with the company.
     
  25. Stoly

    Stoly [H]ardness Supreme

    Messages:
    6,016
    Joined:
    Jul 26, 2005
    Are you using AD?
     
    cyclone3d likes this.
  26. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,606
    Joined:
    Aug 16, 2004
    Yes, using AD.
     
  27. Stoly

    Stoly [H]ardness Supreme

    Messages:
    6,016
    Joined:
    Jul 26, 2005
    Then no admin rights and GPO should do.
     
    Sulphademus likes this.
  28. Stoly

    Stoly [H]ardness Supreme

    Messages:
    6,016
    Joined:
    Jul 26, 2005
    I just use disable Show Icons and ignore calls and msg from the "victim"

    They freak out as they have dozens of folders on the desktop and think everything is gone. It's hillarious. :ROFLMAO::ROFLMAO::D:D
     
    Zepher likes this.
  29. ChRoNo16

    ChRoNo16 [H]ard|Gawd

    Messages:
    1,281
    Joined:
    Feb 3, 2011
    Policy Policy Policy! You write that policy up, those who dont abide are punished. its just that simple. If anyone other than admin is running any kind of mouse jiggler program, you simple dont have your systems locked down far enough. Our windows images for non IT admins are so stripped you cannot access anything but the 1-2 programs you need to do your job, and the shutdown button. thats it. you cannot run any executables period. as far as plugging devices in, just disable all extra USB ports. Most systems now you can set how many are active, just give them 2, keyboard and mouse and shut the rest off in BIOS. lock down bios, and no problem.

    besides that, a policy of not allowing end users to plug any devices into machines that is not pre-approved by IT, shove that in the orig policy banning the use of ANY software or hardware that circumvents IT security policy and there you have it.
     
  30. BlueLineSwinger

    BlueLineSwinger Gawd

    Messages:
    520
    Joined:
    Dec 1, 2011

    Yes, 60 days is too short a period. All it does is encourage people to simplify their password and write it down somewhere. There's no evidence that consistently changing user passwords increases security.

    If user login security is an issue something like 2-factor auth is a better solution.

    And yeah, unfortunately, it won't do anything to keep users from trying to cheat the screen-lock. 15 minutes is quite reasonable I'd say (I usually set mine to 5, with a 5-second grace period).
     
    Sulphademus likes this.
  31. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,606
    Joined:
    Aug 16, 2004
    Ummm, yeah, that wouldn't work. We are an R&D and manufacturing site. Not like a general office site that only needs access to email and MS Office and maybe a web browser.
     
  32. ChRoNo16

    ChRoNo16 [H]ard|Gawd

    Messages:
    1,281
    Joined:
    Feb 3, 2011
    What do they need access to? I work in a factory.
     
  33. Brian_B

    Brian_B [H]ard|Gawd

    Messages:
    1,820
    Joined:
    Mar 23, 2012
    Seems problem is that security sucks. Your technical solutions are fine and dandy but you still have to work with the meat side of that equation - and they hate your security policy.

    You should think of a better way than some outmoded security policy from 25 years ago.
     
  34. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,076
    Joined:
    Jul 6, 2013
    Install face recognition cameras at each station. As soon as they walk away, it locks. As soon as they return, it unlocks.
     
  35. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,764
    Joined:
    Aug 24, 2005
    I wouldn't want to manage that in a corporate setting, but dynamic lock and windows hello aren't terrible at home.
     
  36. DrBorg

    DrBorg Gawd

    Messages:
    537
    Joined:
    Jan 22, 2005
    You could chip all the workers, and have it auto lock when they walked out of range, or kick in the screensaver whenever someone else walks into the room.

    I understand there are some places that do this.

    I'm not getting chipped or spayed, lol.
     
  37. Spartacus09

    Spartacus09 Limp Gawd

    Messages:
    434
    Joined:
    Apr 21, 2018
    I wouldn't mind getting chipped provided its passive (ie non-location tracking even on site, other than entry/exit scan tracking) and it does EVERYTHING at the company.
    Building access, computer signin, lunch purchases, etc

    The only problem from an audit perspective is a chip isn't visible, in a large company you wouldn't know everyone so company branded identifying badges are the norm.
    So if I gotta wear a badge regardless may as well stay cheap and gimme an rfid card in the badge.
     
  38. Nicklebon

    Nicklebon Gawd

    Messages:
    531
    Joined:
    May 22, 2006
    I'll state more directly what has already been stated earlier in this thread.

    Technical controls without administrative controls to back them up are worthless. You clearly lack the will of management to enforce your technical controls as such you might as well piss into wind. Stop trying to out think your users. You cannot. They will always find a way to beat you. Instead, you need to convince their management to enforce the AUP and give your controls teeth with their controls.
     
    Spartacus09 and GoldenTiger like this.
  39. capt_cope

    capt_cope Gawd

    Messages:
    860
    Joined:
    Apr 12, 2009
    As has been stated many times already, the ONLY way you're going to win this fight is by getting HR / Management to start punishing people who leave an unlocked machine unattended. You can ease the burden by teaching users to use WIN+L keys to lock before they leave their desk (I'm always shocked at how many people don't know about that.) Until people start getting disciplined for the behavior, you won't win.
     
    DrBorg likes this.