Dealing with users who avoid screensaver/lock screen?

Discussion in 'Networking & Security' started by cyclone3d, Nov 9, 2018.

  1. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,781
    Joined:
    Aug 24, 2005
    Yep, seen it everywhere. Keep fighting the end users on it and you'll just be 'that guy' that gets a call from his boss one day because you aren't 'doing a good job'. Or you'll never be promoted because NONE of the other department managers will want to work with you ever.

    Sometimes you have to row the boat instead of rocking it
     
  2. Stoly

    Stoly [H]ardness Supreme

    Messages:
    6,029
    Joined:
    Jul 26, 2005
    I remember a user from a 1500+ employee company we used to do outsourcing a few years ago.

    When we entered there were no policies whatsoever and everyone did as they pleased. Gaming, social networks, gambling sites, PRON, you name it.

    So we started implementing policies, restricting users. Among those there was enforcing the company wallpaper and screensaver. So this user went berserk when she could no longer see her little girl's picture on the desktop.
    She came to me and said I had no right to remove her wallpaper from her computer. I told her she was absolutely right... except it wasn't her computer and it was now company policy, but if she still had an issue she could take it over to my boss (who told her pretty much what I said). So she started climbing up the management ladder after getting her claim rejected every step of the way.

    She reached one of the top VPs who was also a mother and also had her kids' picture as a wallpaper, but didn't complain about the changes. I assumed that would be the end of it, but the VP actually supported the user and made us remove the policy.

    The weird thing is that we managed to implement pretty much every policy we did. Restricting software, social media, browsing, passwords, music and videos and USB devices.
     
  3. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,781
    Joined:
    Aug 24, 2005
    Yea the problem is once you let 'x' group of people put 'y' pictures up because of 'z', then just change those variables to pretty much anything and you can no longer say no.

    Once exception becomes the policy there is no policy
     
  4. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,097
    Joined:
    Jul 6, 2013
    Or, you could just start removing fingers one-by-one with a chisel. At least, that's the way they do it in the Mafia...
     
  5. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,781
    Joined:
    Aug 24, 2005
    Nah if I tried something like that it would be like that Will Ferrell movie, the casino at the house one, where they put the guy's arm in a vise and threaten to cut it off. Then I'd accidentally cut his finger off trying to wrestle the axe away from someone.

    Then I'd walk around the next day (assuming I still had a job) and all you would hear is -

    "Guys, look! It's the Screen Lock Butcher! Lock your workstations quick!"
     
  6. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,097
    Joined:
    Jul 6, 2013
    They will all cower in your presence! Muwhahaaha!
     
  7. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,082
    Joined:
    Nov 16, 2009

    No, it's your job to implement the policies. This is not an IT policy, this is a security policy. It's up to the security team to make sure the employees are not bypassing the policies set by security and implemented by IT. If you put the GPO in place, and have explained to users why it exists and why they should not bypass it, then the next step is to have security start confiscating unlocked machines.

    Our company is currently in the middle of this process, and security just finally got approval to start taking machines since users have been warned for a couple weeks.
     
  8. Nicklebon

    Nicklebon Gawd

    Messages:
    531
    Joined:
    May 22, 2006
    To be clear, MANAGEMENT sets policies. MANAGEMENT also enforces policies. Everyone else implements policy. No one other than MANAGEMENT has the ability to set or enforce.
     
  9. Brian_B

    Brian_B [H]ard|Gawd

    Messages:
    1,898
    Joined:
    Mar 23, 2012
    Executives set the policy
    Management enforces the policy

    Everyone else works around the policy to actually get shit done
     
  10. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,781
    Joined:
    Aug 24, 2005
    Not sure how getting around a screensaver lock with a 15 minute timer constitutes being able to 'actually get shit done'
     
    GoldenTiger and ZeqOBpf6 like this.
  11. Brian_B

    Brian_B [H]ard|Gawd

    Messages:
    1,898
    Joined:
    Mar 23, 2012
    New unique password every 60 days with whatever other criteria attached to it — may not be a burden to you, but it drives me up the wall. I have to keep lining out and re-writing new passwords on the sticky note on my monitor, and every time I go piss have to sit there and fumble around trying to remember which it is on the sticky note so I can get back to Facebook and YouTube.
     
    ZeqOBpf6 likes this.
  12. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    9,804
    Joined:
    Nov 4, 2005
    All technical solutions to a non technical problem. I would spend 0 time on this subject and go straight to HR to report policy violations, if there is no policy you should get one made

    And if HR doesn't care then you shouldn't care
     
  13. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,781
    Joined:
    Aug 24, 2005
    That's what I've been saying lol. If management doesn't care....why rock the boat? Help row that thing instead
     
  14. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
    HAHAHA. I hope you are being sarcastic.
     
    GoldenTiger likes this.
  15. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
    I would rather have technical solutions in place in order to enforce IT security policy instead of having to walk around all the time to police IT security policy.

    I'm guessing you also think that there shouldn't be any type of internet filtering either.
     
  16. Dan_D

    Dan_D [H]ardOCP Motherboard Editor

    Messages:
    52,500
    Joined:
    Feb 9, 2002
    I'm trying to understand why the users have the ability to install anything, much less software that can circumvent screen lock / screen saver policies. If I did that at my job I'd probably get written up the first time and shown the door for a repeated offense.
     
  17. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
    They don't have the ability to install anything besides stuff that we publish through SCCM.

    1. Windows Media Player... included in Windows... sometimes needed for work related stuff.
    2. Mouse jigglers and key pressers - no install needed. They are standalone single executable files. All they do is either move the mouse a single pixel every once in a while or fake a key press such as F15 which is not used for anything since no keyboards have it.
     
  18. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,781
    Joined:
    Aug 24, 2005
    There are even some mouse jigglers that are jar files, so you can't block them from executing unless you block JVM (which is impossible in some use cases depending on what is needed)
     
  19. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    9,804
    Joined:
    Nov 4, 2005
    internet filtering should probably be minimal, i'm ok with blocking ads at the workplace, as they're a big attack vector for malware... but you're probably right, when management wants to talk about blocking social media or other time wasters, a lot of times i push back... if you feel like your output should be higher, give people more work... if they don't complete their work, then write them up.... people want to put IT controls in place so they don't have to do their jobs as managers, and i despise that...
     
    Brian_B likes this.
  20. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
    MD5 hashes. Easy to block anything by using MD5.
     
  21. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,082
    Joined:
    Nov 16, 2009
    Should have both. The technical solution is to reduce risk when someone violates the policy. Even with that in place, our security guys still do random checks to see if people are following the policy and confiscating machines if they aren't.
     
  22. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,781
    Joined:
    Aug 24, 2005
    Good luck keeping track of each and every one that ever pops up. It's an exercise in futility to try to stay ahead of users who want to circumvent policies without management stepping in and saying "Don't do that again or you're fired".

    Nothing is 100% in security, it's why you stack different types of controls on top of each other. Layered defense and all that
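
Added example, not part of any post in the thread: a Python sketch of the two controls argued over in posts 17 to 22, an MD5 deny-list versus a path-based allow-list, run over constructed process-start events. The event fields, paths, file contents and `TRUSTED_DIRS` are assumptions made for illustration; the allow-list rule also inspects the `-jar` argument, so a trusted `java.exe` launching a jar from a user-writable folder is still flagged.

```python
import hashlib
from pathlib import PureWindowsPath

# Assumed trusted install locations (hypothetical policy for this example).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed byte strings standing in for file contents.
KNOWN_TOOL = b"constructed-sample-jiggler-v1"   # the build on the deny-list
NEW_BUILD = b"constructed-sample-jiggler-v2"    # a build nobody has hashed yet
JAVA_RUNTIME = b"constructed-java-runtime"
DENY_MD5 = {md5_hex(KNOWN_TOOL)}

def is_trusted_path(path: str) -> bool:
    """True only if the path sits under a trusted directory.
    PureWindowsPath compares case-insensitively; '..' segments and
    relative paths are rejected because they cannot be verified."""
    p = PureWindowsPath(path)
    if ".." in p.parts or not p.is_absolute():
        return False
    return any(d in p.parents for d in TRUSTED_DIRS)

def jar_argument(argv):
    """Return the argument following -jar, or None if there is none."""
    for i, arg in enumerate(argv[:-1]):
        if arg.lower() == "-jar":
            return argv[i + 1]
    return None

def evaluate(event):
    """Return (deny_list_hit, allow_list_violation or None) for one event."""
    deny_hit = event["md5"] in DENY_MD5
    reason = None
    if not is_trusted_path(event["image"]):
        reason = "image outside trusted dirs"
    else:
        jar = jar_argument(event["argv"])
        if jar is not None and not is_trusted_path(jar):
            reason = "jar outside trusted dirs"
    return deny_hit, reason

# Constructed process-start events (image path, argv, MD5 of the image).
EVENTS = [
    {"image": r"C:\Users\alice\Downloads\jiggle.exe",
     "argv": ["jiggle.exe"], "md5": md5_hex(KNOWN_TOOL)},
    {"image": r"C:\Users\bob\Desktop\notes-helper.exe",
     "argv": ["notes-helper.exe"], "md5": md5_hex(NEW_BUILD)},
    {"image": r"C:\Program Files\Java\bin\java.exe",
     "argv": ["java.exe", "-jar", r"C:\Users\carol\jiggle.jar"],
     "md5": md5_hex(JAVA_RUNTIME)},
    {"image": r"c:\windows\system32\notepad.exe",
     "argv": ["notepad.exe"], "md5": md5_hex(b"constructed-notepad")},
]

def evaluate_all(events):
    return [evaluate(e) for e in events]

if __name__ == "__main__":
    for ev, (deny, reason) in zip(EVENTS, evaluate_all(EVENTS)):
        print(f"{ev['image']:<45} deny-list={deny!s:<5} allow-list={reason}")
```

The deny-list fires only on the first event, while the path rule flags the first three and passes the fourth. A path rule like this holds only if users cannot write into the trusted directories.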
     
  23. Formula.350

    Formula.350 [H]ard|Gawd

    Messages:
    1,040
    Joined:
    Sep 30, 2011
    As someone who has read the entire thread, but who is not in IT or a corporate environment, this is my take...

    The people who you answer to have put these policies in place and all down the chain of command have stated they support these policies, including you. As IT, your job was to implement these policies, which you have done.

    Now when people circumvent them, you need to set a bar on how far you're willing to go to keep them from doing this. If you have already vowed to yourself to do this indefinitely, kudos, and we'll get back to this; however, if you are indeed sick and tired of having to keep coming up with new ways, as this thread's existence seems to indicate, let's move on...

    Here is where others have offered many valid and reasonable solutions. Having another corporate entity whose purview infractions fall under monitoring (looking out for) these sort of things is the best; Security, HR, etc. You've done your part, and they now have to do theirs, because quite frankly, that's not your job description to babysit. That being said, when said entity does come across new means, yea, they can bring it to you and then you can deal with it, BUT, if they keep letting the same people get away with it... then they aren't doing their job and it's out of your hands.

    That said, if there is no such entity to police in that way, then they need to hire one.
    If they won't, then they need to budget in some sort of hardware solution: the webcam for you to write something to detect movement in the immediate vicinity or some such, RFID badge, a pressure switch in the chair hooked to an arduino that triggers lock when there is not 70+lbs in the chair, a damn multi-arm taser-equipped sentry bot... whatever.
    If they still won't, then you need to talk to them and either: explain that you are not a babysitter and if they expect you to also be, then they need to increase your pay. OR they need to provide you with the authority to dish out infractions, as well as "time outs" (unpaid leave, reduction of hourly wage for X-amount of time, deduction of bonus pay, etc).

    If management doesn't grant something, then you have to explain to them that they really don't care as much about the policies as they originally thought, and as such you won't worry about the circumventing in turn. Further explain that it's not because you are lazy or whatever, it's because you are one man, a single solitary person, up against a hive-mind. Not like Sci-Fi or AI, but in the sense that they are the employee-collective and they "talk". They share in distaste of that policy, and share in the knowledge of getting around it. Short of what has also been suggested, an OS so locked down that even China would want to use it, you are simply outgunned. Not that you aren't well capable of defeating what they come up with, you are definitely the smarter person here. It simply is a matter of numbers. You only have 2 hands, can only work for so many hours per day on a mundane task like this, and can only type so fast. In other words, you're only human, and you have limits. End with you are doing your job, as well as someone else's, and if they can't throw some money at this problem (either a hardware budget or a raise) then it's a battle of attrition for you and they have the high ground.

    However, if they can alter the policy that everyone signs, to include that you are within your right to shame them in a public way, as others have said that works... so it'd at least let you blow off steam while you train the monkeys how to behave. Remote execution of a very loud sound clip of something like an air-raid siren with a robotic message saying how "<employee's name> has left me unlocked for <number of minutes> and hasn't returned", on loop... might drill the policy home. Epoxy their mechanical speaker volume to max, so that only software control is available. Epoxy the speaker cable into the motherboard if monitors aren't connected via HDMI. If they mess with either it'd be destruction of company property. I'm sure they'd frown upon that! Or even just the volume dial, and wire the speaker jack to also shut down the computer if unplugged. They'd quickly learn, after losing their unsaved work, not to unplug it to circumvent the shaming lol

    God speed!
     
    goodcooper likes this.
  24. capt_cope

    capt_cope Gawd

    Messages:
    888
    Joined:
    Apr 12, 2009
    I won't argue too hard with the 15 minute timer, but have you ever tried to edit a document with a 5 minute screensaver lock timer? Watch a Pluralsight video? Ever try working on two machines at once with that timer? Every time you turn from one machine to the other it's locked.
    I don't like the idea of running some shady "wiggler" executable, so here's the script that Windows Task Scheduler runs every 4 minutes and 30 seconds after my account logs in:
    Works like a charm.
     
    Brian_B and Aluminum like this.
  25. EniGmA1987

    EniGmA1987 [H]Lite

    Messages:
    93
    Joined:
    May 2, 2017
    Just get management to understand there is always a way around security policies no matter what they are. The policies are meant to be complied with by employees, not as targets to figure ways around. Employees who do not want to comply with company policies are both security risks and liabilities to the company as they are proving they do not care about the company they work for. Failing audits because an employee wants to do whatever they feel like is not acceptable. The proper solution is termination of these employees. If they are really getting around all these things you are talking about then they aren't even productive employees anyway because they are spending way too much time doing crap like this instead of working like they should be. Management needs to have them written up and if behavior does not immediately change and stay within company policies then they need to be terminated. The company wouldn't be losing anyone worthwhile.
     
    Last edited: Nov 21, 2018
  26. SamirD

    SamirD [H]ard|Gawd

    Messages:
    1,697
    Joined:
    Mar 22, 2015
    I think the biggest question to ask first is--why do they not want their screens going to screensaver? There has to be something to this and if you can get to the root of it, I bet you can find a way to implement the policy in a way that also works for the users.

    If this is a factory environment where they simply don't want to behave, and if work doesn't need to be persistent, i.e. it's saved on a file server or what not, it's time to take away the PCs and replace them with Windows 98 era thin clients that will RDP to their virtual desktop, which will auto logout after x amount of time. If they want to behave like kids, they can be treated as such. It's why public kiosks are locked down so hard, and if you're dealing with the same type of crowd there's existing solutions to these problems...
     
  27. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
    The only reason is that they don't want to have to type in their password.

    We have floor time clock kiosks and lab machines (that run tests) that never have a screen saver or lock screen come on.

    The people that are/were doing this are mostly engineers and other office people.

    The something is that they are too freaking lazy or too incompetent in typing that it takes them forever to enter a 6 character password.
     
  28. SamirD

    SamirD [H]ard|Gawd

    Messages:
    1,697
    Joined:
    Mar 22, 2015
    So why is the screensaver and password upon wake up there in the first place? What's the goal that's trying to be accomplished? Is it to keep from eavesdropping or people messing with others' systems?
     
  29. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
    1. Most test machines are not on the network and tests can run for months on end. Screen lock or reboot and the tests get wiped.
    2. Kiosks - no access to anything on the servers.

    3. To keep people from messing with systems... a.k.a. visiting customers, including international customers as well as anybody else who happens to be visiting at the time. Ya know.. the whole corporate espionage thing. Security is corporate policy.

    4. If you have to be asking why there should be security, you shouldn't be anywhere near IT.
     
    FNtastic likes this.
  30. SamirD

    SamirD [H]ard|Gawd

    Messages:
    1,697
    Joined:
    Mar 22, 2015
    Thank you for the replies.

    1. So the screensavers and screenlock are stopping the tests/test results? That would be quite annoying and hinders productivity would it not?

    2. So are you saying your kiosks don't have server access? Or that you don't have kiosks since they can't access servers?

    3/4. I get these for sure. Makes sense. What about doing a two step lock? Step one would be power saving the monitor after 15m, which would make people that want to mess with these systems think they're not on, and then after say another 15m the screensaver locks it. (I can't remember if this was easy to do in Windows or not.)
     
  31. Orddie

    Orddie 2[H]4U

    Messages:
    2,211
    Joined:
    Dec 20, 2010
    Is this really a thing?

    What type of work is this that requires users to keep a screen active?

    In the environments I have been in (I'm a consultant) it's very common for users to go "afk" for many legitimate reasons.
     
  32. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
    Nuclear power plant related.

    Yeah, they can go "afk". The screen auto-locks after 15 minutes. Not like they look away and the screen locks after 30 seconds.
     
  33. Orddie

    Orddie 2[H]4U

    Messages:
    2,211
    Joined:
    Dec 20, 2010
    Let me guess. Union workers?
     
  34. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
    Nope, not union workers. After my first job at a union shop, I vowed to never work at a union shop again.
     
  35. SamirD

    SamirD [H]ard|Gawd

    Messages:
    1,697
    Joined:
    Mar 22, 2015
    Lovely--nuclear plant employees who don't want to follow rules. Remind me not to be surprised if there's a meltdown at that location. :eek:
     
  36. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
    Not a nuclear plant... R&D and manufacturing.
     
  37. SamirD

    SamirD [H]ard|Gawd

    Messages:
    1,697
    Joined:
    Mar 22, 2015
    Whew! Good to hear. :)

    Still doesn't solve the problem though. I say leave it and wait until management comes to talk to you about it.
     
  38. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,213
    Joined:
    Nov 29, 2009
    I'll tell you this from a user perspective (but also one that has worked in IT). Screensavers and application time outs SUCK. They are a major annoyance and impede on productivity, and serve little to no purpose. While I'm sitting at my PC I don't want crap constantly timing out on me, there is zero use to that from a security standpoint. The proper thing to do is to ensure that users lock their PC when they step away.

    Instead of forcing time outs on people, ensure that when they step away, they lock their PC. When an app times out, or screensaver comes on, users just shake the mouse or log back in. So for about 1 second or maybe 1 minute the app will be locked, otherwise it will be unlocked. That 1 minute of the app being locked is not going to mean much.

    If someone happens to come in the building and puts a gun to my head to login to something, it does not matter if it locks or not, chances are I'll just comply and log in to it anyway.

    For a while they were forcing a screensaver GPO on us so I wrote a program that toggles the scroll lock key and gave it to everyone. If that had not worked we would have come up with a hardware solution such as a spinning mirror to put under the mouse. In a way the hardware solution is probably better as it does not involve potentially breaching any kind of rules about unauthorized software. Thankfully our manager pushed IT to ensure they remove the GPO from our PCs. Though we still have to fight with a lot of apps that time out, which is just as bad, if not worse, than screensavers. I'd say a good percentage of my job is spent reviving apps that have timed out. These time outs serve no purpose from a security standpoint and are simply an annoyance.
     
  39. faugusztin

    faugusztin 2[H]4U

    Messages:
    2,607
    Joined:
    Mar 9, 2008
    60 days is an insanely short period. The Android app for my bank!!! sets a 1.5 year password update period for a reasonable 8 character password. 60-90 days are already on the very short end of password update periods, and all it encourages is to have passwords like Password1, Password2,.... Password35,.... Password96. Congrats on having a 60 day password update policy.
     
  40. DrBorg

    DrBorg Gawd

    Messages:
    566
    Joined:
    Jan 22, 2005
    We had this policy where I used to work; Changed every 30 days, no reuse, 14 characters and include everything, Upper, lower, punct.

    I wrote my passwords down in hexadecimal ASCII and taped them to the monitor.

    No one else could read hex. Other people used German, or angloed Chinese.

    I always locked my shit, because I was the guy that would send a porno to the CEO with someone else's computer, and CC all the staff. :)

    Whatever works. :D