Dealing with users who avoid screensaver/lock screen?

Yep, seen it everywhere. Keep fighting the end users on it and you'll just be 'that guy' that gets a call from his boss one day because you aren't 'doing a good job'. Or you'll never be promoted because NONE of the other department managers will want to work with you ever.

Sometimes you have to row the boat instead of rocking it.
 
I remember a user from a 1500+ employee company we used to do outsourcing for a few years ago.

When we entered there were no policies whatsoever and everyone did as they pleased. Gaming, social networks, gambling sites, PRON, you name it.

So we started implementing policies, restricting users. Among those there was enforcing the company wallpaper and screensaver. So this user went berserk when she could no longer see her little girl's picture on the desktop.
She came to me and said I had no right to remove her wallpaper from her computer. I told her she was absolutely right... except it wasn't her computer and it was now company policy, but if she still had an issue she could take it over to my boss (who told her pretty much what I said). So she started climbing up the management ladder after getting her claim rejected every step of the way.

She reached one of the top VPs who was also a mother and also had her kids' picture as a wallpaper, but didn't complain about the changes. I assumed that would be the end of it, but the VP actually supported the user and made us remove the policy.

The weird thing is that we managed to implement pretty much every other policy we did. Restricting software, social media, browsing, passwords, music and videos and USB devices.
 
Yea the problem is once you let 'x' group of people put 'y' pictures up because of 'z', then just change those variables to pretty much anything and you can no longer say no.

Once the exception becomes the policy, there is no policy.
 
Or, you could just start removing fingers one-by-one with a chisel. At least, that's the way they do it in the Mafia...
 
Or, you could just start removing fingers one-by-one with a chisel. At least, that's the way they do it in the Mafia...

Nah, if I tried something like that it would be like that Will Ferrell movie, the casino at the house one, where they put the guy's arm in a vise and threaten to cut it off. Then I'd accidentally cut his finger off trying to wrestle the axe away from someone.

Then I'd walk around the next day (assuming I still had a job) and all you would hear is -

"Guys, look! It's the Screen Lock Butcher! Lock your workstations quick!"
 
Nah, if I tried something like that it would be like that Will Ferrell movie, the casino at the house one, where they put the guy's arm in a vise and threaten to cut it off. Then I'd accidentally cut his finger off trying to wrestle the axe away from someone.

Then I'd walk around the next day (assuming I still had a job) and all you would hear is -

"Guys, look! It's the Screen Lock Butcher! Lock your workstations quick!"
They will all cower in your presence! Muwhahaaha!
 
Same here.



My boss does care as does the security team. As the sole IT admin at my site, it is my job to enforce the corporate policies. My boss is not even at the site I work at.

I sent out a warning email today to everybody at my site including management as well as informing the corporate security team.

As for site management doing anything about it on their end I am not sure that anything would happen.


No, it's your job to implement the policies. This is not an IT policy, this is a security policy. It's up to the security team to make sure the employees are not bypassing the policies set by security and implemented by IT. If you put the GPO in place, and have explained to users why it exists and why they should not bypass it, then next step is to have security start confiscating unlocked machines.

Our company is currently in the middle of this process, and security just finally got approval to start taking machines since users have been warned for a couple weeks.
 
No, it's your job to implement the policies. This is not an IT policy, this is a security policy. It's up to the security team to make sure the employees are not bypassing the policies set by security and implemented by IT. If you put the GPO in place, and have explained to users why it exists and why they should not bypass it, then next step is to have security start confiscating unlocked machines.

Our company is currently in the middle of this process, and security just finally got approval to start taking machines since users have been warned for a couple weeks.

To be clear, MANAGEMENT sets policies. MANAGEMENT also enforces policies. Everyone else implements policy. No one other than MANAGEMENT has the ability to set or enforce.
 
To be clear, MANAGEMENT sets policies. MANAGEMENT also enforces policies. Everyone else implements policy. No one other than MANAGEMENT has the ability to set or enforce.

Executives set the policy
Management enforces the policy

Everyone else works around the policy to actually get shit done
 
Not sure how getting around a screensaver lock with a 15 minute timer constitutes being able to 'actually get shit done'

New unique password every 60 days with whatever other criteria attached to it — may not be a burden to you, but it drives me up the wall. I have to keep lining out and re-writing new passwords on the sticky note on my monitor, and every time I go piss have to sit there and fumble around trying to remember which it is on the sticky note so I can get back to Facebook and YouTube.
 
We have a policy that is corporate-wide and all employees and temps have to sign it before they are given access. No employees except IT (me) and one special account (for the lab test machines) have admin rights.

The lockout time per corporate policy is set at 15 minutes. These jokers that try to go around it are I don't know what.

I'm sure they will be in for a nice surprise when they realize that a looping video playing no longer keeps the screen from locking. I fully expect them to start using mouse jigglers again. A few years ago, we even had one person that hooked up a second mouse and used a clock and set the mouse on the clock face so that it would jiggle the mouse every time the second hand went in front of the mouse sensor.

I'm about at the point of getting the same mouse for every computer and then blocking all other mouse GUIDs except the one that is given them.

I could even go as far as locking the offending people's computers to only use that one (extra crappy) mouse and then everybody else that follows the policy can use nice mice.
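The allow-listed-mouse idea in the post above, as an added example that is not part of the thread: an audit script that lists the pointing devices present on a Windows 10/11 workstation, flags any that do not match one approved hardware ID, and reads back the Device Installation Restrictions policy values (the ones the "Allow installation of devices that match any of these device IDs" and "Prevent installation of devices not described by other policy settings" GPO settings write). The approved hardware ID is a constructed placeholder; the registry key names and the `Get-PnpDevice` cmdlet are real. Run it in an elevated session.

```powershell
# Added example (not from the thread). Audits present mice against one approved
# hardware ID and reports whether Device Installation Restrictions are in
# allow-list mode. Get-PnpDevice ships in the built-in PnpDevice module.

# CONSTRUCTED placeholder: copy the real value from Device Manager > (mouse) >
# Details > Hardware Ids. The policy matches on hardware IDs, not on GUIDs.
$ApprovedHardwareId = 'HID\VID_0000&PID_0000&REV_0000&MI_00'

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UnapprovedMice {
    param([string]$Approved = $ApprovedHardwareId)
    Get-PnpDevice -Class Mouse -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object {
            # A device carries several hardware IDs; it is approved if any one matches.
            -not ($_.HardwareID | Where-Object { $_ -like "$Approved*" })
        } |
        Select-Object FriendlyName, InstanceId, Status,
                      @{ n = 'HardwareIDs'; e = { $_.HardwareID -join '; ' } }
}

function Get-DeviceRestrictionPolicy {
    # Absent key = no restrictions configured at all.
    if (-not (Test-Path $RestrictionsKey)) {
        return [pscustomobject]@{ Configured = $false; AllowListMode = $false; AllowedIds = @() }
    }
    $v = Get-ItemProperty -Path $RestrictionsKey
    $allowed = @()
    if (Test-Path "$RestrictionsKey\AllowDeviceIDs") {
        # The allow list lives in a subkey as string values named "1", "2", ...
        $allowed = (Get-ItemProperty -Path "$RestrictionsKey\AllowDeviceIDs").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        Configured    = $true
        # Allow-list mode needs both: honour the allow list AND deny everything else.
        AllowListMode = ($v.AllowDeviceIDs -eq 1) -and ($v.DenyUnspecified -eq 1)
        AllowedIds    = $allowed
    }
}

$policy = Get-DeviceRestrictionPolicy
$rogue  = Get-UnapprovedMice

"Device restriction policy: configured=$($policy.Configured) allow-list=$($policy.AllowListMode)"
if ($policy.AllowedIds) { "Allowed IDs: " + ($policy.AllowedIds -join ', ') }
if ($rogue) {
    "Pointing devices not matching the approved model:"
    $rogue | Format-Table -AutoSize
} else {
    "No unapproved pointing devices present."
}
```

Two caveats a practitioner would want: set the restriction through Group Policy on a pilot OU rather than by writing the registry, because an allow list that omits the admin's own keyboard or dock will lock the admin out as well; and the allow list only stops unapproved hardware, so the mouse-on-a-clock trick described above, which uses the approved mouse, still works. It is one layer, not the answer.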

All technical solutions to a non-technical problem. I would spend 0 time on this subject and go straight to HR to report policy violations; if there is no policy, you should get one made.

And if HR doesn't care then you shouldn't care
 
That's what I've been saying lol. If management doesn't care....why rock the boat? Help row that thing instead
 
New unique password every 60 days with whatever other criteria attached to it — may not be a burden to you, but it drives me up the wall. I have to keep lining out and re-writing new passwords on the sticky note on my monitor, and every time I go piss have to sit there and fumble around trying to remember which it is on the sticky note so I can get back to Facebook and YouTube.

HAHAHA. I hope you are being sarcastic.
 
All technical solutions to a non-technical problem. I would spend 0 time on this subject and go straight to HR to report policy violations; if there is no policy, you should get one made.

And if HR doesn't care then you shouldn't care

I would rather have technical solutions in place in order to enforce IT security policy instead of having to walk around all the time to police IT security policy.

I'm guessing you also think that there shouldn't be any type of internet filtering either.
 
I'm trying to understand why the users have the ability to install anything, much less software that can circumvent screen lock / screen saver policies. If I did that at my job I'd probably get written up the first time and shown the door for a repeated offense.
 
I'm trying to understand why the users have the ability to install anything, much less software that can circumvent screen lock / screen saver policies. If I did that at my job I'd probably get written up the first time and shown the door for a repeated offense.

They don't have the ability to install anything besides stuff that we publish through SCCM.

1. Windows Media Player... included in Windows... sometimes needed for work related stuff.
2. Mouse jigglers and key pressers - no install needed. They are standalone single executable files. All they do is either move the mouse a single pixel every once in a while or fake a key press such as F15, which is not used for anything since no keyboards have it.
 
There are even some mouse jigglers that are jar files, so you can't block them from executing unless you block JVM (which is impossible in some use cases depending on what is needed)
 
All technical solutions to a non-technical problem. I would spend 0 time on this subject and go straight to HR to report policy violations; if there is no policy, you should get one made.
I would rather have technical solutions in place in order to enforce IT security policy instead of having to walk around all the time to police IT security policy.

I'm guessing you also think that there shouldn't be any type of internet filtering either.
Internet filtering should probably be minimal. I'm ok with blocking ads at the workplace, as they're a big attack vector for malware... but you're probably right, when management wants to talk about blocking social media or other time wasters, a lot of times I push back... if you feel like your output should be higher, give people more work... if they don't complete their work, then write them up.... People want to put IT controls in place so they don't have to do their jobs as managers, and I despise that...
 
There are even some mouse jigglers that are jar files, so you can't block them from executing unless you block JVM (which is impossible in some use cases depending on what is needed)

MD5 hashes. Easy to block anything by using MD5.
 
I would rather have technical solutions in place in order to enforce IT security policy instead of having to walk around all the time to police IT security policy.

I'm guessing you also think that there shouldn't be any type of internet filtering either.

Should have both. The technical solution is to reduce risk when someone violates the policy. Even with that in place, our security guys still do random checks to see if people are following the policy and confiscating machines if they aren't.
 
MD5 hashes. Easy to block anything by using MD5.

Good luck keeping track of each and every one that ever pops up. It's an exercise in futility to try to stay ahead of users who want to circumvent policies without management stepping in and saying "Don't do that again or you're fired".

Nothing is 100% in security, it's why you stack different types of controls on top of each other. Layered defense and all that
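The hash-blocking idea and the "stack controls" reply above, as an added example that is not part of the thread: a script that turns known jiggler binaries into AppLocker deny-by-hash rules, imports them in audit mode, and tests a file against the result. It requires the AppLocker cmdlets (Windows Enterprise/Education or Server) in an elevated session; the file paths are constructed placeholders. Two things the thread glosses over are shown in the code: AppLocker keys on the SHA-256 Authenticode hash rather than MD5, and `New-AppLockerPolicy` generates Allow rules, so the action has to be flipped to Deny before import.

```powershell
# Added example (not from the thread). Builds deny-by-hash AppLocker rules for a
# list of known jiggler executables, imports them in AuditOnly mode and tests a
# file against the policy. Paths are CONSTRUCTED placeholders. The Application
# Identity service must be running for AppLocker to evaluate anything.

$KnownJigglers = @('C:\Quarantine\jiggler.exe', 'C:\Quarantine\keypresser.exe')  # placeholders
$PolicyFile    = 'C:\Quarantine\deny-jigglers.xml'                                # placeholder

function New-HashDenyPolicy {
    param([string[]]$Files, [string]$OutFile)

    # AppLocker identifies a file by its SHA-256 Authenticode hash, not MD5. An MD5
    # is still handy for cross-referencing other blocklists, so record it alongside.
    $Files | ForEach-Object {
        [pscustomobject]@{ File = $_; MD5 = (Get-FileHash -Path $_ -Algorithm MD5).Hash }
    } | Format-Table -AutoSize | Out-String | Write-Verbose -Verbose

    $info = Get-AppLockerFileInformation -Path $Files
    [xml]$doc = New-AppLockerPolicy -FileInformation $info -RuleType Hash `
                    -User Everyone -RuleNamePrefix 'Deny jiggler' -Xml

    # Generated rules are Allow rules; flip them to Deny. Deny beats Allow in
    # AppLocker, so these coexist with the default allow rules for Program Files
    # and Windows that let everything legitimate keep running.
    foreach ($rule in $doc.SelectNodes('//FileHashRule')) { $rule.SetAttribute('Action', 'Deny') }

    # AuditOnly first: would-be blocks are logged (Microsoft-Windows-AppLocker/EXE
    # and DLL, event ID 8003) without disrupting anyone. Switch to Enabled once the
    # log shows only the binaries you meant to catch.
    foreach ($rc in $doc.SelectNodes('//RuleCollection')) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }

    $doc.Save($OutFile)
    return $OutFile
}

function Test-FileAgainstPolicy {
    param([string]$PolicyXml, [string]$File)
    # The PolicyDecision column says whether the file would run under this policy.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $File -User Everyone
}

$xml = New-HashDenyPolicy -Files $KnownJigglers -OutFile $PolicyFile
Test-FileAgainstPolicy -PolicyXml $xml -File $KnownJigglers[0]

# Merge into the local policy (on a domain, import the XML into the GPO instead):
# Set-AppLockerPolicy -XmlPolicy $xml -Merge
```

The reply above is right that a hash list on its own is a treadmill: one byte changed and the hash rule misses. That is why the usual layering is default-deny for executables outside Program Files and Windows (so a renamed jiggler dropped in a profile folder never runs at all), with hash deny rules reserved for the handful of known binaries. Jar-based jigglers are the gap this layer does not close: AppLocker sees java.exe, which is allowed, so they need a different control.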
 
As someone who has read the entire thread, but who is not in IT or a corporate environment, this is my take...

The people who you answer to have put these policies in place and all down the chain of command have stated they support these policies, including you. As IT, your job was to implement these policies, which you have done.

Now when people circumvent them, you need to set a bar on how far you're willing to go to keep them from doing this. If you have already vowed to yourself to do this indefinitely, kudos, and we'll get back to this; however, if you are indeed sick and tired of having to keep coming up with new ways, as this thread's existence seems to indicate, let's move on...

Here is where others have offered many valid and reasonable solutions. Having another corporate entity whose purview infractions fall under monitoring (looking out for) these sorts of things is the best; Security, HR, etc. You've done your part, and they now have to do theirs, because quite frankly, it's not your job description to babysit. That being said, when said entity does come across new means, yea, they can bring it to you and then you can deal with it, BUT, if they keep letting the same people get away with it... then they aren't doing their job and it's out of your hands.

That said, if there is no such entity to police in that way, then they need to hire one.
If they won't, then they need to budget in some sort of hardware solution: the webcam for you to write something to detect movement in the immediate vicinity or some such, RFID badge, a pressure switch in the chair hooked to an arduino that triggers lock when there is not 70+lbs in the chair, a damn multi-arm taser-equipped sentry bot... whatever.
If they still won't, then you need to talk to them and either: explain that you are not a babysitter and if they expect you to also be, then they need to increase your pay. OR they need to provide you with the authority to dish out infractions, as well as "time outs" (unpaid leave, reduction of hourly wage for X-amount of time, deduction of bonus pay, etc).

If management doesn't grant something, then you have to explain to them that they really don't care as much about the policies as they originally thought, and as such you won't worry about the circumventing in turn. Further explain that it's not because you are lazy or whatever, it's because you are one man, a single solitary person, up against a hive-mind. Not like Sci-Fi or AI, but in the sense that they are the employee-collective and they "talk". They share in distaste of that policy, and share in the knowledge of getting around it. Short of what has also been suggested, an OS so locked down that even China would want to use it, you are simply outgunned. Not that you aren't well capable of defeating what they come up with, you are definitely the smarter person here. It simply is a matter of numbers. You only have 2 hands, can only work for so many hours per day on a mundane task like this, and can only type so fast. In other words, you're only human, and you have limits. End with: you are doing your job, as well as someone else's, and if they can't throw some money at this problem (either a hardware budget or a raise) then it's a battle of attrition for you and they have the high ground.

However, if they can alter the policy that everyone signs, to include that you are within your right to shame them in a public way, as others have said that works... so it'd at least let you blow off steam while you train the monkeys how to behave. Remote execution of a very loud sound clip of something like an air-raid siren with a robotic message saying how "<employee's name> has left me unlocked for <number of minutes> and hasn't returned", on loop... might drill the policy home. Epoxy their mechanical speaker volume to max, so that only software control is available. Epoxy the speaker cable into the motherboard if monitors aren't connected via HDMI. If they mess with either it'd be destruction of company property. I'm sure they'd frown upon that! Or even just the volume dial, and wire the speaker jack to also shut down the computer if unplugged. They'd quickly learn, after losing their unsaved work, not to unplug it to circumvent the shaming lol

Godspeed!
 
Not sure how getting around a screensaver lock with a 15 minute timer constitutes being able to 'actually get shit done'
I won't argue too hard with the 15 minute timer, but have you ever tried to edit a document with a 5 minute screensaver lock timer? Watch a pluralsight video? Ever try working on two machines at once with that timer? Every time you turn from one machine to the other it's locked.
I don't like the idea of running some shady "wiggler" executable, so here's the script that Windows Task Scheduler runs every 4 minutes and 30 seconds after my account logs in:
nosleep.vbs said:
Option Explicit
Dim wshShell

Set wshShell= CreateObject("WScript.Shell")

wshShell.SendKeys "{NUMLOCK}"
WScript.sleep 250
wshShell.SendKeys "{NUMLOCK}"

WScript.Quit

Works like a charm.
 
Enforce it as in on the IT side of things.. as in make sure they are unable to circumvent the policy.

Of course I can only do so much.

Just get management to understand there is always a way around security policies no matter what they are. The policies are meant to be complied with by employees, not as targets to figure ways around. Employees who do not want to comply with company policies are both security risks and liabilities to the company, as they are proving they do not care about the company they work for. Failing audits because an employee wants to do whatever they feel like is not acceptable. The proper solution is termination of these employees. If they are really getting around all these things you are talking about then they aren't even productive employees anyway, because they are spending way too much time doing crap like this instead of working like they should be. Management needs to have them written up, and if behavior does not immediately change and stay within company policies then they need to be terminated. The company wouldn't be losing anyone worthwhile.
 
I think the biggest question to ask first is--why do they not want their screens going to screensaver? There has to be something to this and if you can get to the root of it, I bet you can find a way to implement the policy in a way that also works for the users.

If this is a factory environment where they simply don't want to behave, and if work doesn't need to be persistent, i.e. it's saved on a file server or what not, it's time to take away the PCs and replace them with Windows 98 era thin clients that will RDP to their virtual desktop, which will auto logout after x amount of time. If they want to behave like kids, they can be treated as such. It's why public kiosks are locked down so hard, and if you're dealing with the same type of crowd there are existing solutions to these problems...
 
I think the biggest question to ask first is--why do they not want their screens going to screensaver? There has to be something to this and if you can get to the root of it, I bet you can find a way to implement the policy in a way that also works for the users.

If this is a factory environment where they simply don't want to behave, and if work doesn't need to be persistent, i.e. it's saved on a file server or what not, it's time to take away the PCs and replace them with Windows 98 era thin clients that will RDP to their virtual desktop, which will auto logout after x amount of time. If they want to behave like kids, they can be treated as such. It's why public kiosks are locked down so hard, and if you're dealing with the same type of crowd there are existing solutions to these problems...

The only reason is that they don't want to have to type in their password.

We have floor time clock kiosks and lab machines (that run tests) that never have a screen saver or lock screen come on.

The people that are/were doing this are mostly engineers and other office people.

The something is that they are too freaking lazy or too incompetent in typing that it takes them forever to enter a 6 character password.
 
The only reason is that they don't want to have to type in their password.

We have floor time clock kiosks and lab machines (that run tests) that never have a screen saver or lock screen come on.

The people that are/were doing this are mostly engineers and other office people.

The something is that they are too freaking lazy or too incompetent in typing that it takes them forever to enter a 6 character password.
So why is the screensaver and password upon wake up there in the first place? What's the goal that's trying to be accomplished? Is it to keep from eavesdropping or people messing with others' systems?
 
So why is the screensaver and password upon wake up there in the first place? What's the goal that's trying to be accomplished? Is it to keep from eavesdropping or people messing with others' systems?

1. Most test machines are not on the network and tests can run for months on end. Screen lock or reboot and the tests get wiped.
2. Kiosks - no access to anything on the servers.

3. To keep people from messing with systems... a.k.a.. visiting customers, including international customers as well as anybody else who happens to be visiting at the time. Ya know.. the whole corporate espionage thing. Security is corporate policy.

4. If you have to be asking why there should be security, you shouldn't be anywhere near IT.
 
1. Most test machines are not on the network and tests can run for months on end. Screen lock or reboot and the tests get wiped.
2. Kiosks - no access to anything on the servers.

3. To keep people from messing with systems... a.k.a.. visiting customers, including international customers as well as anybody else who happens to be visiting at the time. Ya know.. the whole corporate espionage thing. Security is corporate policy.

4. If you have to be asking why there should be security, you shouldn't be anywhere near IT.
Thank you for the replies.

1. So the screensavers and screenlock are stopping the tests/test results? That would be quite annoying and hinders productivity would it not?

2. So are you saying your kiosks don't have server access? Or that you don't have kiosks since they can't access servers?

3/4. I get these for sure. Makes sense. What about doing a two step lock? Step one would be power saving the monitor after 15m, which would make people that want to mess with these systems think they're not on, and then after say another 15m the screensaver locks it. (I can't remember if this was easy to do in windows or not.)
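The two-step lock proposed above, as an added example that is not part of the thread: a script that sets the display to power down after 15 minutes and a password-protected screen saver to start 15 minutes after that, then reads the effective settings back so the same function can audit a fleet. The registry values are the ones the "Enable screen saver", "Screen saver timeout", "Password protect the screen saver" and "Force specific screen saver" user GPO settings write; on a domain machine set them through the GPO, since Group Policy will overwrite anything written here. The check also goes one step beyond the thread and reads the "Interactive logon: Machine inactivity limit" value, which locks the session without any screen saver at all. Run as the user being configured or audited.

```powershell
# Added example (not from the thread). Stage 1: display off after 15 minutes.
# Stage 2: secure screen saver after 30 minutes of idle time. Get-ScreenLockState
# reports whether the session would lock inside the limit by either mechanism.

$DisplayOffMinutes = 15
$LockAfterSeconds  = 30 * 60        # screen saver fires 15 min after the display goes dark

$UserPolicyKey    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserPrefKey      = 'HKCU:\Control Panel\Desktop'
$MachinePolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-TwoStageLock {
    # Stage 1: display off on AC and battery. powercfg takes minutes.
    powercfg /change monitor-timeout-ac $DisplayOffMinutes | Out-Null
    powercfg /change monitor-timeout-dc $DisplayOffMinutes | Out-Null

    # Stage 2: secure screen saver. Policy values are REG_SZ; the timeout is in seconds.
    # A screen saver must be named or the timeout never triggers a lock.
    New-Item -Path $UserPolicyKey -Force | Out-Null
    Set-ItemProperty -Path $UserPolicyKey -Name ScreenSaveActive    -Value '1' -Type String
    Set-ItemProperty -Path $UserPolicyKey -Name ScreenSaverIsSecure -Value '1' -Type String
    Set-ItemProperty -Path $UserPolicyKey -Name ScreenSaveTimeOut   -Value "$LockAfterSeconds" -Type String
    Set-ItemProperty -Path $UserPolicyKey -Name 'SCRNSAVE.EXE' `
        -Value "$env:SystemRoot\System32\scrnsave.scr" -Type String
}

function Get-ScreenLockState {
    param([int]$MaxLockSeconds = $LockAfterSeconds)
    # Policy values override the user's own preferences, so read policy first.
    $src = if (Test-Path $UserPolicyKey) { $UserPolicyKey } else { $UserPrefKey }
    $v   = Get-ItemProperty -Path $src -ErrorAction SilentlyContinue

    # Machine inactivity limit in seconds (0 or absent = off); locks with no screen saver.
    $inactivity = (Get-ItemProperty -Path $MachinePolicyKey -Name InactivityTimeoutSecs `
                       -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    $saverTimeout    = [int]$v.ScreenSaveTimeOut
    $saverLocks      = ($v.ScreenSaveActive -eq '1') -and ($v.ScreenSaverIsSecure -eq '1') -and
                       ($saverTimeout -gt 0) -and ($saverTimeout -le $MaxLockSeconds)
    $inactivityLocks = ([int]$inactivity -gt 0) -and ([int]$inactivity -le $MaxLockSeconds)

    [pscustomobject]@{
        Source              = $src
        ScreenSaverActive   = ($v.ScreenSaveActive -eq '1')
        PasswordProtected   = ($v.ScreenSaverIsSecure -eq '1')
        SaverTimeoutSeconds = $saverTimeout
        InactivityLimitSecs = [int]$inactivity
        LocksWithinLimit    = ($saverLocks -or $inactivityLocks)
    }
}

Set-TwoStageLock
Get-ScreenLockState | Format-List
```

Worth being clear about what the first stage buys: a dark display makes an unattended desk look switched off, but nothing is locked until the second stage fires, so with 15 + 15 the unattended window is 30 minutes against the 15-minute corporate limit mentioned earlier in the thread. The inactivity limit is the setting to use if the goal is a lock at 15 minutes that does not depend on the screen saver at all.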
 
is this really a thing?

What type of work is this that requires users to keep a screen active?

In the environments I have been in (I'm a consultant) it's very common for users to go "afk" for many legitimate reasons.
 
is this really a thing?

What type of work is this that requires users to keep a screen active?

In the environments I have been in (I'm a consultant) it's very common for users to go "afk" for many legitimate reasons.

Nuclear power plant related.

Yeah, they can go "afk" The screen auto-locks after 15 minutes. Not like they look away and the screen locks after 30 seconds.
 
Lovely--nuclear plant employees who don't want to follow rules. Remind me not to be surprised if there's a meltdown at that location. :eek:
 
I'll tell you this from a user perspective (But also one that has worked in IT). Screensavers and application time outs SUCK. They are a major annoyance and impede on productivity, and serve little to no purpose. While I'm sitting at my PC I don't want crap constantly timing out on me, there is zero use to that from a security stand point. The proper thing to do is to ensure that users lock their PC when they step away.

Instead of forcing time outs on people, ensure that when they step away, they lock their PC. When an app times out, or screensaver comes on, users just shake the mouse or log back in. So for about 1 second or maybe 1 minute the app will be locked, otherwise it will be unlocked. That 1 minute of the app being locked is not going to mean much.

If someone happens to come in the building and puts a gun to my head to login to something, it does not matter if it locks or not, chances are I'll just comply and log in to it anyway.

For a while they were forcing a screensaver GPO on us, so I wrote a program that toggles the scroll lock key and gave it to everyone. If that had not worked we would have come up with a hardware solution such as a spinning mirror to put under the mouse. In a way the hardware solution is probably better as it does not involve potentially breaching any kind of rules about unauthorized software. Thankfully our manager pushed IT to ensure they remove the GPO from our PCs. Though we still have to fight with a lot of apps that time out, which is just as bad, if not worse, than screensavers. I'd say a good percentage of my job is spent reviving apps that have timed out. These time outs serve no purpose from a security standpoint and are simply an annoyance.
 
Longer than 60 days? Sixty days is already kind of on the high side IMO. That is corporate policy and I have no way to change it even if I wanted to.

Even if they had permanent passwords the same people would still try to make their screens not auto-lock and the auto-lock delay is 15 minutes. Not like it locks when they look away from the screen for 1-2 minutes.

60 days is an insanely short period. The Android app for my bank!!! sets a 1.5 year password update period for a reasonable 8 character password. 60-90 days is already on the very short end of password update periods, and all it encourages is having passwords like Password1, Password2,.... Password35,.... Pasword96. Congrats on having a 60 day password update policy.
 
We had this policy where I used to work; Changed every 30 days, no reuse, 14 characters and include everything, Upper, lower, punct.

I wrote my passwords down in hexadecimal ASCII and taped them to the monitor.

No one else could read hex. Other people used German, or angloed Chinese.

I always locked my shit, because I was the guy that would send a porno to the CEO with someone else's computer, and CC all the staff. :)

Whatever works. :D
 