Recipe11.5.Enabling Screensaver Locking

Recipe 11.5. Enabling Screensaver Locking

Problem

You want to enable screensaver locking to prevent an administrator leaving the console of a server unlocked and exposing it to an intruder.

Solution

Using a graphical user interface

The following instructions enable screensaver locking for the currently logged on user:

Right-click the desktop background and select Properties.
Select the Screen Saver tab.
Select Blank for the screensaver, enter the number of minutes to wait before starting the screensaver and check the box beside On resume, password protect.
Click OK.

The following instructions enable screensaver locking using group policy:

Open the Group Policy Management Console (GPMC).
In the left pane, navigate to the target group policy, right-click it, and select edit. This will launch the Group Policy Object Editor.
In the left pane, expand User Configuration Administrative Templates Display.
In the right pane, there are five settings you can modify to control screensaver behavior. These include Hide Screen Saver tab, Activate screen saver, Screen saver executable name, Password protect the screen saver, and Screen Saver timeout.

Using a command-line interface

The following commands enable screensaver locking in the default user profile. Any user who logs in after these commands are run will use these settings. Any user who logged in before these commands are run will retain their original settings.

The following command configures the blank screensaver:

> reg add "\\<ServerName>\HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v  SCRNSAVE.EXE /t R EG_SZ /d scrnsave.scr > reg add "\\<ServerName>\HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v ScreenSaveActive/t REG_SZ /d 1

The following command sets the screensaver timeout to 10 minutes (600 seconds):

> reg add "\\<ServerName>\HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600

The following command enables screensaver locking:

> reg add "\\<ServerName>\HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1

Using VBScript

' This code enables screensaver locking for all users that log on ' a system even if they've configured other screensaver settings previously. ' ------ SCRIPT CONFIGURATION ------ strComputer = "." strScreenSaveActive    = "1" strScreenSaverIsSecure = "1" strScreenSaveTimeout   = "300" strScrnSave            = "scrnsave.scr" ' ------ END CONFIGURATION --------- const HKEY_USERS = &H80000003     set objReg=GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv") objReg.EnumKey HKEY_USERS, "", arrSubKeys     for each strSubkey in arrSubKeys    WScript.Echo strSubkey    objReg.EnumValues HKEY_USERS, strSubkey & "\Control Panel\Desktop", _                      arrValues, arrTypes    if IsArray(arrValues) then       WScript.Echo "  setting screen saver values"       objReg.SetStringValue HKEY_USERS, strSubkey & "\Control Panel\Desktop", _                             "ScreenSaveActive", strScreenSaveActive       objReg.SetStringValue HKEY_USERS, strSubkey & "\Control Panel\Desktop", _                             "ScreenSaverIsSecure", strScreenSaverIsSecure       objReg.SetStringValue HKEY_USERS, strSubkey & "\Control Panel\Desktop", _                             "ScreenSaveTimeOut", strScreenSaveTimeOut       objReg.SetStringValue HKEY_USERS, strSubkey & "\Control Panel\Desktop", _                             "SCRNSAVE.EXE", strScrnSave    else       WScript.Echo "  NOT setting screen saver values"    end if    WScript.Echo next

Discussion

If you want to implement a login script or batch file to enable screensaver locking for the currently logged on user of a system, you need to modify the following registry values:

HKEY_CURRENT_USER\Control Panel\Desktop "ScreenSaveActive"="1" "ScreenSaverIsSecure"="1" "ScreenSaveTimeOut"="900" "SCRNSAVE.EXE"="scrnsave.scr"

This configures the scrnsave.scr screensaver to turn on after 15 minutes (900 seconds) of inactivity.