From Windows Server 2008 R2 Member Server Security Technical Implementation Guide
Part of Password Protected Screen Saver
Associated with: CCI-000056 CCI-000057 CCI-000060
The system should be locked when unattended. Unattended systems are susceptible to unauthorized use. The screen saver should be set at a maximum of 15 minutes and password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.
If any of the registry values don’t exist or are not configured as follows, then this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ Value Name: ScreenSaveActive Type: REG_SZ Value: 1 Value Name: ScreenSaverIsSecure Type: REG_SZ Value: 1 Value Name: ScreenSaveTimeOut Type: REG_SZ Value: 900 (or less) Documentable Explanation: Terminal servers and applications requiring continuous, real-time screen display (i.e., network management products) require the following and need to be documented with the IAO. -The logon session does not have administrator rights. -The display station (i.e., keyboard, monitor, etc.) is located in a controlled access area.
Configure the policy values for User Configuration -> Administrative Templates -> Control Panel -> Personalization -> as follows: “Enable Screen Saver” will be set to “Enabled”. “Password protect the screen saver” will be set to “Enabled”. “Screen Saver timeout” will be set to “Enabled: 900 seconds” (or less).
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer