For years, analysts have been reporting on the risks of unattended employee workstations. For example, a user who sits down at a co-worker’s PC could access sensitive data, send email from the PC owner’s account or even introduce malware into the network. To make matters worse, such misuse of an unattended workstation is difficult to detect and prove.
Don’t Rely on Employee Policies Alone
The first step in protecting your organization from these risks is to establish clear policies and educate users about them. In particular, make sure users understand:
- Whenever they leave a workstation unattended, even if only for a few minutes, they must either log off or lock the workstation with a password.
- Whenever they finish a particular job, they must terminate or lock the session.
- They must log off all systems and networks when they finish a session. In educational settings such as classrooms, teachers should remind students to log off.
- Users will be held accountable for any actions originating from their workstations or usernames.
In addition, if a workstation’s primary function is to process data while unattended, the organization should consider moving it to a physically secure area.
For More Effective Security, Supplement Policies with Technology
However, it’s unrealistic to rely on these policies to deliver the comprehensive security you need. Users forget to lock their PCs, or don’t realize how important it is to do so even for a short break, and they dislike having to log back in when they return.
Therefore, it’s critical to supplement your employee policies with technology that automates many of the tasks involved. In particular, you should:
- Equip every workstation with an automatic, password-protected screen saver set to run after a certain period of inactivity. Different types of devices might merit different timeout settings; for example, you might want mobile devices to have very short timeouts since they are easier for others to get their hands on than a PC that stays inside an office. (As a bonus, putting PCs that aren’t being used to sleep also reduces energy costs.) You can use Group Policy to control sleep settings (Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings).
- Be aware that there are applications specifically designed to prevent computers from going to sleep. You should prevent employees from installing these utilities.
- Configure applications and network sessions — especially those that access sensitive data — to time out after a reasonable period of inactivity and require users to re-enter their credentials to regain access.
- Consider proximity technology that can automatically log a user out or lock the workstation if the user moves away. These solutions ensure that the workstation is locked immediately when the user leaves, instead of only after the timeout period has passed, and also help avoid unnecessary timeouts, such as when a user is on the phone and not actively using the workstation.
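The lock-on-inactivity control described above can be verified rather than assumed. The following PowerShell audit script is an added example, not part of the original post or of any product it mentions; it reads the standard Windows registry locations behind the screen-saver and machine-inactivity-limit policies, and the 900-second threshold is an assumed organizational limit, not a value from the post.

```powershell
# Added example: audit whether this workstation locks itself after a bounded idle period.
# Assumes standard Windows registry paths; $MaxIdleSeconds is an assumed policy threshold.
param([int]$MaxIdleSeconds = 900)

function Get-ScreenLockSetting {
    param([string]$Name)
    # A Group Policy value (Policies hive) overrides the user's own preference, so check it first.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [string]$v.$Name }
    }
    return $null
}

function Test-ScreenLockPolicy {
    param([int]$MaxIdleSeconds)
    $findings = @()

    if ((Get-ScreenLockSetting 'ScreenSaveActive') -ne '1') {
        $findings += 'Screen saver is not enabled'
    }
    if ((Get-ScreenLockSetting 'ScreenSaverIsSecure') -ne '1') {
        $findings += 'Screen saver does not require a password on resume'
    }
    $timeout = Get-ScreenLockSetting 'ScreenSaveTimeOut'
    if (-not $timeout) {
        $findings += 'No screen saver timeout is set'
    } elseif ([int]$timeout -gt $MaxIdleSeconds) {
        $findings += "Screen saver timeout of $timeout s exceeds the $MaxIdleSeconds s limit"
    }

    # "Interactive logon: Machine inactivity limit" locks the session even if a user
    # tampers with screen saver preferences; report when it is absent or disabled (0).
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue
    if ($null -eq $sys -or [int]$sys.InactivityTimeoutSecs -eq 0) {
        $findings += 'Machine inactivity limit is not configured (no machine-level fallback)'
    } elseif ([int]$sys.InactivityTimeoutSecs -gt $MaxIdleSeconds) {
        $findings += "Machine inactivity limit of $($sys.InactivityTimeoutSecs) s exceeds the $MaxIdleSeconds s limit"
    }

    if ($findings.Count -eq 0) { return @('OK: workstation locks within the required idle period') }
    return $findings
}

Test-ScreenLockPolicy -MaxIdleSeconds $MaxIdleSeconds | ForEach-Object { Write-Output $_ }
```

Run it in the context of the logged-on user; the HKCU values are per user, so a clean result for an administrator's session says nothing about another account on the same machine.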
To learn more about securing your organization’s workstations, register for an on-demand webcast, “12 Security Controls for Workstations,” hosted by Windows security guru and Microsoft MVP Randy Franklin Smith.