• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 428
  • Last Modified:

Users preventing screensavers from coming on.

We have a GPO in place to start a screensaver and lock the screen after so many minutes of inactivity. Unfortunately, some users have figured out that if they put a weight on the keyboard or mouse button while they're away it will prevent the screensaver from kicking on. Obviously I need to come up with a way to stop this from happening. I'm guessing a can use a GPO to set the FilterKeys option to prevent repeated keystrokes or use a script in the event that a setting in Group Policy doesn't exist for this. However, I don't know if there's anything I can do about the mouse? These people will click the left mouse button and tape it down to hold the button down which prevents the screensaver from starting. Any suggestions?
0
mcpp661
Asked:
mcpp661
  • 7
  • 4
  • 3
  • +4
1 Solution
 
LHT_STCommented:
i would be more inclined to use other methods for this.  Have a word with higher up management to see if this can be written into your computer use policy. eg anyone found to be circumventing security features (such as leaving weights on keyboards) will face disciplinary action.  It is a bit beyond reason to expect you to get round things like that. This is just my opinion though.
0
 
mcpp661Author Commented:
I agree with you. It's the most ridiculous thing I've ever seen. But I've found that the workplace is just like grade school except with money. However, I'm still going to be forced to come up with a way to prevent that nonsense. With the keyboard that's something I think can be done, but it's the mouse clicks that have me stumped at this point.
0
 
liddlerCommented:
Unfortunately the best recourse for misbehaving users is robust polices, training and a disciplinary procedure.

It is very difficult to use technology to defeat really determined users, who believe they do not have to abide by policies.

If you don't have a robust data protection policy, that explains why a user should not: leave systems unlocked / share passwords etc, create and circulate one.  Ensure that users understand the problems and that HR and / or line management will support and enforce the policy.

Although I would not recommend it, I have known systems admin's either RDP or go to a PC that is  unlocked, and sent an embarrassing email from there to the persons manager and / or change the language settings, change the mouse orientation to left handed, move icons...  While this would not be allowed in most companies, it was done with the full support of IT management in a company I once worked for and was very effective, if users understand that by leaving a system unlocked, someone may, for instance, buy something on ebay, post to a social media site, sent a sackable email - they may choose to lock their screen.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
rindiCommented:
I think you should rather first have the users sign an agreement to not try any such bypasses of company policy. If you then catch them you have leverage against them.
0
 
mcpp661Author Commented:
I appreciate the responses and you're all correct, but unfortunately none of that's going to help me now. I already spoke with my manager and she's going to speak with her higher-ups, but she asked me to see if there's something that can be done in the meantime to prevent these users from doing what they're doing. Can I effectivity use FilterKeys to stop users from putting a weight on a key to prevent them from getting around the screensaver? Can I do this via group policy? If I have to write a script, what registry key needs modified? Do I have any options as far as the mouse goes? Is there anything I can configure so that they won't be able to get around the screensaver by putting a weight on the mouse button?
0
 
Pr1zCommented:
You could always remove any mouse you found with tape marks "for cleaning" ... a few hours using only key strokes may focus the mind.  Leave a note saying that the mouse button must be broken as it was stuck down ;-)

You can use .NET to hook into the mouse down event ==> http://msdn.microsoft.com/en-us/library/system.windows.forms.control.mousedown.aspx haven't come across a 3rd party app to track this.

Hope this helps - good luck!!

Priz
0
 
mcpp661Author Commented:
It's looking more and more like there's nothing I'm going to be able to do to prevent users from taping the left mouse button down to prevent the screensaver from kicking on.
0
 
Aaron TomoskyTechnology ConsultantCommented:
There has to be something wrong with the screensaver policy for users to go to these lengths to avoid it. Are their passwords really long and the timeout really short? Adding policy to enforce other policy just seems like a downward spiral to me
0
 
mcpp661Author Commented:
The screensavers are set to go off after 7 minutes of inactivity. The password policy isn't excessive, at least I don't think so. Passwords are at least 8 characters and complexity requirements are enabled. I wouldn't mind extending the screensaver timeout by a few more minutes, but I don't see anything out of line regarding my password policy.
0
 
Aaron TomoskyTechnology ConsultantCommented:
Maybe ask the users?
0
 
mcpp661Author Commented:
Ask the users what? If the password policy is too strict? Of course they'll say yes.
0
 
liddlerCommented:
Ask a different question, ask them how long they think other people should be able to read their documents and / or impersonate them
0
 
Aaron TomoskyTechnology ConsultantCommented:
I'd think it would take more time to untape my mouse than type in my password.
0
 
mcpp661Author Commented:
Unfortunately my user community doesn't think that way. They just don't see it as a big deal, they don't see the potential threat in leaving a computer screen out in the open for all to view.
0
 
Lee_YCPCommented:
I assume the intent is safeguarding data to prevent someone else coming to someone's computer and perusing it as them.  7 minutes is pretty short for initiating the screensaver, that could be somone taking a phone call or speaking to someone that enters their office and turning back to their computer to have to login again, but it depends on the risk level of the information on the systems, I guess.  I believe 15 minutes is too short (for me), but that is what I am required to enforce.  If you have to keep users from violating policies by locking them down with some other policy, then you don't really have management's support for the intial policies in the first place.   Policies (like locks) just keep honest people honest anyway.  And (ludicrous) policies to enforce other policies are just more levels to be breached.  After all, there are ways around everything (Law 3 of Microsoft's 10 Immutable Laws of Security).

Some Options:
Option 1:  You might keep "working on it", but put that "priority" on a back burner because its kind of counter-productive to have policies to enforce polices.

Option 2:  As the admin, write the policy/SOP.  Tell your manager that he/she wanted a solution and here it is, in written form, please sign it and distribute.  

Option 3:  Setup an sub-OU in your users general OU with a screensaver timeout of 1 minute.  Let users know that your intent is to place them into that OU for one week if they are found to not follow the rules, because information security is a high priority within your company.  I don't care how much tape and how many paperweights they have they will get tired of having to login or put on tape or find their paperweight.  When they complain to your boss, have your boss make a choice.  Does he/she expect you to enforce the original policy or is he/she going to?  Or, is it really not that big of a deal to them.

Option 4:  I also really liked the mouse cleaning suggestion from "PR1Z".

Option 5:  Maybe suggest some screen filter sheets for users to offset allowing a longer period of time for the screensaver??

Option 5:  Any combination of the above.

0
 
Lee_YCPCommented:
I thought about your dilemma some more as I pondered bosses and reality.  Conversely to my previous suggestion, you could have a TSR that runs continuously and checks for the mouse down event every thirty seconds and saves the results to a log.  Better yet, you could use the AT command to have this script run.  If you find it down 6 or 7 times consecutively, then you know someone has taped their mouse or paper-weighted it and you could have the script send a command to lock the desktop or start the screen-saver.
0
 
mcpp661Author Commented:
TSR? What's that?
0
 
liddlerCommented:
I think the first comment by LHT_ST cover it
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 7
  • 4
  • 3
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now