19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'

Information

This setting specifies how much user idle time must elapse before the screen saver is launched.

The recommended state for this setting is: Enabled: 900 seconds or fewer, but not 0

Note: This setting has no effect under the following circumstances:

- The wait time is set to zero.
- The 'Enable Screen Saver' setting is disabled.
- A valid screen existing saver is not selected manually or via the 'Screen saver executable name' setting

If a user forgets to lock their computer when they walk away, it is possible that a passerby will hijack it. Configuring a timed screen saver with password lock will help to protect against these hijacks.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: 900 or fewer, but not 0 :

User Configuration\Policies\Administrative Templates\Control Panel\Personalization\Screen saver timeout

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Impact:

The screen saver will automatically activate when the computer has been left unattended for the amount of time specified, and the users will not be able to change the timeout value.

See Also

https://workbench.cisecurity.org/benchmarks/14291