Password Protected Screensaver

To: Engineering Faculty, Staff, and Students
From: Dave Carmichael, IT Director - College of Engineering
Date: Wednesday, December 5, 2007
Subject: Password Protected Computer Screen Savers as a Security Measure

All computers at Purdue should be configured such that a password protected screen saver runs after 15 minutes or less of idle time.

A password protected screen saver has been set on ECN maintained Solaris and Linux computers before June 20, 2007.

ECN will begin enforcing this on supported PCs running WindowsXP on Wednesday, December 19, 2007.

People that administer their own computers (including laptops) are expected to comply with these guidelines.   Some useful sites are listed below:

• Windows XP - Protecto your files by using a screen saver password
• MacOS X - How do I lock my Mac OS X workstation?
• Linux/Unix - see the man() page for xscreensaver. 

If you would like more information about these guidelines and policies, please read on

In response to questions and comments relating to the automatic password protected screen saver policy, the Purdue Internal Audit Office states: " ... as a governmental unit subject to the requirements established by the Indiana State Board of Accounts (SBOA), Purdue University must adhere to the SBOA's recommendations for logical security requirements. These requirements specify that, for inactive terminals, the user must be automatically prevented from accessing the computer after 15 minutes of no activity until the user's password is entered.

Since the computer resources at Purdue have significant value and our students and the citizens of Indiana expect us to be good stewards of these resources, we strive to take all reasonable precautions to protect them. The University's security guidelines call for you to lock the workstation whenever it will be left unattended. Consider the 15 minute screen saver and password requirement to be a safety-net to help prevent inappropriate access. It is hard to make a case that the additional time to type a few keystrokes is an unreasonable burden."

We recognize that the auto-lock feature introduces a certain level of inconvenience as we interact with computing resources on a daily basis. However, Purdue has a very clear policy in this regard.  Under the Log-in Process section of the Information Security Standards on the SecurePurdue website it states: "It is expected that any user of one of these devices will activate a lock facility prior to leaving the machine unattended."

Further, a best practice policy has been established by Purdue's IT Security & Policy group here on campus that recommends that the system be forced to lock after a given time of inactivity and states: "default is 15 minutes, but it is advisable to set it less than 15 minutes".

It is prudent that we therefore continue the implementation of the 15-minute automatic password-protected screen saver mechanism if we are to be in compliance with Purdue security standards recommendations, and best practices.