Circumvent screen lock with book or paper clip?

Reply

  #1  
Old 11-16-06, 08:49 AM
John Whorfin's Avatar
Member
Thread Starter
Join Date: May 2005
Location: CT
Posts: 170
Received 0 Votes on 0 Posts
Circumvent screen lock with book or paper clip?

I have been searching all over the internet but have not found any real solution to stop this.

It seems that my users are not intelligent enough to remember their password to logon to their PCs. But they are creative to prevent the screen locking after 20 minutes of idle time by putting a book or paper clip on the Ctrl key.

This makes the PC continue to be "active" and will not invoke the screen saver or monitor power save which forces a screen lock. So these users screens never lock up.

So far the only thing I have been able to come up with is to use the registry to stop key repeating. This seems to work somewhat but now I am getting complains that people cannot use the cursor keys or other functions that normally requires key repeat to work.

Anyone heard of this problem before or any suggestions to fix?

Thanks
 
Sponsored Links
  #2  
Old 11-16-06, 09:09 AM
R
Member
Join Date: Sep 2003
Location: Central New York State
Posts: 13,973
Received 0 Votes on 0 Posts
This is not a computer issue, this is a management issue.

Sounds like you need a better policy to make the users do what they are supposed to do.
 
  #3  
Old 11-16-06, 09:25 AM
John Whorfin's Avatar
Member
Thread Starter
Join Date: May 2005
Location: CT
Posts: 170
Received 0 Votes on 0 Posts
Originally Posted by racraft
This is not a computer issue, this is a management issue.

Sounds like you need a better policy to make the users do what they are supposed to do.

While I will not disagree with that, reality is a different story. Policies are just weak company laws, if people obeyed laws the world we be a much better place.

Saying you should not do that anymore is really not a viable solution to a security problem.

Lets just leave the HR aspect aside for now.


Are there any ways that you know of to stop this from happening? This cannot be the first time that this has been thought of. I have been searching but not found anything on the subject.
 
  #4  
Old 11-16-06, 11:25 AM
M
Member
Join Date: Dec 2003
Location: USA
Posts: 994
Received 0 Votes on 0 Posts
I've never tried this, but can't keys on the keyboard be reprogrammed or disabled?
 
  #5  
Old 11-16-06, 12:07 PM
John Whorfin's Avatar
Member
Thread Starter
Join Date: May 2005
Location: CT
Posts: 170
Received 0 Votes on 0 Posts
Yes but

Originally Posted by md2lgyk
I've never tried this, but can't keys on the keyboard be reprogrammed or disabled?
Yes, but without the Ctrl-Alt-Del you cannot logon to the PC. Revamping the entire logon process would probably be more trouble.

thanks for the help, though.
 
  #6  
Old 11-16-06, 04:03 PM
tae's Avatar
tae
tae is offline
Member
Join Date: Nov 2002
Posts: 2,469
Received 0 Votes on 0 Posts
If security is a big enough issue to cause you to edit the registry, then it should certainly be important enough to punish those who do not follow it.

Even if you can keep them from circumventing now, sooner or later someone will figure a workaround. Until then you will apparently get a constant barrage of calls asking for their password.

Simply allow the users to pick their own passwords, that way they should not forget it, and then implement a policy with punishment for those who do not follow the security guidelines.

Anyone running an i t department should be able to come up with a solution to this. Some are cheap, some are expensive. It just depends on how high security is on the list.

If there is no enforced policy, then it is obviously low on the priority list, so who cares?
 
  #7  
Old 11-16-06, 05:51 PM
HotxxxxxxxOKC's Avatar
Banned. Rule And/Or Policy Violation
Join Date: Jul 2006
Location: USA
Posts: 8,044
Received 0 Votes on 0 Posts
We in the Air Force use CAC (Common Access Card) with our computers. It's faster unlocking and logging in then using the typical username/password function. We just insert the CAC in the reader, and enter a PIN #, and you are good to go. Not sure of the technical capabilities of your IM/IT office are, but it's something to consider. We use ActiveGold readers.
 
  #8  
Old 11-17-06, 04:44 AM
John Whorfin's Avatar
Member
Thread Starter
Join Date: May 2005
Location: CT
Posts: 170
Received 0 Votes on 0 Posts
Tae,

The situation here is a little odd, some people are just slapped on the wrist for violating some policies. I am working on this problem with my manager and hopefully can stop these users from circumventing the security. There are a few people that would have been fired at other companies. I have been in IT for years and I am very surprised at how often people get away with stuff. Either the IT manager does not want to get the person fired and does not tell HR. Or the person somehow talks their way around it. I don't get it.

Before I got here things were very very lax, they had one assigned password for all their systems. Nobody ever locked their screens, some people never logged off their PCs.

The admin before me did not use group policy. I have made a huge number of changes, pretty much to the dismay of all users. All the standard stuff, password enforcement, change every x days, force screen lockup, lock people out of unnecessary parts of the OS. Nothing crazy just the normal stuff. Hell they had about half the accounts setup as power users, too lazy or could not figure out how to get apps to run correctly.

Needless to say all the users went from a very lax system to a much tighter one, nothing crazy but to them, a huge change. Since they were used to nothing for years. I get a lot of flak when I implement a new "normal" security issue. So people have been doing what they can to work around it. Apparently not using computer for 20 mins and it locking up is too unbearable for many users.

When I say editing the registry it is just a simple custom group policy setting.


Sorry you got me going, writing a novel here.

Basically I am trying to fix both sides, the human HR aspect and then trying to prevent the actual problem. Still the matter exists and is real, it must happen at other companies. Even if we stop the offending users, it is still a security hole for every company that tries to enforce screen lockup after inactivity. I doubt Microsoft would release a statement saying the solution is to stop those employees from putting something on their keyboard.

Funny thing is, I have been in IT for many years and never heard of people putting something on their keyboard to stop the screen from locking up.

Anyway, I appreciate everyones help so far, I hope I don't come across as being mean or anything. Text is always a tough way to communicate. I have been sticking to the IT solution side, since that is my responsibility.


HotinOKC - Thanks for the info, out of curousity. If someone there leaves their card in their PC and puts a book on the CTRL key, what happens? Does the PC lockup?
 
  #9  
Old 11-17-06, 05:26 AM
J
Member
Join Date: Sep 2002
Location: welland ontario
Posts: 7,528
Received 238 Votes on 209 Posts
I wonder if there could be a piece of software out that forces a user to click OK every 20 minutes even if they are using the machine. Or only detects mouse movement and not key strokes.
 
  #10  
Old 11-17-06, 07:19 AM
M
Member
Join Date: Dec 2003
Location: USA
Posts: 994
Received 0 Votes on 0 Posts
Originally Posted by John Whorfin
Yes, but without the Ctrl-Alt-Del you cannot logon to the PC. Revamping the entire logon process would probably be more trouble.

thanks for the help, though.
The requirement to Ctrl-Alt-Del for login can be disabled. I don't use it.
 
  #11  
Old 11-17-06, 09:58 AM
mango man's Avatar
Member
Join Date: May 2004
Location: Sw FL
Posts: 2,122
Received 0 Votes on 0 Posts
Wink

wire the keyboard into a chair weight sensor , keyboard commands only work if there is 100 lbs in the chair

or you could do a body heat sensor
 
  #12  
Old 11-17-06, 04:20 PM
HotxxxxxxxOKC's Avatar
Banned. Rule And/Or Policy Violation
Join Date: Jul 2006
Location: USA
Posts: 8,044
Received 0 Votes on 0 Posts
Regarding CAC-
I'm not sure if propping the ctrl key down while CAC card is in will keep it unlocked. Myself and everyone I work with are disciplined enough not to try and sercumvent the system. Our stations lock out after 5 minutes regardless if the card is in there or not. I also made it so when I pull my card out, it automatically locks. It sounds like you got some pretty lazy people working with you. If people I worked with got caught doing this, they would lose access to all computers.
 
  #13  
Old 11-17-06, 07:33 PM
tae's Avatar
tae
tae is offline
Member
Join Date: Nov 2002
Posts: 2,469
Received 0 Votes on 0 Posts
here is a good program that has several options to force shutdown/lockout. It will work whether the keys are being depressed or not. It has quit a few options once you start looking at it. batch file run on startup works good and can be easily hidden/protected from the user.
http://tinnes.org.uk/shutdown/index.html
Now {your} trick is going to be installing it with or without the users knowledge, and keeping them from changing the settings.
I like using the cpu usage setting. You might have to play with that a little, depending on the usage of individual computers. If you can get it on there without their knowledge, they won't know how to beat it. Start out with the troublemakers, and even get a little creative telling them about how you are watching them and their keyboard!!! Sounds like you have the knowledge to do this.
 
  #14  
Old 11-20-06, 04:48 AM
John Whorfin's Avatar
Member
Thread Starter
Join Date: May 2005
Location: CT
Posts: 170
Received 0 Votes on 0 Posts
Thanks everyone for the feedback

To md2lgyk:
Thanks, I was vaguely aware of removing the Ctrl-Alt-Del. It is an option and I will keep it in mind. All change here is meet with resistance and not really sure how much flak I would get with this, even though it would make one less step for them. Will keep it in mind, thanks.

To mango man:
hehe I like your thinking

To HotinOKC:
Yes I am sure everyone there is very disciplened, something we are really lacking here. Do you know if you are using any 3rd party software for the screen lockups after 5 minutes? If you are running Microsoft and Active Directory I would love to know if your setup overrides holding the Ctrl key down. I was surprised how well it works to override those security settings.


To Tae:
Thanks for the link, I am looking at this site now, looks like it has some good potential.

Thanks all for your help.
 
  #15  
Old 11-20-06, 11:11 AM
J
Member
Join Date: May 2006
Location: Sparta, NJ
Posts: 169
Received 0 Votes on 0 Posts
Originally Posted by HotinOKC
We in the Air Force use CAC (Common Access Card) with our computers. It's faster unlocking and logging in then using the typical username/password function. We just insert the CAC in the reader, and enter a PIN #, and you are good to go. Not sure of the technical capabilities of your IM/IT office are, but it's something to consider. We use ActiveGold readers.
Same setup here in the Army.
 
Reply
Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Thread Tools
Search this Thread
 
Ask a Question
Question Title:
Description:
Your question will be posted in: