Sunday, October 4, 2009

Striking the Right Balance: MS Windows Screensaver Locking
- AutoIt: A Potential Cure for Headaches

Updated 11-16-2010
While there have been plenty of higher-stakes cyber security challenges dominating my team's attention lately, I stumbled on an interesting approach to an issue many organizations wrestle with.

The basic, consistent implementation of automatically locking Microsoft Windows PC screen savers, which require password entry for access after a period of inactivity, poses a number of challenges. At least Microsoft's Active Directory (with Group Policy Objects) makes implementation technically manageable. However, areas that take issue with a required inactivity lockout often have only occasional legitimate business needs that are not suitable for a full exception. For example, personnel may give presentations and not want disruptions; others may burn DVDs, view network traffic in a locked room, or occasionally engage in other unique activities where there is less interactive PC use, making realistic automatic screen locking burdensome.

To help address this issue, we've been looking at several "Egg Timer" type PC utilities that provide temporary relief when merited, so we can pursue a more consistent company-wide implementation of mandatory inactivity screen saver lockouts as a technical policy measure. One particular commercial offering, with expected pricing of $10-$20 per PC plus annual maintenance, has not yet gone to the new release we've been waiting on since 4Q2008.

Alternatively, a very interesting freeware scripting and compilation tool called AutoIt has been available and improving for years. I haven't coded seriously in a long time and wasn't aware of this tool or its capabilities until recently. Surprisingly, the tool and its associated slick editor, along with lots of sample code and a large community of users, rapidly put me at ease. Although I didn't have much time available over the weekend, I plunged ahead anyway and developed a "Beta" solution for review and feedback. The CDS utility developed since with AutoIt seems to do pretty much what we need and compiles into a reasonably small, single executable file that can just be dropped on the menu or the desktop - sweet. The latest version supports the use of Active Directory groups to authorize specific systems, and it logs CDS startup, activation, and exit events (user, timeout) to the local Windows Application event log and to a designated central logging server (if assigned and available).

This excursion is aimed at saving us some hard cash - a good thing in tough times - while also helping make the consistent implementation of screen saver technical controls easier to live with for all involved. Additionally, the sheer ease of using AutoIt underscores how open source-like technology tools are continuing to develop so even the free stuff can be the very good stuff.

Updated 11-16-2010
A SourceForge open source edition of the Corporate Delay Screensaver (CDS) utility - CDS-v100-Open - is now available for download with commented source code, use documentation, and an example AutoIt compiled executable at
