#58335 - 2001-08-17 11:01 PM Howto: Capture and use password
Ashpoint Offline
Starting to like KiXtart

Registered: 1999-08-27
Posts: 192
Loc: Sydney, NSW, Australia
Is it possible....

All our workstations are on WinME.
I currently create a different screen saver depending upon the DAY that the user logs on.

In other words, a Monday logon sees that machine with the 3d Pipes, Tuesday is the Marquee screen saver, etc

I would like to capture the User's login password. Then password protect the screen saver with the password being the user's Login password.

That might give each workstation some added security when the user is away and has not logged out.

#58336 - 2001-08-17 11:28 PM Re: Howto: Capture and use password
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
I wouldn't touch the user's logon password. I can think of legal implications. What I may suggest is to set the screensaver to be password protected with a default password (or no password) and then bring up the change password dialog for the user. I don't have any WinME machines to test this on but something like this may work.
code:

RUN "START Control Passwords"


Once again, I don't have a machine to test on so don't know if 'Passwords' is the applet in Control Panel. On Win2k the applet is called 'Users and Passwords'.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#58337 - 2001-08-18 04:05 AM Re: Howto: Capture and use password
Ashpoint Offline
Starting to like KiXtart

Registered: 1999-08-27
Posts: 192
Loc: Sydney, NSW, Australia
I don't know about legal problems with passwords. Our business has had every user sign that they have accepted certain conditions relating to the use of electronic communications devices. This covers the business and private use of phones, Internet, e-mail etc. It also advised that we are able to monitor the use of the "electronic communications devices" and may do so.

In my particular objective, I'm not intending to record the password nor disclose it. All I want to do is expand the usage to the screen saver.

Frankly some of our users are hard pressed to simply log onto their systems. Getting them to remember a second password would be taxing the neurons for some <g>.

Michael

[ 18 August 2001: Message edited by: Ashpoint ]

#58338 - 2001-08-18 04:44 AM Re: Howto: Capture and use password
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
I know what you mean about the BDUs. I've got hundreds of them. In my network they have 4 or 5 passwords to manage on a 90 day cycle. To further complicate it the rules are not the same. Some can reuse after 24, some after 36, some must contain a number but cannot be the first character and cannot have two consecutive characters the same. Hell if I added one more they'd probably lynch me in the parking lot!

I suppose going to Win2k is not an option? They have LAN password screensavers built in. All you need to move from ME to 2k is a bit more RAM.

Still, the legal stuff bothers me. If you monitor their activity and can reprimand/fire them over it, then the fact their password is not 100% secret could make a case for them in a court of law.

The other thing is that I don't think the screensaver passwords on Win9x/ME machines are all that secure in the way they are stored. I believe there are some third party screensavers out there that will use the LAN password. I had one back in my DOS days (a very long time ago). Now all my high security accounts are on Win2k.

[ 18 August 2001: Message edited by: LLigetfa ]

#58339 - 2001-08-18 05:01 AM Re: Howto: Capture and use password
Ashpoint Offline
Starting to like KiXtart

Registered: 1999-08-27
Posts: 192
Loc: Sydney, NSW, Australia
Hello Les...

Thanks for the prompt response.

Going to Win2K is not an option although the machines are P3/800 with 128MB RAM and 10/20GB disks. Rather it's the money for licenses. Down here Win2k OEM is about $140 additional and the client is a charity with tight budget control. We did a turnkey operation with 50+ new workstations and the additional money was not available. Frankly they underestimated the numbers of users and we are currently scrounging to get the additional workstations.

Users are a collection of salaried staff and volunteers with varied abilities.

They all log in and log out at the start and end of the day but often walk away from their stations leaving the screensaver.

I'm aware that the security with Win9x is not all that good but they MUST log on with a valid password and can't get access to the local workstation by pressing Cancel at the Logon. There are probably only 1 or 2 at the site who "might" understand that the password access on screensavers can be bypassed. They're really not a worry.

Isn't it often said that locks are designed to inconvenience honest folk? The determined professional will get around the lock.


I'll see if I can get a screen saver using the logon password.

Michael.

#58340 - 2001-08-18 11:00 AM Re: Howto: Capture and use password
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
If I may put in my 2 cents...

Ashpoint,

Another good reason not to capture/read/write the user's password is that unless your organization has very good firewall systems and Admins that know how to protect it, it is possible for remote users to sniff out these passwords as they will now be in clear text format.
This will possibly allow someone to much more easily penetrate and damage your system.

I assume that if it is important enough that you want someone to password protect their screen saver, then you have data important enough that you don't want outsiders to take.

I would agree with LLigetfa to try to pop up a dialog box asking them to set a password if possible (I have not tried it either).

Possibly search the Internet for some kind of screen saver that can take advantage of the Network password.

#58341 - 2001-10-14 06:06 AM Re: Howto: Capture and use password
MCA Offline
KiX Supporter
*****

Registered: 2000-04-28
Posts: 5152
Loc: Netherlands, EU
Dear,

Some links to topics on the board
http://kixtart.org/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=1&t=001109 securing screensaver
http://kixtart.org/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=1&t=002687 screen saver password
http://kixtart.org/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=2&t=000880 screen saver by policies
Short reaction about catching users password:

  • In our office everybody was told: don't give your password to anybody.
  • Catching a password in one way or another - in this case without the knowledge of the user - decreases
    the responsibility of the user. In this case it is for a good goal, but another
    person can misuse it.
    Administrators of a server never ask for a password, but they only change it for their
    work when necessary and they change it only with the permission of the user. Normally
    a lot of sensitive information will open up after a successful logon session.
    Some super privileges are only for doing your job and not for spying around. Knowledge of
    not 'known' information can be very bad for your sleep.
  • We know that some internet applications store their secure information in the
    registry, where it can easily be caught and also easily be misused. Most people don't
    know in which way and where sensitive information will be stored on your system.
    All kinds of information which can damage your privacy.
    Mostly we advise to re-enter the password in such programs every time.

In some organizations we are working for we advise two policies about screen savers:

  • All users must have a screen saver which will be activated within an acceptable
    time, e.g. 5 minutes.
  • Special users must have a screen saver with a password, e.g. employees of the human
    resources and accounting departments.

For systems like Windows 9x we can always check the status of screen savers
and change them in the direction we want. The very special users can also
be checked for "screen saver with password" still active.
The result will generate the proper actions.
Greetings.
_________________________
email scripting@wanadoo.nl homepage scripting@wanadoo.nl | Links | Summary of Site Site KiXforms FAQ kixtart.org library collection mirror MCA | FAQ & UDF help file UDF kixtart.org library collection mirror MCA | mirror USA | mirror europe UDF scriptlogic library collection UDFs | mirror MCA

#58342 - 2001-10-14 06:24 AM Re: Howto: Capture and use password
Ashpoint Offline
Starting to like KiXtart

Registered: 1999-08-27
Posts: 192
Loc: Sydney, NSW, Australia
Hello MCA...

Thanks for the response.

Welcome back from your holiday - I missed your comprehensive responses to questions.

Due to the (almost) universal criticism of my original request on the BBS, I shelved the problem. Management sent a memo to all staff suggesting their responsibility for the security of their personal data and to the business data.

Frankly the responses have been disappointing with many workstations not logging out each evening and many users with passwords of PASSWORD or (surname), etc. When I visit the office over the weekend, I see several workstations still active with user Word documents open and Outlook open etc.

I've realised that I'm paid to give my advice but actioning my advice is a prerogative of the management.

Best regards from Down Under...
Michael

#58343 - 2001-10-14 06:41 AM Re: Howto: Capture and use password
MCA Offline
KiX Supporter
*****

Registered: 2000-04-28
Posts: 5152
Loc: Netherlands, EU
Dear Ashpoint,

The same. Nearly everybody is returning from holidays.
The last days we read a lot of interesting stuff on the board. Of course with 750 new topics it isn't possible to read everything in one day.
We are always glad that we can give some ideas.
Greetings.

#58344 - 2001-10-14 09:11 AM Re: Howto: Capture and use password
Jeroen Offline
Starting to like KiXtart

Registered: 2001-08-16
Posts: 180
Loc: Netherlands
Another solution could be to use a third party tool which can be started from the logon script, runs hidden from the user, and which will shut down the PC at a certain time.

Prior to implementation, you could warn all users via mail or something that the new policy for computer usage is that all logged on workstations will be automatically shut down at say, 22:00, and that if they leave files open, the changes will be lost. Kinda rough, but it will work...

This will accomplish a couple of things: Any updates/changes/checks you run via the logon script will now be done every day, so no need to hunt down PCs that never log on but keep all sessions active.
Also, users are more likely to shut down their computer, not wanting to lose data, so security is better kept, and power is saved for the company...
There are at least a couple of tools out there that provide this function, and are freeware...

_________________________
Regards, Jeroen. There are two ways to write error-free programs. Only the third one works.

#58345 - 2001-10-14 05:57 PM Re: Howto: Capture and use password
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Jeroen,
I cannot advocate anything that would do a forced logoff/shutdown at risk of lost data. On my LAN, we run reports of logon/logoff stats and then 'educate' the users. Sometimes, we call the user at their home to come back in to work to save their file and logoff gracefully.

Also, we have 'tattler' software on internet activity, the side effect of which is that wily users will find an unsecured PC to do their porn surfing. They (we) are a malicious bunch, and if they encounter an unsecured email, will use it to disparage management. Of course, the unsecured user will take the heat, for which (s)he has no defense as company policy is very clear on securing the PC.

Once, on a contract job I was on, with the collaboration of management we sent off a letter of resignation from an unsecured PC. When the unsuspecting user returned, he read the reply from management, accepting his resignation with best wishes in his new endeavour. He went with hat in hand to the manager to plead for his job back. This became common knowledge and changed most users' habits.

Ashpoint,
Perhaps after the toothless management receive a few disparaging emails, they may better enforce policy.

#58346 - 2001-10-14 10:15 PM Re: Howto: Capture and use password
Ashpoint Offline
Starting to like KiXtart

Registered: 1999-08-27
Posts: 192
Loc: Sydney, NSW, Australia
Thanks Les for the contribution.

I also don't like forced logoffs. The client uses databases quite intensely and I've always worried about damage to fragile tables if open files are involved.

Frankly I sorta still believe my simple process of capturing the user password and then forcing a password protection of the screen saver (all via KiXtart) would be a useful tool to achieve my aims.

I didn't intend to retain or record the password and once the KiXtart script concluded, there would be no record of the password being retained.

However - a possible problem (as outlined by MCA) to my thinking is that the screen saver passwords may be retained in plain text within the registry or .INI files.

BTW, management has made all employees sign a legal document relating to the use of the provided electronic communication devices accepting certain "rights" by management to observe non-work related e-mails, personal calls, obscene content mail and web pages, etc.

Michael

#58347 - 2001-10-14 11:56 PM Re: Howto: Capture and use password
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Ashpoint,
Password stealing would require an external program. A student working for me wrote one back in High School and stole the teachers' passwords and then broke into their network. After that, I just had to hire him.

NTDOC and MCA are correct when they say the "stolen" password would pass as clear text. Also, on Wintendo, the screen saver password is not that secure, meaning that it could be ripped.

I strongly feel that knowledge of users' passwords nullifies users' legal responsibility and that seems to be MCA's opinion as well.

There are other security concerns with Wintendo as well. FAT32 has no security, meaning anyone that can get access to the drive can rip temp file remnants. Also, if shares exist, they too are easily breached.

Real security cannot be achieved by technology alone. I have demonstrated to my HR manager and others with what ease confidential documents may be compromised simply by ripping temp files. Most people will use the same password on multiple systems, oblivious to the fact that some systems pass them as clear text. I have sniffer traces to prove it. We have demonstrated 'brute force' attacks against our SAM database and managed to crack 80% of the passwords in minutes. They were 'dictionary word' passwords. Security needs to be a mix of technology and education. It is your responsibility to bring this message to management.

All I can say is that if security is that important, then the resources must be sought to take the PCs up to Win2k and the time taken to educate the users.

You are simply trying to make a silk purse from a sow's ear. I'm sorry for the hellfire and brimstone sermon, but this is one topic I feel strongly about.
