One thing that comes up every so often when we're talking with people about our Desktop Single Signon for PeopleSoft product is the issue of having unsecured workstations. If someone walks up to my workstation while I'm at lunch and can just launch a browser to access PeopleSoft as me, then isn't that a security problem?

Of course it is. The same as people writing down passwords on post-it notes or increasing your PeopleSoft session timeouts to some large value.

The good news is that there is an easy way of dealing with this without compromising usability. This article from Microsoft steps through how to use a Windows Group Policy Object (GPO) in order to enforce users having password protected screensavers. The article (which is part of a larger series) implements this for just the domain Administrators, but it can easily be applied to everyone in the domain if you want.

Once the GPO has been implemented for the domain, it takes effect at the time of the next login by each user. Also, this only works for users with Windows 2000 and above. If you have people still running Windows 98 or something, then this doesn't apply to them. You have bigger security problems if you're still running Windows 98 in your organization though.

Note that although this discussion has been in the context of implementing our Desktop Single Signon product, it's good advice for any organization. Having password protected screensavers kick in after a short period of inactivity will help protect more than just your PeopleSoft applications.

(update : see this post for a discussion of implementing forced logoffs for kiosk type environments where locking the screen isn't the right thing to do)

Labels: Microsoft, Security