CIS Microsoft Windows Server 2019 STIG MS STIG V1.0.1

Ensure ‘Interactive logon: Machine inactivity limit’ is set to ‘900 or fewer second(s), but not 0’

Details

Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

The recommended state for this setting is: 900 or fewer second(s), but not 0.

Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit.

Rationale:

If a user forgets to lock their computer when they walk away, it’s possible that a passerby will hijack it.

Impact:

The screen saver will automatically activate when the computer has been unattended for the amount of time specified. The impact should be minimal since the screen saver is enabled by default.

Solution

To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit

Default Value:

0 seconds. (There is no inactivity limit).
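
To audit the value on a host, the check below reads the setting from the registry and applies the benchmark's rule (1 to 900 seconds; 0 or not configured fails). It is an added example, not part of the benchmark text. The registry location is not given on this page and is assumed to be where this policy is stored, and the function names are hypothetical.

```powershell
# Added example, not benchmark text. Assumption: the policy is stored as the
# REG_DWORD 'InactivityTimeoutSecs' under the Policies\System key below.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'InactivityTimeoutSecs'

function Test-InactivityLimit {
    # Pure evaluation of the rule "900 or fewer second(s), but not 0".
    param(
        [AllowNull()][object]$Value,   # $null means the value is not configured
        [int]$MaxSeconds = 900
    )
    if ($null -eq $Value) {
        $ok = $false; $reason = 'Not configured; default is 0 (no inactivity limit)'
    } elseif ([int64]$Value -eq 0) {
        $ok = $false; $reason = '0 disables the machine inactivity limit'
    } elseif ([int64]$Value -lt 0 -or [int64]$Value -gt $MaxSeconds) {
        $ok = $false; $reason = "Outside the allowed range 1..$MaxSeconds seconds"
    } else {
        $ok = $true;  $reason = "Within 1..$MaxSeconds seconds"
    }
    [pscustomobject]@{ Value = $Value; Compliant = $ok; Reason = $reason }
}

function Get-InactivityLimitAudit {
    # Read the live value; a missing key or value yields $null (not configured).
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$PolicyName } else { $null }
    Test-InactivityLimit -Value $current
}

# Constructed sample values covering each branch of the rule.
foreach ($sample in @($null, 0, 600, 900, 901)) {
    Test-InactivityLimit -Value $sample
}

# Audit this host (run on the Windows server being assessed).
Get-InactivityLimitAudit
```

Of the constructed samples, only 600 and 900 report `Compliant = True`.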

Additional Information:

Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020

Vul ID: V-205633
Rule ID: SV-205633r569188_rule
STIG ID: WN19-SO-000120
Severity: CAT II

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following categories of controls within NIST 800-53: Access Control, Configuration Management, Identification and Authentication. This control applies to the following type of system: Windows.

Updated on July 16, 2022