CEH


396 Chapter 17 ■ Physical Security


Something increasingly observed in the real world is the replacing or
supplementing of traditional passwords with additional security measures,
including tokens and smart cards. The idea is that the addition of these
devices to existing password systems will markedly improve the security of
systems and environments overall. The problem is that such an approach
carries a large cost up front in terms of upgrades to infrastructure and
equipment. However, do expect these devices and systems to become more
commonplace.

Screensavers and Locked Screens
In the past, one of the common ways to gain access to a system was to simply look around
for an unattended system. In many cases, the system would be left logged in and unlocked
by a user who was only going to step away “for a moment” without realizing that a
moment was enough for an attacker to cause mischief or worse.

To thwart intruders from attempting to use an unattended system, you can use a
password-protected screensaver or a locked console. The older of these two mechanisms
is the password-protected screensaver. Its popularity comes from the fact that it is easy to
implement and will stop many a casual intruder. The concept is simple: when a user leaves
a system idle for too long, the screensaver starts and, once it does, only a password can
deactivate it. In most cases, someone walking by who wiggles the mouse or taps the keyboard
will be prompted for a password, which is usually deterrent enough to stop any
further attempts.

Working alongside or instead of screensavers is the newer and more preferred lock
screen. This screen, when available on a given operating system, actively locks the
desktop until a username and password are entered. The benefit of this mechanism is that
it locks the computer far more securely than a simple screensaver, which provides only
minimal protection. In a Windows environment, pressing Ctrl+Alt+Del will lock the screen
manually, while a system administrator can deploy a policy that locks the system
automatically after a defined period of time. It is important, however, to make sure that
users understand that automatic screen locking does not absolve them of their
responsibility to log out properly.

In some environments, smart cards are issued in addition to standard user
names and passwords. The smart card must be inserted into a reader on the
system prior to logging into the desktop.

Another mechanism for protecting or defending a system is the use of warning banners.
When in place, a warning banner provides a high-profile message stating that a user of a
system will be held accountable for their actions as well as consenting to other things such
as monitoring. Additionally, warning banners establish what is and is not acceptable on a