CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' (Scored)
Profile Applicability:
Level 1 (L1) - Corporate/Enterprise Environment (general use)
Description:
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
The recommended state for this setting is: 900 or fewer second(s), but not 0.
Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit.
Rationale:
If a user forgets to lock their computer when they walk away, it's possible that a passerby will hijack it.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: InactivityTimeoutSecs
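The registry check above can be scripted. The following PowerShell is an added example, not part of the CIS benchmark; the function name Test-MachineInactivityLimit and its output fields are hypothetical, and it assumes the value is stored as a REG_DWORD. It reports a missing value and a value of 0 as non-compliant, alongside values above 900.

```powershell
# Added audit example (not CIS-provided). Function name and output shape are hypothetical.
function Test-MachineInactivityLimit {
    [CmdletBinding()]
    param(
        # Upper bound from the recommendation: 900 or fewer seconds, but not 0.
        [int]$MaxSeconds = 900
    )

    $path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name   = 'InactivityTimeoutSecs'
    $value  = $null
    $reason = $null

    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        $reason = 'Policy key not found'
    }
    elseif ($null -eq $key.GetValue($name, $null)) {
        # Value absent: the policy is not configured on this machine.
        $reason = "$name is not configured"
    }
    elseif ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # Assumption of this example: the policy value is a REG_DWORD.
        $reason = "$name is not a REG_DWORD"
    }
    else {
        # .NET returns a DWORD as Int32, so very large values read back as negative.
        $value = [int64]$key.GetValue($name)
        if ($value -eq 0) {
            $reason = 'Value 0 disables the machine inactivity limit'
        }
        elseif ($value -lt 0 -or $value -gt $MaxSeconds) {
            $reason = "Value exceeds $MaxSeconds seconds"
        }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Value     = $value
        Compliant = ($null -eq $reason)
        Reason    = $reason
    }
}

Test-MachineInactivityLimit
```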
Remediation:
To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit
Impact:
The screen saver will automatically activate when the computer has been unattended for the amount of time specified. The impact should be minimal since the screen saver is enabled by default.