5  

For me, this has become habit. On a Windows machine, pressing Windows-L is a quick way of locking the machine.

对我来说,这已成为习惯。在Windows机器上,按Windows-L是锁定机器的快捷方式。

The solution might be social rather than technical. Convince people that they don't want anyone else reading their email or spoofing their accounts when they step away.

解决方案可能是社交而非技术。说服人们,当他们离开时,他们不希望任何其他人阅读他们的电子邮件或欺骗他们的帐户。

11  

The primary real world risks are your co-workers "goating" you. You can enforce this by setting a group policy to run the screen saver after X minutes, which can lock the computer as well.

主要的现实世界风险是你的同事“哄骗”你。您可以通过设置组策略以在X分钟后运行屏幕保护程序来强制执行此操作,这也可以锁定计算机。

3  

In my org (government), yes. We deal with sensitive data (medical and SSN). It's instinctual for me: Windows+L every time I walk away.

在我的组织(*),是的。我们处理敏感数据(医疗和SSN)。这对我来说是本能的:每当我走开时​​,Windows + L.

The policy is both social and technical. On the social side, we're reminded that personal security is important, and everyone is aware of the data with which we are privy. On the technical side, the workstations use a group policy that turns on the screensaver after 2 minutes, with "On resume, password protect" turned on (and unable to be turned off).

该政策既社会又技术。在社交方面,我们被提醒个人安全很重要,每个人都知道我们所知道的数据。在技​​术方面,工作站使用组策略,在2分钟后打开屏幕保护程序,“打开恢复,密码保护”打开(并且无法关闭)。

2  

No, but I'm an organization of 1 - the last time I worked in a large organization, we were not required, but encouraged to. If I were in an enviroment with other people, I would probably lock my workstation now when I left it. While certainly people with physical access can add hardware keyloggers, locking it does add an additional level of security. Depending on the type of organization you are, I think the risks are more from internal organizational snooping than over-the-wire attacks.

不,但我是1的组织 - 我最后一次在一个大型组织工作,我们不是必需的,但我们鼓励他们。如果我和其他人在环境中,我可能会在离开时锁定我的工作站。当然,具有物理访问权限的人可以添加硬件键盘记录器,但锁定它确实增加了额外的安全级别。根据您所在的组织类型,我认为风险更多来自内部组织窥探而非线上攻击。

2  

I used to work at a very large corp where the workstation required your badge to be inserted inside it to work. You weren't allowed to move in the building (you needed the badge to open the doors anyway) without that badge on you. Taking the badge out of the workstation's smartcard reader logged you out automatically.

我曾经在一个非常大的公司工作,工作站需要将你的徽章插入其中才能工作。你不允许在建筑物内移动(你需要徽章才能打开门)没有你的徽章。从工作站的智能卡读卡器中取出徽章会自动将您注销。

Off topic but even neater, the workstations were more like "networkstations" (note that it is not a necessity to use the system I've just described, though) and the badge held your session. Pop it into another workstation in another building and here's your session just as you left it when you pulled the badge on the other computer.

关闭主题,但更整洁,工作站更像是“网络站”(请注意,它不是必须使用我刚才描述的系统)并且徽章举行了会议。将其弹出到另一个建筑物中的另一个工作站,这就是您在另一台计算机上拉动徽章时离开时的会话。

So they basically solved the issue by physically forcing people to log off their workstation, which I think is the best way to enforce any kind of security-critical policy. People forget, it's human nature.

所以他们基本上通过强制人们注销他们的工作站解决了这个问题,我认为这是实施任何类型的安全关键策略的最佳方式。人们忘了,这是人性。

1  

The only place I have seen where this is truly important is government, defense, and medical facilities. The best way to enforce it is through user policies on Windows and "dot files" on Unix systems where a screensaver and timeout are pre-chosen for you when you log in and you aren't allowed to change them.

我所看到的唯一真正重要的地方是*,国防和医疗设施。实施它的最佳方法是通过Windows上的用户策略和Unix系统上的“点文件”,在您登录时为您预先选择屏幕保护程序和超时,并且您不允许更改它们。

1  

I never lock my workstation.

我从不锁定我的工作站。

When my coworker and friend mocked me and theatened to send embarassing emails from my machine, I mocked him back for thinking that locking does ANYTHING when I have physical access to his machine, and I linked him to this url:

当我的同事和朋友嘲笑我并且发誓要从我的机器发送尴尬的电子邮件时,我嘲笑他,因为当我有物理访问他的机器时,锁定会做任何事情,并且我将他链接到这个网址:

http://www.google.com/search?hl=en&q=USB+keylogger

I don't work with any sensitive data my coworkers wouldn't already have equal access to, but I am doubtful of the effectiveness of workstation locking against a determined snoopish coworker.

我不会处理我的同事不能同等访问的任何敏感数据,但我怀疑工作站锁定对一个坚定的窥探同事的有效性。

edit: the reason I don't lock is because I used to, but it kept creating weird instabilities in windows. I reboot only on demand, so I expect my machine to run for months without becoming unstable and locking was getting in the way.

编辑:我不锁定的原因是因为我曾经,但它一直在Windows中创建奇怪的不稳定。我只是按需重新启动,所以我希望我的机器可以运行几个月而不会变得不稳定并且锁定正在阻碍。

1  

Goating can get you fired, so I don't recommend it. However, if that's not the case where you work, it can be effective, even if it's just a broad email that says, "I will always lock my workstation from now on."

Goating会让你被解雇,所以我不推荐它。但是,如果不是你工作的情况,它就会很有效,即使它只是一封广泛的电子邮件,上面写着“我将永远锁定我的工作站”。

At the very least, machines should lock themselves after X minutes of inactivity, and this should be set via group policy.

至少,机器应该在X分钟不活动后自行锁定,这应该通过组策略设置。

Security is about raising the bar, making a greater amount of effort necessary to accomplish something bad. Not locking your workstation at all lowers that bar.

安全就是要提高标准,做出更多努力来完成不好的事情。根本没有锁定你的工作站。

1  

We combine social and technical methods to encourage IT people to lock their PCs: default screen saver/locking settings plus the threat of goating. (The last place I worked actually locked the screen saver settings.)

我们结合社交和技术方法来鼓励IT人员锁定他们的PC:默认屏幕保护程序/锁定设置加上goating威胁。 (我工作的最后一个地方实际上锁定了屏幕保护程序设置。)

One thing to keep in mind is that if you have applications (particularly if they are SSO) that track activity, changes, or both, the data you collect may be less valuable if you can't be sure the user recorded in the data is the user who actually made those changes.

要记住的一件事是,如果您有跟踪活动,更改或两者的应用程序(特别是如果它们是SSO),如果您无法确定数据中记录的用户是实际进行这些更改的用户。

Even at a company like ours, where there isn't a lot of company-related sensitive information available to most users, there's certainly potential for someone to acquire NBR data from another employee via an unlocked workstation. How many people save passwords to websites on their computer? Amazon? Fantasy football? (A dangerous goating technique: drop a key player from someone else's roster. It's really only funny if the commish is in on it with you, so the player can be restored ...)

即使在像我们这样的公司,大多数用户都没有很多与公司相关的敏感信息,有可能有人通过解锁工作站从另一名员工那里获取NBR数据。有多少人将密码保存到计算机上的网站上?亚马逊?幻想足球? (一种危险的射门技术:从其他人的名单中剔除一名关键球员。如果你的球员和你在一起,那真的很有趣,所以球员可以恢复......)

Another thing to consider is that you can't be sure that everyone in your building belongs there. It's much easier to hack into a network if you're actually in the building: of course the vast majority of people in the building are there because they're allowed to be, but you really don't want to be the victimized company when that one guy in a million does get into the building. (It doesn't even have to be an intentionally bad guy: it could be somebody's kid, a friend, a relative ...) Of course the employee who let that person in could also let that person use their computer, but that kind of attack is much more difficult to stop.

另一件需要考虑的事情是,您不能确定您建筑物中的每个人都属于那里。如果你真的在建筑物中,那么攻击网络要容易得多:当然,建筑物中的绝大多数人都在那里,因为他们被允许,但你真的不想成为受害公司。百万人中的一个人确实进入了大楼。 (它甚至不一定是故意的坏人:它可能是某个人的孩子,朋友,亲戚......)当然,让那个人进入的员工也可以让那个人使用他们的电脑,但那种攻击更难以制止。

1  

locking your workstation each time you go for a coffee means that you type your password 10 times per day rather than once. And everyone around you can see you type it. And once they have that password they can impersonate you from remote computers which is far more difficult to prove than using your PC in the office with everyone watching. So surely locking your workstation is actually more of a security risk?

每次去咖啡时锁定工作站意味着您每天键入密码10次而不是一次。你身边的每个人都可以看到你输入它。一旦他们拥有了这个密码,他们就可以用远程计算机冒充你了,这比在办公室里和每个人都在看的PC一样难以证明。因此,确定锁定工作站实际上更具安全风险吗?

1  

I'm running Pageant and have my SSH-public key distributed over all the servers here. Whoever sits down on my workstation can basically log into any account everywhere with my keys.

我正在运行Pageant并将SSH公钥分发到所有服务器上。坐在我的工作站上的人基本上可以使用我的钥匙登录任何地方的任何帐户。

Therefore I always lock my machine, even for a 30s break. (Windows-L is basically the only Windows-key based shortcut I know.)

因此,我总是锁定我的机器,即使是30秒的休息时间。 (Windows-L基本上是我所知道的唯一基于Windows密钥的快捷方式。)

0  

I personally think the risk is low, but in my experience most of the time it's not matter of opinion -- it's often a requirement for big corporate or government clients who will actually come in and audit your security. In that case, some kind of technical (group policy) solution would be best because you can actually prove you are complying with the requirement. I would also do it in cases where there is a legal privacy requirement (like medical data and HIPAA.)

我个人认为风险很低,但根据我的经验,大部分时间都不是意见问题 - 对于那些真正进入并审计您的安全性的大公司或*客户来说,这通常是一个要求。在这种情况下,某种技术(组策略)解决方案最好,因为您实际上可以证明您符合要求。如果有法律隐私要求(如医疗数据和HIPAA),我也会这样做。

0  

I worked at a place where the people who supplied some of our equipment were from a company in direct competition with us. They were in the building when the equipment required maintenance. An email would go out every now and then saying they would be there, please lock your machine when you're not at it. If a competitor got our source because a developer forgot to lock their machine, the developer would be looking for a new job.

我在一个供应我们设备的人来自与我们直接竞争的公司工作的地方工作。当设备需要维护时,他们在建筑物内。一封电子邮件会不时出现,然后说它们会在那里,当你不在时,请锁定你的机器。如果竞争对手因为开发人员忘记锁定他们的机器而获得我们的来源,那么开发人员就会寻找新的工作。

0  

We are required to at work, and we enforce it ourselves. Mass chats are started professing love for people, emails are sent, backgrounds are changed, etc. Gotta love the first day when it happens to a new hire, everyone is sure to leave a nice note :)

我们需要在工作,我们自己执行。群众聊天开始表现出对人的爱,发送电子邮件,改变背景等等。在第一天碰到一个新的雇员时,每个人都肯定会留下一个很好的说明:)

0  

The place I used to work had a policy on always locking your workstation. They enforced it by setting up a company wide mailing list - if you left your workstation unlocked, your co-workers would send an embarrassing mail to the list from your account, then lock your machine. It was kind of funny, and also kind of annoying, but it generally worked.

我以前工作的地方有一个总是锁定你的工作站的政策。他们通过设置公司范围的邮件列表来强制执行 - 如果您将工作站解锁,您的同事会从您的帐户向列表发送令人尴尬的邮件,然后锁定您的计算机。它有点搞笑,也有点烦人,但它一般都有效。

0  

You could start sitting down at people's workstations and loading up [insert anything bad here] right after they walk away. That will work I'm sure.

你可以开始坐在人们的工作站上,并在他们离开后立即加载[在这里插入任何不好的东西]。我肯定会这样做。

0  

In some/most government offices I've visited, that have the possibility of having members of the public walking about they have smartcards that plug into a USB reader on the PC. The card is on a necklace around the user's neck and locks the workstation when it's removed.

在我访问的一些/大多数*办公室中,有可能让公众走动,他们有智能卡插入PC上的USB读卡器。卡片放在用户脖子周围的项链上,并在工作台移除后将其锁定。

0  

The owner of my company (and a developer), will make a minor change to your code window if you left your computer unlocked, making you go crazy wondering why your code isn't working until you find it.

如果您将计算机解锁,我公司的所有者(以及开发人员)会对您的代码窗口进行微小的更改,让您疯狂地想知道为什么您的代码在找到之前无法正常工作。

Have to say, I never keep my computer unlocked after hearing about that prank, I go crazy enough as it is with some of my code.

不得不说,在听到这个恶作剧之后我从来没有让我的电脑解锁,我疯了,因为它与我的一些代码一样。

0  

You could rig up a simple foolproof way, have a fingerprint reader plugged into the computer programmed for your password, then wear this necklace with a usb receiver, and if you move away from the workstation, the screen saver actively locks it, then when you appear within the range, swipe your finger off the fingerprint reader to unlock the workstation - I think that would be a quite cheap way of doing it, simple, un-intrusive, and clutter free, no forgetting to lock via 'WinKey+L'

您可以设置一个简单的万无一失的方法,将指纹识别器插入为您的密码编程的计算机,然后将该项链与USB接收器一起使用,如果您离开工作站,屏幕保护程序会主动锁定它,然后当您出现在该范围内,从指纹读取器上滑下手指以解锁工作站 - 我认为这样做是一种非常便宜的方式,简单,不干扰,杂乱无章,不会忘记通过'WinKey + L'锁定

Hope this helps, Best regards, Tom.

希望这会有所帮助,最好的问候,汤姆。

0  

Is it important or is it a good habit? Locking your computer is may not be important say in your own house, but if you are at a client's office and walk away then I would say it is important.

这很重要还是一个好习惯?在您自己的房子里锁定您的计算机可能并不重要,但如果您在客户的办公室并走开,那么我会说这很重要。

As for how to enforce...

至于如何执行......

After reading Jeff's blog entry on Don't Forget To Lock Your Computer; I like to change co-worker's desktop backgrounds to...

阅读Jeff关于“不要忘记锁定计算机”的博客文章;我喜欢将同事的桌面背景改为......

1,238px × 929px

1,238px×929px

Needless to say, co-workers started locking their computers.

毋庸置疑,同事们开始锁定他们的电脑。

0  

GateKeeper is an easy solution to this. It locks the workstation automatically when the user walks away, and unlocks automatically when the user comes back within range of the computer. It can also require two factor authentication and other methods of lock/unlock.

GateKeeper是一个简单的解决方案。它在用户离开时自动锁定工作站,并在用户回到计算机范围内时自动解锁。它还可能需要双因素身份验证和其他锁定/解锁方法。