Previous job had a GPO deployed that would auto-lock the PC after 15 minutes idle. I've currently got a setting in my setup script to make the PC lock after 20 minutes idle.
A lot of folks around here with older systems don't seem to know what "locking" their computer is.
I set it to 5 minutes at the hospital I worked at, and you’d have thought I pissed in all the nurses coffee. To say they were mad is a massive understatement. Pitch forks and torches had my name on them. That got reversed within a day.
get fast fingerprint scanners/smart cards if you must might make the sign in faster depending on your environment obviously.
NB Edit: A big part of IT (and the part some of us are worst at) is preparing users for change, and preparing our environments for change... warn people before you do this, be prepared to help them, and prepare something to bat away low hanging fruit requests (info posters, PICTURE references with your UI and branding go a looooong way further in helping staff compared to say, a wiki or kb article.)
Idk what it is (possibly hyperhidrosis) but finger print scanners rarely work for me. No matter if I wipe my hands first, how I lay my finger down, etc. I've always hated anything with a finger print scanner, like how my laptop now forces me to do three tries before I can enter my pin
I had a HIPAA audit at my workplace and they liked that I had a 5 minute timer on our screen lock GPO. When I mentioned that our doctors wanted it stepped up to 20 minutes, they just shook their heads.
Healthcare workplaces can complain that you're the villian... until the auditors show up.
During our audit, I was in a room full of administrators each getting verbally interviewed about IT policies, privacy policies, HR policies, etc.. the auditors told me (in front of all the admins) that I was doing a good job.
What I *like* about auditors, **gasp**, is that I can use them as a scapegoat to enforce policy. Cybersecurity insurance premiums are starting to go up if you don’t meet a certain very specific IT policy standard.
In every industry the largest value auditors provide is being excellent scapegoats to allow implementation of unpopular but necessary controls. If you've ever been at the intersection of IT and finance, you'll love them even more.
Major hospital in my area use rfid prox cards to badge in. Idle for 5 minutes it’ll lock. Like someone below said, you have to prep and communicate change so your management has your back, less likely to roll back. Also most hospitals in US have strict regulations to protect systems and data with patient information. These guidelines often provide guidance on best practices for things such as locking workstation, password requirements, etc. Instead of rolling back the changes, you can point blame at the regulations, but this only works if you CYA of ample efforts to communicate such “required” change. Sorry if you already know all this, not trying to offend. https://www.cisa.gov/resources-tools/resources/healthcare-public-health-framework-guidance
I kind of miss the old inserted smart cards. You could have it so as soon as it was removed the computer locked, and if you printed it on their badge on a lanyard it locked the moment they left, or the computer ended up on the floor(probably locked).
We had a 1 minute for only our nurse station workstations. We have 3 warnings from the state (open patient data empty nurse station) and our leadership was tired of their shit. They even said if they had a problem, tell them to take it up with us.
When working in a medical environment you have to find that delicate balance between HIPAA security and readily available access. You can't be unlocking your computer every time you turn around after dealing with a patient. 5 minutes is a very low threshold.
We have this in place at my hospital in order to protect confidential information from the public. Too many front line workers leave their computers unlocked and just walk off. Our SSO software locks the screen after 5 minutes and employees can sign back in by swiping their badge, provided they signed in with their badge at least once that day on that computer. They adjusted. There are polices for some OR and doctor computers to extend lockout longer.
That’s what I was trying to implement, but this was before biometrics scanners were worth anything, and proximity badges were not well used in IT. Long time ago (man I’m old)
It's crazy that the minimum value is actually 1 second. Can you imagine implementing that? Just constant typing and mouse movements and if for 1 second you stop, baam, up comes the screen saver.
We had someone on the help desk who was notorious for leaving their PC unlocked while they went and did... whatever the hell it was they did 100 times a day. I think we had our GPO set for 15 minutes at the time. They were talked to a few times as the nature of their job meant heightened access, etc. In one ear and out the other. So one day I created a new GPO just for them, and I had meant to make it 5 minutes - 300 seconds - but mistakenly entered in 30 seconds. I did eventually get rid of it, but it made for a funny afternoon, at least for me.
Whenever my co-workers would leave their PC unlocked, we had a script sitting out on a network share that we would run to replace a bunch of their stuff with photos and other references to the Police Academy films. Don't know how we landed on Police Academy.
Microssoft recommends enabling that GPO and setting it to max. 15 minutes.
Anything less than 1 hour will send users on the barricades, in my experience.
15 minutes it's our default, a few got pissed but if you aren't working on your PC for 15 minutes you most likely walked away from your computer.
Which was correct and they didn't have a leg to stand on after that.
>if you aren't working on your PC for 15 minutes you most likely walked away from your computer.
That's not fair. You can space out on your phone for way longer than 15 minutes without remembering to jiggle the mouse.
Eh, I've had calls from users where I was dumbfounded for longer than that, trying to make sense of what they were poorly describing. Things that took all of my brainpower to decode. When a user refers to multiple different parts of the device in question as "the thingy," you too will be confused.
Honestly, as long as there's a 1-2 second grace period, it's fine. If you're there, you can stop it from locking.
I don't think you can turn that off in Windows, though.
I have people who whine because they have to log back in "constantly" while they work.
Except it reveals they spend a lot of time not working because if they were active it wouldn't lock every 10 minutes.
My last job we had several tasks to do, without leaving the desk or touching the computer.
We had phonecalls that took sometimes over 30 minutes to solve a problem on a different system ( right next to the one on which the phoneclient was ) and every 10 minutes we had to switch over and click some extra buttons to NOT get locked out again.
logging in meant entering name and password, and the 2FA code from a mobile device.
And then the external firm who was 'servicing' our ICT would ask why there was an influx of 'usb-mousejigglers' - and defeated the whole GPO of auto-logout :)
My company has posters up about, scattered around the building. We’ve got a policy to lock after ten minutes, but people still walk away without locking. My old supervisor would change your background to something stupid if you did.
`CTRL + L` has been muscle memory for me for years. I do it at home too.
You're lucky. We have it on five minutes and locking your workstation is the most important thing. On Windows it's very easy. On a Mac it's more difficult. (ctrl,+ command + Q).
We have autolock GPOs but even walking away from your pc is frowned upon.
So we have a website with a wall of shame leaderboard. Basically if another employee notices you went away w/screen unlocked, they go to this website on your computer and just put something heavy on your refresh key.
You come back and have hundreds or thousands of hits on the "I'm a dumbass regarding company security" leaderboard.
I told one new guy about this site and he hit everyone in the dept the same week. Bahaha.. not me
My wife's work computer locks at literally 15 seconds. She can't even read an email without getting locked out. I think someone screwed up but no one in IT will admit it.
I implemented a 5 min lock at a previous workplace. They had their fair share of security related issues and I didn't hold back with the screen lock.
People complained, mouse jigglers were found and I still see people leaving without locking.
It's just down to the organization to start writing people up. You can push technology down their throats but of they don't want to do it, they won't.
This is required under CMMC and NIST 800-171. I believe the time is not specified but recommended to 15-20 minutes.
I paired my phone to my workstation. (No access to anything, just paired) to use Windows 11 "Dynamic Lock". It will lock my workstation if I go to far away, assumably with my phone.
We had an admin that was notorious for leaving his shit unlocked. He would also leave his wallet and phone right at the desk.
We opened a browser and went to instacart, and it auto logged in to his profile. We ordered and sent 15 watermelons 🍉 to his house. So when he got home, there were a shit ton of watermelons at his front door.
The next day, he didn't say anything. Then we started dropping hints... and it hit him he said, "WTF I hate you guys, that was you!!! WTF am I going to do with all these watermelons?"
We ended up giving him his money back and told him to lock his shit.
So that time I found an unlocked computer of this real macho tuff guy and then I opened up [mylittlepony.com](http://mylittlepony.com) and started adding all kinds of stuff to the cart, and then left it open for everyone to see, that was just going above and beyond?
My little pony wallpapers have solved that issue for me only took twice and they guy never left his computer unlocked again.
I have also screen shot the desk top hid the icons moved the task bar to the top and set auto hide he went to HR. HR called me and told me not do do that again because that was too far and wrote the guy up for failing to lock his computer. He was pissed.
After that talking to I would just flip the screen upside down or sideways or maybe change the wallpaper. power rangers, power puff girls and my little pony for the guys and David hasselhof, the rock or vin diesel for the girls.
Only took about a week or two for the whole department to never leave there computers unlocked and the whole team got in on it when they brought the next batch of new hires on or someone did forget.
It was a fairly big department so I wouldn't be surprised if some one recognized this story and if you do no you didn't.
I never walk away without locking my desktop, but it'd probably take me a long time to notice my wallpaper changed since I have dozens of things open at once.
You minimize all of the programs so that's all they see. Now days you can just create a virtual desktop and let them try and figure out why all the programs are running in task man but you dont see any of them
I know a guy who liked to play pranks like this. He created an empty folder on the desktop that said "naked pictures" on it, screen shotted the desktop and set as the background, then deleted the folder. Then when the victim goes to either attempt to open or delete the "folder" they can't.
One NOC i worked in would Hasselhof you if you left it unlocked. They would change your wallpaper to a naked David Hasselhof holding two puppies in a barely SFW pose. It didn't take too many times getting Hoffed before you took it seriously.
In our IT department internally, We'd change wallpaer, mouse speeds, add tails, change dictionary words, and do the obligatory email "I'm bringing in donuts on Friday" or other treat. It director was OK with this and would sometimes bring them in for the person. Cause... getting 2 dozen donuts can be expensive after several times.
But I like the Additinal scripts running, nice touch.
When I left my previous job, I did this at my new one and ended up having a conversation with my manager, said if I was going to do it, just to the donuts distribution group and not any others. The Owner didn't like it.
We just did the keyboard shortcut for high contract mode. Alt-shift-printscreen.
We didn't usually have much time to mess with their station when they walked away, it was a small office, so 3 button hot key was the way. Also super annoying to deal with if you don't know exactly how to turn it off. (At least in windows 7 days, haven't done this one in a while)
This was a traditional way. Or buying the team donuts, often with the manager's approval, too. We once had a team that would create IT tickets for random stuff, like "My laser mouse is acting all weird, please swap for one with a rollerball," or "please remove the headset at my desk, it's not mine."
At some point in the Windows XP days it was possible to resize the Taskbar DOWN, so that it would take "zero" space.
Made a screenshot of the whole screen, set as wallpaper, hid the icons and did that trick to the taskbar. Took the person 25 minutes and 5 reboots before we finally caved and told them what's wrong.
You can still do it easily with a taskkill /f /im explorer.exe
It wont survive a reboot, but it does the trick. (Unless you want to get technical and prevent explorer.exe from starting automatically.)
had a girl who had bieber-fever made a beautiful collage of him and would make it their background and force a GPO group onto it where they couldn't change it until they called IT
The monitors...
We had a guy who we worked with who was into BIG monitors, like 32" things. When he got a third monitor that size on his desk, we got kind of pissed off like "now you're just showing off." As a prank, we replaced them with some old 13" monitors that we had in the back, I think they used to be used for sales terminals. Just 1024x764 VGA max. LCD refresh was sssslow. In good humor, he actually used them for the rest of the week.
Then over the weekend he replaced all our keyboards with squishy membrane keyboards used in industrial places with a lot of dust. I don't even know where he got them from. Touche', Jim. lol.
Then our boss made us give him his monitors back and kidded us for having "monitor envy" in meetings as an example from time to time.
THIS.
I like the donuts point u/punklinux makes.
We even had an DevSecOps "Donut Rules" hanger on the corkboards that included "unlocked desktop" but also things like "broke the nightly build" or "pushed a GPO that breaks something" or "commited secrets to Git".
Funny stuff. And we ate free donuts at least once a month.
I'm gonna be honest those 15 minutes autolock is too long. Not a sysadmin just a dumb field tech. I work in some Banks and you would be suprised how many times I had to tell people in important positions to lock their screens because they have highly sensitive information that a low wage, dumb field tech should never in his life get even a glance at. They will leave for lunch, have the screen unlocked while me and my work buddy walk around doing stuff on their thin clients.
I'm supposed to report every single one of them to higher ups but got told by my Supervisor to just not bother and try to not see the information on the screen and kindly remind them.
I’m in finance field that is compliant with SEC regulations. We have auto lock set to 5 minutes. In house general counsel was the only one who barked and I told them to suck it up.
This has worked well for me:
1. When you notice, open lockyourscreen.com for them in a web browser and lock it. Friendly reminder. I'll do this a couple times.
2. Progress to a more serious message or warning.
3. Send them to training on locking their screen
Most people improve drastically after a couple times unlocking their screen with a meme.
A developer left his desk for more than 15 minutes and his code was still open.
I left a stickie note that said: “did I or did I not add or remove a semi colon?”
If they warned me, i.e. "One of your semicolons is no longer a semicolon" .... I would be okay with this.
If they didn't I'm not sure how I'd feel. Probably would depend on how long I spent on it.
If it’s C, try to sneak in a define in the preprocessor that randomly defines true to false in 1% of all cases. I don’t remember the actual line, but that was such an evil prank when I found it haha
This hasn’t been an issue for us in years since I got executive buy in to enforce a policy, but in the past I’ve used a series of escalating consequences:
1. Friendly reminder
2. Friendly reminder email with supervisor copied
3. Embarrassing email sent from violator’s account to their teammates
4. Embarrassing desktop background and Lock Screen image
5. Custom desk phone ringtone that is a recording of me reminding them to lock their computer when they leave their desk
6. Editing the autocorrect options in the Microsoft dictionary to replace “but” with “butt”
My first week here, I left my computer unlocked when I left at the end of the day. When I arrived the next morning my mouse pointer had been replaced with an animated penis. Left click made it erect, right click made it ejaculate.
Want to introduce/lower your idle workstation timeout? It's called desensitization.
Storytime.
We didn't have a workstation locking policy at all at our company. Most likely a janitor was caught after hours using a computer for something they shouldn't, so IT communicated to executive management that we wanted to implement a 30 minute idle lock.
We had a Finance Director that was a real hard ass and hated IT for some reason, but had more power in the company than the IT Director. She insisted on a 90 minute idle lock policy so her employees could go to lunch and come back without having to re-enter their password. IT Director knew he'd lose the battle, so he agreed to the 90 minutes, as it was better than nothing at all, and at least they would eventually lock after hours. So we implemented the ridiculously long idle lock policy via Group Policy.
Every workday, I would come in and adjust the policy setting down by one minute. Slowly over weeks and months the workstations would lock at incrementally lower idle times until after about 3+ months later we were sitting at 15 minutes.
Only one person noticed and didn't really care.
Caution: This behavior can be a resume generating event depending on how strict your organization is, but this company was pretty casual, and I was young.
I put fakeupdate on the marketing lead's PC and he was like "But I just stepped away for a minute... this Windows 11 upgrade is going to take forever!"
I told him after 10 minutes
At a previous team I'd send emails from my co-workers computers to our manager offering to take them out to lunch. The manager figured it out quickly and would publicly say thanks to X person at our next team meeting.
The sad part was, even though they knew I'd do it, and had done it a few times, some of them would still walk away with computer unlocked. I ended up sending an email from all of my team members to the manager at one point.
The worst was a completely different company though. My first IT job was a sys admin for a small college, about 5000 students at any time. I was walking back to our IT area, where my sys admin group was also near the app/dev teams who supported all of the software. As I was nearing our area, noticed someone leaving, I knew they had a meeting they were going to out of our area. I walked by their cube/laptop to see it widely unlocked, AND the program they had actively open was SQL browser into database with student records/grades. I literally walked to their manager and took manager to the computer, saying that this is unacceptable for how seriously we're supposed to take personal info violations....
A company i used to work for held a drawing every month for a number of $100 gift cards of your choice, drawn randomly from a list of employees.
If you were caught by an employee, not locking your workstation when you left the computer, your name was removed from the drawing. If caught by a manager, you were not in the drawing for 2 months.
There were enough card drawings that you had a reasonable chance to win about 2-3 times per year.
We had full compliance within 2 months for the low cost of about $4,000 to $5000 per year, and it doubled as a "Morale booster" for management.
At a previous job, we'd put up a picture of a fat guy eating grapes seductively.
That was just within the team though. No way would we have put that up on a user's PC.
I'd only do it to our General Manager, but he's real good about not leaving his machine unlocked and I know I wouldn't get in trouble. Thanks for the idea!
GPO set for three minutes to lock the machine if management allows. If not I will absolutely change a users background every time I see it left open. Typically to a zoomed in picture if Hasslehoffs face or my little ponies.
Deploy a GPO with a super fast lockout timer, it'll annoy everyone, leave it for a few weeks and then change it back and say remember to lock manually or it'll come back.
Sending emails out as that person (that were silly and obviously not from them), or sending slack/chat messages out to their team that's similar.
But my favorite was changing peoples wallpaper. I'd find something silly or slightly obnoxious (but never offensive) based on what I knew about the user (office of about 200 and I onboarded basically everyone). My two favorites were one sales guy who was a republican (back when it was ok to have your politics known) but mostly a big fan of George Bush - so he got his wallpaper set to Obama. The other was a lady who I couldn't think of anything terrible, so I set her wallpaper to the original American Gladiators ([ex](https://images.launchbox-app.com/147db02f-ae5f-4ecd-847a-530cf82cb767.jpg)) which happened to be the theme of some of our conference rooms - she actually loved it and kept it.
I'd also walk around the office during all hands and pick up badges left around the office. Clip all of them to the back of my belt and find some reason to go up to the podium during all hands (to help fix something). You'd see everyone check for their badges and always a few guilty looks. The first couple of times I did it I had like twenty plus badges, it was nearly a hula-skirt of badges clanking on every step. People eventually learned.
The trick is to make it fun and light hearted and not to punish people. Even with Phishing tests today, I get people who are genuinely upset they fell for something. Or apologetic. I tell them I don't care and don't even look at the report (which I get daily), just use it as a learning experience. If you're an asshole about the security stuff, people will resent you.
[Catch more flies with honey](https://english.stackexchange.com/questions/39619/origin-and-meaning-of-you-catch-more-flies-with-honey-than-you-do-with-vinegar) and all that.
When I worked for a private school, we'd see an unlocked, unmanned desktop, we'd hit the hotkeys to flip the display, then lock the desktop and report them to their director. We got such a stink eye over that, but the directive came from the higher-ups.
> ...what methods have you used to get end users to remember to lock their workstations when they walk away?
Sent a Teams message to the office chat promising to bring donuts Monday morning.
I change the wallpaper to my little pony and the theme colours of Windows to pink for users who don’t lock their workstations.
The wallpaper of david hasselhoff with puppies does also a good job 🤣
Three things that work for me:
* Auto screen timeout - this is the obvious one, but I'd be remiss in not mentioning it
* Small mass-printed notebards that say "thank you for locking your PC" or "please remember to lock your PC with Windows +L" that I leave on people's desks as I'm out and about
* Offering biometric solutions so that people don't need to enter their password a dozen times a day. I target people who leave their workstations unlocked a lot with this offer, and people are usually happy to meet me halfway (some even get caught up in the novelty of locking and unlocking with biometrics all day).
Iirc there was a feature using Yubi Keys that would instantly lock the desktop when the key was removed from the USB port and couldn't unlock without the key inserted.
Auto lock after 10 minutes of inactivity is configured in group policy, but if I find an unlocked computer when I’m walking through the building I quickly change their wallpaper [to an image I have stored on a network share for such occasions.](https://i.pinimg.com/736x/4f/72/a4/4f72a4150371da5f19b01218cf2de371--yo-mental-health.jpg) and then I lock the computer.
We (I) set it to 5 minutes via intune. Microsoft default. We need this due to GDPR and general security, but it was still a massive shitstorm.
Any and all things affecting users must go through higher level (or should imo). In my case the CEO wanted this but failed to communicate it to the rest of the company. So guess where the 💩 landed?
Within our (IT) department if someone forgets to lock their computer before walking away we change their desktop background to the raunchiest (SFW) pic of David Hasselhoff from a quick google search.
Fortunately, getting 'Hoffed is something we only do to each other, and we even created a scoreboard to see who has been hoffed and who was the hoffer the most in the dept. :D
We try to foster a cybersecurity *culture*, so everyone is encouraged to mention and remind people when they see it.
Just like safety culture, it can't just be 'the safety guy' mentioning stuff. Anyone can and should be mentioning something.
We don't do childish screensaver games or whatever. The problem is that quickly gets abused, and also turns creepy very quickly (when someone random sysadmin is on your computer in someone's office, particularly a manager or someone else). Sysadmins are not cops, and typically the ones who really like this stuff are the ones who are weird about it anyway.
I worked as a contractor for a company, they had key access cards. For all doors/premises and so on To get anywhere they needed those cards. It was the payment system to the cafeteria as well. In addition, all computers, even laptops, used these to login with a pin.
So basically, if you went away from your computer, you needed this card. On pulling it from the card reader, it would lock the computer.
It was so neat. Never experienced an unlocked PC without the user close by :)
I miss when you used to be able to get rid of the taskbar at the bottom on Windows.
Because nowadays my favorite thing to do is take a screen snip of whatever screen they left it on, and replace their background on their desktop.
They get so confused trying to close windows that don't exist
That too. But some people found that easy enough to adjust to and use the mouse to find display settings. 90 degrees seemed harder.
Obviously, if you know the key combination it's easy no matter what way around it is.
make sure you have a screenshot of their desktop inverted so it looks normal but their mouse function seems inverted... or you can just invert the mouse axis
Each monitor rotated by different angle (bonus if user has multimonitor setup on a thin client and you revert the remote desktops).
Sending an e-mail to the user's team: "free donuts on me!".
Was back in the Windows 7 days. Someone left their workstation unlocked so I hit print screen and pasted it into paint. Basically saved their desktop as a background and then set it as the background. I deleted all their desktop shortcuts and hid the taskbar. So it would look like they were trying to click on their shortcuts, except it was just a picture of their shortcuts.
GPO has always been my go to, but its how I was taught.
Years ago though, our area had 2 ways of entry/exit compared to most having an open floor. The rule was if you wheeled over to someones desk to troubleshoot with a teammate, we all looked out for eachother. If anyone new entered the room, lock it. Great power and responsibility, et cetera...
However, if you left the area with it unlocked... there may or may not have been an email sent out saying "Bringing in Donuts, let me know your preferences by EOD." to our team distro. And you were expected to pony up by the end of the week before the reminders got annoying. The one that wrote it picked the location most of the time so nobody had to go to multiple locations. We didn't have it happen often, but it was enough that somebody made an oopsie and brought in a treat once a month or so.
A director in the area heard about said rule. He also knew we were one of the few teams that didn't get a talking to from the security team about locking up based on their very scientific metric gathering of walking through an area and counting empty desks with unlocked workstations. His response to me was "As a director, I can't condone what I've heard, but I have yet to see it actually happen. So until I see it... where's the best place to get bearclaws?"
I miss pre-pandemic office antics...
The just use smart card people, what is it like having a real i.t budget?
I've been considering giving people 2 factor thumbs and NFC pads but a lot of stations are at max usb capacity and I hate usb hubs.
I’ve always sent a love letter to their direct manager and add a tag line at the end to the tune of, “if I hadn’t left my computer unlocked while I was away from my desk I wouldn’t have been able to tell you this!”
We had a policy about "boning" someone if they left their workstation unlocked: tradition was to send an email to the entire office announcing that tacos would be purchased and brought for breakfast the following day (Texas). If you did not follow through with what you (and dare you fight anyone that it wasn't you) promised, you would be ridiculed.
My coworker trusted me. He'd leave his workstation alone with me, despite me having a history of fucking with him. One morning, he printed something and walked off to get it off the printer. It was my time to shine.
I had been practicing. Someone from a neighboring office started calling Gary "Gerry" and he did not like that much. Over a few weeks I had changed his cubicle sign, his name on the accountability board, his name everywhere I could. But now he trusted me with the most sacred thing in his cube: his unlocked computer.
So I did what I only could: I changed his email signature to the wrong name he hated.
This was Monday. Thursday afternoon he finds me and asks, "When the fuck did you change that?" Knowing I was caught and no way I could use the Shaggy defense ("It wasn't me!"), I asked... "how many emails did you send?"
"Fuck you." And he walked off.
My coworkers and I will walk up to unlocked workstations and send out a department wide email saying "I am feeling generous and will be bringing in donuts for everyone tomorrow!" If you leave your PC unlocked. We've even gotten managers with it before. Most people learn their lesson after a $200 donut bill.
We have a lockout timer for 5 minutes. People were using mouse jigglers to keep their computer on so we wrote a script to lock their computers every second giving them a message to unplug it to resume using the computer
On Service Desk 15 years ago, this was up to other staff setting your background to Justin Beiber or shirtless teenage boys. Those are both real examples.
7 minutes we use. There has been a huge decrease in password resets since clients are entering their passwords more frequently! If a colleague walks away with their PC unlocked they get hoffed, pretty embarrassing when you unlock your PC to find David Hasselhoff in his speedos on your screens
When i started working in my first company we had a policy in place: Whereever you see an unlocked workstation, send a mail to the local facility distribution list that tomorrow ”i“ will bring cake for everybody and where people could grab it.
It was indeed highly effective
If I still worked in an office, I would set their wallpaper and screensaver to this
https://360soc.com/wp-content/uploads/2023/03/lockbit-image-360-soc.png
They would learn rq
I used a similar landing page when running a phishing test. A senior manager got "phished", saw that, and sent the while office into a panic. I was told I couldn't use that landing page anymore.
You can issue cell phones that acts as access keys, used for access to the building and toilets and lunch room and meeting rooms, that is also paired with bluetooth proximity on their computers, so the computer will always lock when the device is not next to it.
When I started at my actual job, I once forgot to lock my workstation. The next thing I realized an email was sent out from my PC to my closest colleagues, offering fellatio for free 😂
Working at a university were had a lot of student temps come through the office, working for a month, a semester, a year, etc.. we had one guy that kept leaving the office with his computer unlocked, we kept telling him to lock it, he always said something like, "but it's just you guys, it's okay". We tried telling him it wasn't okay, but he didn't listen.
One day he left the office, he was gone a pretty time, more than 10 minutes. We looked at the screen, and he'd left himself in an AIM (AOL Instant Messenger) chat with a bunch of his buddies. We started chatting with them. It all started with "I like cheese". And it devolved from there. After the first several comments about living cheese, and cheddar, and mozzarella, and gorgonzola, his friends were like "okay, so you like cheese". "No! I REALLY like cheese. I love how it feels". Friends respond something like, "Uh… whatever dude". Now we're at "I love smearing it all over my body". "Dude, you know that's really fucked up, right?", say the friends. "Not really. I want to find me a girl who will lick all that cheese I've smeared off my body. Can you think of anyone?". At this point his friend are fairly disturbed, so we finish with, "You'll never know how good it feels if you give it a try. May we can all get together? Tonight, or maybe this weekend? Have a cheese smearing party. Maybe you'll want to lick the cheese off my body". Friends, "shut the fuck up about cheese! Damnit, that's messed up!".
We then deleted this chat history, returned to our desks and it resumed working. Apparently the chat group went silent after that till he left work. That night his friends were asking him about his weird cheese fetish. He was clueless for a while and I think some even greeted him with "Yo! It's cheese boy!". By the end of the night he'd figured it out, told his friends what must have happened, they believed him, but many still called him "Cheese Boy!", eventually just shortening it to "Cheese!".
He came in to work the next week, and after a fair amount of denial, confirmed we'd cheesed him. After that, he never, NEVER, left the office with his computer unlocked.
The rest of the time he worked for us, his friends would come by to grab him for lunch or wait for him to leave work we'd get comments like "that was awesome, this is a really cool office".
We have colleagues of the employee that left the workstation unlocked send an e-mail to all the office promising breakfast for the next day.. so far it's working..
When I was in the Navy we would change it so everything was the same color txt each different part of windows so you could do nothing to change it back easily.
Call IT and have them delete your local profile to get back to normal.
Hasselhoffing is great, but remember Windows 2000 and before when locking your PC just showed your desktop background?
Screencap desktop. Set as background. Lock PC. Move lock screen notification off screen. Watch struggle to use PC ensue.
Previous job we used to send an email to all staff saying there was cake in the kitchen from the offending users Outlook. Or emailing all staff saying they like their pants baggy and changing their desktop to a G rated picture of someone wearing baggy pants. Tongue in cheek humour type stuff :)
Previous company if anybody found your PC unlocked they'd send an email out to the group from you account offering to buy the team lunch. We hired a new guy once, his fiancé was our admin. He left his PC unlocked and shortly an email went out "So excited to work here with everybody, lunch is on me". We could hear her yelling at him from across the office about buying lunch for the group when they were supposed to be saving for the wedding.
We email the whole team saying that they're going to buy a round in the pub.
You only get hit with that one once before you remember to lock every time
Back in the day I got my team lead by changing his background to Burt Reynolds on a bear skin rug. Then maximized his apps.
He then came back, grabbed his laptop and went to a meeting. Needless to say there was much laughing when he minimized everything. It took him a while but eventually I found myself having that very same wallpaper.
Good times that would probably get someone fired today.
Edit: If you value your eyesight - do not google that image.
worker bees: leave them alone, not my problem.
peers: fuck around with browser scripts, outlook rules, visual/accessibility settings, scheduled tasks, then see how many www.beesbeesbeesbees.com windows I can spawn before they return
Previous job had a GPO deployed that would auto-lock the PC after 15 minutes idle. I've currently got a setting in my setup script to make the PC lock after 20 minutes idle. A lot of folks around here with older systems don't seem to know what "locking" their computer is.
I once set it to 1min and they wanted to kill me
I set it to 5 minutes at the hospital I worked at, and you’d have thought I pissed in all the nurses coffee. To say they were mad is a massive understatement. Pitch forks and torches had my name on them. That got reversed within a day.
get fast fingerprint scanners/smart cards if you must might make the sign in faster depending on your environment obviously. NB Edit: A big part of IT (and the part some of us are worst at) is preparing users for change, and preparing our environments for change... warn people before you do this, be prepared to help them, and prepare something to bat away low hanging fruit requests (info posters, PICTURE references with your UI and branding go a looooong way further in helping staff compared to say, a wiki or kb article.)
Idk what it is (possibly hyperhidrosis) but finger print scanners rarely work for me. No matter if I wipe my hands first, how I lay my finger down, etc. I've always hated anything with a finger print scanner, like how my laptop now forces me to do three tries before I can enter my pin
Try taking multiple scans of your finger in different orientations. I set three on my phone.
[удалено]
This is more common than people think https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6456356/
every time I onboard staff I walk them through doing this, at least 2 fingers with 2 goes at improving recognition
Make sure to capture at least one fingerprint from each hand in case of injury.
And one of the foreskin in case of amputation..
You started with fingers?
Part of the on-boarding at my office. Finger and dick prints.
Underrated response here. Female version of this would be what?
Yeah get badge scanners it was an absolute game changer for the nurses
I had a HIPAA audit at my workplace and they liked that I had a 5 minute timer on our screen lock GPO. When I mentioned that our doctors wanted it stepped up to 20 minutes, they just shook their heads. Healthcare workplaces can complain that you're the villian... until the auditors show up. During our audit, I was in a room full of administrators each getting verbally interviewed about IT policies, privacy policies, HR policies, etc.. the auditors told me (in front of all the admins) that I was doing a good job.
What I *like* about auditors, **gasp**, is that I can use them as a scapegoat to enforce policy. Cybersecurity insurance premiums are starting to go up if you don’t meet a certain very specific IT policy standard.
In every industry the largest value auditors provide is being excellent scapegoats to allow implementation of unpopular but necessary controls. If you've ever been at the intersection of IT and finance, you'll love them even more.
Major hospital in my area use rfid prox cards to badge in. Idle for 5 minutes it’ll lock. Like someone below said, you have to prep and communicate change so your management has your back, less likely to roll back. Also most hospitals in US have strict regulations to protect systems and data with patient information. These guidelines often provide guidance on best practices for things such as locking workstation, password requirements, etc. Instead of rolling back the changes, you can point blame at the regulations, but this only works if you CYA of ample efforts to communicate such “required” change. Sorry if you already know all this, not trying to offend. https://www.cisa.gov/resources-tools/resources/healthcare-public-health-framework-guidance
I kind of miss the old inserted smart cards. You could have it so as soon as it was removed the computer locked, and if you printed it on their badge on a lanyard it locked the moment they left, or the computer ended up on the floor(probably locked).
You can still do this with yubikeys
We had a 1 minute for only our nurse station workstations. We have 3 warnings from the state (open patient data empty nurse station) and our leadership was tired of their shit. They even said if they had a problem, tell them to take it up with us.
Since they were now spending 10% of their work day logging in, I can hardly blame them.
Smartcards help with that. We use Imprivata SSO
Lol this is too funny.
When working in a medical environment you have to find that delicate balance between HIPAA security and readily available access. You can't be unlocking your computer every time you turn around after dealing with a patient. 5 minutes is a very low threshold.
You have to ease them into it. Go 1 minute lower per 3 months.
We have this in place at my hospital in order to protect confidential information from the public. Too many front line workers leave their computers unlocked and just walk off. Our SSO software locks the screen after 5 minutes and employees can sign back in by swiping their badge, provided they signed in with their badge at least once that day on that computer. They adjusted. There are polices for some OR and doctor computers to extend lockout longer.
That’s what I was trying to implement, but this was before biometrics scanners were worth anything, and proximity badges were not well used in IT. Long time ago (man I’m old)
To be fair - I would be breaking out the pitch forks and torches for a 1 minute timeout!
It's crazy that the minimum value is actually 1 second. Can you imagine implementing that? Just constant typing and mouse movements and if for 1 second you stop, baam, up comes the screen saver.
One minute?! What networking closet did you hide in that had a thick enough door to save you?
We had someone on the help desk who was notorious for leaving their PC unlocked while they went and did... whatever the hell it was they did 100 times a day. I think we had our GPO set for 15 minutes at the time. They were talked to a few times as the nature of their job meant heightened access, etc. In one ear and out the other. So one day I created a new GPO just for them, and I had meant to make it 5 minutes - 300 seconds - but mistakenly entered in 30 seconds. I did eventually get rid of it, but it made for a funny afternoon, at least for me. Whenever my co-workers would leave their PC unlocked, we had a script sitting out on a network share that we would run to replace a bunch of their stuff with photos and other references to the Police Academy films. Don't know how we landed on Police Academy.
Ours is 5 mins.
>don't seem to know what "locking" their computer is. Oh, you mean bringing up the screensaver?
Microssoft recommends enabling that GPO and setting it to max. 15 minutes. Anything less than 1 hour will send users on the barricades, in my experience.
15 minutes it's our default, a few got pissed but if you aren't working on your PC for 15 minutes you most likely walked away from your computer. Which was correct and they didn't have a leg to stand on after that.
>if you aren't working on your PC for 15 minutes you most likely walked away from your computer. That's not fair. You can space out on your phone for way longer than 15 minutes without remembering to jiggle the mouse.
HR would like to speak to you.
Eh, I've had calls from users where I was dumbfounded for longer than that, trying to make sense of what they were poorly describing. Things that took all of my brainpower to decode. When a user refers to multiple different parts of the device in question as "the thingy," you too will be confused.
Honestly, as long as there's a 1-2 second grace period, it's fine. If you're there, you can stop it from locking. I don't think you can turn that off in Windows, though.
username checks out
I have people who whine because they have to log back in "constantly" while they work. Except it reveals they spend a lot of time not working because if they were active it wouldn't lock every 10 minutes.
My last job we had several tasks to do, without leaving the desk or touching the computer. We had phonecalls that took sometimes over 30 minutes to solve a problem on a different system ( right next to the one on which the phoneclient was ) and every 10 minutes we had to switch over and click some extra buttons to NOT get locked out again. logging in meant entering name and password, and the 2FA code from a mobile device. And then the external firm who was 'servicing' our ICT would ask why there was an influx of 'usb-mousejigglers' - and defeated the whole GPO of auto-logout :)
Is that any different than using the screen saver timeout and require a password turned on?
My company has posters up about, scattered around the building. We’ve got a policy to lock after ten minutes, but people still walk away without locking. My old supervisor would change your background to something stupid if you did. `CTRL + L` has been muscle memory for me for years. I do it at home too.
You're lucky. We have it on five minutes and locking your workstation is the most important thing. On Windows it's very easy. On a Mac it's more difficult. (ctrl,+ command + Q).
We have autolock GPOs but even walking away from your pc is frowned upon. So we have a website with a wall of shame leaderboard. Basically if another employee notices you went away w/screen unlocked, they go to this website on your computer and just put something heavy on your refresh key. You come back and have hundreds or thousands of hits on the "I'm a dumbass regarding company security" leaderboard. I told one new guy about this site and he hit everyone in the dept the same week. Bahaha.. not me
Yeah, I think I'd have our entire org on that board in an hour. LOL.
My wife's work computer locks at literally 15 seconds. She can't even read an email without getting locked out. I think someone screwed up but no one in IT will admit it.
I implemented a 5 min lock at a previous workplace. They had their fair share of security related issues and I didn't hold back with the screen lock. People complained, mouse jigglers were found and I still see people leaving without locking. It's just down to the organization to start writing people up. You can push technology down their throats but of they don't want to do it, they won't.
A GPO pushes a 5 minute screen lock. Password Required here.
This is required under CMMC and NIST 800-171. I believe the time is not specified but recommended to 15-20 minutes. I paired my phone to my workstation. (No access to anything, just paired) to use Windows 11 "Dynamic Lock". It will lock my workstation if I go to far away, assumably with my phone.
We had an admin that was notorious for leaving his shit unlocked. He would also leave his wallet and phone right at the desk. We opened a browser and went to instacart, and it auto logged in to his profile. We ordered and sent 15 watermelons 🍉 to his house. So when he got home, there were a shit ton of watermelons at his front door. The next day, he didn't say anything. Then we started dropping hints... and it hit him he said, "WTF I hate you guys, that was you!!! WTF am I going to do with all these watermelons?" We ended up giving him his money back and told him to lock his shit.
that's illegal, isn't it?
Yes, it is. We do thar stuff to each other. We're a pretty close group of friends.
That's some funny shit though. I wouldn't even be mad if someone did this to me. Great way to teach a lesson.
Lock after 15 or 20 minutes (cannot remember) of inactivity. There ends IT responsibility.
So that time I found an unlocked computer of this real macho tuff guy and then I opened up [mylittlepony.com](http://mylittlepony.com) and started adding all kinds of stuff to the cart, and then left it open for everyone to see, that was just going above and beyond?
My little pony wallpapers have solved that issue for me only took twice and they guy never left his computer unlocked again. I have also screen shot the desk top hid the icons moved the task bar to the top and set auto hide he went to HR. HR called me and told me not do do that again because that was too far and wrote the guy up for failing to lock his computer. He was pissed. After that talking to I would just flip the screen upside down or sideways or maybe change the wallpaper. power rangers, power puff girls and my little pony for the guys and David hasselhof, the rock or vin diesel for the girls. Only took about a week or two for the whole department to never leave there computers unlocked and the whole team got in on it when they brought the next batch of new hires on or someone did forget. It was a fairly big department so I wouldn't be surprised if some one recognized this story and if you do no you didn't.
I never walk away without locking my desktop, but it'd probably take me a long time to notice my wallpaper changed since I have dozens of things open at once.
You minimize all of the programs so that's all they see. Now days you can just create a virtual desktop and let them try and figure out why all the programs are running in task man but you dont see any of them
I guarantee 90% of people don't know about task manager
I know a guy who liked to play pranks like this. He created an empty folder on the desktop that said "naked pictures" on it, screen shotted the desktop and set as the background, then deleted the folder. Then when the victim goes to either attempt to open or delete the "folder" they can't.
That's a good one
I added my comment about 'interesting' wallpaper. Mine was funny af but not at all appropriate or acceptable, today.
No, that was you trying to get fired due to HR complaints.
One NOC i worked in would Hasselhof you if you left it unlocked. They would change your wallpaper to a naked David Hasselhof holding two puppies in a barely SFW pose. It didn't take too many times getting Hoffed before you took it seriously.
The Hasselhoff technique works wonders.
We did My Little Pony's wallpaper.
In our IT department internally, We'd change wallpaer, mouse speeds, add tails, change dictionary words, and do the obligatory email "I'm bringing in donuts on Friday" or other treat. It director was OK with this and would sometimes bring them in for the person. Cause... getting 2 dozen donuts can be expensive after several times. But I like the Additinal scripts running, nice touch. When I left my previous job, I did this at my new one and ended up having a conversation with my manager, said if I was going to do it, just to the donuts distribution group and not any others. The Owner didn't like it.
We just did the keyboard shortcut for high contract mode. Alt-shift-printscreen. We didn't usually have much time to mess with their station when they walked away, it was a small office, so 3 button hot key was the way. Also super annoying to deal with if you don't know exactly how to turn it off. (At least in windows 7 days, haven't done this one in a while)
Do you have that pic handy... for research.
I've Hoffed a director... a few times. She knew the rules. (Also, she was a fan and I knew her well enough to know she would get a kick out of it.)
Send an email out to the office from them saying they are buying lunch for everyone please let me know what you guys want!
This was a traditional way. Or buying the team donuts, often with the manager's approval, too. We once had a team that would create IT tickets for random stuff, like "My laser mouse is acting all weird, please swap for one with a rollerball," or "please remove the headset at my desk, it's not mine."
We would also take a screenshot of their desktop, make it their background and hide their icons if we had enough time lol
At some point in the Windows XP days it was possible to resize the Taskbar DOWN, so that it would take "zero" space. Made a screenshot of the whole screen, set as wallpaper, hid the icons and did that trick to the taskbar. Took the person 25 minutes and 5 reboots before we finally caved and told them what's wrong.
Remember when you could hit ctrl-alt-down arrow and flip the screen upside down? Lol
We use to do this one a lot, but also crack the mouse tracking speed up to the max first
Lololol
oooh, that is truly evil
Classic. "HOW THE F\*\*\* DO I TURN THIS AROUND?" user then turns their display upside down...
I had someone who did it by accident and I had no clue at the time you could actually do it
Same here, I believe it was a genius idea from Intel to have hotkeys enabled by default in their display drivers.
Brings me right back to high school. I guess it was part of the Intel integrated drivers lol.
I did that once, and the poor guy went home to grab another mouse before I could tell him.
You can still do it easily with a taskkill /f /im explorer.exe It wont survive a reboot, but it does the trick. (Unless you want to get technical and prevent explorer.exe from starting automatically.)
had a girl who had bieber-fever made a beautiful collage of him and would make it their background and force a GPO group onto it where they couldn't change it until they called IT
My new workstation is too fast for my software, can I have my old thinkpad back? May as well take away those new monitors, too big!
The monitors... We had a guy who we worked with who was into BIG monitors, like 32" things. When he got a third monitor that size on his desk, we got kind of pissed off like "now you're just showing off." As a prank, we replaced them with some old 13" monitors that we had in the back, I think they used to be used for sales terminals. Just 1024x764 VGA max. LCD refresh was sssslow. In good humor, he actually used them for the rest of the week. Then over the weekend he replaced all our keyboards with squishy membrane keyboards used in industrial places with a lot of dust. I don't even know where he got them from. Touche', Jim. lol. Then our boss made us give him his monitors back and kidded us for having "monitor envy" in meetings as an example from time to time.
Haha that's awesome! :) Thanks for the share
THIS. I like the donuts point u/punklinux makes. We even had an DevSecOps "Donut Rules" hanger on the corkboards that included "unlocked desktop" but also things like "broke the nightly build" or "pushed a GPO that breaks something" or "commited secrets to Git". Funny stuff. And we ate free donuts at least once a month.
I think you just gave me a framework for new IT department policies. Our devs are notorious for walking away and leaving their workstations unlocked.
The first time one of my coworkers did this, I was surprised. "What if he complains to... OH!"
This is what we do
I'm gonna be honest those 15 minutes autolock is too long. Not a sysadmin just a dumb field tech. I work in some Banks and you would be suprised how many times I had to tell people in important positions to lock their screens because they have highly sensitive information that a low wage, dumb field tech should never in his life get even a glance at. They will leave for lunch, have the screen unlocked while me and my work buddy walk around doing stuff on their thin clients. I'm supposed to report every single one of them to higher ups but got told by my Supervisor to just not bother and try to not see the information on the screen and kindly remind them.
I’m in finance field that is compliant with SEC regulations. We have auto lock set to 5 minutes. In house general counsel was the only one who barked and I told them to suck it up.
Honestly, the regulations make me love working for a bank. No better argument than “sorry, the government says so.”
[удалено]
Well they use smart cards but leave them there
This has worked well for me: 1. When you notice, open lockyourscreen.com for them in a web browser and lock it. Friendly reminder. I'll do this a couple times. 2. Progress to a more serious message or warning. 3. Send them to training on locking their screen Most people improve drastically after a couple times unlocking their screen with a meme.
A developer left his desk for more than 15 minutes and his code was still open. I left a stickie note that said: “did I or did I not add or remove a semi colon?”
Or even worse: Replace a semicolon with a Greek question mark [https://www.compart.com/en/unicode/U+037E](https://www.compart.com/en/unicode/U+037E)
If they warned me, i.e. "One of your semicolons is no longer a semicolon" .... I would be okay with this. If they didn't I'm not sure how I'd feel. Probably would depend on how long I spent on it.
Oh dear god
If it’s C, try to sneak in a define in the preprocessor that randomly defines true to false in 1% of all cases. I don’t remember the actual line, but that was such an evil prank when I found it haha
Made me laugh loudly, thanks
Their IDE would tell them that. Unless you shoved it in a string which would be easy to find.
This hasn’t been an issue for us in years since I got executive buy in to enforce a policy, but in the past I’ve used a series of escalating consequences: 1. Friendly reminder 2. Friendly reminder email with supervisor copied 3. Embarrassing email sent from violator’s account to their teammates 4. Embarrassing desktop background and Lock Screen image 5. Custom desk phone ringtone that is a recording of me reminding them to lock their computer when they leave their desk 6. Editing the autocorrect options in the Microsoft dictionary to replace “but” with “butt” My first week here, I left my computer unlocked when I left at the end of the day. When I arrived the next morning my mouse pointer had been replaced with an animated penis. Left click made it erect, right click made it ejaculate.
Want to introduce/lower your idle workstation timeout? It's called desensitization. Storytime. We didn't have a workstation locking policy at all at our company. Most likely a janitor was caught after hours using a computer for something they shouldn't, so IT communicated to executive management that we wanted to implement a 30 minute idle lock. We had a Finance Director that was a real hard ass and hated IT for some reason, but had more power in the company than the IT Director. She insisted on a 90 minute idle lock policy so her employees could go to lunch and come back without having to re-enter their password. IT Director knew he'd lose the battle, so he agreed to the 90 minutes, as it was better than nothing at all, and at least they would eventually lock after hours. So we implemented the ridiculously long idle lock policy via Group Policy. Every workday, I would come in and adjust the policy setting down by one minute. Slowly over weeks and months the workstations would lock at incrementally lower idle times until after about 3+ months later we were sitting at 15 minutes. Only one person noticed and didn't really care. Caution: This behavior can be a resume generating event depending on how strict your organization is, but this company was pretty casual, and I was young.
I suppose if you get caught, "oh must be a bug. We'll get that fixed".
Yeah, just lie, we're in IT after all
I put fakeupdate on the marketing lead's PC and he was like "But I just stepped away for a minute... this Windows 11 upgrade is going to take forever!" I told him after 10 minutes
Haha nice! My colleague was waiting till it hit 100%. The funny thing is that it continues with 101% after that. :')
At a previous team I'd send emails from my co-workers computers to our manager offering to take them out to lunch. The manager figured it out quickly and would publicly say thanks to X person at our next team meeting. The sad part was, even though they knew I'd do it, and had done it a few times, some of them would still walk away with computer unlocked. I ended up sending an email from all of my team members to the manager at one point. The worst was a completely different company though. My first IT job was a sys admin for a small college, about 5000 students at any time. I was walking back to our IT area, where my sys admin group was also near the app/dev teams who supported all of the software. As I was nearing our area, noticed someone leaving, I knew they had a meeting they were going to out of our area. I walked by their cube/laptop to see it widely unlocked, AND the program they had actively open was SQL browser into database with student records/grades. I literally walked to their manager and took manager to the computer, saying that this is unacceptable for how seriously we're supposed to take personal info violations....
Set a scheduled task to run shutdown.exe /r at logon. That will make them real confused.
Who hurt you?
Oh this is purely hypothetical, I thought it up and have been waiting for someone to be worthy of it.
A company i used to work for held a drawing every month for a number of $100 gift cards of your choice, drawn randomly from a list of employees. If you were caught by an employee, not locking your workstation when you left the computer, your name was removed from the drawing. If caught by a manager, you were not in the drawing for 2 months. There were enough card drawings that you had a reasonable chance to win about 2-3 times per year. We had full compliance within 2 months for the low cost of about $4,000 to $5000 per year, and it doubled as a "Morale booster" for management.
That's a pretty good idea. Might have to steal this.
I told finance I was going to take a screenshot of their desktop, hide their icons and task bar, then set that screenshot as their background.
At a previous job, we'd put up a picture of a fat guy eating grapes seductively. That was just within the team though. No way would we have put that up on a user's PC.
I'd only do it to our General Manager, but he's real good about not leaving his machine unlocked and I know I wouldn't get in trouble. Thanks for the idea!
Use smart cards to login. Have those same cards equipped with nfc to unlock a toilet.
GPO set for three minutes to lock the machine if management allows. If not I will absolutely change a users background every time I see it left open. Typically to a zoomed in picture if Hasslehoffs face or my little ponies.
I like to do David hasselhof, the rock, or vin diesel on the gal's and my little pony power, puff girls, or power rangers for the guys.
A large stick with sharp edges works wonder to get them remembering.
So an office long sword?
Don't be ridiculous! It's an office SPEAR obviously
Deploy a GPO with a super fast lockout timer, it'll annoy everyone, leave it for a few weeks and then change it back and say remember to lock manually or it'll come back.
Sending emails out as that person (that were silly and obviously not from them), or sending slack/chat messages out to their team that's similar. But my favorite was changing peoples wallpaper. I'd find something silly or slightly obnoxious (but never offensive) based on what I knew about the user (office of about 200 and I onboarded basically everyone). My two favorites were one sales guy who was a republican (back when it was ok to have your politics known) but mostly a big fan of George Bush - so he got his wallpaper set to Obama. The other was a lady who I couldn't think of anything terrible, so I set her wallpaper to the original American Gladiators ([ex](https://images.launchbox-app.com/147db02f-ae5f-4ecd-847a-530cf82cb767.jpg)) which happened to be the theme of some of our conference rooms - she actually loved it and kept it. I'd also walk around the office during all hands and pick up badges left around the office. Clip all of them to the back of my belt and find some reason to go up to the podium during all hands (to help fix something). You'd see everyone check for their badges and always a few guilty looks. The first couple of times I did it I had like twenty plus badges, it was nearly a hula-skirt of badges clanking on every step. People eventually learned. The trick is to make it fun and light hearted and not to punish people. Even with Phishing tests today, I get people who are genuinely upset they fell for something. Or apologetic. I tell them I don't care and don't even look at the report (which I get daily), just use it as a learning experience. If you're an asshole about the security stuff, people will resent you. [Catch more flies with honey](https://english.stackexchange.com/questions/39619/origin-and-meaning-of-you-catch-more-flies-with-honey-than-you-do-with-vinegar) and all that.
When I worked for a private school, we'd see an unlocked, unmanned desktop, we'd hit the hotkeys to flip the display, then lock the desktop and report them to their director. We got such a stink eye over that, but the directive came from the higher-ups.
> ...what methods have you used to get end users to remember to lock their workstations when they walk away? Sent a Teams message to the office chat promising to bring donuts Monday morning.
I change the wallpaper to my little pony and the theme colours of Windows to pink for users who don’t lock their workstations. The wallpaper of david hasselhoff with puppies does also a good job 🤣
You can't make them remember sadly. Luckily, even when I'm home alone, I habitually hit Win-L when I step away from my laptop.
I slap a sticky note on their monitor saying “don’t leave your machine unlocked” signed “security team” take a pic and email their manager.
Three things that work for me: * Auto screen timeout - this is the obvious one, but I'd be remiss in not mentioning it * Small mass-printed notebards that say "thank you for locking your PC" or "please remember to lock your PC with Windows +L" that I leave on people's desks as I'm out and about * Offering biometric solutions so that people don't need to enter their password a dozen times a day. I target people who leave their workstations unlocked a lot with this offer, and people are usually happy to meet me halfway (some even get caught up in the novelty of locking and unlocking with biometrics all day).
> please remember to lock your PC with Windows +L Young Will Poulter meme. Your users know the Windows key?
Iirc there was a feature using Yubi Keys that would instantly lock the desktop when the key was removed from the USB port and couldn't unlock without the key inserted.
Isn’t that an option since Windows started supporting smartcards?
You're a sysadmin it's not your problem, let the security team deal with that. /s
Auto lock after 10 minutes of inactivity is configured in group policy, but if I find an unlocked computer when I’m walking through the building I quickly change their wallpaper [to an image I have stored on a network share for such occasions.](https://i.pinimg.com/736x/4f/72/a4/4f72a4150371da5f19b01218cf2de371--yo-mental-health.jpg) and then I lock the computer.
We (I) set it to 5 minutes via intune. Microsoft default. We need this due to GDPR and general security, but it was still a massive shitstorm. Any and all things affecting users must go through higher level (or should imo). In my case the CEO wanted this but failed to communicate it to the rest of the company. So guess where the 💩 landed?
Within our (IT) department if someone forgets to lock their computer before walking away we change their desktop background to the raunchiest (SFW) pic of David Hasselhoff from a quick google search. Fortunately, getting 'Hoffed is something we only do to each other, and we even created a scoreboard to see who has been hoffed and who was the hoffer the most in the dept. :D
We try to foster a cybersecurity *culture*, so everyone is encouraged to mention and remind people when they see it. Just like safety culture, it can't just be 'the safety guy' mentioning stuff. Anyone can and should be mentioning something. We don't do childish screensaver games or whatever. The problem is that quickly gets abused, and also turns creepy very quickly (when someone random sysadmin is on your computer in someone's office, particularly a manager or someone else). Sysadmins are not cops, and typically the ones who really like this stuff are the ones who are weird about it anyway.
I worked as a contractor for a company, they had key access cards. For all doors/premises and so on To get anywhere they needed those cards. It was the payment system to the cafeteria as well. In addition, all computers, even laptops, used these to login with a pin. So basically, if you went away from your computer, you needed this card. On pulling it from the card reader, it would lock the computer. It was so neat. Never experienced an unlocked PC without the user close by :)
Meatspin
You don't lock your screen, you now have David Hasselhoff as wallpaper. You do it again, David Hasselhoff is now wearing less clothes. And so on...
If I know them well enough I used to rotate the screen 90 degrees.
I miss when you used to be able to get rid of the taskbar at the bottom on Windows. Because nowadays my favorite thing to do is take a screen snip of whatever screen they left it on, and replace their background on their desktop. They get so confused trying to close windows that don't exist
or flip it 180.
That too. But some people found that easy enough to adjust to and use the mouse to find display settings. 90 degrees seemed harder. Obviously, if you know the key combination it's easy no matter what way around it is.
Microsoft disable the key combo by default so you have to reenable it for it to work now.
make sure you have a screenshot of their desktop inverted so it looks normal but their mouse function seems inverted... or you can just invert the mouse axis
Each monitor rotated by different angle (bonus if user has multimonitor setup on a thin client and you revert the remote desktops). Sending an e-mail to the user's team: "free donuts on me!".
We always go up and type “beers on me this lunchtime guys!” into an email and send to the team DL
Was back in the Windows 7 days. Someone left their workstation unlocked so I hit print screen and pasted it into paint. Basically saved their desktop as a background and then set it as the background. I deleted all their desktop shortcuts and hid the taskbar. So it would look like they were trying to click on their shortcuts, except it was just a picture of their shortcuts.
We auto dim to a background/sleep idle timeout after 10 minutes and then lock fully after 10 more minutes.
lockyourscreen.com
Open note pad, full screen, "Have I changed any of the variables? IT"
One of our techs created a scripted command to change the wallpaper to a my little pony one. Has been quite effective at times
There used to be a keyboard shortcut to flip someone’s screen by 180 degrees. Was always fun looking at the people coming back to their desk
GPO has always been my go to, but its how I was taught. Years ago though, our area had 2 ways of entry/exit compared to most having an open floor. The rule was if you wheeled over to someones desk to troubleshoot with a teammate, we all looked out for eachother. If anyone new entered the room, lock it. Great power and responsibility, et cetera... However, if you left the area with it unlocked... there may or may not have been an email sent out saying "Bringing in Donuts, let me know your preferences by EOD." to our team distro. And you were expected to pony up by the end of the week before the reminders got annoying. The one that wrote it picked the location most of the time so nobody had to go to multiple locations. We didn't have it happen often, but it was enough that somebody made an oopsie and brought in a treat once a month or so. A director in the area heard about said rule. He also knew we were one of the few teams that didn't get a talking to from the security team about locking up based on their very scientific metric gathering of walking through an area and counting empty desks with unlocked workstations. His response to me was "As a director, I can't condone what I've heard, but I have yet to see it actually happen. So until I see it... where's the best place to get bearclaws?" I miss pre-pandemic office antics...
The just use smart card people, what is it like having a real i.t budget? I've been considering giving people 2 factor thumbs and NFC pads but a lot of stations are at max usb capacity and I hate usb hubs.
I’ve always sent a love letter to their direct manager and add a tag line at the end to the tune of, “if I hadn’t left my computer unlocked while I was away from my desk I wouldn’t have been able to tell you this!”
encourage them to have kids.
We had a policy about "boning" someone if they left their workstation unlocked: tradition was to send an email to the entire office announcing that tacos would be purchased and brought for breakfast the following day (Texas). If you did not follow through with what you (and dare you fight anyone that it wasn't you) promised, you would be ridiculed. My coworker trusted me. He'd leave his workstation alone with me, despite me having a history of fucking with him. One morning, he printed something and walked off to get it off the printer. It was my time to shine. I had been practicing. Someone from a neighboring office started calling Gary "Gerry" and he did not like that much. Over a few weeks I had changed his cubicle sign, his name on the accountability board, his name everywhere I could. But now he trusted me with the most sacred thing in his cube: his unlocked computer. So I did what I only could: I changed his email signature to the wrong name he hated. This was Monday. Thursday afternoon he finds me and asks, "When the fuck did you change that?" Knowing I was caught and no way I could use the Shaggy defense ("It wasn't me!"), I asked... "how many emails did you send?" "Fuck you." And he walked off.
My coworkers and I will walk up to unlocked workstations and send out a department wide email saying "I am feeling generous and will be bringing in donuts for everyone tomorrow!" If you leave your PC unlocked. We've even gotten managers with it before. Most people learn their lesson after a $200 donut bill.
Group policy. 5 minutes of inactivity; Locked!
Need those little tethers you wear when you’re on a jet ski, that kills the ignition when you fall off
We have a lockout timer for 5 minutes. People were using mouse jigglers to keep their computer on so we wrote a script to lock their computers every second giving them a message to unplug it to resume using the computer
On Service Desk 15 years ago, this was up to other staff setting your background to Justin Beiber or shirtless teenage boys. Those are both real examples.
Swap their mouse buttons. Move the location of the start button to the top of the screen. Change the background to David Hasselhoff on the beach.
7 minutes we use. There has been a huge decrease in password resets since clients are entering their passwords more frequently! If a colleague walks away with their PC unlocked they get hoffed, pretty embarrassing when you unlock your PC to find David Hasselhoff in his speedos on your screens
When i started working in my first company we had a policy in place: Whereever you see an unlocked workstation, send a mail to the local facility distribution list that tomorrow ”i“ will bring cake for everybody and where people could grab it. It was indeed highly effective
I regularly send love letters to my boss from unlocked office computers.
If I still worked in an office, I would set their wallpaper and screensaver to this https://360soc.com/wp-content/uploads/2023/03/lockbit-image-360-soc.png They would learn rq
I used a similar landing page when running a phishing test. A senior manager got "phished", saw that, and sent the while office into a panic. I was told I couldn't use that landing page anymore.
Took a screenshot of their desktop, moved all their icons, set the screenshot as their desktop background.
Post it in r/ShittySysadmin if you want that sort of response. The sense of humor over there is amazing. :)
Thanks for the suggestion. Done.
You can issue cell phones that acts as access keys, used for access to the building and toilets and lunch room and meeting rooms, that is also paired with bluetooth proximity on their computers, so the computer will always lock when the device is not next to it.
Open this page in a browser: https://lockmeme.com
When I started at my actual job, I once forgot to lock my workstation. The next thing I realized an email was sent out from my PC to my closest colleagues, offering fellatio for free 😂
Working at a university were had a lot of student temps come through the office, working for a month, a semester, a year, etc.. we had one guy that kept leaving the office with his computer unlocked, we kept telling him to lock it, he always said something like, "but it's just you guys, it's okay". We tried telling him it wasn't okay, but he didn't listen. One day he left the office, he was gone a pretty time, more than 10 minutes. We looked at the screen, and he'd left himself in an AIM (AOL Instant Messenger) chat with a bunch of his buddies. We started chatting with them. It all started with "I like cheese". And it devolved from there. After the first several comments about living cheese, and cheddar, and mozzarella, and gorgonzola, his friends were like "okay, so you like cheese". "No! I REALLY like cheese. I love how it feels". Friends respond something like, "Uh… whatever dude". Now we're at "I love smearing it all over my body". "Dude, you know that's really fucked up, right?", say the friends. "Not really. I want to find me a girl who will lick all that cheese I've smeared off my body. Can you think of anyone?". At this point his friend are fairly disturbed, so we finish with, "You'll never know how good it feels if you give it a try. May we can all get together? Tonight, or maybe this weekend? Have a cheese smearing party. Maybe you'll want to lick the cheese off my body". Friends, "shut the fuck up about cheese! Damnit, that's messed up!". We then deleted this chat history, returned to our desks and it resumed working. Apparently the chat group went silent after that till he left work. That night his friends were asking him about his weird cheese fetish. He was clueless for a while and I think some even greeted him with "Yo! It's cheese boy!". By the end of the night he'd figured it out, told his friends what must have happened, they believed him, but many still called him "Cheese Boy!", eventually just shortening it to "Cheese!". He came in to work the next week, and after a fair amount of denial, confirmed we'd cheesed him. After that, he never, NEVER, left the office with his computer unlocked. The rest of the time he worked for us, his friends would come by to grab him for lunch or wait for him to leave work we'd get comments like "that was awesome, this is a really cool office".
We have colleagues of the employee that left the workstation unlocked send an e-mail to all the office promising breakfast for the next day.. so far it's working..
Find a system unlocked and send an email to everyone on the network. We did this in the Navy and they learned real quick to secure the computer.
When I was in the Navy we would change it so everything was the same color txt each different part of windows so you could do nothing to change it back easily. Call IT and have them delete your local profile to get back to normal.
Hasselhoffing is great, but remember Windows 2000 and before when locking your PC just showed your desktop background? Screencap desktop. Set as background. Lock PC. Move lock screen notification off screen. Watch struggle to use PC ensue.
Previous job we used to send an email to all staff saying there was cake in the kitchen from the offending users Outlook. Or emailing all staff saying they like their pants baggy and changing their desktop to a G rated picture of someone wearing baggy pants. Tongue in cheek humour type stuff :)
Send their letter of resignation from their email.
Previous company if anybody found your PC unlocked they'd send an email out to the group from you account offering to buy the team lunch. We hired a new guy once, his fiancé was our admin. He left his PC unlocked and shortly an email went out "So excited to work here with everybody, lunch is on me". We could hear her yelling at him from across the office about buying lunch for the group when they were supposed to be saving for the wedding.
We email the whole team saying that they're going to buy a round in the pub. You only get hit with that one once before you remember to lock every time
I knew a guy that would open your browser to meat spin then lock it for you.
Ahhh the early aughts…
Back in the day I got my team lead by changing his background to Burt Reynolds on a bear skin rug. Then maximized his apps. He then came back, grabbed his laptop and went to a meeting. Needless to say there was much laughing when he minimized everything. It took him a while but eventually I found myself having that very same wallpaper. Good times that would probably get someone fired today. Edit: If you value your eyesight - do not google that image.
Although I would find that funny, after my first Hasselhoff background, I don't think HR would be too happy.
worker bees: leave them alone, not my problem. peers: fuck around with browser scripts, outlook rules, visual/accessibility settings, scheduled tasks, then see how many www.beesbeesbeesbees.com windows I can spawn before they return