Interactive logon: Machine inactivity limit Explained

 

Interactive logon: Machine inactivity limit is among the 9 Interactive logon security settings. If a user hasn’t been active on their Windows session for a while and surpasses the set limit, this setting typically determines how long the user can remain inactive before being automatically logged out of their session on the machine.

 

request CIS demo

 

How long is the interactive logon Machine inactivity time?

 

The recommended state for this setting is: 900 or fewer second(s), but not 0.

 

If the inactivity limit is set too high, it could increase the risk of unauthorized access to the system if a user walks away from their computer without logging out. Setting a high inactivity limit (e.g., several hours) increases the potential time window for someone to gain unauthorized access before the screen saver activates and locks the device.

 

If the inactivity limit is set too low, it may inconvenience users who need to step away momentarily, potentially leading to decreased productivity.

 

Even with an inactivity limit, if the user doesn’t have password protection enabled for their screensaver or session lock, accessing the system becomes easier after the automatic lock triggers.

 

Disable Interactive logon machine inactivity limit

 

If the setting is disabled (value set to 0), the computer will never lock automatically after inactivity, leaving it vulnerable to anyone who walks by.

 

Below is a table outlining the actual and effective default values for this policy:

 

Server type or GPO Default value
Default Domain Policy Not defined
Default Domain Controller Policy Not defined
Stand-Alone Server Default Settings Disabled
DC Effective Default Settings Disabled
Member Server Effective Default Settings Disabled
Client Computer Effective Default Settings Disabled

 

 

To locate go to: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

 

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options (While creating and linking group policy on server)

 

Windows 10 most critical vulnerabilities in 2022

 

Vulnerability in the setting

 

When Interactive logon Machine inactivity limit is not configured correctly, it has many potential vulnerabilities such as:

 

Keyboard/mouse activity simulation: Malicious software or physical devices can mimic user activity, tricking the system into believing someone is actively using it and preventing automatic locking.

 

Exploiting local vulnerabilities: Attackers may exploit weaknesses in the system to gain privileged access, bypassing the lock screen entirely regardless of the set inactivity limit.

 

Shoulder surfing: Attackers observe users entering passwords and gain access when users step away without locking their computers.

 

Deception: Attackers trick users into disclosing passwords or clicking on malicious links, granting unauthorized access.

 

The countermeasure for vulnerabilities is to set the time for elapsed user-input inactivity time by using the security policy setting Interactive logon: Machine inactivity limit based on the device’s usage and location requirements.

 

Group policy setting interactive logon machine inactivity

Since this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be configured locally on computers that have this policy setting. However, it can be configured and distributed via Group Policy to any computer running the Windows operating system that supports Group Policy.

 

What is the best practice for machine inactivity limits?

 

Establish the duration for idle user input based on the specific usage and location demands of the device. For instance, in a public setting, consider configuring the device to automatically lock after a brief period of inactivity to stop unauthorized access. However, in environments where the device is utilized by trusted individuals, like in a restricted manufacturing zone, automatic locking may hinder productivity.

 

If this setting is improperly configured or not enforced consistently across all machines in a network, it could create inconsistencies in security practices and increase the overall risk of unauthorized access or data breaches.

 

Automatic configuration hardening ensures consistent enforcement of the policy across all devices, eliminating the risk of individual users leaving it disabled or setting insecurely high limits.

 

server hardening datasheet

You might be interested