Interactive logon: Machine inactivity limit Explained
Interactive logon: Machine inactivity limit is among the 9 Interactive logon security settings. If a user hasn’t been active on their Windows session for a while and surpasses the set limit, this setting typically controls the duration of inactivity allowed before the user is automatically logged out of their session on a machine.
How long is the interactive logon Machine inactivity time?
The recommended state for this setting is: 900 or fewer second(s), but not 0.
If the inactivity limit is set too high, it could increase the risk of unauthorized access to the system if a user walks away from their computer without logging out. Setting a high inactivity limit (e.g., several hours) increases the potential time window for someone to gain unauthorized access before the screen saver activates and locks the device.
If the inactivity limit is set too low, it may inconvenience users who need to step away momentarily, potentially leading to decreased productivity.
Even with an inactivity limit, if the user doesn’t have password protection enabled for their screensaver or session lock, accessing the system becomes easier after the automatic lock triggers.
Disable Interactive logon machine inactivity
If the setting is disabled (value set to 0), the computer will never lock automatically after inactivity, leaving it vulnerable to anyone who walks by.
Below is a table outlining the actual and effective default values for this policy:
| Server type or GPO | Default value |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
To locate go to: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options (While creating and linking group policy on server)
Vulnerability in the setting
When Interactive logon Machine inactivity limit is not configured correctly, it has many potential vulnerabilities such as:
Keyboard/mouse activity simulation: Malicious software or physical devices can mimic user activity, tricking the system into believing someone is actively using it and preventing automatic locking.
Exploiting local vulnerabilities: Attackers may exploit weaknesses in the system to gain privileged access, bypassing the lock screen entirely regardless of the set inactivity limit.
Shoulder surfing: Attackers observe users entering passwords and gain access when users step away without locking their computers.
Deception: Attackers trick users into disclosing passwords or clicking on malicious links, granting unauthorized access.
The countermeasure for vulnerabilities is to set the time for elapsed user-input inactivity time by using the security policy setting Interactive logon: Machine inactivity limit based on the device’s usage and location requirements.
Group Policy Setting
Since this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be configured locally on computers that have this policy setting. However, it can be configured and distributed via Group Policy to any computer running the Windows operating system that supports Group Policy.
What is the best practice for machine inactivity limits?
Establish the duration for idle user input based on the specific usage and location demands of the device. For instance, in a public setting, consider configuring the device to automatically lock after a brief period of inactivity to stop unauthorized access. However, in environments where the device is utilized by trusted individuals, like in a restricted manufacturing zone, automatic locking may hinder productivity.
If this setting is improperly configured or not enforced consistently across all machines in a network, it could create inconsistencies in security practices and increase the overall risk of unauthorized access or data breaches.
Automatic configuration hardening ensures consistent enforcement of the policy across all devices, eliminating the risk of individual users leaving it disabled or setting insecurely high limits.
