After being tasked to set up a screen saver password or a lock screen for inactivity on servers that are not joined to a domain, I decided to post this so it’s easier to find when others are searching for this.
For PCI compliance, an inactivity lock is required on any server that is in scope for your payment system.
On Windows Server 2008 and 2012 this is easy to do, but all three settings below must be set before the policy takes effect. The policy enables a screen saver that locks the session after a set period of inactivity. For PCI-controlled servers this is a requirement, and the timeout must be less than 15 minutes.
This is straightforward when the computer is a member of an Active Directory domain, but less so when it is a member of a workgroup.
How to Set the Screen Saver Lock Screen
The procedure is to open MMC and add the Local Computer Policy snap-in. To do this, click the Windows button and type MMC. On Windows 2012, select mmc.exe, not the Embedded Lockdown Manager.
Then navigate to User Configuration >> Administrative Templates >> Control Panel >> Personalization (as seen in the graphic I’ve attached).
Set the following settings:
Enable Screensaver: Enabled
Password protect the screen saver: Enabled
Screen saver timeout: Enabled with a value of 600
No need to reboot. Just log out and back in and the setting will be applied. Then wait 10 minutes to verify that your screen locks.
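The wait-ten-minutes test above confirms one session. For checking many workgroup servers, here is an added audit script (not from the original post) that reads the three values the Local Computer Policy snap-in writes and reports whether the logged-on user's session meets the 15-minute rule. It assumes the user-configuration policy lands in HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop as ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut, and treats the plain user preference key only as a fallback, since a preference is something the user can switch off.

```powershell
# Added example, not the original post's code. Audits the screen-saver lock
# policy for the current user and reports against the PCI 15-minute limit.
# Assumption: the MMC procedure writes the per-user policy key below.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey    = 'HKCU:\Control Panel\Desktop'   # user preference, fallback only
$MaxTimeout = 900                             # 15 minutes in seconds

function Get-ScreenSaverSetting {
    param([string]$Name)
    # Policy values override user preferences, which is how Windows applies them.
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [string]$item.$Name; Source = $key }
        }
    }
    return [pscustomobject]@{ Value = $null; Source = 'not set' }
}

function Test-ScreenSaverLockPolicy {
    $active  = Get-ScreenSaverSetting -Name 'ScreenSaveActive'
    $secure  = Get-ScreenSaverSetting -Name 'ScreenSaverIsSecure'
    $timeout = Get-ScreenSaverSetting -Name 'ScreenSaveTimeOut'

    # The timeout is stored as a string of seconds; treat unparsable as unset.
    $seconds = 0
    [void][int]::TryParse($timeout.Value, [ref]$seconds)

    $findings = @()
    if ($active.Value -ne '1') { $findings += 'Enable screen saver is not enabled' }
    if ($secure.Value -ne '1') { $findings += 'Password protect the screen saver is not enabled' }
    if ($seconds -le 0) {
        $findings += 'Screen saver timeout is not set'
    } elseif ($seconds -gt $MaxTimeout) {
        $findings += "Timeout of $seconds s exceeds $MaxTimeout s"
    }
    if ($active.Source -ne $PolicyKey) {
        $findings += 'Lock comes from a user preference, not policy; the user can turn it off'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        User                = $env:USERNAME
        ScreenSaveActive    = $active.Value
        ScreenSaverIsSecure = $secure.Value
        TimeoutSeconds      = $seconds
        Source              = $active.Source
        Compliant           = ($findings.Count -eq 0)
        Findings            = ($findings -join '; ')
    }
}

Test-ScreenSaverLockPolicy | Format-List
```

Run it in the session of the user you just logged back in as; with the three settings from the post applied it should report TimeoutSeconds 600, Source pointing at the policy key, and Compliant True.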
Here is a graphic of what needs to be set:
How to set a local policy to activate the lock screen on servers.
For PCI compliance, RDP (port 3389) must connect using TLSv1.1 or TLSv1.2, and the certificate name must match the server name. By default most servers present a self-signed certificate, which is not acceptable for PCI compliance.
To fix this, you have to issue a new certificate from a trusted CA. Use an internal CA within your company to avoid the cost of purchasing and maintaining certificates for RDP services.
How to issue and import a certificate:
Issue a certificate from your Root CA. You can go through the process I’ve outlined to create a certificate using OpenSSL.
Import the certificate to the store using MMC and add the Certificates snapin
Move the Root and Intermediate to the correct store
Get the SHA1 thumbprint from the certificate: open the certificate, go to the “Details” tab, scroll down past the Thumbprint algorithm and select “Thumbprint”.
Highlight the thumbprint.
Copy the thumbprint into a command shell and remove the spaces and the hidden character at the beginning.
Put the thumbprint in this command and run it on the server
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<EnterSHA1ThumbprintHere>"
Restart Remote Desktop Services. Note: this will disconnect your RDP session.
Log back in; you should no longer be prompted about the certificate.
Retest by scanning your computer with Nessus or another approved scanning software.
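As an added example (not from the original post), here is a PowerShell equivalent of the thumbprint cleanup and the wmic step, with the checks a scanner will later repeat done up front: the thumbprint is stripped of spaces and the hidden leading character, the certificate must be in the machine Personal store with its private key, its name must match the server FQDN, it must not be self-signed, its chain must validate, and the listener must be set to TLS (SecurityLayer 2). It assumes the listener is named RDP-Tcp (the Windows default) and that the script runs elevated on the server; without -Apply it only reports.

```powershell
# Added example, not the original post's code. Validates a certificate and
# binds it to the RDP listener the same way the wmic command does.
# Assumptions: listener name 'RDP-Tcp', run elevated on the server itself.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,  # pasted from the Details tab, spaces and all
    [switch]$Apply                                      # report only unless set
)

# 1. Normalise the pasted value: every non-hex character goes, which removes
#    both the spaces and the invisible leading mark that the Details tab copies.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) { throw "Thumbprint must be 40 hex characters after cleanup, got $($clean.Length)" }

# 2. The certificate must be in the machine Personal store with a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) { throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; RDP cannot use it' }

# 3. Name and trust checks that a PCI scan would otherwise flag.
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode }) +
         @((($cert.Subject -split ',')[0]) -replace '^CN=', '')
$problems = @()
if ($names -notcontains $fqdn)      { $problems += "Certificate names ($($names -join ', ')) do not include $fqdn" }
if ($cert.Subject -eq $cert.Issuer) { $problems += 'Certificate is self-signed' }
if (-not $cert.Verify())            { $problems += 'Chain does not validate; check the Root and Intermediate stores' }
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'Missing Server Authentication EKU' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Expires soon: $($cert.NotAfter)" }

# 4. Current listener state. SecurityLayer 2 means TLS is required.
$ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($ts.SecurityLayer -ne 2) { $problems += "SecurityLayer is $($ts.SecurityLayer); expected 2 (SSL/TLS)" }

[pscustomobject]@{
    Server      = $fqdn
    CurrentHash = $ts.SSLCertificateSHA1Hash
    NewHash     = $clean
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    Problems    = ($problems -join '; ')
} | Format-List

if ($problems.Count -gt 0) { throw 'Fix the problems above before binding the certificate' }

if ($Apply) {
    # Same write the wmic command performs, verified by reading it back.
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $clean } | Out-Null
    $check = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($check.SSLCertificateSHA1Hash -ne $clean) { throw 'WMI reports a different hash after the write' }
    Restart-Service -Name TermService -Force   # this drops the current RDP session
    Write-Output "RDP listener now uses certificate $clean"
} else {
    Write-Output 'Dry run only; re-run with -Apply to bind the certificate'
}
```

Run it once without -Apply from a console session or a session you are prepared to lose, confirm Problems is empty, then re-run with -Apply and follow up with the Nessus rescan.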
I was recently asked to find all the users in Active Directory whose accounts were inactive.
There is a PowerShell cmdlet called Search-ADAccount that finds inactive accounts when you use its -AccountInactive parameter.
This is kind of crude but works well. I couldn’t figure out how to get the headers into the CSV, so I simply did a Write-Output for the first section.
# Ed Rockwell
# Free to use
# Version 1.0
Import-Module ActiveDirectory
$time = 90 # Days since last login
# -TimeSpan expects a TimeSpan; a bare integer is read as ticks, so build it from days
$users = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $time) # Get all users with no logon in the last $time days
$path = "C:\Powershell\AccountInactive" # Where to write file
New-Item -Path "$path\users.csv" -ItemType File -Force | Out-Null
# Set the header of csv (Change this if you add to the write-output below)
Write-Output "SamAccountName,Enabled,PasswordExpired,LastLogonDate,OU Location" | Add-Content -Path "$path\users.csv"
# Find users
foreach ($user in $users) {
    If ($user.DistinguishedName -notmatch 'OU=Disabled Users' -and $user.DistinguishedName -notmatch 'OU=Service Accounts' -and $user.DistinguishedName -notmatch 'CN=Microsoft Exchange System Objects') {
        $DN = $user.DistinguishedName -split ','
        # Drop the leading CN= (the account itself) and join with spaces so the commas do not break the CSV
        $container = ($DN | Select-Object -Skip 1) -join ' '
        Write-Output "$($user.SamAccountName),$($user.Enabled),$($user.PasswordExpired),$($user.LastLogonDate),$($container)" | Add-Content -Path "$path\users.csv"
    }
}
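As an added example (not the post's own script), here is a stricter version of the same idea: it keeps Search-ADAccount and the OU exclusions from the post, pulls the extra attributes Search-ADAccount does not return, separates the accounts that matter for a PCI review (enabled and stale) from never-used new accounts and already-disabled ones, writes the CSV with Export-Csv so quoting is handled, and can disable the stale enabled accounts under -WhatIf/-Confirm control. It assumes the RSAT ActiveDirectory module is installed, that the exclusion patterns match the post's OU names, and that 90 days is your inactivity limit.

```powershell
# Added example, not the original post's script. Reports stale AD users and
# optionally disables the enabled ones, with ShouldProcess so -WhatIf works.
# Assumptions: RSAT ActiveDirectory module present; exclusion OUs as in the post.
Import-Module ActiveDirectory

function Get-StaleADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 90,
        [string]$OutFile = 'C:\Powershell\AccountInactive\users.csv',
        [string[]]$ExcludePattern = @('OU=Disabled Users', 'OU=Service Accounts', 'CN=Microsoft Exchange System Objects'),
        [switch]$DisableStale
    )

    # -TimeSpan wants a TimeSpan; a bare integer is interpreted as ticks, not days.
    $inactive = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $Days)

    $report = foreach ($acct in $inactive) {
        if ($ExcludePattern | Where-Object { $acct.DistinguishedName -match [regex]::Escape($_) }) { continue }

        # Attributes Search-ADAccount does not return.
        $u = Get-ADUser -Identity $acct.ObjectGUID -Properties LastLogonDate, PasswordLastSet, whenCreated

        # An account created inside the window that has never logged on is an
        # unused provisioning problem, not a long-stale one; keep them apart.
        $neverUsed = ($null -eq $u.LastLogonDate) -and ($u.whenCreated -gt (Get-Date).AddDays(-$Days))

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordExpired = $acct.PasswordExpired
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Created         = $u.whenCreated
            # Strip the leading CN= component, allowing for escaped commas in the name.
            Container       = ($u.DistinguishedName -replace '^CN=(?:\\,|[^,])*,', '')
            Risk            = $(if ($u.Enabled -and -not $neverUsed) { 'stale-enabled' }
                               elseif ($u.Enabled) { 'never-used' }
                               else { 'disabled' })
        }
    }

    New-Item -Path (Split-Path $OutFile) -ItemType Directory -Force | Out-Null
    $report | Sort-Object Risk, LastLogonDate | Export-Csv -Path $OutFile -NoTypeInformation

    if ($DisableStale) {
        foreach ($row in ($report | Where-Object Risk -eq 'stale-enabled')) {
            if ($PSCmdlet.ShouldProcess($row.SamAccountName, "Disable (no logon for $Days days)")) {
                Disable-ADAccount -Identity $row.SamAccountName
            }
        }
    }

    # Summary by category; the detail is in the CSV.
    $report | Group-Object Risk | Select-Object Name, Count
}

# Report only:
Get-StaleADUser -Days 90
# Preview what would be disabled without touching AD:
# Get-StaleADUser -Days 90 -DisableStale -WhatIf
```

The stale-enabled rows are the ones an assessor will ask about; run with -DisableStale -WhatIf first, review the list with the account owners, and only then run it with -Confirm.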