Log off those idle users!
You adopted Windows NT because it's supposed to be a secure operating system (OS). You use access control lists (ACLs) to secure most objects on your NT network, and you prevent users from accessing NT workstations without a password. You implemented Service Pack 3's (SP3's) cool passfilt.dll, which forces users to choose complex, difficult-to-crack passwords. (For more information about passfilt.dll, see R. Franklin Smith, "Protect Your Passwords," October 1998.) Running NT on desktops throughout your enterprise seems like a great way to keep your network secure, right?
Your network might not be as secure as you think it is. Many networks let users stay logged on indefinitely. If you walk around many corporations, you'll see NT desktops that users have logged on to and walked away from. Unattended desktops weren't a problem when networks ran off mainframes because mainframes automatically log off users after a certain period of inactivity. How can you perform such an automatic logoff in NT?
You can use WinExit to secure inactive workstations. This screen saver program ships in Microsoft Windows NT Server 4.0 Resource Kit. WinExit consists of one file, winexit.scr, which you can find in the resource kit directory.
WinExit Options
Right-click winexit.scr and you'll see the options Install, Test, and Configure. Select Install. A Display Properties dialog box will appear. The Display Properties dialog box shows the Screen Saver tab from the standard Control Panel Display applet; the Screen Saver dropdown menu will have the Logoff Screen Saver option selected.
You can change the value in the Wait spin box to select how long you want your network's computers to wait from the time users become inactive until WinExit starts the logoff process. The default Wait value is 15 minutes.
After the Wait period expires, WinExit starts. The utility displays an Auto Logoff in progress dialog box that warns users that WinExit is going to log them off. Users can click Cancel or press any key to stop the logoff process. The dialog box counts down for a period of time (30 seconds by default). When the period expires, WinExit logs off the user.
To change the length of time the Auto Logoff in progress dialog box counts down, click Settings on the Screen Saver tab. You can configure three settings in the WinExit Setup Dialog box that appears: Force logoff, Time to logoff, and Logoff Message. You configure the logoff countdown period in the Time to logoff section's Countdown text box. The text box's value is the length of the logoff countdown in seconds. WinExit accepts values from 0 to 999. If you set the value to 0, the computer will wait for the period you specify in the Wait spin box, then log off users without giving them a chance to avert the logoff.
The Logoff Message text box lets you customize the Auto Logoff in progress dialog box. Double-click the WinExit icon to see the Auto Logoff in progress dialog box; the message you enter in the Logoff Message text box replaces the default message Use Setup to change the text in this line. You can leave the Logoff Message text box empty or enter a message such as The network is going to log you off because your machine is inactive or To maximize network throughput, the network automatically logs off inactive sessions.
The WinExit Setup Dialog box's Force application termination check box lets WinExit terminate users' applications without saving their data. When users log off NT workstations, they receive messages from applications that have open, unsaved files. These dialog boxes question whether users want to save unsaved data. The default WinExit logoff process waits for users to respond to applications' dialog boxes before logging the users off. However, users who aren't at their desk can't choose to save or reject changes to documents.
If you don't select the Force application termination check box, WinExit won't log off users who have unsaved data. If you select the check box, WinExit won't wait for users to respond to applications' logoff dialog boxes, and users will lose unsaved data. Whether you need to select the Force application termination check box depends on your company's policies and whether all your users diligently run their software's automatic save options.
Regardless of whether you choose to terminate programs that have unsaved data, you can use WinExit to make your network more secure. Make WinExit your next system policy.