USB device to lock computer when stepping away from PC?
Posted by Tivum@reddit | sysadmin | 36 comments
I'm looking for a device to auto-lock our front desk security podium workstations down when the officers aren't standing there for x amount of seconds. I was looking at this device: https://www.esecurityproducts.com/ProxMat_p/rdr-pm2436-00.htm
However, almost $400 for what's more or less just a switch is kind of crazy to me.
Any ideas?
HankMardukasNY@reddit
I would look into utilizing either Dynamic lock or Presence sensing
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock
https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/sensors-presence-sensing
Tivum@reddit (OP)
We don’t allow Bluetooth via GPO from our CISO and I don’t think presence sensing would work since they’re external monitors and keyboards with the actual PC locked in a cabinet.
Adam_The_Impaler@reddit
Perhaps an external camera could be routed from the cabinet PC to the tops of the monitors? That is assuming your policy allows external cameras connected via USB.
Tivum@reddit (OP)
That’s another big no no from our security team. :((
Adam_The_Impaler@reddit
If your organization has an exception/exemption policy, might be worth requesting one ¯_(ツ)_/¯. If you guys are that locked down, I'm assuming you'd need to request permission to whitelist that USB device you listed anyways, right?
Tivum@reddit (OP)
Yes but a simple USB switch would be a hell of a lot easier to be approved rather than a camera. We work in a very secure high-stakes environment, they’re super anal about physical security and digital.
AppIdentityGuy@reddit
So basically Security want a solution but every potential solution has been declined as a security risk in and of itself? I think your best option is the PIV/Passkey route with the GPO configured so that removal of the card locks the machine. You will need a longer USB cable to reach the PC in the cabinet.
Platocalist@reddit
This. And have the passkey tethered to the operator.
AppIdentityGuy@reddit
Something like a Yubikey....
Adam_The_Impaler@reddit
Ah okay gotcha. Makes sense. In that case, I'd just go with the thing you picked out (or something similar) as your options seem pretty limited. Only other option I can think of is a very short timeout period for inactivity, which has its own issues, but if you set up biometrics for Windows Hello (maybe using an external fingerprint reader) then signing back in can be very quick.
malikto44@reddit
You can do this with YubiKeys and GPOs. If the YubiKey is removed, the screen locks.
corree@reddit
Teach them how to lock the computer
Tivum@reddit (OP)
That’s hard to do when there’s an incident and they need to take off in a hurry.
corree@reddit
If you’re incapable of teaching someone how to press Win + L on a front desk computer, your next best option is setting the timer to one minute of inactivity. I doubt they’ll do well with tiny USBs considering how many illegal guns in the US are formerly PD’s.
Otherwise if the simple solutions aren’t valid enough for a police station (?) where officers don’t care about their own policies (gotta love Americans and their ingenious protectors), you could go and over-engineer a solution by having a locally run AI agent watch the camera and set off an alarm or some shit if FrontDesk-Computer01’s human hasn’t returned back to it within 5 seconds.
Or you could just go and waste 100s of taxpayer dollars on some stupid shit for stupid people. It’s probably the most patriotic thing you can do + it will be quickly overshadowed by bigger wastes of money 🤷♀️
Tivum@reddit (OP)
You’re out of your mind lol, no clue how this turned political. It’s also not a police station, it’s a very secure installation, think military type security. I can’t really disclose much else.
They need to be able to access the pc when standing on a mat, and the PC auto-lock when they have to step away in a hurry, or if forced off physically.
Mindless-Lemon7730@reddit
Why do they need to be on a mat for the function to work? I think you aren’t getting down to the root of it and are trying to over-engineer a fix so that it’s stupid-proof, but the idea you’re bringing isn’t that great either. You wanna save money but still have somewhat the same thing? How about a Bluetooth single button that can be configured to do anything a keyboard can do, like Windows + L? Keep it by the door or have the person keep it in their pocket, and if they need to run for their lives they can press the button.
Bluetooth configurable button for windows
corree@reddit
Dawg if you’re in a place with security clearances running around not caring about locking their computers… just say fuck it and spend the $400. I doubt the accountants will even notice the balance with all the money that’s being thrown around.
If you really want to save the money for whatever reason, I doubt it would be that difficult to figure out how to DIY and save $400 dollars without setting off an electrical fire
Tivum@reddit (OP)
Budget is budget, it’s beyond my control. But thanks for your input.
Jwblant@reddit
Have your security team train your security team on security best practices and to lock the workstation when they walk away.
Seriously. WINDOWS+L. Some keyboards even have a lock hot key.
Tivum@reddit (OP)
They do know how to lock their computers and they do well at it when they can, we’re looking for a solution for when they’re standing on a mat at this workstation, they are able to access the PC, if they step off, or forced off by physical contact, the PC needs to lock immediately.
Mindless-Lemon7730@reddit
You’re overthinking it. The only time I can expect someone not to be physically able to lock their computer with Windows + L is if it’s a life or death situation. In all other scenarios the user just doesn’t care enough to lock it; that’s a culture issue. It does not even take a second, it’s instantaneous, even faster if one key is programmed to do the lock screen function.
CSlv@reddit
60s idle timer?
fdkrew@reddit
Windows key + L problem solved.
-maphias-@reddit
Came here to suggest this. Don’t over engineer a solution. Just train the user better habits
technomancing_monkey@reddit
it requires they actually press it. Experienced sysadmins forget to press it from time to time.
Does your company use ID cards that are CAC compliant?
You could use CAC Readers to unlock the workstation and lock it when the card is removed.
CAC = Common Access Card
Waste_Monk@reddit
Smartcard based logon with the "screen lock when card is removed" policy enabled, a yubikey or other contactless card, and a card reader inserted into the seat cushion of the chairs.
They keep the contactless smartcard in their back pocket, so when they sit down it unlocks and when they stand up it locks.
(This is a joke, obviously. But a more conventional PIV smartcard deployment with removal policy would work and as a bonus provide MFA for your users. Worth considering!)
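Added example, not part of any commenter's post: a PowerShell audit of the two controls this thread keeps returning to, lock on smart card removal and a short idle limit, using the registry values behind the "Interactive logon: Smart card removal behavior" and "Interactive logon: Machine inactivity limit" policies. The function name `Get-LockPosture` and the `-Apply` / `-IdleSeconds` parameters are hypothetical names chosen for this sketch.

```powershell
# Added example (not from the thread). Run elevated on the workstation.
# Local changes are overwritten by domain GPO at the next policy refresh,
# so in production set these through Group Policy and use this to verify.
param([switch]$Apply, [int]$IdleSeconds = 60)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$meaning  = @{ '0' = 'No action'; '1' = 'Lock workstation'
               '2' = 'Force logoff'; '3' = 'Disconnect RDS session' }

function Get-LockPosture {
    # ScRemoveOption is a REG_SZ; absent means "No action".
    $sc   = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption `
                -ErrorAction SilentlyContinue).ScRemoveOption
    # InactivityTimeoutSecs is a DWORD; absent means no machine idle limit.
    $idle = (Get-ItemProperty -Path $system -Name InactivityTimeoutSecs `
                -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    # The removal action only fires if the Smart Card Removal Policy
    # service is running; it is Manual by default.
    $svc  = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ScRemoveOption = if ($null -ne $sc) { "$sc ($($meaning[[string]$sc]))" }
                         else { 'not set (No action)' }
        RemovalService = if ($svc) { "$($svc.Status), start type $($svc.StartType)" }
                         else { 'missing' }
        IdleLimitSecs  = if ($null -ne $idle) { $idle } else { 'not set' }
        ActsOnRemoval  = [bool](($sc -eq '1' -or $sc -eq '2') -and
                                $svc -and $svc.Status -eq 'Running')
    }
}

if ($Apply) {
    # Lock (not log off) on card removal, so the session survives a quick exit.
    Set-ItemProperty -Path $winlogon -Name ScRemoveOption -Value '1' -Type String
    if (-not (Test-Path $system)) { New-Item -Path $system -Force | Out-Null }
    Set-ItemProperty -Path $system -Name InactivityTimeoutSecs `
        -Value $IdleSeconds -Type DWord
    Set-Service   -Name SCPolicySvc -StartupType Automatic
    Start-Service -Name SCPolicySvc
}

Get-LockPosture
```

The removal action applies to sessions signed in with a smart card credential (a CAC/PIV card, or a YubiKey used in its PIV mode); a session opened with a password or PIN does not lock when a card is pulled, which is why the idle limit is audited alongside it.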
OptimalCynic@reddit
Given that you're talking about keeping the smartcard in their pants, I would have avoided using that particular acronym here
How Catholic!
AdeptFelix@reddit
If they worked for the DoD, we'd be talking about their CAC's (Common Access Card). You insert and remove your CAC for PIV.
peoplepersonmanguy@reddit
Look up Predator, I doubt your company would let you deploy something like that though.
981flacht6@reddit
You found the Shark Tank product you wanted it seems.
the_cumbermuncher@reddit
Remember working for a company that rolled out Eizo monitors across the office like 10 years ago. Presence sensors built into the monitors would put the display into standby if you left your desk, lock the computer after a minute.
Expensive though. Other suggested options would be cheaper to roll out!
ScruffyAlex@reddit
Use the option to lock when the PIV card is removed, and use the same card system for door controls, and there's a free candy bounty in the HR department for anyone who turns in an 'abandoned' card.
dirtyredog@reddit
Keyboard is USB... Ctrl Alt Del Space
Grouchy_Tennis9195@reddit
$400 for a good security solution will ultimately be cheaper and safer in the long run
robvas@reddit
Windows have hot corners?
DeliBoy@reddit
I used to have Dynamic Lock set up with my personal phone and company laptop, but at the time (2017ish), it was not real dependable.
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock
https://www.zdnet.com/article/how-to-automatically-lock-your-windows-pc-with-dynamic-lock/