COMMAND

    screen saver

SYSTEMS AFFECTED

    Windows 2000 SP0 and SP1

PROBLEM

    John Allberg found the following.  A user who knows that his/her
    workstation is locked when the smart card is removed can
    unknowingly leave the workstation unlocked and insecure.

    When all of the following conditions are fulfilled, the workstation
    is not locked or logged off, despite the policy:
    - the policy "Smart Card Removal Behaviour" (Group Policy->
      Security->) is set to "Lock Workstation" or "Force Logoff"
    - the screensaver kicks in without "password protected" checked
    - the smart card is removed

    Some may argue that not having a password-protected screensaver
    and relying on users removing their smart cards is unsafe, since
    the user may not care to remove the smart card.  We are trying to
    assure this by using the same card to operate doors in our
    building.  Since we can't get through the doors without the smart
    card and we can't ID ourselves to, for example, a guard (the smart
    card is our visual ID card), we are in quite a bit of trouble.
    That way a user may forget his/her smart card once or twice, but
    then the lesson is learned.

SOLUTION

    Make sure "password protected" is checked.  This can be enforced
    via a group policy, found under User Settings-> Administrative
    Templates-> Control Panel-> Display.  Microsoft has been informed,
    tracking number msrc 628sc.
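
    An audit check for the combination described above, added here as
    an example and not part of the original advisory.  It assumes the
    settings are stored in the registry values ScRemoveOption,
    ScreenSaveActive and ScreenSaverIsSecure under the key paths shown
    (names not given in the advisory); the reg-query-style input is
    constructed sample data.

```python
import re

# Constructed sample in the style of `reg query` output (not from the advisory).
SAMPLE_VULNERABLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    ScRemoveOption    REG_SZ    1

HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    0
"""

# Same host after the "password protected" group policy is applied (constructed).
SAMPLE_FIXED = SAMPLE_VULNERABLE + r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop
    ScreenSaverIsSecure    REG_SZ    1
"""

# Assumed key paths (lowercased for matching); not stated in the advisory.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
USER_DESKTOP = r"hkey_current_user\control panel\desktop"
POLICY_DESKTOP = r"hkey_current_user\software\policies\microsoft\windows\control panel\desktop"

def parse_reg_query(text):
    """Return {lowercased key path: {value name: data}} from reg-query-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = re.match(r"\s+(\S+)\s+REG_\w+\s*(.*)$", line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return keys

def audit(text):
    """Flag the advisory's combination: removal policy set, screen saver not secured."""
    keys = parse_reg_query(text)
    removal = keys.get(WINLOGON, {}).get("ScRemoveOption", "0")
    user = keys.get(USER_DESKTOP, {})
    policy = keys.get(POLICY_DESKTOP, {})
    # A value set by group policy takes precedence over the user's own setting.
    setting = lambda name: policy.get(name, user.get(name, "0"))
    findings = []
    if removal in ("1", "2") and setting("ScreenSaveActive") == "1" \
            and setting("ScreenSaverIsSecure") != "1":
        action = "Lock Workstation" if removal == "1" else "Force Logoff"
        findings.append(f"{action} on card removal is set, but the screen saver "
                        "is active without password protection")
    return findings
```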