This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen saver will run if the following two conditions are met: first, that a valid screen saver is specified on the client via the Screen Saver Executable Name group policy setting or Control Panel on the client. Second, the screensaver timeout is set to a value greater than zero via the Screen Saver Timeout group policy setting or Control Panel on the client. Vulnerability: If a user forgets to lock their computer when they walk away it is possible that a passerby will hijack it. Counter Measure: Configure this policy setting to Enabled so that when the other screen saver settings are implemented the risk of a user's desktop session being hijacked by a passerby is reduced. Potential Impact: The screen saver will automatically activate when the computer has been unattended for the amount of time specified by the Screen Saver timeout setting. The impact should be minimal since the screen saver is enabled by default. Fix: (1) GPO: User ConfigurationAdministrative TemplatesControl PanelPersonalizationEnable screen saver (2) REG: HKEY_USERSSoftwarePoliciesMicrosoftWindowsControl PanelDesktop!ScreenSaveActive

[enable/disable]

(1) GPO: User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver (2) REG: HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveActive