The Secure Workstation Policy can be set on the Secure Workstation object in ConsoleOne®, and in the registry of each workstation. In ConsoleOne, a separate policy can be set for each NMAS Login Sequence that employs the Secure Workstation post-login method.
When a user logs in with a sequence that includes the Secure Workstation post-login method, the Secure Workstation Service will merge the policy from the Post-Login Method with the local workstation policy. The Secure Workstation Service creates and enforces an effective policy using the most secure settings from each policy. The Secure Workstation Service will enforce the local policy if the Secure Workstation post-login method is not in use.
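The merge rule described above can be modeled as a field-by-field "most restrictive wins" combination. This is an added example, not Novell's code: the field names, the `ACTION_RANK` ordering of lock actions, and the sample policies are assumptions made for illustration, since the page does not state how each setting is ranked.

```python
from dataclasses import dataclass
from functools import reduce
from typing import Optional

# ASSUMPTION: strictness ranking of lock actions (higher = more secure).
# The page names these two actions but does not rank them.
ACTION_RANK = {"Close all Programs": 1, "Log Out of the Workstation": 2}

@dataclass(frozen=True)
class Policy:  # hypothetical field names, not the product's registry values
    enabled: bool                        # local "use this policy" box; True for a method policy
    on_device_removal: bool              # lock when an authentication device is removed
    inactivity_timeout_s: Optional[int]  # None = inactivity event not enabled
    lock_action: str

def _merge(a: Policy, b: Policy) -> Policy:
    """Field by field, keep whichever setting is more restrictive."""
    timeouts = [t for t in (a.inactivity_timeout_s, b.inactivity_timeout_s)
                if t is not None]
    return Policy(
        enabled=True,
        # An event enabled in either policy stays enabled.
        on_device_removal=a.on_device_removal or b.on_device_removal,
        # A configured timeout beats none; the shorter of two wins.
        inactivity_timeout_s=min(timeouts) if timeouts else None,
        lock_action=max(a.lock_action, b.lock_action, key=ACTION_RANK.__getitem__),
    )

def effective_policy(local: Policy, method: Optional[Policy]) -> Optional[Policy]:
    """Return the policy to enforce, or None if nothing applies.

    `method` is None when the login sequence does not include the
    Secure Workstation post-login method; the local policy then stands alone.
    A local policy whose box is unchecked (enabled=False) is ignored.
    """
    active = [p for p in (local, method) if p is not None and p.enabled]
    return reduce(_merge, active) if active else None

# Constructed sample policies.
LOCAL = Policy(True, False, 900, "Log Out of the Workstation")
METHOD = Policy(True, True, 300, "Close all Programs")

if __name__ == "__main__":
    print(effective_policy(LOCAL, METHOD))
```

Because each field is merged independently, the effective policy can be stricter than either input: here it takes device-removal locking and the 300-second timeout from the method policy and the lock action from the local policy.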
Access Control Lists (ACLs) are set on the registry keys where the local workstation policy is stored. The default ACL gives Administrator and System full control, but gives users read-only access.
A GUI editor is provided for managing the local workstation policy in the registry. You can launch this editor by clicking Start > Programs > Novell > Secure Workstation > Novell Secure Workstation. Below is a summary of each of the policy settings:
The local policy will be used if this box is checked. If this box is not checked, the local policy is ignored.
If this box is checked, the lock action will be taken when an authentication device is removed.
If this box is checked, the lock action will be taken after a user inactivity timeout has been reached.
Specifies which lock action will be taken for the console user, and which lock action will be taken for Windows Terminal Services remote clients.
If the Authentication Device Removal box is checked, this specifies which authentication devices will be monitored.
If this box is checked, Secure Workstation will warn the user before the inactivity timeout is reached. Secure Workstation will display a dialog box with a warning. You can specify an .AVI file containing an animation to be played on the dialog, and a .WAV file containing a sound to be played. You can also specify the number of seconds that the warning should be displayed. This dialog will disappear as soon as user activity is detected.
If Log Out of the Workstation is specified as the lock action, Secure Workstation will pass the EWX_FORCE flag to ExitWindowsEx. This will speed up the logout process, but will not allow applications to save their data.
When Close all Programs is specified as the lock action, Secure Workstation will post a close message to all windows of running applications. If this box is checked, Secure Workstation will forcefully terminate any applications still running after the timeout value has been reached. Applications that are forcefully terminated will not be able to save their data.
When Close all Programs is specified as the lock action, this allows you to specify which processes should be terminated. If Close Only the Programs Specified in the Program List is checked, then only the programs specified in the program list will be terminated. Otherwise, all programs except those in the list will be terminated.