We did not do that type of audit against the GPOs of the server, but we wrote a template that audits the screen saver objects.
These three Registry keys are where a local user account will pull its values for the screen saver:
So we added them as parts to our templates and then created the following values:
Registry Value HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut Must Exist AND ((Data Type = REG_SZ) AND (Integer Value <= 900))
Registry Value HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive Must Exist AND ((Data Type = REG_SZ) AND (Integer Value = 1))
Registry Value HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure Must Exist AND ((Data Type = REG_SZ) AND (Integer Value = 1))
Will that work? I'm not totally sure this type of audit makes sense to do with BladeLogic as these settings are user based rather than machine based. Auditing registry keys for user based policy settings on a machine will not give relevant information, as the effective policy is dependent on what user is logged into that machine. The settings have to be verified in the GPO policies set on the Domain Controller.
These registry settings are user based for any user that logs in. So if a user has not logged into the server, the default settings will be pulled from this location. So if user A logs in and creates their own screen saver timeout, they will always get their custom screen saver timeout. But any new user will pull what the server has in its default location, which is located here. So if user B has never logged into the server before, they will get screen saver settings from this location.
Valid point. So it does help in those circumstances, but the security team (or ops config team or whomever) needs to be aware that the user can change this setting without further GP customization. Thus, a BL audit or compliance job that reports screen savers come on after 5 minutes (by looking at those registry values) needs to understand that it might not necessarily be the case throughout the audited environment.
You are correct in your statements. But at least an auditor will have evidence that any new user that logs into the server will automatically get the default settings that the server will provide.
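As an added example that is not from this thread or from BladeLogic, the following PowerShell check applies the same three conditions as the template rules above (REG_SZ, timeout <= 900, active = 1, secure = 1) to HKEY_USERS\.DEFAULT and, to cover the per-user caveat raised in the replies, to every user hive currently loaded under HKEY_USERS. The function name Test-ScreenSaverHive and the rule table are my own; it assumes it is run with rights to read HKEY_USERS.

```powershell
# Rule set mirroring the template: timeout <= 900 s, screen saver on, password required.
$Rules = @(
    @{ Name = 'ScreenSaveTimeOut';   Test = { param($v) [int]$v -le 900 }; Expect = '<= 900' },
    @{ Name = 'ScreenSaveActive';    Test = { param($v) [int]$v -eq 1 };   Expect = '= 1' },
    @{ Name = 'ScreenSaverIsSecure'; Test = { param($v) [int]$v -eq 1 };   Expect = '= 1' }
)

function Test-ScreenSaverHive {
    # $HiveKey is e.g. 'Registry::HKEY_USERS\.DEFAULT' or 'Registry::HKEY_USERS\<SID>'
    param([Parameter(Mandatory)][string]$HiveKey)
    $path = "$HiveKey\Control Panel\Desktop"
    $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    foreach ($r in $Rules) {
        $val  = if ($item) { $item.GetValue($r.Name, $null) } else { $null }
        # GetValueKind throws for a missing value, so only ask for it when the value exists.
        $kind = if ($item -and $null -ne $val) { $item.GetValueKind($r.Name) } else { 'Missing' }
        # Same shape as the template: must exist, must be REG_SZ, and the string must be an
        # integer that satisfies the rule. A non-numeric REG_SZ fails instead of erroring.
        $pass = ($kind -eq 'String') -and ("$val" -match '^\d+$') -and (& $r.Test $val)
        [pscustomobject]@{
            Hive = $HiveKey; Value = $r.Name; Type = $kind; Data = $val
            Expect = $r.Expect; Result = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

# .DEFAULT is what a user with no profile yet inherits; the S-1-5-21-... keys are the hives
# of users currently logged on (their own changed settings live there, not in .DEFAULT).
# Users with a profile who are not logged on are not loaded and are not covered here.
$hives = @('Registry::HKEY_USERS\.DEFAULT') +
    (Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-(\d+-){3}\d+$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

$hives | ForEach-Object { Test-ScreenSaverHive -HiveKey $_ } | Format-Table -AutoSize
```

A FAIL row for a loaded user hive next to a PASS row for .DEFAULT is exactly the case the replies describe: the server default is compliant, but that logged-on user has overridden it.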