From 04a0c355c5d157df65d47254bf7db9b6af08cbf4 Mon Sep 17 00:00:00 2001
From: Guillaume Ross
Date: Fri, 10 Jun 2022 12:05:32 -0400
Subject: [PATCH] Add Windows screen lock policy (#6167)

* Adding policy query to check firewall on Mac This commit closes https://github.com/fleetdm/confidential/issues/1410 once merged.
* Adding policies This commit closes https://github.com/fleetdm/confidential/issues/1412. Right now there is no way to check the screenlock so instead we check if a profile for screenlock is there. https://github.com/fleetdm/confidential/issues/1410 also closed by this.
* Update constants.ts Fixed space
* Resolution text fix for new policies Fixed copy based on @zhumo's comments!
* Screen lock policy Adding a policy to check if the inactivity timeout is enabled on Windows and set to 1800 seconds or less (30min)
* Update constants.ts Fix identation
* Update Windows screen lock policy Changed wording from "administrator" to "IT administrator" in both files.
---
 .../standard-query-library.yml | 13 +++++++++++++
 frontend/utilities/constants.ts | 10 ++++++++++
 2 files changed, 23 insertions(+)

diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index 4233b62a8c..7b3bdf82e8 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -712,3 +712,16 @@ spec:
 tags: compliance, hardening, built-in
 platform: darwin
 contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Screen lock enabled (Windows)
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs' AND CAST(data as INTEGER) <= 1800;
+ description: "Checks if the screen lock is enabled and configured to lock the system within 30 minutes or less."
+ resolution: "Ask your IT administrator to enable the Interactive Logon: Machine inactivity limit setting with a value of 1800 seconds or lower."
+ platforms: Windows
+ tags: compliance, hardening, built-in
+ platform: windows
+ contributors: GuillaumeRoss
+
diff --git a/frontend/utilities/constants.ts b/frontend/utilities/constants.ts
index adb1a9c3b1..ea98ed55cd 100644
--- a/frontend/utilities/constants.ts
+++ b/frontend/utilities/constants.ts
@@ -159,6 +159,16 @@ export const DEFAULT_POLICIES = [
 "Contact your IT administrator to help you enroll your computer in your organization's MDM. If already enrolled, ask your IT administrator to enable the screen lock feature in the profile configuration.",
 platform: "darwin",
 },
+ {
+ key: 15,
+ query:
+ "SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs' AND CAST(data as INTEGER) <= 1800;",
+ name: "Screen lock enabled (Windows)",
+ description: "Checks if the screen lock is enabled and configured to lock the system within 30 minutes or less.",
+ resolution:
+ "Ask your IT administrator to enable the Interactive Logon: Machine inactivity limit setting with a value of 1800 seconds or lower.",
+ platform: "windows",
+ },
 ] as IPolicyNew[];
 
 export const FREQUENCY_DROPDOWN_OPTIONS = [
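Review bot: The new policy's `query:` passes a host whose InactivityTimeoutSecs value is 0, because `CAST(data as INTEGER) <= 1800` is true for zero; if I recall the documented semantics of "Interactive logon: Machine inactivity limit" correctly, 0 means no inactivity limit is enforced, so a host with the lock explicitly disabled would report as compliant even though the description promises it "checks if the screen lock is enabled". A missing value already fails correctly (no row is returned), so only the zero case needs a lower bound: `query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs' AND CAST(data AS INTEGER) > 0 AND CAST(data AS INTEGER) <= 1800;`. The same condition is duplicated in the `frontend/utilities/constants.ts` hunk and should be changed there too so the two copies stay in sync.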
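Review bot: The `query:` string added to DEFAULT_POLICIES is a double-quoted JavaScript literal, and `\S`, `\M`, `\W`, `\C`, `\P` and `\I` are not escape sequences there, so the parser silently drops every backslash: the query the UI actually submits looks for a path like `HKEY_LOCAL_MACHINESoftwareMicrosoftWindows...`, which never matches, and the policy fails on every Windows host. TypeScript does not report this (only ESLint's no-useless-escape would), which is why it compiles cleanly. Double each backslash: `"SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\InactivityTimeoutSecs' AND CAST(data as INTEGER) <= 1800;",`. The YAML copy in the standard query library is unaffected, since a plain YAML scalar keeps backslashes literally; the enclosing DEFAULT_POLICIES array starts outside the hunk.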