Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.
Check
If the following registry value does not exist or is not configured as specified, this is a finding:
Value Type: REG_SZ Value: 1 (Lock Workstation) or 2 (Force Logoff)
This can be left not configured or set to "No action" on workstations with the following conditions. This must be documented with the ISSO. -The setting cannot be configured due to mission needs, or because it interferes with applications. -Policy must be in place that users manually lock workstations when leaving them unattended. -The screen saver is properly configured to lock as required.
Fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff".