We have some off-the-shelf OCR software that we'll be using to automate processing of certain customer forms that come to us via fax at all hours of the day. The OCR process needs to run 24 x 7, but the software we have doesn't have an option to install as a service, and as a result a user needs to be logged in to "watch" a folder or queue for items to process.
I've always been pretty religious about logging out of our Windows servers when not directly administering them, but running the OCR software's folder watch feature will require that I instead leave the server it's installed on logged in and locked at all times. I'm aware from a security standpoint that this will disclose the account name to anyone who has physical access to the server (as it fills in the logged in user's name when you go to unlock), and I'll take some commensurate steps to further secure physical access, but I'm wondering if anyone has any other words of caution or wisdom about the risks (specifically w/r/t security, as performance isn't likely to be an issue in this instance) of running a Windows Server (2003 in this case) always logged in on our LAN.
You can avoid showing the login name of the locked user by setting Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked. The vulnerability here is that showing the names allows people either looking at the console or RDPing to the console to see usernames. You should also restrict remote access to only those users allowed to log in to the server.
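The following PowerShell script is an added example, not something posted in this thread, that audits (and with `-Apply`, sets) the two lock/logon-screen disclosure policies the answer above refers to, and lists who is in the local Remote Desktop Users group so the RDP exposure can be reviewed. It assumes PowerShell is available on the server (on Server 2003 that means installing PowerShell 2.0 separately), that it runs elevated, and that no Group Policy is overriding these values (a GPO that sets them will rewrite the registry on the next refresh, so the GPO is the right place to set them in a domain). The registry value names and meanings are Microsoft's documented backing store for these policies; note that "Display user information when the session is locked" was introduced with Vista/Server 2008, so on Server 2003 only "Do not display last user name" applies.

```powershell
# Added example (not from the original thread). Audit and optionally harden
# the lock/logon screen disclosure settings, and list RDP-capable accounts.
# Assumptions: run elevated; PowerShell 2.0+ present; no overriding GPO.
#
# Policy -> registry value under HKLM\...\Policies\System:
#   Interactive logon: Display user information when the session is locked
#     -> DontDisplayLockedUserId  (1 = display name + user, 2 = display name only,
#                                  3 = no user information)   [Vista/2008 and later]
#   Interactive logon: Do not display last user name
#     -> DontDisplayLastUserName  (1 = enabled)               [Server 2003 and later]

param(
    [switch]$Apply   # run without -Apply for an audit-only report
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the key or the value does not exist (policy not set).
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LockScreenDisclosure {
    $locked = Get-PolicyValue 'DontDisplayLockedUserId'
    $last   = Get-PolicyValue 'DontDisplayLastUserName'
    [pscustomobject]@{
        DontDisplayLockedUserId  = $locked
        LockedScreenHidesUser    = ($locked -eq 3)
        DontDisplayLastUserName  = $last
        LogonScreenHidesLastUser = ($last -eq 1)
    }
}

function Set-LockScreenDisclosure {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # 3: show no user information on the locked session (ignored by Server 2003).
    Set-ItemProperty -Path $policyKey -Name 'DontDisplayLockedUserId' -Value 3 -Type DWord
    # 1: do not pre-fill the last logged-on user name on the logon screen.
    Set-ItemProperty -Path $policyKey -Name 'DontDisplayLastUserName' -Value 1 -Type DWord
}

function Get-RemoteDesktopMembers {
    # The WinNT ADSI provider works from Server 2003 onward; Get-LocalGroupMember
    # only exists on Windows 10 / Server 2016 and later.
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

'Lock/logon screen disclosure settings (before):'
Test-LockScreenDisclosure | Format-List

'Accounts that can reach the console over RDP via Remote Desktop Users:'
Get-RemoteDesktopMembers

if ($Apply) {
    Set-LockScreenDisclosure
    'Lock/logon screen disclosure settings (after):'
    Test-LockScreenDisclosure | Format-List
}
```

Two things to keep in mind when reading the output: members of the local Administrators group can use RDP even when they are not in Remote Desktop Users, because the "Allow log on through Terminal Services" user right is granted to both groups by default, so review that right (Local Security Policy, User Rights Assignment) as well; and hiding the name on the lock screen does nothing for the account running the OCR watch process itself, which is why that account should be a dedicated, low-privilege user rather than the administrator's own.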
Throw it in a VM. That way the process can run in the background, and users' fingers won't be able to fiddle with bits they shouldn't.
Everybody who has direct physical access to a server is able to compromise it. And in this case he doesn't even have to know any user name at all.
So locking a server/PC is as secure as leaving it "logged-off".