Over on Reddit, someone asked me whether locking a computer could be considered secure, and I figured that rather than just posting a comment that he will read once and forget, I would post it here too, for anyone who needs some basic information.
>> is a Windows log off / lock screen secure?
Yes and No.
First off: the Yes. If a computer is locked, I do not have any* way of getting into the current session from the local computer, at least not without an administrator password. If it's logged off, it's slightly more questionable. It's possible that I could log in as a regular user and use some sort of privilege escalation exploit to get admin rights, but as far as I know there are no such exploits that work against a fully patched version of Windows.
But there are some pretty big No's. Most importantly, if I want to get into a computer and I have physical access to it, you're screwed. Shut it down, boot from a CD or a bootable thumb drive, and I can easily reset any local user's password (that doesn't work for a domain password, but I can still create a local administrator account if needed). Boot it back up and I can log in fine as an administrator. There are a few things you can do about this, most importantly encrypting your hard drive with something like TrueCrypt or BitLocker (though I believe BitLocker can be broken in some configurations; the memory attack described in the footnote below is the best-known example), but generally what they say is true: if an attacker has physical access, most security measures go out the window. If I had physical access and really wanted to get into a computer, I could just reach behind it and plug a hardware keylogger in between the keyboard and the machine, then come back in a few days once I know a user has logged in successfully, and I would have valid credentials.
Beyond that, if it's a networked computer (which I would guess 99% of all computers are nowadays), there are a whole host of other ways I could get in, even if it is locked. For example, if I have credentials with administrative rights on the computer (either a domain admin account, any domain account with local admin rights, or even just a local administrator username and password), I can use PsExec to get into the computer. Something like `psexec \\ipaddress -u administrator -p P455w0rd cmd` will give me a command prompt running on the remote computer, from which I can do most things I would want to do. (One caveat for local accounts: on Vista and later, UAC's remote restrictions mean that by default only the built-in Administrator account gets a full admin token over the network; other local admin accounts are filtered unless LocalAccountTokenFilterPolicy has been set.) I would like to point out, though: this is a feature, not a bug. Without it, things like domains would be nearly unusable. There has to be a way to start a process on a remote computer by supplying valid credentials; otherwise, any time an update of any sort was needed, each computer would have to be physically touched.
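Since PsExec is a feature rather than a bug, the practical answer for a defender is to notice when it is used. This is an added example, not code from the original post or from Sysinternals: PsExec copies its service binary into the target's ADMIN$ share (%SystemRoot%) and installs a service, by default named PSEXESVC, which the Service Control Manager logs as Event ID 7045 ("A service was installed in the system"). The log records below are constructed for this example, and the "time | event id | source | message" export layout, the `parse_line`/`scan` helpers and the renamed-service heuristic are all assumptions of the example rather than any real tool's format.

```python
"""Detect PsExec-style remote execution from Windows System log records.

Added example; not from the original post or from Sysinternals. PsExec
copies a service binary to the target's ADMIN$ share (%SystemRoot%) and
installs a service, by default named PSEXESVC, which the Service Control
Manager records as Event ID 7045 ("A service was installed in the system").
The records below are constructed for this example, and the
"time | event id | source | message" export layout is an assumption, not a
real tool's format.
"""
import re
from dataclasses import dataclass

# Constructed sample export of four System log records. Record 1 is what the
# psexec command from the post leaves behind on the target; record 4 is
# PsExec run with -r to give its service a different name.
SAMPLE_LOG = r"""
2024-05-01T10:02:11 | 7045 | Service Control Manager | A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
2024-05-01T10:02:12 | 7036 | Service Control Manager | The PSEXESVC service entered the running state.
2024-05-01T10:05:40 | 7045 | Service Control Manager | A service was installed in the system. Service Name: WdNisSvc Service File Name: "C:\Program Files\Windows Defender\NisSrv.exe" Service Type: user mode service Service Start Type: demand start Service Account: LocalService
2024-05-01T10:07:03 | 7045 | Service Control Manager | A service was installed in the system. Service Name: rsvc Service File Name: %SystemRoot%\rsvc.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
"""


@dataclass
class Finding:
    time: str
    service: str
    path: str
    reason: str


# Fields of the 7045 message body, in the order the SCM writes them.
SERVICE_RE = re.compile(
    r"Service Name: (?P<name>.+?) Service File Name: (?P<path>.+?) "
    r"Service Type: .+? Service Start Type: (?P<start>.+?) "
    r"Service Account: (?P<account>\S+)"
)

# A binary sitting directly in %SystemRoot% (the ADMIN$ share root) rather than
# in System32 or Program Files is where PsExec drops its service executable,
# whatever the service is called.
ADMIN_SHARE_ROOT_RE = re.compile(r"(?i)%systemroot%\\[^\\]+\.exe")


def parse_line(line):
    """Split one exported record; return None for anything malformed."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    if len(parts) != 4 or not parts[1].isdigit():
        return None
    time, event_id, source, message = parts
    return {"time": time, "event_id": int(event_id),
            "source": source, "message": message}


def classify_service_install(time, message):
    """Decide whether a 7045 message looks like PsExec; None if benign."""
    m = SERVICE_RE.search(message)
    if not m:
        return None
    name, path = m["name"], m["path"].strip('"')
    if name.upper() == "PSEXESVC":
        return Finding(time, name, path, "default PsExec service name")
    # Renamed service (psexec -r) still lands in the ADMIN$ root as LocalSystem.
    if ADMIN_SHARE_ROOT_RE.fullmatch(path) and m["account"] == "LocalSystem":
        return Finding(time, name, path,
                       "service binary in %SystemRoot% root as LocalSystem (heuristic)")
    return None


def scan(log_text):
    """Return a Finding for every 7045 record that looks like PsExec."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None or rec["event_id"] != 7045:
            continue
        finding = classify_service_install(rec["time"], rec["message"])
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time}  {f.service:<10} {f.path}  <- {f.reason}")
```

Run as a script it flags records 1 and 4 and ignores the Defender service install. The second rule is deliberately a heuristic: a legitimate installer could also register a LocalSystem service out of %SystemRoot%, so treat that match as something to look at, and pair it with the 7045 record's time against logon events from the same source address before calling it an intrusion.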
There is also the risk of all sorts of remote exploits being used against the computer. Again, I'm not aware of any remote code execution exploits that work against a patched version of Windows, but they are not terribly uncommon, although they tend to get patched very quickly. On the other hand, running any sort of network application greatly increases the risk of these kinds of attacks. Running things like a torrent client or a web server opens you up to any exploits that exist in that application, and if it's something popular and you aren't regularly updating it, I wouldn't be surprised at all if there is an existing exploit for it.
So, to answer your question: Yes and No. If I am sitting at your keyboard, I can't get into whatever you had running on the computer, but I can definitely get into it after rebooting. And more importantly, if I'm sitting there I can just throw a physical keylogger on your machine and walk away. On the other hand, if I can get to it from the network and have existing credentials, I can get into what you were doing, but I might not have those credentials.
* This isn't entirely true. There is some recent work showing that if I freeze your RAM (we're talking literally lowering its temperature), the data can still be pulled off it after a reboot. However, we're not talking about something I can do in a cubicle with no one noticing, and it's not something your average person would be able to pull off. That's the kind of thing the government uses in high-end raids, where losing the active session can be the difference between having a case and having nothing at all.