Terminal Services Security Issue with Cached Credentials

Discussion in 'Windows Networking' started by bryan.rutkowski, Oct 29, 2007.

  1. I have noticed a security issue regarding the Cached Credentials
    (Saved Username and Passwords) in Terminal Services. I had previously
    run Terminal Services and connected to multiple servers entering my
    credentials and saving them so I wouldn't have to enter them again.
    Recently though I have been asked to disable this feature for everyone
    in the company. So I have been testing a solution on my workstation
    to force users to enter their credentials and clear out their old
    saved credentials so they can't use that function anymore.

    I found the following GPO settings which are supposed to force
    entering of credentials.

    -----
    "Always prompt client for password upon connection"

    Specifies whether Terminal Services always prompts the client for a
    password upon connection.

    You can use this setting to enforce a password prompt for users
    logging on to Terminal Services, even if they already provided the
    password in the Remote Desktop Connection client.

    If the status is set to Enabled, users cannot automatically log on to
    Terminal Services by supplying their passwords in the Remote Desktop
    Connection client. They are prompted for a password to log on.
    -----

    I also found this GPO:

    -----
    "Do not allow passwords to be saved"

    Controls whether passwords can be saved on this computer from Terminal
    Services clients.

    If you enable this setting the password saving checkbox in Terminal
    Services clients will be disabled and users will no longer be able to
    save passwords. When a user opens an RDP file using the Terminal
    Services client and saves his settings, any password that previously
    existed in the RDP file will be deleted.

    If you disable this setting or leave it not configured, the user will
    be able to save passwords using the Terminal Services client.
    -----

    Now one would think when I enable both of these GPOs I would no
    longer be able to log in with saved usernames and passwords in Terminal
    Services.

    The problem is when I open my Terminal Services client (MSTSC) I am
    still able to use cached credentials. I would have to click the link
    to manually delete my saved credentials, otherwise it will keep them,
    even though the GPO says I can't use them, essentially making the GPO
    settings worthless.

    Does anyone know how to make it so it FORCES users to enter their
    credentials every time, even if they saved them before the GPO was
    set? Or is there a way to delete them remotely?
     
    bryan.rutkowski, Oct 29, 2007
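
One way to clear previously saved Remote Desktop credentials, as an added example that is not part of the original post. It assumes the workstation has cmdkey.exe and that MSTSC stored the credentials in the Windows stored-credentials store under TERMSRV/ targets; the function names and the sample output are constructed for illustration. The store is per-user, so the cleanup has to run in each user's own context, for example as a logon script.

```powershell
# Added example (hypothetical function names). Removes saved Remote Desktop
# credentials (TERMSRV/* targets) from the current user's stored credentials.

function Get-SavedRdpTarget {
    param([string[]]$CmdkeyOutput)
    # Matches "Target: TERMSRV/host" as well as prefixed forms such as
    # "LegacyGeneric:target=TERMSRV/host". The "Target:" label is not relied
    # on, so localized cmdkey output still parses.
    $CmdkeyOutput |
        Select-String -Pattern 'TERMSRV/[^\s]+' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique
}

function Remove-SavedRdpCredential {
    param([switch]$ReportOnly)
    $targets = @(Get-SavedRdpTarget -CmdkeyOutput (cmdkey.exe /list))
    foreach ($t in $targets) {
        if ($ReportOnly) { Write-Output "Would delete $t"; continue }
        cmdkey.exe "/delete:$t" | Out-Null
    }
    if ($ReportOnly) { return }
    # Verify by listing again instead of trusting the delete command's output.
    $left = @(Get-SavedRdpTarget -CmdkeyOutput (cmdkey.exe /list))
    foreach ($t in $targets) {
        if ($left -contains $t) { Write-Warning "Still present: $t" }
        else { Write-Output "Deleted: $t" }
    }
}

# Constructed sample of `cmdkey /list` output, for trying the parser offline.
$sample = @(
    'Currently stored credentials:',
    '    Target: LegacyGeneric:target=TERMSRV/server01.example.test',
    '    Type: Generic',
    '    User: EXAMPLE\jdoe',
    '    Target: Domain:target=TERMSRV/10.0.0.5',
    '    Type: Domain Password'
)
Get-SavedRdpTarget -CmdkeyOutput $sample

# On a real workstation, preview first, then delete:
# Remove-SavedRdpCredential -ReportOnly
# Remove-SavedRdpCredential
```

Passwords embedded in individual .rdp files are a separate location and are not touched by this cleanup.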