Re: Terminal Services Security Issue with Cached Credentials

Maybe it is a good time to force everyone to change their passwords. You
could try starting with a few domain users to see if that solves your issue.

Steve


<bryan.rutkowski@xxxxxxxxx> wrote in message
news:1193770757.630027.69130@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I tried the User Configuration setting as well, no luck, previously
entered credentials could still be used. Also setting the requirement
on the server doesn't help much as the password is still stored on the
workstation. I really need to make sure those passwords are removed
from the workstations. I know the policies are working as any new
connection settings do not allow me to save credentials, it forces me
to enter them each time.

Bryan

On Oct 29, 9:28 pm, "Steven L Umbach" <n9...@n0-spam-for-me-
comcast.net> wrote:
I noticed that the do not allow passwords to be saved is in computer
configuration and user configuration. You may want to try and enable it
in
both places to see what happens and also run rsop.msc on a computer where
it
does not seem to be working to make sure the user/computer is within the
scope of management of the GPO that you configured. Also you can
configure
to always prompt for password on the TS itself in administrative tools/TS
configuration - connections selecting Microsoft RDP in the right window,
select properties/logon settings - always prompt for password.

Steve

<bryan.rutkow...@xxxxxxxxx> wrote in message

news:1193676782.720415.219620@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I have noticed a security issue regarding the Cached Credentials
(Saved Username and Passwords) in Terminal Services. I had previously
run Terminal Services and connected to multiple servers entering my
credentials and saving them so I wouldn't have to enter them again.
Recently though I have been asked to disable this feature for everyone
in the company. So I have been testing a solution on my workstation
to force users to enter their credentials and clear out their old
saved credentials so they can't use that function anymore.

I found the following GPO settings which are supposed to force
entering of credentials.

-----
"Always prompt client for password upon connection"

Specifies whether Terminal Services always prompts the client for a
password upon connection.

You can use this setting to enforce a password prompt for users
logging on to Terminal Services, even if they already provided the
password in the Remote Desktop Connection client.

If the status is set to Enabled, users cannot automatically log on to
Terminal Services by supplying their passwords in the Remote Desktop
Connection client. They are prompted for a password to log on.
-----

I also found this GPO

-----
"Do not allow passwords to be saved"

Controls whether passwords can be saved on this computer from Terminal
Services clients.

If you enable this setting the password saving checkbox in Terminal
Services clients will be disabled and users will no longer be able to
save passwords. When a user opens an RDP file using the Terminal
Services client and saves his settings, any password that previously
existed in the RDP file will be deleted.

If you disable this setting or leave it not configured, the user will
be able to save passwords using the Terminal Services client.
-----

Now one would think when I enable both of these GPO's I would no
longer be able to login with saved usernames and passwords in Terminal
Services.

The problem is when I open my Terminal Services client (MSTSC) I am
still able to used cached credentials. I would have to click the link
to manually delete my saved credentials, otherwise it will keep them,
even though the GPO says I can't use them. Essentially making the GPO
settings worthless.

Does anyone know how to make it so it FORCES users to enter their
credentials every time, even if they saved them before the GPO was
set. Or is their a way to delete them remotely?




.

Relevant Pages

  • RE: Remote Web Access Credentials stored where?
    ... > site with another User credentials in your client computer. ... The client in question is not yet joined to the SBS domain. ... Under Advanced is a Manage Passwords button which opens ... I can login as any SBS ...
    (microsoft.public.windows.server.sbs)
  • Re: Kerberos error on Windows XP Pro SP2 connecting to a domain resource
    ... Disclaimer: This posting is provided "AS IS" with no warranties, ... DisableDomainCreds to 1 to stop store domain credentials. ... change local passwords on the client. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Problem Adding a Network Password
    ... Install MCE 2004 and then install MCE 2005 as an upgrade. ... asked to provide credentials every time you try to access ... Passwords dialog box? ... "How To Manage Stored User Names and Passwords on a ...
    (microsoft.public.windowsxp.security_admin)
  • .Net Remoting and Stored Usernames and Passwords
    ... entries in "stored usernames and passwords" (which is ... potential nightmare for software developers using .Net Remoting. ... security credentials that were stored and the password had expired. ...
    (microsoft.public.dotnet.framework.remoting)
  • .Net Remoting and Stored Usernames and Passwords
    ... entries in "stored usernames and passwords" (which is ... potential nightmare for software developers using .Net Remoting. ... security credentials that were stored and the password had expired. ...
    (microsoft.public.dotnet.framework.remoting)