Re: Terminal Services Security Issue with Cached Credentials



The MS guy that came out wasn't able to find out why this was
happening either. Granted he didn't come out here to help with this
issue, just tried to look at it as a side issue. But still, I think
this might be a security issue in Windows 2003/XP.

On Nov 1, 5:33 pm, "Steven L Umbach" <n9...@n0-spam-for-me-
comcast.net> wrote:
I am using the built in version for XP Pro SP2 that has all current updates.

Steve

<bryan.rutkow...@xxxxxxxxx> wrote in message

news:1193927564.614175.180050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I tried the setting "Allways prompt client for password upon connect"
on a server and then tried connecting to it using cached credentials.
It did as the GPO says and still prompted me for my credentials
again. So that setting works as intended and I guess I could set that
on all our servers if need be.

What version of the Terminal Services client are you using? I am
using the latest I think, 6.0. I know the look and functionality
changed greatly from the last version to this one, which might be the
root of some of these problems as I think this TS client is based of
the Vista client.

Bryan

On Oct 31, 8:23 pm, "Steven L Umbach" <n9...@n0-spam-for-me-
comcast.net> wrote:
OK I did some testing on my end. I found on my test domain that even if I
have saved credentials, that I could not use them to logon to the TS if
it
is configured to always prompt for password as I was prompted for a
password. So you may want to try that out on your end and at least that
should prevent users from logging onto the TS with cached credentials .

Steve

"Steven L Umbach" <n9...@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
messagenews:%23nTvWNBHIHA.280@xxxxxxxxxxxxxxxxxxxxxxx

Thanks for the update. When I get some time I will look into it further
and see if I can come up with anything else.As far as admin
workstations,
there should not be that many of them and they need to be secured from
the
general populace, and those that logon to them should know better in my
opinion. But still I understand your want for policy to work as stated.
You may also want to post in one of the Terminal Services newsgroups to
see if anyone there has any ideas.

Steve

<bryan.rutkow...@xxxxxxxxx> wrote in message
news:1193850026.851697.222080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I thought the same thing, only problem is I went to test that and you
can still edit your password in MSTSC. If you entered the credentials
before the new GPO setting was applied to disable saving passwords you
have that option forever or until you manually delete it within MSTSC
(Hence my problem). So they could just click the edit button and
enter their new password and it saves it... So no luck there. We
have a MS guy here this week and I asked him about this, hopefully he
is able to find an answer. I'll let you know what I hear. I am
surprised this isn't a well known bug/issue, you would think this
would be a pretty big security risk as a hacker could maybe get access
to an admins workstation then get direct access to a DC or other
server.

On Oct 30, 10:09 pm, "Steven L Umbach" <n9...@n0-spam-for-me-
comcast.net> wrote:
Maybe it is a good time to force everyone to change their passwords.
You
could try starting with a few domain users to see if that solves your
issue.

Steve

<bryan.rutkow...@xxxxxxxxx> wrote in message

news:1193770757.630027.69130@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I tried the User Configuration setting as well, no luck, previously
entered credentials could still be used. Also setting the
requirement
on the server doesn't help much as the password is still stored on
the
workstation. I really need to make sure those passwords are
removed
from the workstations. I know the policies are working as any new
connection settings do not allow me to save credentials, it forces
me
to enter them each time.

Bryan

On Oct 29, 9:28 pm, "Steven L Umbach" <n9...@n0-spam-for-me-
comcast.net> wrote:
I noticed that the do not allow passwords to be saved is in
computer
configuration and user configuration. You may want to try and
enable
it
in
both places to see what happens and also run rsop.msc on a
computer
where
it
does not seem to be working to make sure the user/computer is
within
the
scope of management of the GPO that you configured. Also you can
configure
to always prompt for password on the TS itself in administrative
tools/TS
configuration - connections selecting Microsoft RDP in the right
window,
select properties/logon settings - always prompt for password.

Steve

<bryan.rutkow...@xxxxxxxxx> wrote in message

news:1193676782.720415.219620@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I have noticed a security issue regarding the Cached Credentials
(Saved Username and Passwords) in Terminal Services. I had
previously
run Terminal Services and connected to multiple servers entering
my
credentials and saving them so I wouldn't have to enter them
again.
Recently though I have been asked to disable this feature for
everyone
in the company. So I have been testing a solution on my
workstation
to force users to enter their credentials and clear out their
old
saved credentials so they can't use that function anymore.

I found the following GPO settings which are supposed to force
entering of credentials.

-----
"Always prompt client for password upon connection"

Specifies whether Terminal Services always prompts the client
for a
password upon connection.

You can use this setting to enforce a password prompt for users
logging on to Terminal Services, even if they already provided
the
password in the Remote Desktop Connection client.

If the status is set to Enabled, users cannot automatically log
on
to
Terminal Services by supplying their passwords in the Remote
Desktop
Connection client. They are prompted for a password to log on.
-----

I also found this GPO

-----
"Do not allow passwords to be saved"

Controls whether passwords can be saved on this computer from
Terminal
Services clients.

If you enable this setting the password saving checkbox in
Terminal
Services clients will be disabled and users will no longer be
able
to
save passwords. When a user opens an RDP file using the Terminal
Services client and saves his settings, any password that
previously
existed in the RDP file will be deleted.

If you disable this setting or leave it not configured, the user
will
be able to save passwords using the Terminal Services client.
-----

Now one would think when I enable both of these GPO's I would no
longer be able to login with saved usernames and passwords in
Terminal
Services.

The problem is when I open my Terminal Services client (MSTSC) I
am
still able to used cached credentials. I would have to click
the
link
to manually delete my saved credentials, otherwise it will keep
them,
even though the GPO says I can't use them. Essentially making
the
GPO
settings worthless.

Does anyone know how to make it so it FORCES users to enter
their
credentials every time, even if they saved them before the GPO
was
set. Or is their a way to delete them remotely?


.



Relevant Pages

  • Re: Terminal Services Security Issue with Cached Credentials
    ... on a server and then tried connecting to it using cached credentials. ... What version of the Terminal Services client are you using? ... "Always prompt client for password upon connection" ...
    (microsoft.public.windows.server.security)
  • Re: Terminal Services Security Issue with Cached Credentials
    ... to post in one of the Terminal Services newsgroups to see if anyone there ... entered credentials could still be used. ... "Always prompt client for password upon connection" ... Services clients will be disabled and users will no longer be able ...
    (microsoft.public.windows.server.security)
  • Re: Terminal Session Information on Console
    ... Server 2000 Terminal Services for review the rdp information connection ... connection that is started with a rdp client. ... console session, a disconnected session, a listener. ...
    (microsoft.public.windows.terminal_services)
  • Re: Terminal Services Security Issue with Cached Credentials
    ... I tried the setting "Allways prompt client for password upon connect" ... on a server and then tried connecting to it using cached credentials. ... What version of the Terminal Services client are you using? ... "Always prompt client for password upon connection" ...
    (microsoft.public.windows.server.security)
  • Re: Keyboard Madness in TS Environment
    ... all users on that client, I would stop troubleshooting the issue ... out multimedia keyboard to a USB keyboard. ... session from the terminal services manager. ... once I ended my connection, ...
    (microsoft.public.windows.terminal_services)