?
Solved

How to not allow client machines to save RDP credentials

Posted on 2015-01-20
8
Medium Priority
?
864 Views
Last Modified: 2015-01-28
Hello,

I have a long running dilemma.

I run a Remote Desktop Services environment. The staff all have laptops issued to them and use RDP to connect into their work environment.  Basically the laptops only server as a thin client to connect to the internal office environment.

I would like to force all the users to enter their username and password every time they connect to the office using RDP. This is for security reasons. However, by default RDP always has the "Remember my credentials" check box. Ideally I would prefer to have a setting on the server that will force the user to input their UN/PW regardless of whether they have checked that box. I have found no such solution though.

Alternatively. I have use the following registry entries on each client laptop. The laptops are all home editions of windows so they do not have GPO options. These entries are a pain, because they need to be entered on each client laptop, and cannot be done centrally on the server.

Here are the entries I have used:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"DisablePasswordSaving"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fEnableUsbNoAckIsochWriteToDevice"=dword:00000050
"fEnableUsbBlockDeviceBySetupClass"=dword:00000001
"fEnableUsbSelectDeviceByInterface"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses]
"1000"="{3376f4ce-ff8d-40a2-a80f-bb4359d1415c}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces]
"1000"="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"


This was not ideal, but at least it worked. I am noticing that with newer 8.1 laptops these entries do not work either. Does anyone have any ideas?

Thanks in advance.
0
Comment
Question by:Corey Haecker
  • 4
  • 3
8 Comments
 
LVL 37

Assisted Solution

by:Kimputer
Kimputer earned 400 total points
ID: 40559903
There's on more key you could try:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]

"PromptForCredsOnClient"=dword:00000001
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40562323
On the server, go into Terminal Services Configuration, right-click on the RDP-TCP connection, go to the Logon Settings tab, and click the "Always prompt for password" check box. I think the users will still be able to save their user names, but this will at least force them to type their passwords each time.

:-)
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40564687
Thanks Kimputer, that works!

TekServer - Any idea where this is located on server 2012? A bit of background. Each user has a dedicated VM running. Remote desktop services has all the VMs in a collection, and directs users to their VM based on their login creds.

It would be great if I could change this on the server and not need to set it on each individual client workstation.

Thanks for the assistance
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Expert Comment

by:TekServer
ID: 40565476
Sorry, most of my clients are small & still running server 2008 or earlier. I did some brief Googling & saw that all of the old RDS tools appear to be combined into the new Remote Desktop Management Server (RDMS), so I'd start there. Apparently Powershell can also be used for more advanced options. I'll keep looking to see if I can find something more specific.
0
 
LVL 10

Accepted Solution

by:
TekServer earned 1600 total points
ID: 40573632
Sorry for the delay in getting back to this.  Apparently the setting to "Always prompt for password" is no longer accessible from the Server 2012 RDMS.  But the good news is you can still access it from Group Policy.  More on that here.

In Server 2008, I found that particular GPO setting at Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server -> Security.  I would expect that a GPO for Server 2012 wouldn't differ from that too much.  You can apply this setting in Default Domain Controller Policy or create a new GPO.

Hope this helps, let me know if you have any questions or problems.
:-)
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40573729
That's great. I will try it and report back.
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40574511
Excellent, the Group Policy worked on the RDS server. The only difference is that server 2012 calls Terminal Services - Remote Desktop Services.

Thanks so much. I've been looking for this for a long time.
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40575583
Glad I could help, thanks for the accept.

:-)
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article on how to answer questions, earn points and become an expert.
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
Suggested Courses

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question