Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to not allow client machines to save RDP credentials

Posted on 2015-01-20
8
Medium Priority
?
805 Views
Last Modified: 2015-01-28
Hello,

I have a long running dilemma.

I run a Remote Desktop Services environment. The staff all have laptops issued to them and use RDP to connect into their work environment.  Basically the laptops only server as a thin client to connect to the internal office environment.

I would like to force all the users to enter their username and password every time they connect to the office using RDP. This is for security reasons. However, by default RDP always has the "Remember my credentials" check box. Ideally I would prefer to have a setting on the server that will force the user to input their UN/PW regardless of whether they have checked that box. I have found no such solution though.

Alternatively. I have use the following registry entries on each client laptop. The laptops are all home editions of windows so they do not have GPO options. These entries are a pain, because they need to be entered on each client laptop, and cannot be done centrally on the server.

Here are the entries I have used:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"DisablePasswordSaving"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fEnableUsbNoAckIsochWriteToDevice"=dword:00000050
"fEnableUsbBlockDeviceBySetupClass"=dword:00000001
"fEnableUsbSelectDeviceByInterface"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses]
"1000"="{3376f4ce-ff8d-40a2-a80f-bb4359d1415c}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces]
"1000"="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"


This was not ideal, but at least it worked. I am noticing that with newer 8.1 laptops these entries do not work either. Does anyone have any ideas?

Thanks in advance.
0
Comment
Question by:Corey Haecker
  • 4
  • 3
8 Comments
 
LVL 37

Assisted Solution

by:Kimputer
Kimputer earned 400 total points
ID: 40559903
There's on more key you could try:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]

"PromptForCredsOnClient"=dword:00000001
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40562323
On the server, go into Terminal Services Configuration, right-click on the RDP-TCP connection, go to the Logon Settings tab, and click the "Always prompt for password" check box. I think the users will still be able to save their user names, but this will at least force them to type their passwords each time.

:-)
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40564687
Thanks Kimputer, that works!

TekServer - Any idea where this is located on server 2012? A bit of background. Each user has a dedicated VM running. Remote desktop services has all the VMs in a collection, and directs users to their VM based on their login creds.

It would be great if I could change this on the server and not need to set it on each individual client workstation.

Thanks for the assistance
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 10

Expert Comment

by:TekServer
ID: 40565476
Sorry, most of my clients are small & still running server 2008 or earlier. I did some brief Googling & saw that all of the old RDS tools appear to be combined into the new Remote Desktop Management Server (RDMS), so I'd start there. Apparently Powershell can also be used for more advanced options. I'll keep looking to see if I can find something more specific.
0
 
LVL 10

Accepted Solution

by:
TekServer earned 1600 total points
ID: 40573632
Sorry for the delay in getting back to this.  Apparently the setting to "Always prompt for password" is no longer accessible from the Server 2012 RDMS.  But the good news is you can still access it from Group Policy.  More on that here.

In Server 2008, I found that particular GPO setting at Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server -> Security.  I would expect that a GPO for Server 2012 wouldn't differ from that too much.  You can apply this setting in Default Domain Controller Policy or create a new GPO.

Hope this helps, let me know if you have any questions or problems.
:-)
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40573729
That's great. I will try it and report back.
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40574511
Excellent, the Group Policy worked on the RDS server. The only difference is that server 2012 calls Terminal Services - Remote Desktop Services.

Thanks so much. I've been looking for this for a long time.
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40575583
Glad I could help, thanks for the accept.

:-)
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By default Outlook 2016 displays only one time zone in the Calendar. The following article explains how to display two time zones in one calendar view.
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question