Solved

How to not allow client machines to save RDP credentials

Posted on 2015-01-20
8
652 Views
Last Modified: 2015-01-28
Hello,

I have a long running dilemma.

I run a Remote Desktop Services environment. The staff all have laptops issued to them and use RDP to connect into their work environment.  Basically the laptops only server as a thin client to connect to the internal office environment.

I would like to force all the users to enter their username and password every time they connect to the office using RDP. This is for security reasons. However, by default RDP always has the "Remember my credentials" check box. Ideally I would prefer to have a setting on the server that will force the user to input their UN/PW regardless of whether they have checked that box. I have found no such solution though.

Alternatively. I have use the following registry entries on each client laptop. The laptops are all home editions of windows so they do not have GPO options. These entries are a pain, because they need to be entered on each client laptop, and cannot be done centrally on the server.

Here are the entries I have used:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"DisablePasswordSaving"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fEnableUsbNoAckIsochWriteToDevice"=dword:00000050
"fEnableUsbBlockDeviceBySetupClass"=dword:00000001
"fEnableUsbSelectDeviceByInterface"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses]
"1000"="{3376f4ce-ff8d-40a2-a80f-bb4359d1415c}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces]
"1000"="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"


This was not ideal, but at least it worked. I am noticing that with newer 8.1 laptops these entries do not work either. Does anyone have any ideas?

Thanks in advance.
0
Comment
Question by:Corey Haecker
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 100 total points
ID: 40559903
There's on more key you could try:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]

"PromptForCredsOnClient"=dword:00000001
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40562323
On the server, go into Terminal Services Configuration, right-click on the RDP-TCP connection, go to the Logon Settings tab, and click the "Always prompt for password" check box. I think the users will still be able to save their user names, but this will at least force them to type their passwords each time.

:-)
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40564687
Thanks Kimputer, that works!

TekServer - Any idea where this is located on server 2012? A bit of background. Each user has a dedicated VM running. Remote desktop services has all the VMs in a collection, and directs users to their VM based on their login creds.

It would be great if I could change this on the server and not need to set it on each individual client workstation.

Thanks for the assistance
0
Comparison of Amazon Drive, Google Drive, OneDrive

What is Best for Backup: Amazon Drive, Google Drive or MS OneDrive? In this free whitepaper we look at their performance, pricing, and platform availability to help you decide which cloud drive is right for your situation. Download and read the results of our testing for free!

 
LVL 10

Expert Comment

by:TekServer
ID: 40565476
Sorry, most of my clients are small & still running server 2008 or earlier. I did some brief Googling & saw that all of the old RDS tools appear to be combined into the new Remote Desktop Management Server (RDMS), so I'd start there. Apparently Powershell can also be used for more advanced options. I'll keep looking to see if I can find something more specific.
0
 
LVL 10

Accepted Solution

by:
TekServer earned 400 total points
ID: 40573632
Sorry for the delay in getting back to this.  Apparently the setting to "Always prompt for password" is no longer accessible from the Server 2012 RDMS.  But the good news is you can still access it from Group Policy.  More on that here.

In Server 2008, I found that particular GPO setting at Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server -> Security.  I would expect that a GPO for Server 2012 wouldn't differ from that too much.  You can apply this setting in Default Domain Controller Policy or create a new GPO.

Hope this helps, let me know if you have any questions or problems.
:-)
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40573729
That's great. I will try it and report back.
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40574511
Excellent, the Group Policy worked on the RDS server. The only difference is that server 2012 calls Terminal Services - Remote Desktop Services.

Thanks so much. I've been looking for this for a long time.
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40575583
Glad I could help, thanks for the accept.

:-)
0

Featured Post

Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question