Solved

How to not allow client machines to save RDP credentials

Posted on 2015-01-20
8
521 Views
Last Modified: 2015-01-28
Hello,

I have a long running dilemma.

I run a Remote Desktop Services environment. The staff all have laptops issued to them and use RDP to connect into their work environment.  Basically the laptops only server as a thin client to connect to the internal office environment.

I would like to force all the users to enter their username and password every time they connect to the office using RDP. This is for security reasons. However, by default RDP always has the "Remember my credentials" check box. Ideally I would prefer to have a setting on the server that will force the user to input their UN/PW regardless of whether they have checked that box. I have found no such solution though.

Alternatively. I have use the following registry entries on each client laptop. The laptops are all home editions of windows so they do not have GPO options. These entries are a pain, because they need to be entered on each client laptop, and cannot be done centrally on the server.

Here are the entries I have used:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"DisablePasswordSaving"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fEnableUsbNoAckIsochWriteToDevice"=dword:00000050
"fEnableUsbBlockDeviceBySetupClass"=dword:00000001
"fEnableUsbSelectDeviceByInterface"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses]
"1000"="{3376f4ce-ff8d-40a2-a80f-bb4359d1415c}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces]
"1000"="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"


This was not ideal, but at least it worked. I am noticing that with newer 8.1 laptops these entries do not work either. Does anyone have any ideas?

Thanks in advance.
0
Comment
Question by:StreamlineIM
  • 4
  • 3
8 Comments
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 100 total points
ID: 40559903
There's on more key you could try:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]

"PromptForCredsOnClient"=dword:00000001
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40562323
On the server, go into Terminal Services Configuration, right-click on the RDP-TCP connection, go to the Logon Settings tab, and click the "Always prompt for password" check box. I think the users will still be able to save their user names, but this will at least force them to type their passwords each time.

:-)
0
 
LVL 1

Author Comment

by:StreamlineIM
ID: 40564687
Thanks Kimputer, that works!

TekServer - Any idea where this is located on server 2012? A bit of background. Each user has a dedicated VM running. Remote desktop services has all the VMs in a collection, and directs users to their VM based on their login creds.

It would be great if I could change this on the server and not need to set it on each individual client workstation.

Thanks for the assistance
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40565476
Sorry, most of my clients are small & still running server 2008 or earlier. I did some brief Googling & saw that all of the old RDS tools appear to be combined into the new Remote Desktop Management Server (RDMS), so I'd start there. Apparently Powershell can also be used for more advanced options. I'll keep looking to see if I can find something more specific.
0
Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

 
LVL 10

Accepted Solution

by:
TekServer earned 400 total points
ID: 40573632
Sorry for the delay in getting back to this.  Apparently the setting to "Always prompt for password" is no longer accessible from the Server 2012 RDMS.  But the good news is you can still access it from Group Policy.  More on that here.

In Server 2008, I found that particular GPO setting at Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server -> Security.  I would expect that a GPO for Server 2012 wouldn't differ from that too much.  You can apply this setting in Default Domain Controller Policy or create a new GPO.

Hope this helps, let me know if you have any questions or problems.
:-)
0
 
LVL 1

Author Comment

by:StreamlineIM
ID: 40573729
That's great. I will try it and report back.
0
 
LVL 1

Author Comment

by:StreamlineIM
ID: 40574511
Excellent, the Group Policy worked on the RDS server. The only difference is that server 2012 calls Terminal Services - Remote Desktop Services.

Thanks so much. I've been looking for this for a long time.
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40575583
Glad I could help, thanks for the accept.

:-)
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now