On a client, connecting to an 2012R2 RDS server through rdweb, I have a serious security problem.
The user logs in to the session, getting prompted for credentials.
The user logs the session using ctrl+alt+end.
Then he goes for coffee.
Another employee walks by, and clicks the session Collection. He gets no prompt for password, but connects to the other session, and at the same time magicly unlocks the locked session without knowing the password?!