Prevent RDP Credentials from being saved

Hello, we have a centralized SQL database that the company runs off of. Employees use Access as the front end and connect remotely (if offsite) using RDP. My main concern is that users are storing credentials, which can cause obvious security issues.

1. Is there a way to prevent credentials from saving in RDP? Users access from home, iPhones, iPads, and other non-company machines. Is there any way to stop credential saving in this scenario?

2. We utilize OpenVPN for client/workstation connectivity. Only a few users currently have access. How could I use this as a gateway to prevent the credential saving scenario if users are remote?

Thank you in advance.
Ja Che Asked:

Rob Williams Commented:
You can block the saving of RDP credentials using group policy, but it would only be effective on computers that are members of the domain and on which you can apply group policy.  If that is some help you would want to set the "Do not allow passwords to be saved" option under the following GPO:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.

I don't believe on unmanaged computers you can prevent it as they can create their own connection client.

oBdA Commented:
Yes, that's possible.
Apply a policy to the server where the following setting is enabled: "Always prompt for password upon connection" in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
The server will now refuse connection attempts with saved credentials and always prompt.
Rich Rumble (Security Samurai) Commented:
Correct and Correct. Unmanaged clients you cannot control this on, but you may consider making it a provision in your contract or policies that these people are signing or agreeing to.
https://technet.microsoft.com/en-us/library/jj852185%28v=ws.11%29.aspx
-rich

oBdA Commented:
There is absolutely no need to control that on the client side.
The policy I described above is applied to the server, and once applied, the server will now refuse RDP logons with saved credentials from any client, managed or not.
The server will ignore any password sent with the connection attempt, and a password prompt will always pop up, even when an utterly unmanaged Linux client tries it.

Ja Che (Author) Commented:
Great, Thanks!
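
A way to confirm that the two Group Policy settings named in this thread have actually applied on a given machine, as an added example that is not part of any post above. It assumes the policy-backed registry values `fPromptForPassword` and `DisablePasswordSaving` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`; the function name `Get-RdpCredentialPolicyState` is hypothetical.

```powershell
# Added example: report whether the two RDP credential policies from the thread
# are in effect on this machine (computer-side policy key only).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy names are the ones quoted in the thread; value names are the registry
# values those policies write (assumption stated in the lead-in).
$Checks = @(
    [pscustomobject]@{
        Policy    = 'Always prompt for password upon connection'
        AppliesTo = 'RD Session Host (server)'
        ValueName = 'fPromptForPassword'
    },
    [pscustomobject]@{
        Policy    = 'Do not allow passwords to be saved'
        AppliesTo = 'Remote Desktop Connection Client (domain member)'
        ValueName = 'DisablePasswordSaving'
    }
)

function Get-RdpCredentialPolicyState {
    param([string]$Key = $PolicyKey)

    # A missing key means no Terminal Services policy has been applied at all.
    $props = $null
    if (Test-Path -LiteralPath $Key) {
        $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    }

    foreach ($check in $Checks) {
        $name = $check.ValueName
        $raw  = if ($null -ne $props) { $props.$name } else { $null }

        # 1 = policy enabled, 0 = policy disabled, absent = not configured.
        $state = if ($null -eq $raw) { 'Not configured' } elseif ($raw -eq 1) { 'Enabled' } else { 'Disabled' }

        [pscustomobject]@{
            Policy        = $check.Policy
            AppliesTo     = $check.AppliesTo
            RegistryValue = $name
            State         = $state
        }
    }
}

Get-RdpCredentialPolicyState | Format-Table -AutoSize
```

Run it on the session host after a `gpupdate /force` to check the server-side setting, and on a domain workstation to check the client-side one.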
Windows Server 2008