Prevent RDP Credentials from being saved

Ja Che
Hello, we have a centralized SQL database that the company runs off of. Employees use Access as the front end and connect remotely (if offsite) using RDP. My main concern is that users are storing credentials, which can cause obvious security issues.

1. Is there a way to prevent credentials from saving in RDP? Users access from home, iPhones, iPads, and other non-company machines. Is there any way to stop credential saving in this scenario?

2. We utilize OpenVPN for client/workstation connectivity. Only a few users currently have access. How could I use this as a gateway to prevent the credential saving scenario if users are remote?
Thank you in advance.
Top Expert 2013
Commented:
You can block the saving of RDP credentials using group policy, but it would only be effective on computers that are members of the domain and on which you can apply group policy.  If that is some help you would want to set the "Do not allow passwords to be saved" option under the following GPO:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.

I don't believe on unmanaged computers you can prevent it as they can create their own connection client.
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Yes, that's possible.
Apply a policy to the server where the following setting is enabled: "Always prompt for password upon connection" in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
The server will now refuse connection attempts with saved credentials and always prompt.
Rich Rumble, Security Samurai
Top Expert 2006
Commented:
Correct and Correct. Unmanaged clients you cannot control this on, but you may consider making it a provision in your contract or policies that these people are signing or agreeing to.
https://technet.microsoft.com/en-us/library/jj852185%28v=ws.11%29.aspx
-rich
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
There is absolutely no need to control that on the client side.
The policy I described above is applied to the server, and once applied, the server will now refuse RDP logons with saved credentials from any client, managed or not.
The server will ignore any password sent with the connection attempt, and a password prompt will always pop up, even when an utterly unmanaged Linux client tries it.
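
To confirm that the two policies named in the answers above have actually been applied, the following PowerShell check reads the registry values those Group Policy settings write. It is an added example, not part of the original thread; the key paths and the value names `fPromptForPassword` and `DisablePasswordSaving` do not appear on the page and are supplied here, and the function names are hypothetical.

```powershell
# Added example: audit the registry values behind the two GPO settings in this thread.
# Run in an elevated session on the session host (server check) or a domain client.

# Key written by both Group Policy settings (not stated on the page).
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Local, non-policy setting on the default RDP listener.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function ConvertTo-PolicyState {
    param($Value)
    if ($null -eq $Value) { return 'NotConfigured' }
    if ($Value -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

function Get-RdpCredentialPolicy {
    # Server side: "Always prompt for password upon connection".
    $serverPolicy = Get-RegDword -Path $PolicyKey   -Name 'fPromptForPassword'
    $serverLocal  = Get-RegDword -Path $ListenerKey -Name 'fPromptForPassword'
    # Client side: "Do not allow passwords to be saved".
    $clientPolicy = Get-RegDword -Path $PolicyKey   -Name 'DisablePasswordSaving'

    # A value set by Group Policy takes precedence over the listener's local value.
    $effective = if ($null -ne $serverPolicy) { $serverPolicy } else { $serverLocal }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        AlwaysPromptPolicy      = ConvertTo-PolicyState $serverPolicy
        AlwaysPromptLocal       = ConvertTo-PolicyState $serverLocal
        ServerPromptsEveryLogon = ($effective -eq 1)
        ClientBlocksSavedCreds  = ConvertTo-PolicyState $clientPolicy
    }
}

Get-RdpCredentialPolicy | Format-List
```

On the RDP server, `ServerPromptsEveryLogon` should read `True` once the server-side policy has been applied; `ClientBlocksSavedCreds` is only meaningful on domain-joined clients that receive the client-side policy.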

Author

Commented:
Great, Thanks!
