Posted by bryan.rutkowski on October 31, 2007, 1:00 pm
I thought the same thing, only problem is I went to test that and you
can still edit your password in MSTSC. If you entered the credentials
before the new GPO setting was applied to disable saving passwords, you
have that option forever, or until you manually delete it within MSTSC
(hence my problem). So they could just click the edit button and
enter their new password and it saves it... So no luck there. We
have a MS guy here this week and I asked him about this; hopefully he
is able to find an answer. I'll let you know what I hear. I am
surprised this isn't a well known bug/issue; you would think this
would be a pretty big security risk, as a hacker could maybe get access
to an admin's workstation and then get direct access to a DC or other
server.
On Oct 30, 10:09 pm, "Steven L Umbach" <n9...@n0-spam-for-me-comcast.net> wrote:
> Maybe it is a good time to force everyone to change their passwords. You
> could try starting with a few domain users to see if that solves your issue.
>
> Steve
>
> >I tried the User Configuration setting as well, no luck, previously
> > entered credentials could still be used. Also setting the requirement
> > on the server doesn't help much as the password is still stored on the
> > workstation. I really need to make sure those passwords are removed
> > from the workstations. I know the policies are working as any new
> > connection settings do not allow me to save credentials, it forces me
> > to enter them each time.
>
> > Bryan
>
> > On Oct 29, 9:28 pm, "Steven L Umbach" <n9...@n0-spam-for-me-comcast.net> wrote:
> >> I noticed that "Do not allow passwords to be saved" is in Computer
> >> Configuration and User Configuration. You may want to try enabling it in
> >> both places to see what happens, and also run rsop.msc on a computer where
> >> it does not seem to be working to make sure the user/computer is within the
> >> scope of management of the GPO that you configured. Also, you can configure
> >> the TS itself to always prompt for a password: Administrative Tools / TS
> >> Configuration / Connections, select Microsoft RDP in the right window, then
> >> Properties / Logon Settings / Always prompt for password.
>
> >> Steve
>
> >> > I have noticed a security issue regarding the Cached Credentials
> >> > (Saved Usernames and Passwords) in Terminal Services. I had previously
> >> > run Terminal Services and connected to multiple servers, entering my
> >> > credentials and saving them so I wouldn't have to enter them again.
> >> > Recently though, I have been asked to disable this feature for everyone
> >> > in the company. So I have been testing a solution on my workstation
> >> > to force users to enter their credentials and clear out their old
> >> > saved credentials so they can't use that function anymore.
>
> >> > I found the following GPO settings which are supposed to force
> >> > entering of credentials.
>
> >> > -----
> >> > "Always prompt client for password upon connection"
>
> >> > Specifies whether Terminal Services always prompts the client for a
> >> > password upon connection.
>
> >> > You can use this setting to enforce a password prompt for users
> >> > logging on to Terminal Services, even if they already provided the
> >> > password in the Remote Desktop Connection client.
>
> >> > If the status is set to Enabled, users cannot automatically log on to
> >> > Terminal Services by supplying their passwords in the Remote Desktop
> >> > Connection client. They are prompted for a password to log on.
> >> > -----
>
> >> > I also found this GPO
>
> >> > -----
> >> > "Do not allow passwords to be saved"
>
> >> > Controls whether passwords can be saved on this computer from Terminal
> >> > Services clients.
>
> >> > If you enable this setting the password saving checkbox in Terminal
> >> > Services clients will be disabled and users will no longer be able to
> >> > save passwords. When a user opens an RDP file using the Terminal
> >> > Services client and saves his settings, any password that previously
> >> > existed in the RDP file will be deleted.
>
> >> > If you disable this setting or leave it not configured, the user will
> >> > be able to save passwords using the Terminal Services client.
> >> > -----
>
> >> > Now one would think that when I enable both of these GPOs I would no
> >> > longer be able to log in with saved usernames and passwords in Terminal
> >> > Services.
>
> >> > The problem is that when I open my Terminal Services client (MSTSC) I am
> >> > still able to use cached credentials. I would have to click the link
> >> > to manually delete my saved credentials, otherwise it will keep them,
> >> > even though the GPO says I can't use them, essentially making the GPO
> >> > settings worthless.
>
> >> > Does anyone know how to make it so it FORCES users to enter their
> >> > credentials every time, even if they saved them before the GPO was
> >> > set? Or is there a way to delete them remotely?
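Added example, not from anyone in this thread: a PowerShell script that lists and removes the Terminal Services credentials MSTSC keeps in the Windows Credential Manager, using cmdkey.exe. It assumes saved RDP credentials use the target name TERMSRV/<server> and that it runs as the user whose vault holds them (for example as a GPO user logon script), since cmdkey only sees the current user's credentials.

```powershell
# Added example, not part of the original thread.
# Lists and removes the Terminal Services credentials that MSTSC stored in the
# Windows Credential Manager, using cmdkey.exe (ships with Windows XP SP2 /
# Server 2003 and later). Assumption: saved RDP credentials use the target name
# TERMSRV/<server>, and the script runs as the user whose vault holds them
# (for example from a GPO user logon script), since cmdkey only sees the
# current user's credentials.

function Get-SavedRdpCredentialTarget {
    # cmdkey /list prints one "Target: ..." line per stored credential.
    # Newer Windows prefixes the name with "Domain:target=", older ones do not.
    $listing = cmdkey /list 2>$null
    foreach ($line in $listing) {
        if ($line -match '^\s*Target:\s*(?:Domain:target=)?(TERMSRV/\S+)') {
            $Matches[1]
        }
    }
}

function Remove-SavedRdpCredential {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $targets = @(Get-SavedRdpCredentialTarget)
    if ($targets.Count -eq 0) {
        Write-Verbose 'No saved TERMSRV credentials found for this user.'
        return
    }
    foreach ($target in $targets) {
        # -WhatIf reports what would be removed without touching the vault.
        if ($PSCmdlet.ShouldProcess($target, 'Remove saved RDP credential')) {
            cmdkey /delete:$target | Out-Null
            Write-Output "Removed saved credential for $target"
        }
    }
}

# Dry run first; drop -WhatIf to actually clear the stored passwords.
Remove-SavedRdpCredential -WhatIf
```

Run alongside the "Do not allow passwords to be saved" policy, this covers both halves of the problem: the script clears what users stored before the policy applied, and the policy stops new entries from being saved.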