Posted by Steven L Umbach on November 1, 2007, 6:33 pm
I am using the built-in version for XP Pro SP2 that has all current updates.
Steve
> I tried the setting "Always prompt client for password upon connect"
> on a server and then tried connecting to it using cached credentials.
> It did as the GPO says and still prompted me for my credentials
> again. So that setting works as intended and I guess I could set that
> on all our servers if need be.
>
> What version of the Terminal Services client are you using? I am
> using the latest I think, 6.0. I know the look and functionality
> changed greatly from the last version to this one, which might be the
> root of some of these problems as I think this TS client is based off
> the Vista client.
>
> Bryan
>
> On Oct 31, 8:23 pm, "Steven L Umbach" <n9...@n0-spam-for-me-
> comcast.net> wrote:
>> OK I did some testing on my end. I found on my test domain that even if I
>> have saved credentials, that I could not use them to log on to the TS if it
>> is configured to always prompt for password as I was prompted for a
>> password. So you may want to try that out on your end and at least that
>> should prevent users from logging onto the TS with cached credentials.
>>
>> Steve
>>
>>
>> > Thanks for the update. When I get some time I will look into it further
>> > and see if I can come up with anything else. As far as admin workstations,
>> > there should not be that many of them and they need to be secured from the
>> > general populace, and those that log on to them should know better in my
>> > opinion. But still I understand your want for policy to work as stated.
>> > You may also want to post in one of the Terminal Services newsgroups to
>> > see if anyone there has any ideas.
>>
>> > Steve
>>
>> >> I thought the same thing, only problem is I went to test that and you
>> >> can still edit your password in MSTSC. If you entered the credentials
>> >> before the new GPO setting was applied to disable saving passwords you
>> >> have that option forever or until you manually delete it within MSTSC
>> >> (Hence my problem). So they could just click the edit button and
>> >> enter their new password and it saves it... So no luck there. We
>> >> have a MS guy here this week and I asked him about this, hopefully he
>> >> is able to find an answer. I'll let you know what I hear. I am
>> >> surprised this isn't a well known bug/issue, you would think this
>> >> would be a pretty big security risk as a hacker could maybe get access
>> >> to an admins workstation then get direct access to a DC or other
>> >> server.
>>
>> >> On Oct 30, 10:09 pm, "Steven L Umbach" <n9...@n0-spam-for-me-
>> >> comcast.net> wrote:
>> >>> Maybe it is a good time to force everyone to change their passwords. You
>> >>> could try starting with a few domain users to see if that solves your
>> >>> issue.
>>
>> >>> Steve
>>
>>
>>
>> >>> > I tried the User Configuration setting as well, no luck, previously
>> >>> > entered credentials could still be used. Also setting the requirement
>> >>> > on the server doesn't help much as the password is still stored on the
>> >>> > workstation. I really need to make sure those passwords are removed
>> >>> > from the workstations. I know the policies are working as any new
>> >>> > connection settings do not allow me to save credentials, it forces me
>> >>> > to enter them each time.
>>
>> >>> > Bryan
>>
>> >>> > On Oct 29, 9:28 pm, "Steven L Umbach" <n9...@n0-spam-for-me-
>> >>> > comcast.net> wrote:
>> >>> >> I noticed that the do not allow passwords to be saved is in computer
>> >>> >> configuration and user configuration. You may want to try and enable it
>> >>> >> in both places to see what happens and also run rsop.msc on a computer
>> >>> >> where it does not seem to be working to make sure the user/computer is
>> >>> >> within the scope of management of the GPO that you configured. Also you
>> >>> >> can configure to always prompt for password on the TS itself in
>> >>> >> administrative tools/TS configuration - connections selecting Microsoft
>> >>> >> RDP in the right window, select properties/logon settings - always
>> >>> >> prompt for password.
>>
>> >>> >> Steve
>>
>>
>>
>> >>> >> > I have noticed a security issue regarding the Cached Credentials
>> >>> >> > (Saved Username and Passwords) in Terminal Services. I had previously
>> >>> >> > run Terminal Services and connected to multiple servers entering my
>> >>> >> > credentials and saving them so I wouldn't have to enter them again.
>> >>> >> > Recently though I have been asked to disable this feature for everyone
>> >>> >> > in the company. So I have been testing a solution on my workstation
>> >>> >> > to force users to enter their credentials and clear out their old
>> >>> >> > saved credentials so they can't use that function anymore.
>>
>> >>> >> > I found the following GPO settings which are supposed to force
>> >>> >> > entering of credentials.
>>
>> >>> >> > -----
>> >>> >> > "Always prompt client for password upon connection"
>>
>> >>> >> > Specifies whether Terminal Services always prompts the client for a
>> >>> >> > password upon connection.
>>
>> >>> >> > You can use this setting to enforce a password prompt for users
>> >>> >> > logging on to Terminal Services, even if they already provided the
>> >>> >> > password in the Remote Desktop Connection client.
>>
>> >>> >> > If the status is set to Enabled, users cannot automatically log on to
>> >>> >> > Terminal Services by supplying their passwords in the Remote Desktop
>> >>> >> > Connection client. They are prompted for a password to log on.
>> >>> >> > -----
>>
>> >>> >> > I also found this GPO
>>
>> >>> >> > -----
>> >>> >> > "Do not allow passwords to be saved"
>>
>> >>> >> > Controls whether passwords can be saved on this computer from Terminal
>> >>> >> > Services clients.
>>
>> >>> >> > If you enable this setting the password saving checkbox in Terminal
>> >>> >> > Services clients will be disabled and users will no longer be able to
>> >>> >> > save passwords. When a user opens an RDP file using the Terminal
>> >>> >> > Services client and saves his settings, any password that previously
>> >>> >> > existed in the RDP file will be deleted.
>>
>> >>> >> > If you disable this setting or leave it not configured, the user will
>> >>> >> > be able to save passwords using the Terminal Services client.
>> >>> >> > -----
>>
>> >>> >> > Now one would think when I enable both of these GPOs I would no
>> >>> >> > longer be able to log in with saved usernames and passwords in Terminal
>> >>> >> > Services.
>>
>> >>> >> > The problem is when I open my Terminal Services client (MSTSC) I am
>> >>> >> > still able to use cached credentials. I would have to click the link
>> >>> >> > to manually delete my saved credentials, otherwise it will keep them,
>> >>> >> > even though the GPO says I can't use them. Essentially making the GPO
>> >>> >> > settings worthless.
>>
>> >>> >> > Does anyone know how to make it so it FORCES users to enter their
>> >>> >> > credentials every time, even if they saved them before the GPO was
>> >>> >> > set? Or is there a way to delete them remotely?
>
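An added example, not from the thread and not a Microsoft tool, of the cleanup Bryan is after: it audits (and with -Remove clears) the TERMSRV/<host> entries MSTSC keeps in the Credential Manager, plus the stored "password 51:b:" line in any .rdp file under My Documents, which is what the "Do not allow passwords to be saved" policy does not do retroactively. It assumes cmdkey.exe is present on the workstation and that the TERMSRV/ naming and the My Documents location of the .rdp files hold there; both are assumptions rather than something the thread states.

```powershell
# Added example (not from the thread): audit and clear saved Terminal Services
# credentials on a workstation. Assumes cmdkey.exe is available and that MSTSC
# stores saved logons as Credential Manager entries named TERMSRV/<host>.
param(
    [switch]$Remove   # default is audit only; pass -Remove to actually delete
)

# 1. Credential Manager entries: cmdkey /list prints one "Target:" line per
#    entry; newer builds prefix the name with "Domain:target=", older ones do not.
$targets = cmdkey /list 2>$null | ForEach-Object {
    if ($_ -match 'Target:\s*(?:Domain:target=)?(TERMSRV/\S+)') { $Matches[1] }
} | Sort-Object -Unique

foreach ($t in $targets) {
    if ($Remove) {
        cmdkey "/delete:$t" | Out-Null
        Write-Output "removed saved credential $t"
    } else {
        Write-Output "found saved credential $t"
    }
}

# 2. RDP files that still carry an encrypted password ("password 51:b:" line).
#    Default.rdp under My Documents holds the last-used MSTSC settings; the
#    folder and the *.rdp search are assumptions about where the files live.
$docs = [Environment]::GetFolderPath('MyDocuments')
Get-ChildItem -Path $docs -Filter *.rdp -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lines = Get-Content $_.FullName
        if ($lines -match '^password 51:b:') {
            if ($Remove) {
                # rewrite the file without the stored password line
                $lines | Where-Object { $_ -notmatch '^password 51:b:' } |
                    Set-Content $_.FullName
                Write-Output "stripped stored password from $($_.FullName)"
            } else {
                Write-Output "stored password in $($_.FullName)"
            }
        }
    }
```

Credential Manager entries are per user, so this has to run in the context of each user whose credentials are stored, for example from a logon script, rather than once per machine as an administrator.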