Do not allow passwords to be savedID: oval:org.secpod.oval:def:40314 | Date: (C)2017-04-25 (M)2023-05-09 |
Class: COMPLIANCE | Family: windows |
This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server.
Vulnerability:
An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts.
Counter Measure:
Enable this setting.
Potential Impact:
If you enable this policy setting, the password saving checkbox is disabled for Terminal Services clients and users will not be able to save passwords.
Fix:
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved
(2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
Platform: |
Microsoft Windows Server 2016 |