18.9.65.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'

Information

This policy setting helps prevent Remote Desktop clients from saving passwords on a computer.

The recommended state for this setting is: Enabled

Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server.

An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved

Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Impact:

The password saving checkbox will be disabled for Remote Desktop clients and users will not be able to save passwords.

See Also

https://workbench.cisecurity.org/benchmarks/14289