3.11.36.3.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'

Information

This policy setting helps prevent Remote Desktop clients from saving passwords on a computer.

The recommended state for this setting is: Enabled.

Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server.

An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled:

Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved

Impact:

The password saving checkbox will be disabled for Remote Desktop clients and users will not be able to save passwords.
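To confirm on an endpoint that the profile has applied, the following added example (not part of the benchmark text) reads the registry value behind the policy and reports how many saved RDP credentials remain for the current user. It assumes the setting is ADMX-backed and written to `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` as `DisablePasswordSaving`; the function name `Test-RdpPasswordSavingDisabled` is hypothetical.

```powershell
# Added example, not from the benchmark. Assumption: the Settings Catalog
# policy is ADMX-backed and writes this machine-scope registry value.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'DisablePasswordSaving'

function Test-RdpPasswordSavingDisabled {
    [CmdletBinding()]
    param(
        [string]$Path = $PolicyKey,
        [string]$Name = $ValueName
    )

    # A missing key or value means the policy is "Not configured".
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $state = 'Not configured'
    } elseif ([int]$item.$Name -eq 1) {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }

    # Informational: saved RDP credentials for the current user appear in
    # Credential Manager as TERMSRV/<host> targets (target names only).
    $saved = @(cmdkey.exe /list | Select-String -SimpleMatch 'TERMSRV/')

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        PolicyState         = $state
        Compliant           = ($state -eq 'Enabled')
        SavedRdpCredentials = $saved.Count
    }
}

$result = Test-RdpPasswordSavingDisabled
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "'Do not allow passwords to be saved' is $($result.PolicyState)."
}
```

A non-zero `SavedRdpCredentials` count on a compliant host means the user has not yet disconnected from an RDP session since the policy applied.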

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(13)

Plugin: Windows

Control ID: 8467c25151fc8da57094f208580871bc2b121acddc97b9c8c8558fdd4fa64aee