Information
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions.
The recommended state for this setting is: Enabled: 1 minute
This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated.
In addition, session timeouts that are misconfigured or set for a long period of time can leave the system open to an attacker hijacking the session.
Solution
To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: 1 minute
Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for disconnected sessions
Impact:
Disconnected Remote Desktop sessions are deleted from the server after 1 minute. Note that disconnected session time limits do not apply to console sessions.