Detections
Analytics

18.9.63.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'

Information

This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

 The recommended state for this setting is: Enabled.

 Rationale:

 Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password.




 Impact:

 Users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They will be prompted for a password to log on.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

 Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection

 Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

 Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates.

 Default Value:

 Disabled. (Remote Desktop Services allows users to automatically log on if they enter a password in the Remote Desktop Connection client.)

 Additional Information:

 Microsoft Windows Server 2016 Security Technical Implementation Guide:

 Version 2, Release 2, Benchmark Date: May 04, 2021



 Vul ID: V-224946

 Rule ID: SV-224946r569186_rule
 STIG ID: WN16-CC-000390
 Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3476

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|9.2

Plugin: Windows

Control ID: 3615ff1f2cdbefa65bb1f88f9edbcff2ac31661093f3f21a13b3e7946cdee2cc