Hiding user account names from unauthenticated RDP sessions

Question

This is for a Windows 7 Ultimate system, which is not a member of a domain.

When I log into the system locally, I am required to either manually enter my user ID or authenticate with biometrics. The system does not display my username on the Welcome screen at boot-up, or when the session is locked.

In order for this to work, I've made the following configurations in secpol.msc, under Security Settings\Local Policies\Security Options:

• Interactive logon: Display user information when the session is locked
  • Do not display user information.
• Interactive logon: Do not display last username
  • Enabled
• Interactive logon: Do not require CTRL+ALT+DEL
  • Disabled

This works wonderfully for logons at the console. However, RDP sessions still display the regular "Welcome" screen with all users listed.

How can I configure the system so that the remote login screen does not leak user account details?

Answer 1

When you say "Welcome" screen with all users listed. Is that so, or is it one named user and then "Other user"?

If it is one named user and "Other user" then the named user is actually coming from the RDP client and is not being exposed. Depending on which client you are connecting with, but at least the Win XP client will save last connected user on the client side (even if the Allow me to save credentials is not ticked). My current Win 7 and Win 2008 RDP clients will authenticate before connecting (so you never see the login screen at all).

If my observation fits, you can prove it by entering a non-account on the client side without password, and it will still be displayed.

Answer 2

As it was already answered before the username is coming from client side of previous RDP connection.
So it does not reveal anything from unknown remote desktop system itself
Update:
but permits to compromise remote systems to which a client had already previously RD-connected by hacking a client computer.

RDP sessions are invoked by underlying (in an icon, shortcut, menu or through command line) mstsc command and in order to prevent recording/revealing username attempts on client side there is "/public" parameter, so one should invoke remote desktop (terminal session) by command (from command line, cmd or Run):

• mstsc /public

Update:
For any cleaning I personally usually use CCleaner:

The same, I beleive, is possible to do with inbuilt into any Windows cleanup utillity. In Windows XP (should be the same in Winfows 7, just start typing 'clean' and it will show up) it is launched from command line by the command:

• cleanmgr

then choose your system disk (mine is D, for example), and after a few minutes of scanning it will show:

BTW, Windows cleanup showed for me 20 407 KB of Temporary Remote Desktop Files, while CCleaner showed:

CLEANING COMPLETE - (1.728 secs)

60,0 MB removed.

Secure file deletion enabled - Simple Overwrite (1 pass)

Details of files deleted

------------------------------------------------------------------------------------------ > Windows - Remote Desktop 61 406 KB 2 files

• D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\bcache22.bmc 20 470 KB
• D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\bcache24.bmc
  40 936 KB

from which one can see the path to RDP cahes (in Windows XP SP3, should be helpful to find in any Windowses, I guess).