14

This is for a Windows 7 Ultimate system, which is not a member of a domain.

When I log into the system locally, I am required to either manually enter my user ID or authenticate with biometrics. The system does not display my username on the Welcome screen at boot-up, or when the session is locked.

In order for this to work, I've made the following configurations in secpol.msc, under Security Settings\Local Policies\Security Options:

  • Interactive logon: Display user information when the session is locked
    • Do not display user information.
  • Interactive logon: Do not display last username
    • Enabled
  • Interactive logon: Do not require CTRL+ALT+DEL
    • Disabled

This works wonderfully for logons at the console. However, RDP sessions still display the regular "Welcome" screen with all users listed.

How can I configure the system so that the remote login screen does not leak user account details?

AviD
Iszi

2 Answers

12

When you say "Welcome" screen with all users listed, is that so, or is it one named user and then "Other user"?

If it is one named user and "Other user", then the named user is actually coming from the RDP client and is not being exposed. It depends on which client you are connecting with, but at least the Win XP client will save the last connected user on the client side (even if "Allow me to save credentials" is not ticked). My current Win 7 and Win 2008 RDP clients will authenticate before connecting (so you never see the login screen at all).

If my observation fits, you can prove it by entering a non-account on the client side without a password, and it will still be displayed.

pflodin
    Turns out this is exactly the case. I tested remote access from a system I hadn't used yet, and only got the "Other User" option. – Iszi Jun 20 '11 at 15:10
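
The server-side settings discussed so far, as an added example that is not part of the question or the answer: a PowerShell check of the three Security Options from the question plus the "authenticate before connecting" behaviour (Network Level Authentication) mentioned in the answer. The registry locations and the function name `Test-LogonScreenSettings` are assumptions, not taken from the page.

```powershell
# Added example, not from the thread. The registry locations below are
# assumptions: they are where these settings are commonly stored.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$checks = @(
    @{ Setting = 'Display user information when the session is locked'
       Path = $sys; Name = 'DontDisplayLockedUserId'; Want = 3 },   # 3 = show nothing
    @{ Setting = 'Do not display last username'
       Path = $sys; Name = 'DontDisplayLastUserName'; Want = 1 },   # 1 = Enabled
    @{ Setting = 'Do not require CTRL+ALT+DEL'
       Path = $sys; Name = 'DisableCAD'; Want = 0 },                # 0 = Disabled
    @{ Setting = 'RDP: authenticate before the logon screen (NLA)'
       Path = $rdp; Name = 'UserAuthentication'; Want = 1 }         # 1 = required
)

# Hypothetical helper: compares each stored value with the hardened value.
function Test-LogonScreenSettings {
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        New-Object PSObject -Property @{
            Setting  = $c.Setting
            Expected = $c.Want
            Actual   = $shown
            Ok       = ($actual -eq $c.Want)   # a missing value counts as not hardened
        }
    }
}

Test-LogonScreenSettings | Select-Object Setting, Expected, Actual, Ok | Format-Table -AutoSize
```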
4

As was already answered, the username comes from the client side, from a previous RDP connection.
So it does not reveal anything from an unknown remote desktop system itself.

Update:
but it does permit compromising remote systems to which a client had previously RD-connected, by hacking the client computer.

RDP sessions are invoked by the underlying mstsc command (whether from an icon, shortcut, menu or the command line). To prevent usernames from being recorded/revealed on the client side there is the "/public" parameter, so one should invoke remote desktop (terminal session) with the command (from the command line, cmd or Run):

  • mstsc /public

Update:
For any cleaning I personally usually use CCleaner:


The same, I believe, is possible with the cleanup utility built into any Windows. In Windows XP (it should be the same in Windows 7, just start typing 'clean' and it will show up) it is launched from the command line by the command:

  • cleanmgr

then choose your system disk (mine is D, for example), and after a few minutes of scanning it will show:


BTW, Windows cleanup showed for me 20 407 KB of Temporary Remote Desktop Files, while CCleaner showed:

```
CLEANING COMPLETE - (1.728 secs)

60,0 MB removed.

Secure file deletion enabled - Simple Overwrite (1 pass)

Details of files deleted
------------------------------------------------------------------------------------------
Windows - Remote Desktop    61 406 KB    2 files

D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\bcache22.bmc    20 470 KB
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\bcache24.bmc    40 936 KB
```

from which one can see the path to the RDP caches (in Windows XP SP3; it should be helpful for finding them in any Windows version, I guess).

  • Oh, I like this. Now the question becomes, how do I clear a pre-existing cache of usernames? – Iszi May 01 '12 at 13:47
  • I would use CCleaner on Windows XP but it requires an install (under Cleaner, Applications tab, the last entry is "Remote Desktop"). Speaking specifically about Windows 7 and without installing anything (I do not have access to Windows 7 now), one just starts typing 'clean', and something like a cleanup utility will appear, inside which there are options for disk and system cleanup, the latter with similar options to clean up RDP caches as well as passwords, etc. (from memory, as I do not currently have access to Windows 7) – Gennady Vanin Геннадий Ванин May 01 '12 at 15:36
  • I updated my answer; it was instructive to find that the Temporary Remote Desktop files (Terminal Server Client cache) are dozens to hundreds of MB! I clean up frequently but did not notice the size of the info cached and stored (if not using the /public parameter)! – Gennady Vanin Геннадий Ванин May 01 '12 at 16:18
  • Tried the `cleanmgr` on my PC (XP SP3) and didn't find the Remote Desktop cache. Looked in that path you gave though, and found a 20 MB `.bmc` file. Thanks for the info! – Iszi May 01 '12 at 17:11
  • Installed vanilla server 2016 on vps and within 5 minutes saw random audit failures for my user names coming from several different countries... yikes Microsoft... – jjxtra Apr 20 '22 at 00:05
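
An added example, not part of the answers or comments above: a PowerShell inventory of what the RDP client keeps for the current user on the client machine, which is where the pre-filled username and the `.bmc` cache discussed in this thread come from. The registry key `HKCU\Software\Microsoft\Terminal Server Client`, the `Default.rdp` file and the Vista-and-later cache folder are assumptions not given on the page, and both function names are hypothetical.

```powershell
# Added example, not from the thread. Registry and file locations are assumptions.
$tsc = 'HKCU:\Software\Microsoft\Terminal Server Client'

function Get-RdpClientTraces {
    # Per-server username hints: the name the client pre-fills on the next connect.
    if (Test-Path "$tsc\Servers") {
        Get-ChildItem "$tsc\Servers" | ForEach-Object {
            $hint = (Get-ItemProperty -Path $_.PSPath).UsernameHint
            New-Object PSObject -Property @{ Kind = 'UsernameHint'; Source = $_.PSChildName; Value = $hint }
        }
    }
    # Most-recently-used host list (values MRU0, MRU1, ...).
    if (Test-Path "$tsc\Default") {
        (Get-ItemProperty "$tsc\Default").PSObject.Properties |
            Where-Object { $_.Name -like 'MRU*' } | ForEach-Object {
                New-Object PSObject -Property @{ Kind = 'RecentHost'; Source = $_.Name; Value = $_.Value }
            }
    }
    # Hidden Default.rdp stores the last host and user name.
    $rdp = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
    if (Test-Path $rdp) {
        Get-Content $rdp -Force | Where-Object { $_ -match '^(full address|username):s:' } | ForEach-Object {
            New-Object PSObject -Property @{ Kind = 'Default.rdp'; Source = $rdp; Value = $_ }
        }
    }
    # Bitmap cache; the XP-style fallback path is the one shown in the answer.
    $base = $env:LOCALAPPDATA
    if (-not $base) { $base = Join-Path $env:USERPROFILE 'Local Settings\Application Data' }
    $dir = Join-Path $base 'Microsoft\Terminal Server Client\Cache'
    if (Test-Path $dir) {
        Get-ChildItem $dir -Force | ForEach-Object {
            New-Object PSObject -Property @{ Kind = 'BitmapCache'; Source = $_.FullName; Value = "$($_.Length) bytes" }
        }
    }
}

function Clear-RdpUsernameHints {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path "$tsc\Servers")) { return }
    Get-ChildItem "$tsc\Servers" | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PSChildName, 'Remove UsernameHint')) {
            Remove-ItemProperty -Path $_.PSPath -Name UsernameHint -ErrorAction SilentlyContinue
        }
    }
}
Get-RdpClientTraces | Select-Object Kind, Source, Value | Format-Table -AutoSize
# Clear-RdpUsernameHints -WhatIf   # preview only; drop -WhatIf to delete the hints
```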