
Enabling RDP Incognito Mode for Stealth and Anonymity


In a recent development, IT professionals have been exploring ways to enhance privacy and security when using Remote Desktop Protocol (RDP) connections.

One method gaining attention is the use of “public mode” in the RDP client, which is akin to incognito mode in web browsers.

This feature is particularly useful on shared or public computers where users want to prevent the storage of sensitive information such as credentials, session details, and cached images.

Understanding RDP Public Mode

The RDP public mode is activated with the /public command-line option of MSTSC (mstsc.exe), the Microsoft Remote Desktop client.

(Image: the Remote Desktop Connection client)

This mode prevents several key features from storing data locally.

For instance, it disables the caching of credentials, meaning users will be prompted for credentials each time they connect, even if they have previously saved them.

Additionally, public mode prevents the modification of connection settings in the Default.rdp file, which typically stores these settings for future use.

According to the researchers, this file can be manually edited using Notepad by accessing it through the command line.

Furthermore, public mode disables the persistent bitmap cache, a feature that stores bitmap fragments from previous sessions to improve performance.

(Image: bitmap fragments recovered from the persistent cache)

While this cache can be a valuable source of forensic information, it can also cause visual glitches if corrupted.

The cache files are stored under %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache and can be analyzed using tools like BMC-Tools.

For forensic analysts, the traces left behind by RDP connections are crucial for investigating malicious activities.

However, when public mode is enabled, these traces are significantly reduced.

This includes not updating the list of most recently used servers, which is stored in the registry, and preventing the storage of server username hints and certificate exceptions.

These values are stored in the registry and can reveal which servers were connected to and which user names were used.

Cleaning Up RDP Artifacts

For users who have not previously used public mode and wish to reset their RDP client to a clean state, a PowerShell script can be employed to remove saved credentials, persistent bitmap cache files, and relevant registry entries.

This involves deleting cached credentials using cmdkey, removing cache files, and deleting specific registry keys related to RDP connections.
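The following PowerShell script is an added, read-only example (not the script mentioned in the article): instead of deleting anything, it enumerates the client-side artifacts discussed above, so an analyst can see what a non-public session leaves behind and confirm what a cleanup has removed. It assumes the standard MSTSC locations under HKCU and the current user's profile, and that it runs as the user being examined.

```powershell
# Added example: list the RDP client artifacts that mstsc /public suppresses.
# Read-only; nothing is deleted. Paths are the standard MSTSC client locations.
function Get-RdpClientArtifacts {
    $client = 'HKCU:\Software\Microsoft\Terminal Server Client'

    # 1. Most recently used servers (the MRU list that public mode does not update)
    $mru = Get-ItemProperty -Path "$client\Default" -ErrorAction SilentlyContinue
    if ($mru) {
        $mru.PSObject.Properties | Where-Object { $_.Name -like 'MRU*' } | ForEach-Object {
            [pscustomobject]@{ Artifact = 'MRU'; Item = $_.Name; Detail = $_.Value }
        }
    }

    # 2. Per-server username hints and stored certificate exceptions (CertHash)
    Get-ChildItem -Path "$client\Servers" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $cert = if ($p.CertHash) { 'certificate exception present' } else { 'no certificate exception' }
        [pscustomobject]@{ Artifact = 'Server'; Item = $_.PSChildName
                           Detail = "UsernameHint=$($p.UsernameHint); $cert" }
    }

    # 3. Persistent bitmap cache files (the ones BMC-Tools can reconstruct)
    $cache = Join-Path $env:LOCALAPPDATA 'Microsoft\Terminal Server Client\Cache'
    Get-ChildItem -Path $cache -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Artifact = 'BitmapCache'; Item = $_.Name
                           Detail = "$($_.Length) bytes, modified $($_.LastWriteTime)" }
    }

    # 4. Default.rdp, the hidden file in Documents that keeps the last-used settings
    $defaultRdp = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
    if (Test-Path -Path $defaultRdp) {
        $f = Get-Item -Path $defaultRdp -Force
        [pscustomobject]@{ Artifact = 'Default.rdp'; Item = $defaultRdp
                           Detail = "modified $($f.LastWriteTime)" }
    }

    # 5. Saved RDP credentials; cmdkey stores them under TERMSRV/<host> targets
    cmdkey /list | Select-String -Pattern 'TERMSRV/' | ForEach-Object {
        [pscustomobject]@{ Artifact = 'Credential'; Item = $_.Line.Trim()
                           Detail = 'saved in Credential Manager' }
    }
}

# Print an inventory; an empty table after a session means no artifacts were left behind.
Get-RdpClientArtifacts | Format-Table -AutoSize
```

Running it before and after a test connection made with and without /public shows directly which of the five artifact classes the switch prevents.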

Enabling RDP public mode offers a way to maintain privacy and reduce the footprint of RDP connections, making it a valuable option both for security-conscious users and for forensic analysts who need to connect to a system without leaving data traces of their own.
