RDS 2019 (but probably other versions as well): locked RDP session logs in after session reconnect

    Question

  • Hi. I'm running into some sort of security issue. Some of our customers actively lock their RDP session so obviously no-one can use it. It seems that when you lock your RDP session, and then get a reconnect to the server, and the RDP client reconnects, it automatically logs you in again, circumventing the lock.

    Easy to abuse too: locked session? Just disconnect the network cable / wifi until the session starts reconnecting, and reconnect the cable and *poof* you are in.

    Now some of this is prevented as we have some customers that have 2FA implemented on the RD Gateways, so when the session reconnects, you'll need to approve the 2FA. But not all customers have that.

    Would there be any way to prevent this? Can anyone else confirm this?

    Tuesday, February 19, 2019 2:57 PM

All replies

  • Hi,

    1. "Some of our customers actively lock their RDP session so obviously no-one can use it."
    Do you mean that if one problematic user locks his RDP session, other users cannot remotely access the RDSH server?

    2. "It seems that when you lock your RDP session, and then get a reconnect to the server, and the RDP client reconnects, it automatically logs you in again, circumventing the lock."
    If we configure a screen lock policy for domain users, will it solve this problem?
    User Configuration\Administrative Templates\Control Panel\Personalization

    1. Enable screen saver
    2. Force specific screen saver (tried adding one & also leaving as blank)
    3. Password protect the screen saver
    4. Screen saver timeout to 60 seconds

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, February 22, 2019 8:46 AM
    Moderator
  • Hi,

    You may Disable Automatic Reconnection on your RD Session Host server(s) to stop this behavior.  You can do this via group policy setting:

    Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Connections\

    Automatic Reconnection     Disabled

    After making sure the group policy setting has been applied (gpupdate /force) to your RDSH servers, please disconnect or log off all sessions.  Once users log back on, automatic reconnects will be disabled.

    Thanks.

    -TP

    Friday, February 22, 2019 9:44 AM
    Moderator
  • Well, that's not a real fix. I guess there should be a mechanism in place: if a user is actually working in his session and it gets disconnected, the reconnect should 'log in'. However, when the session was already locked, it shouldn't unlock. Disabling reconnecting altogether wouldn't be really user-friendly, given that all our users are on WAN. We've got quite stable connections for most of them, but still, reconnects occur over time.

    I actually think this is quite a security breach. Setting the screensaver to 60 seconds (what?!) is another workaround, but certainly not a fix. I'll keep on looking.

    Friday, February 22, 2019 10:25 AM
  • Hi,

    That's true, it's a workaround that you can choose or not based on what is a higher priority.  It's not my preference, but like it or not, this has been the way it behaves for a long time.

    Have you opened a support case with Microsoft?  It is possible they will consider this a security issue and develop a hotfix to change it.

    There are additional ways you can look at this from a security perspective.  For example, locking a remote session while keeping the local device unlocked isn't good security policy.  Likewise, allowing another person physical access to a client device that is currently powered on with an active, authenticated local user session (whether locked or not, with an open remote session or not) is not the best from a security perspective.

    Besides opening a support case, what you could do is run a program inside of each session and have it lock the session upon reconnect.  Essentially, you can write a small program that will listen for the reconnect event and then lock the session.  The downside would be that the session would lock every time there is a disconnect/reconnect and not just for the ones where the session was previously locked.

    -TP

    Friday, February 22, 2019 11:44 AM
    Moderator
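The "small program that listens for the reconnect event and locks the session" suggested above, written as an added PowerShell example that is not part of the thread. It assumes it is started inside each user's RDP session (for example from a logon script or a per-user scheduled task) and, as described in the reply, it locks on every remote reconnect rather than only when the session was locked before the disconnect.

```powershell
# Added example: lock the current session whenever it is remotely reconnected.
# Assumes it runs inside the user's own RDSH session and is left running.

# LockWorkStation() from user32.dll locks the interactive session this process belongs to.
Add-Type -Namespace Win32 -Name Session -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
'@

# SystemEvents.SessionSwitch fires for lock/unlock, logon/logoff and console/remote (re)connects.
# Only a RemoteConnect (the RDP client re-attaching) triggers the lock here.
$subscription = Register-ObjectEvent `
    -InputObject ([Microsoft.Win32.SystemEvents]) `
    -EventName SessionSwitch `
    -SourceIdentifier 'LockOnRdpReconnect' `
    -Action {
        if ($EventArgs.Reason -eq [Microsoft.Win32.SessionSwitchReason]::RemoteConnect) {
            # Relock immediately; the automatic reconnect already re-established the desktop.
            [Win32.Session]::LockWorkStation() | Out-Null
        }
    }

try {
    # Keep the runspace alive so queued session events are dispatched to the action above.
    while ($true) { Wait-Event -Timeout 60 | Out-Null }
}
finally {
    Unregister-Event -SourceIdentifier 'LockOnRdpReconnect' -ErrorAction SilentlyContinue
}
```

Every disconnect/reconnect produces a lock prompt, which is the trade-off the reply describes; users with flaky WAN links will see it often.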
  • Hi,
    I think you can post your idea in this forum; I hope there will be a better answer for you there.
    Remote Desktop Services customer voice
    https://remotedesktop.uservoice.com/forums/266795-remote-desktop-services

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 28, 2019 3:42 PM
    Moderator
  • Yeah I guess I'll do that. Thanks.
    Thursday, February 28, 2019 3:44 PM
  • Thank you for your support and understanding.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 4, 2019 6:51 AM
    Moderator