Thanks for trying to help, but to be clear: there are no stored credentials on the client or the host. I have tried disabling every credential setting I can in GPO. "Enforce Always prompt for password upon connection" in the Remote Desktop Session Host settings: tried this as well. This works for normal credential saving but has no impact on "Use a web account to sign in to the remote computer" logins. If this box is not ticked, a password is required and credentials cannot be saved. If it is ticked, the authentication goes straight through. Devices are all properly integrated with Azure AD to my knowledge. We cannot view cached credentials in Entra because we do not have P1 or higher. Auto lock does nothing to stop this access if you mean on the host. If you mean on the client, then the issue we are dealing with is a shared machine where the login is to the device, but the RDP credentials have been saved somehow to the machine such that anyone can subsequently RDP if the previous user could authenticate via hardware key 2FA. Reverse proxy or RDP Gateway we may need to look at, but we don't understand why this is necessary to stop this behaviour, which is clearly a security hole. Please read the OP: we do not have conditional access. We need a solution that does not require CA.
Please understand that none of the traditional credential solutions appear to apply to this type of Entra caching. In attempting to make our access more secure by forcing USB FIDO2 keys, this problem actually makes our system less secure as far as RDP is concerned. A system admin can RDP into a server, require a USB key to authenticate, and then a normal user can come along later on the same PC and just click straight through even though the USB key has been removed. No PIN, no key, nothing is required on subsequent logins.
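As an added audit example (not from the poster or any vendor), the script below checks the two client-side settings the post discusses on a shared Windows client: the "Always prompt for password" policy (registry value `fPromptForPassword`, which the post confirms does not govern web-account sign-in) and any saved `.rdp` files that have the web-account option enabled. The mapping of the "Use a web account to sign in to the remote computer" checkbox to the `enablerdsaadauth:i:1` property is my assumption; the profile paths searched are also assumptions.

```powershell
# Audit RDP client settings relevant to the web-account sign-in issue.
# Added example; assumes the checkbox maps to the .rdp property
# "enablerdsaadauth:i:1" and that saved .rdp files live under user profiles.

function Get-RdpPromptPolicy {
    # fPromptForPassword = 1 means the "Always prompt for password" policy is enforced.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value = (Get-ItemProperty -Path $key -Name fPromptForPassword -ErrorAction SilentlyContinue).fPromptForPassword
    [pscustomobject]@{
        PolicyPresent = ($null -ne $value)
        AlwaysPrompt  = ($value -eq 1)
    }
}

function Find-WebAccountRdpFiles {
    param(
        # Assumed search roots; adjust for your environment.
        [string[]]$Roots = @('C:\Users')
    )
    Get-ChildItem -Path $Roots -Filter *.rdp -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if ($text -match '(?im)^\s*enablerdsaadauth:i:1\s*$') {
                [pscustomobject]@{
                    File       = $_.FullName
                    Owner      = (Get-Acl $_.FullName).Owner
                    WebAccount = $true
                }
            }
        }
}

# Report for a shared client: the policy alone does not close the gap the post
# describes, so the .rdp list tells you which saved connections still use the
# web-account path and whose profile they sit in.
Get-RdpPromptPolicy | Format-List
Find-WebAccountRdpFiles | Format-Table -AutoSize
```

Run it as an administrator on the shared client; an empty second table means no saved connection files carry the web-account flag, while any hit identifies a file worth reviewing with the profile owner.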

