Microsoft’s Remote Desktop Protocol (RDP) client has a little-known but important security feature, informally called “incognito mode”, enabled with the /public command-line switch.
Officially named public mode, it stops the client from retaining sensitive session leftovers on the local machine, which has real consequences for cybersecurity, digital forensics, and corporate IT management.
According to Devolutions, public mode is activated by launching mstsc.exe (the Microsoft Terminal Services Client) with the /public switch, which disables several kinds of local data storage:
Connection Configuration: The client normally keeps its settings in the hidden file %USERPROFILE%\Documents\Default.rdp; in public mode this file is no longer updated.
Administrators can still edit it by hand (for example with notepad "~\Documents\Default.rdp"), but any per-session changes are discarded when the session disconnects.
Authentication Cache: Windows Credential Manager normally saves RDP credentials under TERMSRV/ entries. Public mode blocks both reading and writing them, so the user has to authenticate manually on every connection. Digital forensics examiners frequently enumerate these entries using:
In a public-mode session this command has nothing new to show, since no fresh credentials are persisted, the publication notes.
Persistent Image Cache: To speed up rendering, the RDP client stores screen fragments on disk in %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache.
Public mode disables this cache; administrators can also disable it independently with BitmapCachePersistEnable:i:0 in an RDP file.
Tools such as BMC-Tools (GitHub/ANSSI-FR) extract bitmap artifacts from these caches, but public mode leaves them nothing to recover.
Implications and Countermeasures
Public mode also changes registry behaviour that incident investigations rely on:
MRU Server List: The ten most recently accessed servers, stored under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default, are no longer updated. An attacker operating from a compromised system leaves no fresh IP or DNS trail there.
Username Clues: Registry values such as HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\<IP>\UsernameHint normally reveal the account used. Public mode clears this field after the session.
Certificate Exceptions: TLS trust overrides for invalid certificates, normally recorded as CertHash values under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers, are not written.
Taken together, public mode leaves behind no credentials, bitmap caches, or registry records.
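The artifacts listed above are exactly what an investigator (or an administrator auditing a shared workstation) checks for. The following PowerShell function is an added example, not code from the article or from Devolutions: it inventories the MRU list, the per-server UsernameHint and CertHash values, the hidden Default.rdp file, the bitmap cache directory, and the TERMSRV/ entries in Credential Manager, so that the effect of public mode can be confirmed by comparing a run before and after a session. The registry paths and file locations are the ones named in the article; the output shape is my own.

```powershell
# Added example (not from the article): inventory the local RDP client artifacts
# named in the text so an analyst can see what a workstation actually retains.
$script:TscBase = 'HKCU:\Software\Microsoft\Terminal Server Client'

function Get-RdpClientArtifacts {
    $report = [ordered]@{}

    # MRU server list lives as values MRU0..MRU9 under ...\Terminal Server Client\Default
    $default = Get-ItemProperty -Path (Join-Path $script:TscBase 'Default') -ErrorAction SilentlyContinue
    $report['MruServers'] = if ($default) {
        $default.PSObject.Properties |
            Where-Object { $_.Name -like 'MRU*' } |
            Sort-Object Name |
            ForEach-Object { [pscustomobject]@{ Slot = $_.Name; Server = $_.Value } }
    } else { @() }

    # One subkey per server under ...\Servers, carrying UsernameHint and CertHash
    $servers = Get-ChildItem -Path (Join-Path $script:TscBase 'Servers') -ErrorAction SilentlyContinue
    $report['Servers'] = foreach ($s in $servers) {
        $p = Get-ItemProperty -Path $s.PSPath
        [pscustomobject]@{
            Server       = $s.PSChildName
            UsernameHint = $p.UsernameHint
            # CertHash is REG_BINARY; render it as hex for readability
            CertHash     = if ($p.CertHash) { ([System.BitConverter]::ToString($p.CertHash)) -replace '-' } else { $null }
        }
    }

    # Default.rdp is a hidden file, so -Force is needed to read its metadata
    $rdpPath = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
    $report['DefaultRdp'] = if (Test-Path $rdpPath) {
        Get-Item -Path $rdpPath -Force | Select-Object FullName, LastWriteTime, Length
    } else { $null }

    # Persistent bitmap cache directory
    $cacheDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Terminal Server Client\Cache'
    $report['BitmapCache'] = if (Test-Path $cacheDir) {
        Get-ChildItem -Path $cacheDir -Force | Select-Object Name, Length, LastWriteTime
    } else { @() }

    # Saved RDP credentials show up in Credential Manager as TERMSRV/<host> targets;
    # cmdkey only lists target names, it never reveals the secrets themselves.
    $report['CredentialTargets'] = @(cmdkey /list | Select-String -Pattern 'TERMSRV/' |
        ForEach-Object { $_.Line.Trim() })

    [pscustomobject]$report
}

# Usage: run once before and once after an RDP session started with /public and diff the two.
Get-RdpClientArtifacts | Format-List
```

Running it in the current user's context is enough, because every artifact here lives under HKCU or the user's profile; for another user's profile the hive must be loaded first.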
Recommendations
Public mode comes with usability trade-offs:
- Re-entering credentials on every connection slows down routine work.
- Without the MRU server list there is no quick reconnect to recent hosts.
- Disabling the bitmap cache can hurt performance on slow networks.
Security specialists recommend:
- Pairing /public with Network Level Authentication (NLA) for layered protection.
- Implementing enterprise-class privileged access management (PAM) platforms for Just-In-Time access administration.
- Periodic scrutiny of Default.rdp and Terminal Server Client registry entries.
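The first two recommendations can be wired together on the client side. The script below is an added example (not from the article or from Devolutions): it writes a small RDP file that forces NLA, refuses to connect when server authentication fails, always prompts for credentials and disables the persistent bitmap cache (the BitmapCachePersistEnable:i:0 setting the article mentions), then opens that file with mstsc.exe /public. The server name is a placeholder; the NLA-related settings (authentication level, enablecredsspsupport, prompt for credentials) are standard RDP file keys that the article does not itself list.

```powershell
# Added example (not from the article): hardened RDP file + public-mode launch.
function New-HardenedRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $Path = (Join-Path $env:TEMP 'public-session.rdp')
    )
    $settings = @(
        "full address:s:$Server",
        'authentication level:i:2',      # 2 = do not connect if server authentication fails
        'enablecredsspsupport:i:1',      # require CredSSP, i.e. Network Level Authentication
        'prompt for credentials:i:1',    # always ask; never pick up a stored credential
        'BitmapCachePersistEnable:i:0'   # no persistent bitmap cache on disk
    )
    # mstsc writes its own .rdp files as UTF-16LE, so match that encoding
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    return $Path
}

function Start-PublicRdpSession {
    param([Parameter(Mandatory)] [string] $Server)
    $rdpFile = New-HardenedRdpFile -Server $Server
    # /public puts the client in public mode; the remaining settings come from the file
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/public `"$rdpFile`""
}

# Placeholder host name for illustration
Start-PublicRdpSession -Server 'rdp-host.example.internal'
```

Because the file is regenerated on every launch, an operator cannot quietly relax one of the settings and have it stick, which is the point of combining it with public mode on a kiosk or vendor-access machine.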
Given how attractive RDP is as a target, accounting for 32% of all brute-force attacks in 2024, this feature offers a meaningful defense against unsophisticated threats.
For IT teams the balancing act remains the same: strengthening security without hurting productivity. The forensic benefits of public mode nonetheless make it indispensable for high-risk settings such as shared kiosks or external vendor access points.
As remote work keeps expanding, fine-grained controls of this kind will shape the next phase of endpoint security.
The post Enabling Incognito Mode in RDP to Hide All the Traces appeared first on Cyber Security News.