Credentials are being remembered when they shouldn't be

Discussion in 'Parallels Client for Linux' started by MihailR, Jun 2, 2017.

  1. MihailR

    I'm having somewhat of a security issue with RAS Parallels Client for Linux connecting to RDP servers (haven't tested other OS / protocols).

    The client is storing credentials even when it's asked not to (at least until the application is restarted), i.e. it's happening even when:

    1) "Save Password" checkbox is unchecked in connection's properties. When the "Save Password" option is unchecked - Parallels RAS Client shouldn't allow reconnecting without asking the user to re-enter the password first. Instead, it remembers the credentials until the application is restarted and won't ask for the password for any further reconnects.

    2) "DisablePasswordSaving" GPO policy is set on the server side (the "Do not allow passwords to be saved" setting). When the "DisablePasswordSaving" GPO policy is set - Parallels RAS Client should not remember the credentials whether the checkbox is checked or unchecked but it doesn't respect that setting at all (for example, in mstsc.exe this setting will simply not let the user check the "Save Password" option).

    3) "fPromptForPassword" GPO policy is set on the server side (the "Always Prompt Client for Password Upon Connection" setting). When the "fPromptForPassword" GPO policy is set - Parallels RAS Client should prompt the user to enter the password manually, whether the password is saved or not but it doesn't (for example, in mstsc.exe this setting will require the user to type the password whether it was saved or not).

    In the following screenshot note how neither "Auto Logon" nor the "Save Password" options are checked BUT a password in the "Password" field is still stored and it will stay there until the application is restarted allowing anyone to reconnect without knowing the password.

    Screenshot 2017-06-02 14.22.10.png

    I found a somewhat related post from 2016 here where while it's a bit difficult to understand the issue - it sounds like the OP was running into the same problem and ended up scripting RAS Parallels Client to automatically close itself on disconnect which kinda solves the issue (application closed, credentials are no longer remembered / in memory) but I am not really sure what was the approach taken:

    I understand that RDP is a pretty complex protocol and respecting every GPO policy would require a lot of effort but in this case even not storing the credentials during the session when the "Save Password" option is unchecked would help a lot.

    Or is there maybe something I am missing?

    Thanks!
     
    Last edited: Jun 2, 2017
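
One way to script the close-on-disconnect workaround mentioned in the post above. This is an added example, not code from the original post, the 2016 thread or Parallels. The `CLIENT_NAME` variable, the sample process name `rdpclient` and the default port 3389 are assumptions to adjust for the actual install.

```shell
#!/bin/sh
# Added example: end the RDP client once its session drops, so the password
# it keeps in memory does not outlive the session.
# Assumptions: CLIENT_NAME is the client's process name, RDP_PORT the server port.
RDP_PORT="${RDP_PORT:-3389}"

# Constructed sample of `ss -tnp` output (not captured from a real host).
SAMPLE_SS='ESTAB 0 0 192.168.1.5:51234 10.0.0.8:3389 users:(("rdpclient",pid=4242,fd=12))
ESTAB 0 0 192.168.1.5:40000 10.0.0.9:443 users:(("firefox",pid=900,fd=55))
CLOSE-WAIT 0 0 192.168.1.5:51300 10.0.0.7:3389 users:(("oldclient",pid=77,fd=9))'

# Reads `ss -tnp` output on stdin. Succeeds only if process $1 owns an
# ESTABLISHED TCP connection whose peer port is exactly $2.
has_rdp_session() {
    awk -v name="$1" -v port="$2" '
        $1 == "ESTAB" && $5 ~ (":" port "$") &&
            index($0, "(\"" name "\",") { found = 1 }
        END { exit !found }'
}

# Polls while the client is running. After a session has been seen once,
# the first poll without one terminates the client.
watch_client() {
    name="$1"
    seen=0
    while pgrep -x "$name" >/dev/null; do
        if ss -tnp 2>/dev/null | has_rdp_session "$name" "$RDP_PORT"; then
            seen=1
        elif [ "$seen" -eq 1 ]; then
            pkill -x "$name"   # process exit discards the in-memory password
            return 0
        fi
        sleep 2
    done
}

if [ "${1:-}" = "--watch" ]; then
    watch_client "${CLIENT_NAME:?set CLIENT_NAME to the client process name}"
fi
```

Run it with `--watch` after starting the client. The two-second poll leaves a short window after a disconnect, and `ss -p` only reports process names for the invoking user's own processes unless run as root.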