Security Issue: Microsoft Remote Desktop app (MacOS) automatically logs into remote Windows account

 Aug 16 2023

Hi, 

I'm using Microsoft Remote Desktop app Version 10.8.4 (2111) for MacOS Monterey (12.6.8) to connect to a remote machine running Windows 10.

I always have to log on with my Windows account when connecting to that remote machine; no password or login information is stored in the Remote Desktop app.

However, when the connection drops for any reason (e.g. my Mac fell into sleep mode during a coffee break), the Remote Desktop app just asks me to "Reconnect" and does not require the password again to log on to the Windows account. This even happens if I previously entered the lock screen on the remote Windows account.

How to reproduce?
- Use MacOS Monterey (12.6.8)
- Use Microsoft Remote Desktop app for MacOS in version 10.8.4 (2111) or earlier
- Start Microsoft Remote Desktop app and connect to any remote Windows 10 computer
- Log on to Windows account
- Lock screen of Windows account by pressing Windows+L => Windows is locked
- Put Mac to sleep (Apple menu > Sleep)
- Wake Mac after a while and switch to Microsoft Remote Desktop app => app asks whether to "Reconnect"
- Press "Reconnect"

Expected behavior: Microsoft Remote Desktop app presents the lock screen of the remote Windows machine as it was left before, or asks for authentication again

Observed behavior: Microsoft Remote Desktop app automatically logs on to the remote Windows account without asking for any password

Comments
Copper Contributor

I just noticed this issue too. It looks like the GPO setting "Always prompt for password upon connection" under "Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security" doesn't work.
In addition, it's able to "reconnect" even if the inactive timeout was reached and the account is logged off on the RDSH. It's creating a new session.
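
A check for the session host side of what the thread describes, as an added example that is not part of the original post or comment: it reads the registry values behind the "Always prompt for password upon connection" policy and the session time limits, and reports whether each one comes from Group Policy, from the local RDP listener, or is not configured. Including `fDisableAutoReconnect` (the "Automatic reconnection" policy) and labelling a value "Restrictive" are assumptions of this example, not findings from the thread.

```powershell
# Added example: run in an elevated PowerShell session on the Windows session host.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is not configured there.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RdsSetting {
    param([string]$Name, [string]$Meaning, [scriptblock]$IsRestrictive)
    # A value under the policy key (written by GPO) takes precedence over the listener value.
    $value  = Get-RegValue -Path $policyKey -Name $Name
    $source = 'GPO'
    if ($null -eq $value) {
        $value  = Get-RegValue -Path $localKey -Name $Name
        $source = 'Local listener'
    }
    if ($null -eq $value) { $source = 'Not configured' }
    [pscustomobject]@{
        Setting     = $Name
        Meaning     = $Meaning
        Source      = $source
        Value       = $value
        Restrictive = ($null -ne $value) -and (& $IsRestrictive $value)
    }
}

$report = @(
    Get-RdsSetting 'fPromptForPassword' 'Always prompt for password upon connection' { param($v) $v -eq 1 }
    Get-RdsSetting 'fDisableAutoReconnect' 'Automatic reconnection disabled' { param($v) $v -eq 1 }
    Get-RdsSetting 'MaxIdleTime' 'Idle session limit (ms)' { param($v) $v -gt 0 }
    Get-RdsSetting 'MaxDisconnectionTime' 'Disconnected session limit (ms)' { param($v) $v -gt 0 }
)
$report | Format-Table -AutoSize

# Cross-check which GPOs Group Policy reports as applied to this computer.
gpresult /r /scope computer
```

If `fPromptForPassword` shows `Source = GPO` and `Value = 1` while the client still reconnects without a prompt, the policy has reached the host and the behaviour is worth reporting with that output attached.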