I'm curious about a situation I've encountered with Remote Desktop Services (RDS). We have a setup involving Server 2025 with an RDS Gateway/Load balancer and multiple session hosts. A user logs in using a .RDP file, but they've set it up not to save credentials. When this user locks their RDS session while taking a break, if another user approaches the shared PC and minimizes the RDS session, they can double-click the .RDP file on the desktop and access the first user's session without needing to enter any password. This seems a bit strange to me. Is this a design flaw, or is it working as intended?
1 Answer
Yeah, I've noticed something similar with RDS remote apps too! When you close an app, the session often stays active in the background until the idle timeout kicks in. So if someone launches the app again while the session is just minimized, they can get right back in without a password. Definitely feels like a security risk, especially in a shared setting.
Absolutely, and it could lead to serious security breaches if someone casually walks in during lunch and uses another person's session. Not good!