Saturday, March 8, 2025

Activating Incognito Mode in RDP to Erase All Traces

The Remote Desktop Protocol (RDP) is a widely used tool for remote access, but it often leaves behind traces of user activity, which can be a concern for privacy and security.

Recently, the use of the “/public” command-line option in MSTSC, the RDP client, has gained attention for its ability to activate a “public mode,” similar to incognito mode in web browsers.

This feature is particularly useful on shared or public computers where users want to prevent the storage of credentials, session details, and cached images.

Understanding RDP Public Mode

When the public mode is enabled, MSTSC prevents several key features from storing data locally.

For instance, connection settings are not saved to the hidden Default.rdp file, which is typically used to store such information.

Additionally, credential caching is disabled, meaning that users will be prompted for credentials each time they connect, even if they have previously connected to the same server.

This is crucial for maintaining privacy: saved RDP credentials can be listed from PowerShell with cmdkey /list | ? { $_ -Match "TERMSRV/" }, and they are a security risk if an unauthorized party gains access to the account that stored them.

Another significant aspect affected by public mode is the persistent bitmap cache.

According to the Devolutions blog post that brought the option to attention, this cache stores bitmap fragments from previous sessions to improve performance by reusing cached images instead of having the server resend them.

However, public mode disables this feature, which can be beneficial for privacy but may slightly impact performance.

The cache files, such as bcache24.bmc and Cache0000.bin, are stored under %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache, and while they can provide valuable forensic information, they are not a reliable method for reconstructing past sessions.

Impact on Forensic Analysis and Security

For forensic analysts, the traces left behind by RDP can be invaluable in investigating malicious activities.

However, with public mode enabled, these traces are significantly reduced.

Features like the most recently used (MRU) server list, server username hints, and server certificate exceptions are all disabled, preventing them from being stored in the registry.

This makes it more challenging for forensic analysts to track user activity but enhances privacy and security for legitimate users.

In terms of security, public mode also disables the “Don’t ask me again for connections to this computer” checkbox, which is often used to bypass certificate warnings.

This ensures that users are always prompted to verify server authenticity, reducing the risk of connecting to untrusted servers.
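The artifacts described above (Default.rdp, cached TERMSRV/ credentials, the bitmap cache directory, the MRU list, username hints and certificate exceptions in the registry) are exactly what an administrator of a shared workstation would want to audit. The following PowerShell script is an added example written for this page; it is not code from the article or from Microsoft. It reports each artifact and, with -Remove, deletes it. The registry value names MRU*, UsernameHint and CertHash are assumptions about how MSTSC stores these items on current Windows builds; the article itself does not name them.

```powershell
# Audit-RdpClientTraces.ps1 -- added example, not from the article or Microsoft.
# Lists the client-side artifacts that "mstsc /public" is designed not to leave,
# so a defender can verify a shared workstation is clean. Report only by default;
# -Remove deletes what is found.
# Assumption: value names MRU*, UsernameHint and CertHash are the ones MSTSC
# uses under HKCU\Software\Microsoft\Terminal Server Client (not named by the article).
[CmdletBinding()]
param([switch]$Remove)

$tsc      = 'HKCU:\Software\Microsoft\Terminal Server Client'
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Kind, $Item) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Item = $Item })
}

# 1. Connection settings: the hidden Default.rdp in the user's Documents folder.
$defaultRdp = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
if (Test-Path -LiteralPath $defaultRdp) { Add-Finding 'Default.rdp' $defaultRdp }

# 2. Cached credentials: Credential Manager entries targeted at TERMSRV/<host>
#    (the same entries the article's "cmdkey /list" one-liner shows).
cmdkey /list 2>$null | Where-Object { $_ -match 'TERMSRV/' } | ForEach-Object {
    Add-Finding 'SavedCredential' ([regex]::Match($_, 'TERMSRV/\S+').Value)
}

# 3. Persistent bitmap cache files (bcache*.bmc, Cache*.bin).
$cacheDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Terminal Server Client\Cache'
if (Test-Path -LiteralPath $cacheDir) {
    Get-ChildItem -LiteralPath $cacheDir -File | ForEach-Object { Add-Finding 'BitmapCache' $_.FullName }
}

# 4. MRU server list: MRU0, MRU1, ... under ...\Terminal Server Client\Default.
$mruKey = Join-Path $tsc 'Default'
if (Test-Path -LiteralPath $mruKey) {
    (Get-ItemProperty -LiteralPath $mruKey).PSObject.Properties |
        Where-Object { $_.Name -like 'MRU*' } |
        ForEach-Object { Add-Finding 'MRU' "$($_.Name) = $($_.Value)" }
}

# 5. Per-server subkeys: UsernameHint (last user name) and CertHash (certificate exception).
$serversKey = Join-Path $tsc 'Servers'
if (Test-Path -LiteralPath $serversKey) {
    Get-ChildItem -LiteralPath $serversKey | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($p.UsernameHint) { Add-Finding 'UsernameHint'  "$($_.PSChildName): $($p.UsernameHint)" }
        if ($p.CertHash)     { Add-Finding 'CertException' $_.PSChildName }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No RDP client traces found.'; return }
$findings | Format-Table Kind, Item -AutoSize
if (-not $Remove) { return }

# Cleanup: each finding kind maps to the store it came from.
foreach ($f in $findings) {
    switch ($f.Kind) {
        'Default.rdp'     { Remove-Item -LiteralPath $f.Item -Force }
        'BitmapCache'     { Remove-Item -LiteralPath $f.Item -Force }
        'SavedCredential' { cmdkey "/delete:$($f.Item)" | Out-Null }
        'MRU'             { Remove-ItemProperty -LiteralPath $mruKey -Name (($f.Item -split ' = ')[0]) }
        'UsernameHint'    { Remove-ItemProperty -LiteralPath (Join-Path $serversKey (($f.Item -split ': ')[0])) -Name UsernameHint }
        'CertException'   { Remove-ItemProperty -LiteralPath (Join-Path $serversKey $f.Item) -Name CertHash }
    }
}
```

A useful check is to run the script once to record the baseline, start a session with mstsc.exe /public /v:<host>, disconnect, and run it again: nothing new should appear in any of the five categories. Running it after an ordinary (non-public) session shows the opposite, which is the clearest way to see what the option actually changes. The script touches only the current user's hive and profile, so it needs no elevation.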

Overall, activating public mode in RDP provides a robust way to maintain privacy and security on shared computers by minimizing the data left behind after each session.

While it may slightly impact performance due to the lack of cached images, the benefits in terms of security and privacy make it a valuable tool for users concerned about leaving digital footprints.

Aman Mishra
Aman Mishra is a Security and Privacy Reporter covering data breaches, cybercrime, malware, and vulnerabilities.
