I use Microsoft’s Remote Desktop Connection tool to connect to remote servers all the time, mainly to conduct administrative tasks. Recently I noticed something that might be considered a security risk.

It seems that the remote desktop service caches some screen information, and when switching from minimized to full screen, the cached screen is briefly displayed (depending on the connection speed, this could last from a split second, which is barely noticeable, to a full second or two). Even when the remote desktop is locked by the user, you could briefly see what the cached screen contents are. So in theory, some sensitive information could be viewed by an unauthorized user (e.g. by taking a screenshot right after switching from minimized to full screen) even if the desktop is locked.

What is being cached seems to be quite random, however. Sometimes you could see a screen with an application launched and displayed just before locking the remote machine, but most of the time the cached information has little correlation with when the application is launched (e.g. the cached screen could be from ten, twenty or even hours ago).

Clearly, this security risk is pretty minor, because the chance of some sensitive view (e.g. documents, etc.) being cached is pretty slim, and it requires the attacker to have direct access to the desktop from which the remote connection is initiated and, of course, the remote desktop has to be already connected but logged out.

Nevertheless, it is always a good practice to close the remote desktop connection whenever possible and never leave the remote desktop open even when the remote machine is locked.
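Beyond closing connections, a practitioner will want to check the client-side setting that controls the Remote Desktop client's persistent bitmap cache. The script below is an added example, not code from the original post: it parses `.rdp` connection files (the `name:type:value` format mstsc.exe saves), reports whether the `bitmapcachepersistenable` option is on, and rewrites the file with the option disabled. It assumes that this persistent cache is the relevant one (the post does not identify which cache produced the behaviour it describes) and that mstsc.exe treats a missing key as enabled; the sample file contents and the host name `server01.example.internal` are constructed.

```python
"""Audit and harden Remote Desktop (.rdp) connection files.

Added example, not from the original post. Assumptions: the "Persistent
bitmap caching" option (bitmapcachepersistenable:i:1) is the cache of
interest, and mstsc.exe treats an absent key as enabled.
"""
from pathlib import Path
from typing import List, Tuple

PERSISTENT_CACHE_KEY = "bitmapcachepersistenable"

# Constructed sample of a typical .rdp file as saved by mstsc.exe.
SAMPLE_RDP = """screen mode id:i:2
full address:s:server01.example.internal
username:s:admin
bitmapcachepersistenable:i:1
compression:i:1
"""


def parse_rdp(text: str) -> List[Tuple[str, str, str]]:
    """Split 'name:type:value' lines into (name, type, value) triples.

    The value may itself contain colons (e.g. an IPv6 address), so split
    at most twice. Blank lines are dropped; anything else malformed is an error.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed .rdp line: {line!r}")
        name, kind, value = parts
        entries.append((name.strip(), kind.strip(), value))
    return entries


def persistent_cache_enabled(text: str) -> bool:
    """True when the file allows the persistent bitmap cache.

    A missing key is reported as enabled (assumption: mstsc.exe's default).
    """
    for name, kind, value in parse_rdp(text):
        if name.lower() == PERSISTENT_CACHE_KEY and kind == "i":
            return value.strip() != "0"
    return True


def harden_rdp(text: str) -> str:
    """Return the file contents with persistent bitmap caching disabled,
    appending the key if the file never set it."""
    lines = []
    found = False
    for name, kind, value in parse_rdp(text):
        if name.lower() == PERSISTENT_CACHE_KEY:
            lines.append(f"{PERSISTENT_CACHE_KEY}:i:0")
            found = True
        else:
            lines.append(f"{name}:{kind}:{value}")
    if not found:
        lines.append(f"{PERSISTENT_CACHE_KEY}:i:0")
    return "\n".join(lines) + "\n"


def read_rdp_text(path: Path) -> str:
    """Read an .rdp file; mstsc.exe writes UTF-16LE with a BOM, hand-edited
    files are often UTF-8, so detect the BOM before decoding."""
    raw = path.read_bytes()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def audit_directory(directory: Path) -> List[Path]:
    """List .rdp files under directory that still allow the persistent cache."""
    return [p for p in sorted(directory.rglob("*.rdp"))
            if persistent_cache_enabled(read_rdp_text(p))]


if __name__ == "__main__":
    print("persistent cache enabled:", persistent_cache_enabled(SAMPLE_RDP))
    print(harden_rdp(SAMPLE_RDP))
```

Run `audit_directory(Path.home() / "Documents")` to find saved connection files that still allow the cache; `harden_rdp` preserves every other setting, so the rewritten file can be written back in place. Clearing the client's existing cache files and closing the session, as the post recommends, are still needed for anything already cached.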
