Enabling Incognito Mode in RDP to Hide All the Traces

Microsoft’s Remote Desktop Protocol (RDP) has introduced a lesser-known but critical security feature colloquially referred to as “incognito mode” through its /public command-line parameter.
This functionality, formally called public mode, prevents the client from storing sensitive session artifacts—a development with significant implications for cybersecurity, digital forensics, and enterprise IT management.
According to Devolutions, public mode activates when launching mstsc.exe (Microsoft Terminal Services Client) with the /public flag, disabling key data retention mechanisms:
Connection Settings: The client normally saves its last-used connection settings in the hidden %USERPROFILE%\Documents\Default.rdp file; public mode blocks updates to this file.
Administrators can still edit it manually (for example with notepad "~\Documents\Default.rdp"), but any session-specific changes made during a public-mode session are discarded on disconnect.
Credential Caching: The Windows Credential Manager typically stores RDP credentials under TERMSRV/ entries. Public mode disables both retrieval and storage, forcing manual authentication each time. Forensic analysts often query these using:
This command becomes obsolete in public sessions as no new credentials persist, reads the report.
Persistent Bitmap Cache: RDP optimizes performance by caching screen fragments in %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache.
Public mode deactivates this, though administrators can independently disable it via BitmapCachePersistEnable:i:0 in RDP files.
Forensic tools such as BMC-Tools (ANSSI-FR on GitHub) carve bitmap artifacts from these caches; in public mode the cache is never written, so there is nothing to recover.
Implications and Countermeasures
Public mode alters registry interactions critical to incident investigations:
MRU Server List: The 10 most-recently-used servers, stored in HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default, cease updating. Attackers leveraging compromised systems leave no new IP/DNS trails.
Username Hints: Per-server keys under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers no longer record the last username used.
Certificate Exceptions: TLS trust overrides for invalid certificates, usually recorded in CertHash values under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers, are blocked.
This erases credentials, bitmap caches, and registry entries.
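The following PowerShell script is an added example, not code from the article or from Devolutions. It snapshots the client-side artifacts the article lists (Default.rdp, TERMSRV/ entries in Credential Manager, the persistent bitmap cache, the MRU list and the per-server registry keys) so an administrator or responder can take a baseline, run a public-mode session, and confirm that nothing new was written. It assumes Windows with the built-in mstsc.exe client and Windows PowerShell 5.1 or later; MRU0..MRU9 and UsernameHint are the value names the client uses under the keys the article cites (the article itself names only the keys and CertHash), and the hostname and temp-file path in the usage section are placeholders.

```powershell
# Added example (not from the article): inventory RDP client artifacts before and
# after a session so a /public session can be verified to leave no new traces.
# Assumes Windows, built-in mstsc.exe, Windows PowerShell 5.1+.

function Get-RdpClientArtifacts {
    [CmdletBinding()]
    param()

    $tsc  = 'HKCU:\Software\Microsoft\Terminal Server Client'
    $snap = [ordered]@{}

    # 1. Default.rdp: last-used connection settings (hidden file, hence -Force)
    $defaultRdp = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
    $snap.DefaultRdpLastWrite = if (Test-Path $defaultRdp) {
        (Get-Item $defaultRdp -Force).LastWriteTimeUtc
    } else { $null }

    # 2. Credential Manager: entries saved by the RDP client have TERMSRV/ target names
    $snap.TermsrvCredentials = @(cmdkey /list 2>$null |
        Where-Object { $_ -match 'TERMSRV/' } | ForEach-Object { $_.Trim() })

    # 3. Persistent bitmap cache files (the artifacts BMC-Tools would carve)
    $cacheDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Terminal Server Client\Cache'
    $snap.BitmapCacheFiles = @(Get-ChildItem $cacheDir -File -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}:{1}' -f $_.Name, $_.LastWriteTimeUtc.Ticks })

    # 4. MRU server list: values MRU0..MRU9 under ...\Default
    $snap.MruServers = @()
    $defaultKey = Get-ItemProperty -Path "$tsc\Default" -ErrorAction SilentlyContinue
    if ($defaultKey) {
        $snap.MruServers = @($defaultKey.PSObject.Properties |
            Where-Object { $_.Name -match '^MRU\d+$' } | Sort-Object Name |
            ForEach-Object { $_.Value })
    }

    # 5. Per-server subkeys: UsernameHint and CertHash (REG_BINARY, rendered as hex)
    $snap.Servers = @(Get-ChildItem "$tsc\Servers" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p    = Get-ItemProperty -Path $_.PSPath
            $hash = if ($p.CertHash) { ($p.CertHash | ForEach-Object { $_.ToString('X2') }) -join '' } else { '' }
            '{0}|{1}|{2}' -f $_.PSChildName, $p.UsernameHint, $hash
        })

    [pscustomobject]$snap
}

# Items present in $After but not in $Before. Compare-Object rejects an empty
# reference array, so a plain filter is used instead.
function Get-NewItems([string[]]$Before, [string[]]$After) {
    @($After | Where-Object { $Before -notcontains $_ })
}

function Compare-RdpClientArtifacts {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    $changes = @()
    if ($Before.DefaultRdpLastWrite -ne $After.DefaultRdpLastWrite) { $changes += 'Default.rdp was rewritten' }
    foreach ($c in Get-NewItems $Before.TermsrvCredentials $After.TermsrvCredentials) { $changes += "New saved credential: $c" }
    foreach ($f in Get-NewItems $Before.BitmapCacheFiles $After.BitmapCacheFiles) { $changes += "Bitmap cache file written: $($f.Split(':')[0])" }
    foreach ($s in Get-NewItems $Before.MruServers $After.MruServers) { $changes += "New MRU server: $s" }
    foreach ($s in Get-NewItems $Before.Servers $After.Servers) { $changes += "Servers key added or changed: $($s.Split('|')[0])" }
    if ($changes.Count -eq 0) { 'No new RDP client artifacts' } else { $changes }
}

# Usage: baseline, run a public-mode session that also disables persistent bitmap
# caching through the .rdp file, then report anything that appeared. Host and path
# are placeholders.
$before  = Get-RdpClientArtifacts
$rdpFile = Join-Path $env:TEMP 'public-session.rdp'
@('full address:s:rdp-host.example', 'bitmapcachepersistenable:i:0') | Set-Content -Path $rdpFile
Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdpFile`"", '/public' -Wait
$after = Get-RdpClientArtifacts
Compare-RdpClientArtifacts -Before $before -After $after
Remove-Item $rdpFile -ErrorAction SilentlyContinue
```

Running the same snapshot pair around a normal (non-public) session shows the opposite result: a new MRU entry, an updated Default.rdp, and, if the user chose to save credentials, a new TERMSRV/ entry. That contrast is what makes the snapshot useful as a control when auditing shared kiosks or vendor-access hosts.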
Public mode introduces usability trade-offs:
Cybersecurity experts recommend:
As RDP remains a prime target, accounting for 32% of all brute-force attacks in 2024, this feature provides critical mitigation against low-sophistication threats.
For IT teams, the balancing act continues: maximizing security without crippling productivity. Public mode’s forensic advantages, however, make it indispensable for high-risk environments like shared kiosks or third-party vendor access points.
As remote work expands, such granular controls will define the next era of endpoint security.