
RDP’s “Incognito Mode” – An Effective Solution for Security
Microsoft Remote Desktop Protocol (RDP) is an essential part of modern IT infrastructure, allowing users to connect to remote computers. However, alongside convenience come security risks. As cyber threats continue to increase, Microsoft has introduced a special security feature in the RDP client known as “Incognito Mode.” This mode is activated with the /public command-line switch and prevents traces of the RDP session from being stored on the client system.
In this article, we will explore how RDP Incognito Mode works, its significance for cybersecurity and digital forensics, and how to use it in practice.
Officially called Public Mode, this feature is enabled by running mstsc.exe (Microsoft Terminal Services Client) with the /public flag. Once activated, no confidential data is stored during the RDP session.
With Public Mode enabled, the following data is erased or not saved:
🔹 Connection settings – The %USERPROFILE%\Documents\Default.rdp file usually stores RDP settings, but Public Mode blocks any modifications to this file.
🔹 Credential caching – Windows Credential Manager typically saves RDP login credentials under TERMSRV/. With Public Mode enabled, the system does not store credentials, requiring users to authenticate every time.
🔹 Bitmap cache – To improve network performance, RDP stores screen fragments in %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache. Public Mode disables this cache.
🔹 Registry records are not written – Several critical entries in the Windows Registry related to RDP sessions are not saved when Public Mode is active:
- Recent connections list – The registry key HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default does not store the last 10 connected RDP servers.
- Username hints – The HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\UsernameHint key is completely cleared.
- Certificate exceptions – Trusted certificates for RDP servers are no longer stored in HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers.
Advantages and Disadvantages of Incognito Mode
✅ Advantages:
✔ Protection against forensic analysis – Anyone who connects via RDP, an attacker included, leaves no server IP addresses or DNS names behind on the client machine.
✔ Enhanced security – No credentials, cached data, or registry records are saved.
✔ Ideal for shared or public access – Perfect for kiosks or when third-party contractors require temporary access.
❌ Disadvantages:
✖ Frequent authentication required, increasing login time.
✖ Recent connections list is lost, making quick reconnections difficult.
✖ No bitmap caching, which may cause performance issues in high-latency networks.
Security Best Practices
📌 Enable Network Level Authentication (NLA) – Use Public Mode alongside NLA for additional protection.
📌 Implement Privileged Access Management (PAM) – Advanced access control systems help enforce temporary authentication policies.
📌 Regularly inspect RDP settings and registry entries – IT security teams should frequently audit Default.rdp and related registry keys to detect unauthorized changes.
📌 Monitor RDP activity – Security tools should track suspicious RDP connections and brute-force attempts.
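The audit recommended above can be scripted. The following PowerShell function is an added example, not code from the article: it inventories the client-side artifacts the article lists (Default.rdp, the MRU list, the per-server UsernameHint and certificate entries, the bitmap cache, and TERMSRV/ entries in Credential Manager) so a security team can compare a workstation's state against its expected Public Mode usage. It assumes the standard registry value names MRU0..MRU9, UsernameHint and CertHash (the last is not named in the article) and must run in the audited user's session.

```powershell
# Added example (not part of the original article): inventory the client-side
# RDP traces that Public Mode (mstsc.exe /public) leaves unwritten.
$base = 'HKCU:\Software\Microsoft\Terminal Server Client'

function Get-RdpClientArtifacts {
    $report = [ordered]@{}

    # Default.rdp: last-used connection settings (Public Mode blocks writes to it)
    $defaultRdp = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
    $report['DefaultRdpLastWrite'] = if (Test-Path $defaultRdp) {
        (Get-Item $defaultRdp).LastWriteTime } else { 'absent' }

    # Recent connections list: values MRU0..MRU9 under ...\Default
    $mru = @()
    if (Test-Path "$base\Default") {
        $props = Get-ItemProperty "$base\Default"
        $mru = @($props.PSObject.Properties |
            Where-Object { $_.Name -like 'MRU*' } |
            ForEach-Object { $_.Value })
    }
    $report['RecentServers'] = $mru

    # Per-server keys: username hints and certificate exceptions (CertHash value)
    $servers = @()
    if (Test-Path "$base\Servers") {
        $servers = @(Get-ChildItem "$base\Servers" | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Server       = $_.PSChildName
                UsernameHint = $p.UsernameHint
                HasCertHash  = [bool]$p.CertHash
            }
        })
    }
    $report['Servers'] = $servers

    # Bitmap cache directory (disabled in Public Mode)
    $cache = Join-Path $env:LOCALAPPDATA 'Microsoft\Terminal Server Client\Cache'
    $report['BitmapCacheFiles'] = if (Test-Path $cache) {
        @(Get-ChildItem $cache -File).Count } else { 0 }

    # Saved RDP credentials in Credential Manager (targets prefixed TERMSRV/)
    $report['CachedTermsrvCreds'] = @(cmdkey /list | Select-String 'TERMSRV/' |
        ForEach-Object { $_.Line.Trim() })

    return [pscustomobject]$report
}

Get-RdpClientArtifacts | Format-List
```

A non-empty RecentServers list, Servers entries or TERMSRV/ credentials on a host that is supposed to use only /public sessions indicates a connection made outside Public Mode and is worth investigating.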
In 2024, 32% of brute-force attacks targeted RDP, proving its significance as a high-risk attack vector. Public Mode is an effective tool for mitigating these threats by preventing forensic tracking, avoiding credential leaks, and ensuring no session traces are left behind.
However, this mode requires a balance between security and convenience. Large enterprises, government agencies, and high-risk environments should adopt Public Mode as a crucial security measure. With the continued rise of remote work, tightening security around RDP access is more important than ever.