I have been tasked by our security group to find out if, when remote controlling an endpoint, any cached/hashed credentials from the user who remoted in remain once the session has ended. For instance, if a technician remotes into a workstation, once that remote session has ended, would there be any trace of that technician's credentials remaining on the workstation? The concern is that if a workstation were to be compromised and has potentially elevated credentials from the remote technician stored somewhere on the machine, those credentials can be harvested and then used to gain further access.
I created a support ticket but was told our maintenance was out of date so they couldn't help. That's a different issue I'll have to address obviously.