Are saved Remote Desktop credentials secure (loosely speaking) on the local machine? They aren't stored as clear text anywhere at least, are they?
Edit: I understand the inherent risks of saving passwords. Certainly though there is a spectrum of effectiveness, for instance saving a password through something like CryptProtectData (what Google Chrome uses on Win32) is obviously better than saving a password in clear text.
Older versions of Remote Desktop client store the password in the .rdp file, which can easily be decrypted.
As of Remote Desktop Client v6, credentials are stored using Windows Credentials API. The passwords are securely encrypted using a key tied to your Windows user account (CryptProtectData as described in the SecurityXploded article @StackExchanger linked to), and accessing them requires your Windows password (or the "password recovery" disk). They can be read by any program you run, however, such as NetPass.
Note that if someone has physical access, they can crack the passwords using something like Ophcrack, or install a keylogger.
According to securityxploded.com, passwords can be easily recovered from stored credentials for RDP sessions.
Perhaps a better solution is to use a password safe like KeePass for storing credentials in order to automate the RDP log on process.
You're asking the wrong question, IMHO. If someone breaks into your machine somehow, and finds an RDP file that allows him to connect to a remote machine without providing a password, than the damage is already done. Not only that, he could use the remote session to create a new user for himself, or even change the password on the current one.
The solution is to never save passwords within the RDP file and to protect your local machine. Oh, and based on past such experiences with MS software, I wouldn't be totally surprised if it kept the password in either plain text or lightly-hashed somewhere. Witness their treatment of wifi network passwords in Windows 7.
