Live Mesh Remote Desktop vs. Windows RDC - Potential Security Issue

  • General discussion

  • Just checked to see if Live Mesh Remote Desktop will successfully connect to an account with a null password (it will).

    I believe the design spec for Windows RDC prohibits connections to an account without a password.

    So, if this is by design I suppose here is the rationale:

    • Windows RDC requires an open port 3389 (and I think you have to specify which non-admin accounts are allowed to connect...admin accounts are permitted by default?) on the target machine.  Allowing RDC for an account without a password is just letting the user get in trouble (i.e. anyone with RDC client software could connect to the machine, and voila, you're logged on).
    • With Live Mesh RDC, you're only allowing connections from other machines in your mesh so connections to your machine aren't as "wide open"
    • Win RDC connects to an account on a machine...Live Mesh RDC appears to connect to a machine in the mesh

    I still think the Live Mesh RDC behavior should be changed to the Win RDC spec.  Here is the problematic scenario:

    Machine 1 Accounts          Machine 2 Accounts
    Bob (password)              Bob (password)
    Alice (null password)       Alice (null password)
    Carol (null password)       Jane (null password)

    Let's say Bob installs mesh and adds both machines to his mesh.  He's now enabled Jane and Carol to log into each other's accounts on different machines.  In the case of users on the same machine, you can argue that a user with a null password has chosen to let anyone with physical access to their machine log in, but in this scenario Bob has essentially opened accounts for logins from other machines on the mesh (e.g. Carol and Jane might not even know each other).

    Thoughts?

    David

    Monday, July 14, 2008 3:01 AM
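As an added defender's check, not code from the thread or from Microsoft, the PowerShell script below audits the two conditions behind David's scenario on a single machine: whether the LSA policy that makes Windows refuse network logons for blank-password local accounts (the behaviour he attributes to the Windows RDC spec) is still enabled, and which enabled local accounts are flagged as not requiring a password. It assumes Windows 10 / Server 2016 or later (for Get-LocalUser) and an elevated session.

```powershell
# Added example, not part of the original post.
# Assumes Windows 10 / Server 2016 or later and an elevated PowerShell session.

function Get-BlankPasswordExposure {
    # Policy "Accounts: Limit local account use of blank passwords to console logon only".
    # Value 1 means blank-password local accounts are refused for network logons such as
    # Remote Desktop; 0 switches that guard off. Treated as enabled when the value is
    # absent (assumption: that is the platform default).
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $limit  = (Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse `
                 -ErrorAction SilentlyContinue).LimitBlankPasswordUse
    $guardEnabled = ($null -eq $limit) -or ($limit -eq 1)

    # Enabled local accounts marked "password not required" are the candidates for a
    # blank password. This flag is a heuristic only: such an account may have been given
    # a password later, so review the list rather than acting on it blindly.
    $suspects = Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, PasswordLastSet, LastLogon

    [pscustomobject]@{
        LimitBlankPasswordUseRaw         = $limit
        BlankPasswordNetworkLogonBlocked = $guardEnabled
        AccountsNotRequiringPassword     = @($suspects)
    }
}

$report = Get-BlankPasswordExposure
if (-not $report.BlankPasswordNetworkLogonBlocked) {
    Write-Warning 'LimitBlankPasswordUse is 0: blank-password local accounts may log on over the network.'
}
if ($report.AccountsNotRequiringPassword.Count -gt 0) {
    Write-Warning 'Enabled local accounts that do not require a password:'
    $report.AccountsNotRequiringPassword | Format-Table -AutoSize
}
```

Run it on each machine joined to the mesh; any account listed is one that a mesh peer could reach if the remote desktop path does not honour the blank-password policy, so those accounts are the ones to give passwords before sharing the machine.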

All replies

  • Howdy David,

    I have mixed thoughts about this scenario.

    1. I agree that specifications across the board need to be consistent and should be implemented as such. Generally speaking, users (and some admins for that matter) are only just becoming comfortable with the security around such areas as remote access, so why deviate from such specifications?

    2. How much longer do we need to keep protecting people that are just as dumb as a bag of hammers? Alice, Jane and Carol deserve to have their identities stolen and a monster truck purchased in their names.... I do believe that we (the industry and MSFT) all need to stop cuddling people around security. There should be no option on any OS that allows an account to be created without a strong password assigned. It's the people who whinge about remembering such passwords that are the ones who get hacked (on their Win 95, 98 & 2000 machines) and then whinge about not having been protected by someone else. Time for them to get a zimmer frame and to take up rug making.

    Well you asked for some thoughts ;-)

    I am just off to log a defect on connect about RDC remaining enabled after Mesh is disabled!

    Cheers

    Expression MVP

    Learn Expression Blend at learnexpressionstudio.com

    My blog: http://x-coders.com/blogs/sneaky/default.aspx

    Tuesday, July 15, 2008 9:10 AM