Windows Remote Desktop Protocol contains a login backdoor Microsoft refuses to fix

There were multiple editions of Windows NT 4.0 and the release of RDP was not associated with the first editions of NT. The author only claimed that it came out during the NT 4.0 era, not that NT was released in 1998. It was its own operating system named Windows NT 4.0 Terminal Server Edition, and that came out in 1998: https://en.wikipedia.org/wiki/Remote_Desktop_Services
I get your point but the way it's said is still wrong. The text says "an early 32-bit operating system released in 1998." Not RDP was released in 1998.
 
"According to Microsoft, the behavior is a design decision meant to "ensure that at least one user account always has the ability to log in no matter how long a system has been offline.""

The GOD Machine (Graphic Omniscient Device) used a similar design flaw in a 1972 book "When HARLIE Was One", author David Gerrold. If you haven't read it, you should.

Then we had the Terminator movies beginning in 1984, followed by 2008's "Terminator: The Sarah Connor Chronicles", where SkyNet came into being. Funny, that; I distinctly remember the name "SkyNet" being used in the early '80s when the Chaos Computer Club had its first meeting.

It's strange but not unexpected that this deliberately-designed-into-Windows tool is still unpatched. Just think, every Windows machine everywhere is just a node on a huge network.

Who does that benefit?
 
If it breaks backward compat then why not allow the customer to choose that with a newer version of RDP. This way the user can choose to use either the old non-secure way or the new secure way. They understand what will happen if a machine loses sync access with the new way and for them it might be a better solution. This is far better than keeping a single method available to everyone that is insecure.

Also on my Windows 10 machine I can turn off the RDP service using Settings->System->Remote Desktop Access->Enable Remote Desktop->Off, which is obviously only a solution for machines that don't require RDP, but if you don't RDP to your own machine, then better to disable.
 
While I do understand your comment here, this is not a good article to make this comment on. RDP is leaps and bounds ahead of any alternative solution in terms of it just generally working no matter how good or bad a network connection may be.

Linux users still relying on xorg and x11 is like driving a Ford Model T on the autobahn and wondering why people aren't taking them seriously. Couple that with the fact that xrdp is unstable on non-ideal network connections and you have even more reason to appreciate just how good RDP truly is.
Yes, but. There are free secure alternatives to provide remote access.
 
What a shocker. Microsoft being lazy about security and not following established standards of operating procedure. Incompetent gomers.
Insecure RDP does follow a pattern, doesn't it? Hey, app and OS security is hard and unglamorous work. It's much more fun for Microsoft to develop ever-changing user interfaces with every Windows release, just to keep us on our toes and let us know who is in charge.
 
Just remember MS stands for Marketing Stuff not More Security.
They have always and will always be an insecure OS/ecosystem. They are great at marketing... That's all they are. Reroll software every few years by moving menu items around and changing the numbers on the version. Marketing 101.
I don't understand how people would think a monopoly would provide good security.
So we are all screwed until there is a paradigm shift to lure people away from Windows.
 
Glad I've never used it. Have it blocked at Group Policy level and firewall and settings. Same goes for Remote Assistance. Even Peer sharing I block at Group Policy level as well as settings.

Never did trust MS Remote. Many patches are for Remote - something I noticed years ago which was why I effectively got rid of it.

But this I didn't know about. It's almost so bad that it's hard to believe. Seriously WTF is wrong with you M.S.?
 
If it breaks backward compat then why not allow the customer to choose that with a newer version of RDP. This way the user can choose to use either the old non-secure way or the new secure way. They understand what will happen if a machine loses sync access with the new way and for them it might be a better solution. This is far better than keeping a single method available to everyone that is insecure.

Also on my Windows 10 machine I can turn off the RDP service using Settings->System->Remote Desktop Access->Enable Remote Desktop->Off, which is obviously only a solution for machines that don't require RDP, but if you don't RDP to your own machine, then better to disable.

I meant to quote your post in mine above. Just to say to be really sure (or paranoid, but this is MS) Disabling it in settings as you have done should certainly be enough. But I don't trust anything this company does, so switching it off in Group Policy leaves the whole section in the control panel showing the same as you with it disabled W10, except it's greyed out and cannot be changed.
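
For the Settings toggle versus Group Policy approaches discussed in the comments above, a read-only PowerShell audit that reports which one is actually in effect on a machine. This is an added example, not code from any commenter; it assumes an English-language Windows install (the firewall group name "Remote Desktop") and the default RDP port 3389.

```powershell
# Added example: audit whether Remote Desktop is disabled locally and/or by policy.
# Read-only; run in an elevated PowerShell session on the machine being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (e.g. policy "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Value written by the Settings / System Properties toggle (1 = connections denied).
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# Value written by the Group Policy setting "Allow users to connect remotely by
# using Remote Desktop Services" (1 = denied; UI toggle is greyed out).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$local  = Get-RegValue -Path $localKey  -Name 'fDenyTSConnections'
$policy = Get-RegValue -Path $policyKey -Name 'fDenyTSConnections'

# When the policy value exists it overrides the local toggle.
$effective = if ($null -ne $policy) { $policy } else { $local }

$service = Get-Service -Name TermService -ErrorAction SilentlyContinue

# Enabled inbound rules in the built-in "Remote Desktop" firewall group
# (group name is localized; assumption: English display name).
$fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

# Anything listening on the default RDP port? (assumption: port not changed)
$listener = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

[pscustomobject]@{
    LocalToggleDeniesRdp  = ($local -eq 1)
    PolicyConfigured      = ($null -ne $policy)
    PolicyDeniesRdp       = ($policy -eq 1)
    EffectiveRdpDisabled  = ($effective -eq 1)
    TermServiceStatus     = if ($service) { $service.Status } else { 'NotFound' }
    EnabledInboundFwRules = $fwRules.Count
    ListeningOn3389       = ($listener.Count -gt 0)
}
```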