Are saved Remote Desktop credentials secure on the local machine?

windows-7 security remote-desktop passwords
49,008

Solution 1

Older versions of Remote Desktop client store the password in the .rdp file, which can easily be decrypted.

As of Remote Desktop Client v6, credentials are stored using Windows Credentials API. The passwords are securely encrypted using a key tied to your Windows user account (CryptProtectData as described in the SecurityXploded article @StackExchanger linked to), and accessing them requires your Windows password (or the "password recovery" disk). They can be read by any program you run, however, such as NetPass.

Note that if someone has physical access, they can crack the passwords using something like Ophcrack, or install a keylogger.

Solution 2

According to securityxploded.com, passwords can be easily recovered from stored credentials for RDP sessions.

Perhaps a better solution is to use a password safe like KeePass for storing credentials in order to automate the RDP log on process.

Solution 3

You're asking the wrong question, IMHO. If someone breaks into your machine somehow, and finds an RDP file that allows him to connect to a remote machine without providing a password, than the damage is already done. Not only that, he could use the remote session to create a new user for himself, or even change the password on the current one.

The solution is to never save passwords within the RDP file and to protect your local machine. Oh, and based on past such experiences with MS software, I wouldn't be totally surprised if it kept the password in either plain text or lightly-hashed somewhere. Witness their treatment of wifi network passwords in Windows 7.

Share:
49,008

Related videos on Youtube

DuckMaestro
Author by

DuckMaestro

Self-taught programmer. B.Sc. Mathematics at UCLA (2006) and M.Sc. Computer Science at UCSD (2013). My other interests include economics, philosophy, and linguistics.

Updated on September 18, 2022

Comments

  • DuckMaestro
    DuckMaestro over 1 year

    Are saved Remote Desktop credentials secure (loosely speaking) on the local machine? They aren't stored as clear text anywhere at least, are they?

    Edit: I understand the inherent risks of saving passwords. Certainly though there is a spectrum of effectiveness, for instance saving a password through something like CryptProtectData (what Google Chrome uses on Win32) is obviously better than saving a password in clear text.

  • DuckMaestro
    DuckMaestro almost 13 years
    Thanks for the answer and the valid points. I have updated my question to clarify the angle I'm approaching this from.
  • user1686
    user1686 over 12 years
    The article "recovers" credentials using CryptUnprotectData, which AFAIK requires the user to be logged in with their password?
  • Joel McBeth
    Joel McBeth over 8 years
    If the alternative is to store the password in a key manager, does it make any difference whether it is stored in RDP when someone has local access to the machine? Remembering these passwords is just simply not a reasonable option.
  • Shiv
    Shiv over 5 years
    Yes basically use best practices for passwords in Windows. Using a password > 14 characters to prevent legacy password storage for example. Passphrases are good options.
  • Grilse
    Grilse about 3 years
    To find out which Remote Desktop Connection you are using, see superuser.com/questions/118458/rdp-version-number.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Admin Account Keeps Getting Locked Out
How can I reset the password on a Windows 7 VM under VMware 4 on Mac Lion?
Are the losses of resetting a Windows password reversible?
Can't change or set password in Windows 7
Securing Remote Desktop Connections With SSL Certificate From a Trusted Certificate Authority
Can I create a Windows user account without the ability for an interactive user login?
How secure is Remote Desktop Connection?
Locking and Terminating User Sessions via Group Policy settings
Disable Windows 7 screensaver over RDP
What is the Windows 7 command-line to remove all remember passwords in Credential Manager?