Are saved Remote Desktop credentials secure on the local machine?

23

3

Are saved Remote Desktop credentials secure (loosely speaking) on the local machine? They aren't stored as clear text anywhere at least, are they?

Edit: I understand the inherent risks of saving passwords. Certainly though there is a spectrum of effectiveness, for instance saving a password through something like CryptProtectData (what Google Chrome uses on Win32) is obviously better than saving a password in clear text.

DuckMaestro

Posted 2011-07-07T18:05:27.847

Reputation: 1 597
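Added example, not from the question or from any linked article: what the CryptProtectData protection the question mentions looks like from PowerShell, using the .NET `ProtectedData` wrapper around DPAPI. The secret value is constructed for the demonstration; the function names are this example's own.

```powershell
# Added example (not part of the original post). Protect a secret with DPAPI
# (CryptProtectData under the hood) in CurrentUser scope: the resulting blob is
# bound to the Windows user account that created it, so only code running as
# that user can recover the plaintext. That is the "better than clear text"
# property the question refers to, and also its limit: any program you run
# as that user can call Unprotect just as easily.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([Parameter(Mandatory)][string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # Optional entropy is left empty here; an application can supply its own to
    # separate its blobs from those of other programs running as the same user.
    [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][byte[]]$Blob)
    # Fails with a CryptographicException when run under a different user account.
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample value, not a real credential.
$blob = Protect-Secret -PlainText 'example-only-password'
$prefix = ($blob[0..7] | ForEach-Object { $_.ToString('x2') }) -join ''
"Encrypted blob: {0} bytes, first bytes {1} (no plaintext visible)" -f $blob.Length, $prefix

# Same user context: the round trip succeeds.
"Recovered in the same user context: " + (Unprotect-Secret -Blob $blob)
```

Run it once as yourself and, if you want to see the account binding, save `$blob` to a file and try `Unprotect-Secret` from a session running as another local user: that call throws instead of returning the text.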

Answers

19

Older versions of Remote Desktop client store the password in the .rdp file, which can easily be decrypted.

As of Remote Desktop Client v6, credentials are stored using Windows Credentials API. The passwords are securely encrypted using a key tied to your Windows user account (CryptProtectData as described in the SecurityXploded article @StackExchanger linked to), and accessing them requires your Windows password (or the "password recovery" disk). They can be read by any program you run, however, such as NetPass.

Note that if someone has physical access, they can crack the passwords using something like Ophcrack, or install a keylogger.

user1686

Posted 2011-07-07T18:05:27.847

Reputation: 283 655
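Added example, not from the answer above or from Microsoft: a small PowerShell audit of where this machine keeps saved RDP credentials, covering both storage locations the answer describes. It lists the `TERMSRV/<host>` entries the v6+ client creates in Credential Manager (via `cmdkey /list`) and flags `.rdp` files that still carry an older-style embedded `password 51:b:` line. It decrypts nothing; the function names and the folders searched are this example's assumptions.

```powershell
# Added example (not part of the original answer). Find saved RDP credentials
# on the local machine so you can decide what to remove. Nothing is decrypted.

function Get-SavedRdpCredentialTargets {
    # Credential Manager entries created by the Remote Desktop client have
    # targets of the form TERMSRV/<hostname>. cmdkey /list prints one
    # "Target: ..." line per stored credential (English locale assumed).
    cmdkey /list |
        ForEach-Object {
            if ($_ -match 'Target:.*?(TERMSRV/\S+)') { $Matches[1] }
        }
}

function Find-RdpFilesWithSavedPassword {
    # Older clients wrote the (encrypted) password into the .rdp file itself as a
    # "password 51:b:<hex>" line. The presence of that line is what we flag.
    param([string[]]$Path = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"))
    Get-ChildItem -Path $Path -Filter *.rdp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern '^password 51:b:' -Quiet } |
        Select-Object -ExpandProperty FullName
}

function Remove-SavedRdpCredential {
    # Remove one Credential Manager entry, e.g. -Target 'TERMSRV/server01'.
    param([Parameter(Mandatory)][string]$Target)
    cmdkey /delete:$Target
}

'Saved RDP credentials in Credential Manager:'
Get-SavedRdpCredentialTargets

'.rdp files that still carry an embedded (older-format) password:'
Find-RdpFilesWithSavedPassword
```

Running this in the interactive session of the user whose credentials you are auditing is what makes it work: Credential Manager entries are per user, so a script run as another account (or as SYSTEM) will not see them. To stop caching a given host's password, remove its entry with `Remove-SavedRdpCredential -Target 'TERMSRV/<host>'` and untick "Remember my credentials" the next time the client prompts.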

3

According to securityxploded.com, passwords can be easily recovered from stored credentials for RDP sessions.

Perhaps a better solution is to use a password safe like KeePass for storing credentials in order to automate the RDP log on process.

StackExchanger

Posted 2011-07-07T18:05:27.847

Reputation: 131

Yes, basically use best practices for passwords in Windows: using a password > 14 characters to prevent legacy password storage, for example. Passphrases are good options. – Shiv – 2018-10-24T22:11:20.240

2

The article "recovers" credentials using CryptUnprotectData, which AFAIK requires the user to be logged in with their password? – user1686 – 2011-10-26T17:48:40.187

1

You're asking the wrong question, IMHO. If someone breaks into your machine somehow, and finds an RDP file that allows him to connect to a remote machine without providing a password, then the damage is already done. Not only that, he could use the remote session to create a new user for himself, or even change the password on the current one.

The solution is to never save passwords within the RDP file and to protect your local machine. Oh, and based on past such experiences with MS software, I wouldn't be totally surprised if it kept the password in either plain text or lightly-hashed somewhere. Witness their treatment of wifi network passwords in Windows 7.

Traveling Tech Guy

Posted 2011-07-07T18:05:27.847

Reputation: 8 743

1

If the alternative is to store the password in a key manager, does it make any difference whether it is stored in RDP when someone has local access to the machine? Remembering these passwords is just simply not a reasonable option. – Joel McBeth – 2016-01-26T15:25:47.737

Thanks for the answer and the valid points. I have updated my question to clarify the angle I'm approaching this from. – DuckMaestro – 2011-07-07T19:52:33.947

3

Windows 7 does not store any passwords within the RDP file, and hashing them just doesn't make sense (it needs to be decryptable when authenticating). Creating a new user normally requires Administrator rights, changing an existing password -- knowledge of the old one. – user1686 – 2011-10-26T17:45:15.773