How does Microsoft Remote Desktop Manager encrypt passwords?

9

2

When storing connection passwords, MS RDP provides the ability to store the password as either clear text or to encrypt it.

The resulting node in the file looks like

<logonCredentials inherit="None">
   <userName>USER</userName>
   <domain>DOMAIN</domain>
   <password storeAsClearText="False">AQAdERjHoAwE/Cl+sBAAAA(...)zh</password>
</logonCredentials>

I'm wondering how secure is that encryption, and if the file can be shared among coworkers without someone being able to easily guess the password.

I'm guessing "not much" but I couldn't find exactly how that encrypted chain is generated.

Any idea? Thanks!

Luk

Posted 2012-08-02T14:30:15.237

Reputation: 897

1

Define "easily guess", I would guess it would be specific to the machine, that would be the most secure way to do something like this. Of course given enough time one can brute force pretty much anything, depends on how good the password is, and of course what exactly is used. I did a google search.... It seems the general advice is to encrypt the configuration file itself. I suggest you do that. – Ramhound – 2012-08-02T15:43:32.387

What is the point of protecting the password if your users can connect anyway? – Shadok – 2012-08-02T16:17:10.607

@Ramhound I wish you had submitted your comment as an answer, I would have upvoted. – Luk – 2012-08-03T06:38:44.497

Answers

7

I don't know how the RemoteDesktopManager does it, but I assume it would be the same as how it stores it in a .RDP file.

CryptProtectData, which (with the settings they used for RDP) only allows the string to be decrypted on the same machine as the one that encrypted it, due to the fact that it uses the unique ID of the Windows install as part of the encryption process (the CRYPTPROTECT_LOCAL_MACHINE flag). So yes, an attacker could decrypt your password, but they could only do it on the machine that stored the password; they can not do an "offline" attack.


Note this is all for .RDP files. I have no way of knowing if Remote Desktop Manager does the same thing.

Scott Chamberlain

Posted 2012-08-02T14:30:15.237

Reputation: 28 923

1

After playing around with the file a bit, it seems that the encryption is dependent on the computer. Your guess is probably right (and that also means that the file cannot be shared if passwords are not in clear text) – Luk – 2012-08-06T12:13:47.647
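The following PowerShell is an added example, not code from the thread, from Microsoft or from Remote Desktop Manager. It exercises what the answer above describes: a password pushed through DPAPI (CryptProtectData, here via the .NET ProtectedData wrapper) with the LocalMachine scope, which corresponds to the CRYPTPROTECT_LOCAL_MACHINE flag, so the blob only unprotects on the machine that produced it. It assumes the `password 51:b:<hex>` line layout that .rdp files use and the fixed DPAPI blob header (version 1 plus the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb). Whether Remote Desktop Manager's XML value is such a blob is an assumption as well: the fragments `AQA` and `dERjHoAwE/Cl+sBAAAA` visible in the question's value match pieces of the base64 form of that header, which is a hint rather than proof, and `Test-DpapiBlob` is the check an administrator can run on a decoded value before deciding whether a shared file is bound to one machine or one user.

```powershell
# Added example, not the thread's or any vendor's code. Requires Windows (DPAPI).
Add-Type -AssemblyName System.Security

# Turn a hex string (as found after "password 51:b:" in an .rdp file) into bytes.
function ConvertFrom-Hex {
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

# Protect a password the way the answer describes for .rdp files: UTF-16LE text
# through DPAPI. Scope defaults to LocalMachine (CRYPTPROTECT_LOCAL_MACHINE), so
# any account on this machine can unprotect it, but no other machine can.
function Protect-RdpPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [System.Security.Cryptography.DataProtectionScope]$Scope =
            [System.Security.Cryptography.DataProtectionScope]::LocalMachine
    )
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
    # .rdp files carry the blob as "password 51:b:" followed by upper-case hex.
    $hex = -join ($blob | ForEach-Object { $_.ToString('X2') })
    return "password 51:b:$hex"
}

# Reverse an .rdp password line. Unprotect throws anywhere except on the machine
# (LocalMachine scope) or for the user (CurrentUser scope) that produced the blob,
# which is exactly why a copied file does not leak the password offline.
function Unprotect-RdpPassword {
    param(
        [Parameter(Mandatory)][string]$RdpLine,
        [System.Security.Cryptography.DataProtectionScope]$Scope =
            [System.Security.Cryptography.DataProtectionScope]::LocalMachine
    )
    if (-not ($RdpLine -match '^password 51:b:([0-9A-Fa-f]+)$')) {
        throw "Not a 'password 51:b:' line"
    }
    $blob  = ConvertFrom-Hex -Hex $Matches[1]
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

# Is this stored value a DPAPI blob at all (as opposed to a reversible encoding)?
# CryptProtectData output begins with version 1 and the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb written in its on-disk (mixed-endian) order.
function Test-DpapiBlob {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $header = [byte[]](0x01,0x00,0x00,0x00,
                       0xD0,0x8C,0x9D,0xDF, 0x01,0x15, 0xD1,0x11,
                       0x8C,0x7A,0x00,0xC0,0x4F,0xC2,0x97,0xEB)
    if ($Bytes.Length -lt $header.Length) { return $false }
    for ($i = 0; $i -lt $header.Length; $i++) {
        if ($Bytes[$i] -ne $header[$i]) { return $false }
    }
    return $true
}

# --- demonstration with a constructed password, not a real credential ---
$rdpLine = Protect-RdpPassword -Password 'Constructed-Example-Pass'
$rdpLine                                   # password 51:b:01000000D08C9DDF...

# The same blob as an XML-style base64 value; its prefix is AQAAANCMnd8BFdERjHoAwE/Cl+s
$blob = ConvertFrom-Hex -Hex $rdpLine.Substring('password 51:b:'.Length)
$b64  = [Convert]::ToBase64String($blob)
$b64

# A decoded XML value that passes this test is machine- or user-bound DPAPI data.
Test-DpapiBlob -Bytes ([Convert]::FromBase64String($b64))   # True
Test-DpapiBlob -Bytes ([Text.Encoding]::ASCII.GetBytes('plain'))  # False

# Round trip succeeds here because we are on the machine that protected it.
Unprotect-RdpPassword -RdpLine $rdpLine    # Constructed-Example-Pass
```

Run it in a Windows PowerShell session; on any other machine the final `Unprotect-RdpPassword` call throws a CryptographicException, which is the property the answer relies on. Swapping the scope to `CurrentUser` narrows it further, so that only the same user on the same machine can recover the value; `Test-DpapiBlob` cannot tell the two scopes apart, it only reports that the value is DPAPI output rather than an encoding such as plain base64.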

1

In fact, RDP from RDPMan distinguishes only the way to store the hash: the first stores it in hexadecimal notation, and the second performs Base64 encoding. So after Base64 decoding, using the utility RDP Password Hasher, you obtain the original password. But it can only do so when working on behalf of the user who created the password.

Alexey Kramnyuk

Posted 2012-08-02T14:30:15.237

Reputation: 11

-2

MS RDP is prone to "man-in-the-middle" attacks and also to worms. Therefore transport layer encryption may be added to mitigate this.

Here is a list of all commercial RDP software. Although the encryption is shown as proprietary and not explicitly listed.

Read here for further explanation http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx

Read here for security updates to MS Servers that apply to transport and application layer encryption of RDP encryption and authentication. http://technet.microsoft.com/en-us/library/dd582586.aspx

And more info: http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/8b9a13a4-6d0a-496d-b331-b1fbe9ebcb28/ Note that .ica scripts for Citrix RDP initialization include an entry to delete the .ica script file, which contains the host domain, upon login. This is an added security feature. "RemoveICAFile=yes"

The .rdp script files are similar in format to ica scripts but may exclude this line entry. Perhaps "RemoveRDPile=yes" may work ??

People sometimes save this script to ease logging in, but the contents may reveal too much about the user hash and domain name to allow password guessing. Often 3-strike lockouts prevent this, so security is enhanced.

Tony Stewart Sunnyskyguy EE75

Posted 2012-08-02T14:30:15.237

Reputation: 1 582

This is not entirely true. Any improperly secured connection could fall victim to a MITM attack. – Burgi – 2016-07-21T08:32:39.047

This recent report invalidates your opinion and supports mine from 2012 http://plugins.openvas.org/nasl.php?oid=902658 Please correct it.

– Tony Stewart Sunnyskyguy EE75 – 2016-07-22T19:53:35.253