TMCnet News

Windows 8 Sync Settings - Security Hole
[February 15, 2013]



Originally posted on VoIP & Gadgets Blog, here: http://blog.tmcnet.com/blog/tom-keating/microsoft/windows-8-sync-settings---security-hole.asp.

Windows 8 has a cool new feature that lets you log in with your cloud-based Microsoft account (@hotmail.com, @live.com, @outlook.com) and synchronizes your settings between Windows 8 PCs, but with a "security catch". We'll get into that in a moment. First, here's a list of features and settings that you can sync:

  • Personalize - Colors, background, lock screen, and your account picture
  • Desktop personalization - Themes, taskbar, high contrast, and more
  • Passwords - sign-in info for some apps, websites, networks, and HomeGroup
  • Ease of Access - Settings for Narrator, Magnifier, and more
  • Language preferences - Keyboards, other input methods, display language, and more
  • App settings - Certain settings in your apps, but not all
  • Browser settings - Internet Explorer history and bookmarks/favorites
  • Other Windows settings - Windows Explorer, mouse settings, and more
  • Sign-in info - For some apps, websites, networks, and HomeGroup

Looking at this list, you'd probably be just as excited as me. If you have a Windows 8 tablet and a Windows 8 PC, you can now easily see on either one the websites you recently viewed, thanks to the "shared" History. That feature has already come in handy for me several times. I also like how I can have a picture of my family, dog, or my favorite picture on the lock screen of all my devices. I set it on one device and it automatically syncs to the others. Easy peasy!

But here's the problem. You must use a Microsoft cloud-based account for sync settings to work and you cannot use a local account. Why is this bad? Well, suppose Hotmail gets hacked and the hackers gain access to your Microsoft account credentials. Now, not only can they access your email, but they can Remote Desktop to your home PC and access every photo, every video, every confidential financial file - everything. Your entire digital life is laid bare.

Now you could argue that the hackers would have to know your IP address in order to log in (via Remote Desktop) using your stolen Microsoft account credentials. Fair enough. But who's to say Microsoft doesn't store the last IP address used when you logged in? Let's go a bit deeper. What's to stop a Microsoft employee from logging into your home PC and seeing you have a pirated copy of Microsoft Office along with thousands of pirated movies? What's to stop a Microsoft employee from logging into their ex-boyfriend's/ex-girlfriend's PC for nefarious purposes?

The only workarounds to this major "potential" security hole are:
  • Disable Remote Desktop (not feasible for many users, since it's so useful)
  • Change the default port for Remote Desktop from 3389, though this will only slow a determined hacker or Microsoft employee
  • Switch to VNC remote desktop sharing program (& disable Remote Desktop)
  • Switch to a local account (unfortunately, you lose the benefits of syncing across your Windows 8 devices)
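
The Remote Desktop and local-account workarounds above correspond to settings that can be read back from PowerShell. The script below is an added example, not part of the original post: it only reads registry values and listening sockets and changes nothing. The `NoConnectedUser` value it checks belongs to the "Accounts: Block Microsoft accounts" security policy, which the post does not mention.

```powershell
# Added example: read-only audit of the Remote Desktop settings behind the workarounds above.
# Run from an elevated PowerShell prompt on the PC being checked; nothing is modified.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of an error when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$deny = Get-RegValue $ts  'fDenyTSConnections'   # 1 = Remote Desktop disabled, 0 = enabled
$port = Get-RegValue $rdp 'PortNumber'           # 3389 unless it has been changed
$nla  = Get-RegValue $rdp 'UserAuthentication'   # 1 = Network Level Authentication required
$msa  = Get-RegValue $pol 'NoConnectedUser'      # absent/0 = no restriction, 1 = cannot add, 3 = cannot add or sign in

# Is anything actually listening on the configured RDP port?
$listening = $false
if ($port) {
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
}

$msaPolicy = switch ($msa) {
    1       { 'Users cannot add Microsoft accounts' }
    3       { 'Users cannot add or sign in with Microsoft accounts' }
    default { 'Microsoft accounts allowed' }
}

$report = [pscustomobject]@{
    RemoteDesktopEnabled   = ($deny -eq 0)
    ConfiguredPort         = $port
    PortIsListening        = $listening
    NlaRequired            = ($nla -eq 1)
    MicrosoftAccountPolicy = $msaPolicy
}
$report | Format-List

if ($report.RemoteDesktopEnabled) {
    Write-Warning 'Remote Desktop is enabled: any account allowed to log on remotely can reach this PC.'
    if ($port -ne 3389) {
        Write-Warning "Port $port is non-default, which only hides the service from casual scans."
    }
    if (-not $report.NlaRequired) {
        Write-Warning 'Network Level Authentication is not required for incoming connections.'
    }
}
```

A Group Policy setting under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` can override the local `fDenyTSConnections` value, so on managed machines treat `PortIsListening` as the authoritative result.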

Now here is where it gets interesting. I have two Windows 8 PCs joined to a corporate domain, one Windows 8 tablet joined to a corporate domain, and one home Windows 8 PC not part of a domain. For all of my domain-joined Windows 8 PCs (& tablet), I am not required to use a Microsoft hotmail.com/live.com/outlook.com account. I can simply "link" my domain account with my Microsoft account, but continue to use my domain credentials to authenticate / log in to my PC either locally or via Remote Desktop when remote. Here's a screenshot showing how my domain account can be linked with my Microsoft hotmail account (blurred for privacy):


