RDP Security (Windows CE 5.0)
Remote Desktop Protocol (RDP) in Windows CE no longer saves passwords on the device by default. (This behavior is different than RDP on a Windows-based desktop OS, which saves the passwords in protected user profiles.) Not saving passwords on the device prevents unauthorized user access by anyone who breaks the password protection. By making the appropriate changes in %_WINCEROOT%\Public\Rdp\Oak\Uit\cetsc, an OS developer can change this default behavior so that the password is saved to the device
The BBarShowPinBtn registry setting was added to prevent spoofing of the client UI at public kiosks. By default, BBarShowPinBtn is set to zero (0); therefore, the pin button is not displayed, the connection bar remains on top, and all server output appears below the connection bar. This behavior differs in Windows CE 5.0 from earlier versions in which the pin button was displayed by default. An OS designer can change the default value to allow the user to unpin the connection bar from the UI.
RDP Security Best Practices
Carefully choose which files to expose in an RDP session
Use the file storage redirection and filtered file storage redirection, and carefully choose which files to expose in an RDP session. By default, the filter exposes external file storage devices, such as USB and compact flash devices. For more information, see Filtered File Storage Redirection.
Warn the user when a script is about to be executed, or disable the alternate shell
RDP connection file and registry properties may pose a security threat if they are used to run an unauthorized script. Because the RDP client does not warn the user before it starts to run a script, the user may not recognize an attack until it has been executed.
To minimize security threat, do one of the following:
- Disable AlternateShell in your OS design.
- Add a dialog box that displays a warning when a script is about to be executed. For example, "RDP client is attempting to run a script on target device. Do you want to allow it? (Y/N)."
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.
For information on RDP registry settings, see RDP Registry Settings.
See Also
RDP Application Development | RDP Best Practices | Enhancing the Security of a Device
Send Feedback on this topic to the authors