Windows 8 Sync Settings - Security Hole

Tom Keating : VoIP & Gadgets Blog

Windows 8 has a cool new feature that lets you log in with your cloud-based Microsoft account, and it will synchronize your settings between Windows 8 PCs, but with a "security catch". We'll get into that in a moment. First, here's a list of features and settings that you can sync:
  • Personalize - Colors, background, lock screen, and your account picture
  • Desktop personalization - Themes, taskbar, high contrast, and more
  • Passwords - sign-in info for some apps, websites, networks, and HomeGroup
  • Ease of Access - Settings for Narrator, Magnifier, and more
  • Language preferences - Keyboards, other input methods, display language, and more
  • App settings - Certain settings in your apps, but not all
  • Browser settings - Internet Explorer history and bookmarks/favorites
  • Other Windows settings - Windows Explorer, mouse settings, and more
  • Sign-in info - For some apps, websites, networks, and HomeGroup
Looking at this list, you'd probably be just as excited as me. If you have a Windows 8 tablet and a Windows 8 PC, now you can easily view the recent websites you viewed in either due to the "shared" History. That feature has already come in handy for me several times. I also like how I can have a picture of my family, dog, or my favorite picture on the lock screen of all my devices. I set it on one device and it automatically syncs it to the others. Easy peasy!

But here's the problem. You must use a Microsoft cloud-based account for sync settings to work and you cannot use a local account. Why is this bad? Well, suppose Hotmail gets hacked and the hackers gain access to your Microsoft account credentials. Now, not only can they access your email, but they can Remote Desktop to your home PC and access every photo, every video, every confidential financial file - everything. Your entire digital life is laid bare.

Now you could argue that the hackers would have to know your IP address in order to log in (via Remote Desktop) using your stolen Microsoft account credentials. Fair enough. But who's to say Microsoft doesn't store the last IP address used when you logged in? Let's go a bit deeper. What's to stop a Microsoft employee from logging into your home PC and seeing you have a pirated copy of Microsoft Office along with thousands of pirated movies? What's to stop a Microsoft employee from logging into their ex-boyfriend's/ex-girlfriend's PC for nefarious purposes?

The only workarounds to this major "potential" security hole are:
  • Disable Remote Desktop (not feasible for many users, since it's so useful)
  • Change the default port for Remote Desktop from 3389, though this will only slow a determined hacker or Microsoft employee
  • Switch to a VNC remote desktop sharing program (& disable Remote Desktop)
  • Switch to a local account (unfortunately, you lose the benefits of syncing across your Windows 8 devices)
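
To check where a PC stands against the first two workarounds, here is an added example (not from the original post) in PowerShell that reports whether Remote Desktop is enabled, which port it listens on, and whether Network Level Authentication is required, and can optionally disable it. The function name `Get-RdpExposure` and its `-Disable` switch are assumptions made for this example, and the firewall group name assumes an English-language Windows install.

```powershell
# Added example: audit (and optionally disable) Remote Desktop on the local PC.
# Run from an elevated prompt. Get-RdpExposure and -Disable are hypothetical
# names chosen for this example; the registry values are the standard
# Terminal Server settings.
function Get-RdpExposure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Disable)

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    if ($Disable -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable Remote Desktop')) {
        # fDenyTSConnections = 1 refuses incoming Remote Desktop connections
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
        # Close the matching inbound firewall rules as well
        # (display group name assumes an English-language install)
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }

    # Read the effective settings back from the registry
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication

    # Count inbound Remote Desktop firewall rules that are still enabled
    $fw = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    [pscustomobject][ordered]@{
        RdpEnabled           = ($deny -eq 0)
        Port                 = $port
        OnDefaultPort        = ($port -eq 3389)
        NlaRequired          = ($nla -eq 1)
        InboundRulesEnabled  = $fw.Count
    }
}

# Report only; nothing is changed without -Disable
Get-RdpExposure
```

Running `Get-RdpExposure -Disable -WhatIf` previews the change without applying it.
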
Now here is where it gets interesting. I have two Windows 8 PCs joined to a corporate domain, one Windows 8 tablet joined to a corporate domain, and one home Windows 8 PC not part of a domain. For all of my domain-joined Windows 8 PCs (& tablet), I am not required to use a Microsoft account. I can simply "link" my domain account with my Microsoft account, but continue to use my domain credentials to authenticate / log in to my PC either locally or via Remote Desktop when remote. Here's a screenshot showing how my domain account can be linked with my Microsoft Hotmail account (blurred for privacy):
[Screenshot: windows-8-pc-settings.jpg]
However, for my home PC, I am required to use a Microsoft account. Why is that? Why can't I just link a local account to my Microsoft account and continue to enjoy sync capabilities? I'm no conspiracist, but forcing Windows 8 users to use a cloud-based account gives the FBI, CIA, and NSA an easy backdoor into your PC. All they have to do is issue a warrant to Microsoft and boom, they have your credentials to remote desktop into your computer.

I certainly have nothing to hide, and law enforcement has other means of gaining access to your PC - like taking it. However, it really bothers me that Microsoft is forcing me to give them the keys to the kingdom - the keys to my entire digital life.

Obviously, Microsoft knew corporate IT managers would never allow users' personal Hotmail accounts to be the authentication method into a corporate domain since that bypassed corporate security procedures such as aged passwords, password complexity, disabled AD accounts, etc., which is why they allow "linking" your corporate account with a Microsoft account. My question is why is Microsoft forcing non-domain Windows 8 users to use Microsoft cloud-based credentials and not allowing the linking of a local account? Perhaps there is a logical reason from a feature standpoint, but I'm just not seeing it.
