Windows 8 has a cool new feature that lets you log in with your cloud-based Microsoft account (@hotmail.com, @live.com, @outlook.com) and synchronize your settings between Windows 8 PCs, but it comes with a security catch. We'll get into that in a moment. First, here's the list of features and settings that can be synced:
- Personalize - Colors, background, lock screen, and your account picture
- Desktop personalization - Themes, taskbar, high contrast, and more
- Passwords - sign-in info for some apps, websites, networks, and HomeGroup
- Ease of Access - Settings for Narrator, Magnifier, and more
- Language preferences - Keyboards, other input methods, display language, and more
- App settings - Certain settings in your apps, but not all
- Browser settings - Internet Explorer history and bookmarks/favorites
- Other Windows settings - Windows Explorer, mouse settings, and more
- Sign-in info - For some apps, websites, networks, and HomeGroup
But here's the problem. You must use a Microsoft cloud-based account for settings sync to work; a local account won't do. Why is this bad? Suppose Hotmail gets hacked and the attackers obtain your Microsoft account credentials. Now they don't just have your email: because the Microsoft account is also your Windows login, they can Remote Desktop into your home PC and read every photo, every video, every confidential financial file, everything. (Remote Desktop is off by default, only the Pro and Enterprise editions can accept incoming connections, and the PC has to be reachable from the internet, but a home user who wants to reach their PC from work has set up exactly that.) Your entire digital life is laid bare.
Now you could argue that the attackers would have to know your IP address in order to log in via Remote Desktop with the stolen credentials. Fair enough. But who's to say Microsoft doesn't store the last IP address you signed in from? Let's go a bit deeper. What's to stop a Microsoft employee from logging into your home PC and seeing that you have a pirated copy of Microsoft Office along with thousands of pirated movies? What's to stop a Microsoft employee from logging into an ex-boyfriend's or ex-girlfriend's PC for nefarious purposes? (An insider can't simply read your password out of the account database, but anyone with access to the password-reset path effectively has the same thing.)
The workarounds to this major "potential" security hole are:
- Disable Remote Desktop (not feasible for many users, since it's so useful)
- Change the default Remote Desktop port from 3389. This will only slow down a determined attacker or Microsoft employee, since a port scan finds the new listener in seconds
- Require Network Level Authentication and restrict the inbound Remote Desktop firewall rule to your home LAN or VPN, so that a stolen password alone is not enough to reach the listener from the internet
- Switch to a VNC-based remote desktop program (and disable Remote Desktop), so remote logins use a password that is separate from your Microsoft account
- Switch to a local account (unfortunately, you lose the benefits of syncing across your Windows 8 devices)
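As an added example (not part of the original post), here is a PowerShell script that audits the Remote Desktop exposure described above and applies the NLA, firewall-scoping and port-change workarounds. It uses the standard Terminal Server registry values and the NetSecurity cmdlets that ship with Windows 8 / PowerShell 3.0; the 192.168.1.0/24 subnet is an assumed home LAN, so change it to yours. Run it from an elevated prompt.

```powershell
# Added example, not from the original post. Audits and hardens the Remote Desktop
# listener on a Windows 8 Pro/Enterprise PC. Requires an elevated PowerShell 3.0+ prompt.
# Assumption: 192.168.1.0/24 is your home LAN; adjust -AllowedSubnet to match.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # Reports whether this PC can accept RDP logins, and from where.
    $os   = Get-CimInstance Win32_OperatingSystem
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

    # Remote addresses accepted by the enabled inbound "Remote Desktop" rules.
    $remote = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
              Get-NetFirewallAddressFilter |
              Select-Object -ExpandProperty RemoteAddress -Unique

    [pscustomobject]@{
        Edition           = $os.Caption
        CanHostRdp        = [bool]($os.Caption -match 'Pro|Enterprise')  # base Windows 8 has no RDP host
        RdpEnabled        = ($deny -eq 0)
        NlaRequired       = ($nla -eq 1)
        ListeningPort     = $port
        FirewallRemoteIPs = ($remote -join ', ')   # 'Any' = reachable from the whole internet once port-forwarded
    }
}

function Protect-Rdp {
    # Applies the workarounds from the list above. -DisableEntirely turns RDP off;
    # otherwise NLA is enforced, the firewall rule is scoped to the LAN, and the port
    # is optionally moved (obscurity only: a port scan still finds it).
    param(
        [string]$AllowedSubnet = '192.168.1.0/24',   # assumed home LAN
        [int]$Port = 3389,
        [switch]$DisableEntirely
    )

    if ($DisableEntirely) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }

    # Keep the listener on but require Network Level Authentication, so a client must
    # authenticate before any session (and its attack surface) is created.
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

    # Scope the built-in inbound rules to the LAN/VPN. A stolen Microsoft account password
    # then also needs a foothold on your network before it can reach the listener.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedSubnet -Enabled True

    if ($Port -ne 3389) {
        # The built-in rule is fixed to 3389, so a moved listener needs its own rule.
        Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $Port -Type DWord
        New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedSubnet -Action Allow | Out-Null
        # The listener only rebinds after a restart; this drops any current RDP session.
        Restart-Service TermService -Force
    }
}

# Audit first; uncomment one of the Protect-Rdp lines to apply a workaround.
Get-RdpExposure | Format-List
# Protect-Rdp -AllowedSubnet '192.168.1.0/24'
# Protect-Rdp -AllowedSubnet '192.168.1.0/24' -Port 33890
# Protect-Rdp -DisableEntirely
```

The audit output is the check to look at before worrying about the scenario in the post: if `CanHostRdp` or `RdpEnabled` is false, or `FirewallRemoteIPs` is already your LAN, a leaked Microsoft account password does not by itself give anyone a Remote Desktop session from the internet.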
However, for my home PC, I am required to use a Microsoft account. Why is that? Why can't I just link a local account to my Microsoft account and continue to enjoy sync capabilities? I'm no conspiracist, but forcing Windows 8 users to use a cloud-based account gives the FBI, CIA, and NSA an easy backdoor into your PC. All they have to do is issue a warrant to Microsoft and, boom, they have your credentials to Remote Desktop into your computer.
I certainly have nothing to hide, and law enforcement has other means of gaining access to your PC, like taking it. However, it really bothers me that Microsoft is forcing me to give them the keys to the kingdom: the keys to my entire digital life.
Obviously, Microsoft knew corporate IT managers would never allow users' personal Hotmail accounts to be the authentication method into a corporate domain, since that would bypass corporate security controls such as password aging, password complexity, and disabling of AD accounts, which is why a domain account can be "connected" to a Microsoft account for sync instead. My question is why Microsoft forces non-domain Windows 8 users to use Microsoft cloud-based credentials and does not allow the same linking for a local account. Perhaps there is a logical reason from a feature standpoint, but I'm just not seeing it.