

Cartel
Premium
join:2006-09-13
Chilliwack, BC

[WIN7] Can I delete the Group "Remote Desktop Users"?

I'm never gonna use RD so can I delete that group?
Will it mess something else up?

thanks


jay608
Going Nucking Futs

join:2007-01-22
Chicago, IL

Re: [WIN7] Can I delete the Group "Remote Desktop Users"?

In theory it won't mess anything up, but I would leave it, as it is a built-in group.


b_p_smith

join:2002-02-13
Merrickville, ON

It buys you absolutely nothing to delete the group. But if you decide some day down the road that maybe you *want* to use RDP (I use it all the time myself), you're opening yourself to a world of hurt trying to restore all the stuff you deleted/tweaked.
I know many a user messing around in group policy that made it so they couldn't log onto their machine anymore. Some things are best left untouched if you don't know what you're doing.

Brad.
--
Xplornet WiMAX -} Buffalo WZR-HP-G300NH running DD-WRT -} about 13 machines running everything you can think of.


dave
Premium,MVM
join:2000-05-04
not in ohio

1 recommendation

reply to Cartel

Depends what you mean by 'delete'. That group has a well-known identifier, so in a sense it exists regardless of any database entry; it's like trying to delete the number 555.

(Or: you can delete my phone number from the phone directory, but I've still got the phone, and anyone who knows the number can call it).

If you want to try and delete the database entry, then go ahead, but it's just the same as having no members in the group.

The risk is you'll probably never be able to put it back, since there's no way to say 'create this with id 555'. (I suppose it's possible the UI will recognize the name and automagically assign the right number, but I wouldn't bet on it).

Non-existence of the Remote Desktop Users group doesn't preclude connections that authenticate as members of Administrators. Or in fact, as anyone that has RDS-logon privilege. It is not membership of the group Remote Desktop Users that permits you to log on via remote desktop, it is the privilege "allowed to log on through Remote Desktop Services" and that just happens to be assigned to the group Remote Desktop Services. Groups are simply a convenient way to handle privileges (as well as handle object protections). I could equally well make "dave" have the privilege directly.

In short, I think it's pointless to go around deleting random entries.

If you must emasculate Remote Desktop Users, a less destructive way would be to remove "allowed to log on through Remote Desktop Services" privilege from the group Remote Desktop Users. That is trivially reversible should you change your mind. Though I still think it is pointless.
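
Added example (not part of dave's post or the thread): a PowerShell audit of which accounts actually hold the Remote Desktop logon right, which is the setting the post above says matters rather than the group's existence. The function name `Get-RdpLogonRight` is hypothetical and the sample INF text is constructed; S-1-5-32-544 and S-1-5-32-555 are the well-known SIDs of Administrators and Remote Desktop Users, and the two right names are the identifiers `secedit` uses for the allow and deny "log on through Remote Desktop Services" rights.

```powershell
function Get-RdpLogonRight {
    param(
        # Lines of a "secedit /export /areas USER_RIGHTS" file.
        # If omitted, the live policy is exported (requires an elevated prompt).
        [string[]]$InfLines
    )
    if (-not $InfLines) {
        $tmp = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $InfLines = Get-Content -LiteralPath $tmp
        Remove-Item -LiteralPath $tmp -Force
    }
    # Allow and deny variants of "log on through Remote Desktop Services".
    $rights = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $value = $Matches[2]
            if ($rights -notcontains $name) { continue }
            foreach ($entry in ($value -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $sid = $null
                $account = $entry          # secedit writes some accounts by name
                if ($entry.StartsWith('*')) {
                    $sid = $entry.Substring(1)   # "*S-1-5-..." means a SID
                    try {
                        $account = ([Security.Principal.SecurityIdentifier]$sid).Translate(
                            [Security.Principal.NTAccount]).Value
                    } catch {
                        # SID with no account entry: the right still names it.
                        $account = '(unresolved)'
                    }
                }
                New-Object psobject -Property @{ Right = $name; Sid = $sid; Account = $account } |
                    Select-Object Right, Sid, Account
            }
        }
    }
}

# Constructed sample of the relevant export line.
$sample = @'
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
'@ -split "`r?`n"

Get-RdpLogonRight -InfLines $sample | Format-Table -AutoSize
```

Calling `Get-RdpLogonRight` with no arguments reads the machine's current policy instead of the sample.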


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to Cartel

Here's what happens if one asks the lusrmgr GUI to do it. (As a bonus I tried to delete the Administrators group, too.) First thought here was "Meaning of Life: Part Five" -- especially if one really wants to delete a built-in group -- but this is one of the many uses for VMs.


Cartel
Premium
join:2006-09-13
Chilliwack, BC

Thanks for the replies.
I guess I will leave it.
I will never use RD but it may need to be there I guess if a security setting wants to deny RD and can't find that group, it may bugger up my GP I guess.


psloss
Premium
join:2002-02-24
Lebanon, KS

said by Cartel:

Thanks for the replies.
I guess I will leave it.
I will never use RD but it may need to be there I guess if a security setting wants to deny RD and can't find that group, it may bugger up my GP I guess.


As b_p_smith and dave wrote, deleting a built-in operating system group account doesn't secure RDP -- it's well past the point of diminishing returns. If this is with security in mind, is this machine serving as a standalone server? Is this deployed in a hosting environment? If so, then RDP is a primary route of infection, since it's often used for maintenance.

If this is a home machine behind a consumer wifi router attached to a 'mega' consumer Internet service provider, FWIW there are enough obstacles for RDP to overcome in a typical home network that it's not a primary route of infection. In a post-infection situation, an attacker that wants remote control is likely to bring-their-own remote control (VNC, TeamViewer, LogMeIn, etc.).