Remote Desktop Connection Manager v2.90
- Article
- 01/27/2022
- 18 minutes to read
- 3 contributors
Is this page helpful?
Yes No
Any additional feedback?
Feedback will be sent to Microsoft: By pressing the submit button, your feedback will be used to improve Microsoft products and services. Privacy policy.
Submit
Thank you.
In this article
By Julian Burger
Published: January 27, 2022
Run now from Sysinternals Live.
Microsoft discontinues RDCMan app following security bug
Microsoft recommends using the Windows in-box remote desktop client [MSTSC] instead.
Written by Catalin Cimpanu, Contributor
Catalin Cimpanu Contributor
Catalin Cimpanu was a security reporter for ZDNet between Sep 2018 and Feb 2021.
Full BioPosted in Zero Day on March 13, 2020 | Topic: Microsoft
Microsoft has discontinued this week its Remote Desktop Connection Manager [RDCMan] application following the discovery of a security flaw.
As its name suggests, the app allows users to connect remotely to other Windows computers via RDP [Remote Desktop Protocol].
The app, which was developed by the former Windows Live Experience team for their internal use, has been available for download from the Microsoft website since the late 2000s.
RDCMan was always a standalone tool, not included with Windows OS versions, yet, it gained a lot of traction with system administrators in the late 2000s and early 2010s, when there weren't that many tools of its kind available online for free.
RDCMan
Microsoft kept the tool up to date across the years, even reaching v2.7 in 2014, the time of its last update.
However, RDCMan was never a fully-featured solution for remote management, and Microsoft rolled out alternative tools across the years.
This includes adding a built-in remote management tool [MSTSC] in the Windows OS itself and releasing an official Remote Desktop app on the Windows Store.
MSTSC
As Microsoft rolled out new tools, the company knew RDCMan's ending was coming. In a support document published last year, Microsoft told users to migrate to these two newer solutions.
Microsoft said that both of the newer tools support more features, and receive security updates on a regular basis.
However, today, there are still a lot of users who are still using RDCMan, primarily because the app has better features for managing multiple connections at once, a feature that's often used in enterprise environments.
But this week, with the release of the March 2020 Patch, RDMan's official demise came to be. Microsoft said it received a report about a new bug in RDCMan that could allow an attacker to retrieve data from an RDCMan user's computer.
"To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file," Microsoft said in a security advisory for CVE-2020-0765.
Instead of fixing the bug, Microsoft decided to retire RDCMan, seeing no reason to revive an app that received its last update almost six years ago.
Users who continue using the app should be aware not to open any RDCMan connection configuration [RDG] files they receive unsolicited or from unknown sources.
Microsoft credited UK security researcher Ethan Sterling with finding and reporting the CVE-2020-0765 bug in RDCMan.
UPDATE on February 16, 2021: In a tweet, almost a year after RDCMan was discontinued, Mark Russinovich, co-creator of the SysInternals package, announced that RDCMan would be supported part of the SysInternals package going forward.
About Remote Desktop Connection Manager
RDCMan used to be a popular tool to collect, categorize and use multiple remote desktop connections in Microsoft-oriented networks. It was available as a free download until March 2020 when a critical vulnerability [CVE-2020-0765] was found in the program. The version we used back then [version 2.7] dated back to 2014.
About the 2020 vulnerability in RDCMan
An information disclosure vulnerability exists in the Remote Desktop Connection Manager [RDCMan] application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity [XXE] declaration.
To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.
On March 12, 2020, Microsoft didn’t recommended uninstalling Remote Desktop Connection Manager [RDCMan], but many admins removed it from their management boxes and resorted to alternatives like mRemoteNG, RD Tabs, RDM and even purely paid solutions like RoyalTS.
Their way of thinking was that by uninstalling RDCMan, an attacker could no longer trick them into use RDCMan using files with the *.rdg extension.
Microsoft Discontinues Remote Desktop Connection Manager [RDCMan] + Invitation to Try Remote Desktop Manager [RDM]
Derick St-HilaireApril 2, 2020
In March, Microsoft announced that it was discontinuing Remote Desktop Connection Manager [RDCMan] due to a major security flaw [CVE-2020-0765]. Here is the bulletin:
An information disclosure vulnerability exists in the Remote Desktop Connection Manager [RDCMan] application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity [XXE] declaration. To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.
Here’s what ZDNet said about Microsoft’s response to the problem: “Instead of fixing the bug, Microsoft decided to retire RDCMan, seeing no reason to revive an app that received its last update almost six years ago.”
2 Replies
· · ·
Datil
OP
Apr 6, 2020 at 14:07 UTC
I've used remote desktop connection manager for years. Guess I'll be giving Devolutions product a try.
1
· · ·
Thai Pepper
OP
Apr 6, 2020 at 14:12 UTC
Brand Representative for Devolutions
Hichrisf7,
Don't hesitate if you have any questions or need more information! It would be our pleasure to help!
chrisf7
Datil
1
This topic has been locked by an administrator and is no longer open for commenting.
To continue this discussion, please ask a new question.
Installation of RDCMan
Installation of RDCMan
There are days when I look down at my taskbar and see way too many open connections to servers and I can’t remember what’s what. In our small IT shop, my staff and I wear many hats, and we all have varying needs to jump on different servers to accomplish a necessary task. It can be a challenge to keep track of our 15 physical servers and our 40 – 45 virtual servers, particularly when it comes to connecting to multiple servers that house related servers. For example, is it the server named SQL04 or is it the server named SQL08 that houses the SharePoint database? As you move into larger environments, it gets even worse as the number of servers grows exponentially.
Microsoft’s Remote Desktop Connection Manager [RDCMan] makes our administrative task of keeping track of remote desktop connections much easier. RDCMan aggregates Windows server remote desktop connections so administrators can connect to server with a point and a click rather than hunting around for a connection. Here are configuration tips for getting the most out of RDCMan.
Note: My default is Windows 7, but if you intend to use RDCMan with Windows XP, you may need to install version 6 or higher of the Remote Desktop Connection client software. I also included a link to RDCMan 7 for Windows Vista below.
This TechRepublic gallery is also available as a Servers and Storage blog post.
Installation
Installation is a breeze; you just double-click it and then click Next a couple of times.