Windows – Remote desktop to Windows Machine without password (No domain)

Tags: certificate, remote desktop, windows

I am running a number of Windows VMs and I would like engineers to be able to remote desktop into them without a password. These machines are not on a domain but are managed by Chef.

But Why?

All access to the servers is gated through SSH auth principals (currently Cygwin SSH, soon to be Win32-OpenSSH). In order to remote desktop you need to ssh -L 3389:localhost:3389 $vm and then connect to your local machine on port 3389. I would really like to keep the password for the Windows machine "hidden".

What else

  • All clients are managed by Chef and I can make changes to them (add client-side certificates, etc.)
  • Most clients have a YubiKey and I'm happy to make this a requirement
  • Most clients are Apple laptops but a large number of Windows and Desktop Linux machines are there too

Best Answer

Create your password-less local user account(s). Might as well set "User cannot change password" and "Password never expires" too for best results. Add these accounts to the local group "Remote Desktop Users".

Fire up secpol.msc and navigate "Local Policies" > "Security Options". Change the setting "Accounts: Limit local account use of blank passwords to console logon only" to "Disabled". Bask in your newly enabled password-less RDP glory. Grin mildly as you feel a sense of accomplishment. Ignore those creeping thoughts deep in the back of your mind that say "Maybe this isn't a great idea."

Abandon all hope, ye who enter here
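
To see which hosts and accounts are in the state the answer above describes, the following audit (an added example, not part of the original answer) reads the registry value behind the "Limit local account use of blank passwords" policy and lists enabled local accounts that do not require a password. It assumes an elevated Windows PowerShell 5.1+ session; the function name is hypothetical.

```powershell
# Added example: report local accounts that could log on over RDP without a password.
function Get-BlankPasswordRdpExposure {
    # "Accounts: Limit local account use of blank passwords to console logon only"
    # is stored as LimitBlankPasswordUse under the Lsa key: 1 = Enabled, 0 = Disabled.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $limit  = (Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse `
                   -ErrorAction SilentlyContinue).LimitBlankPasswordUse

    # Well-known SIDs are used because the group names are localized.
    # S-1-5-32-555 = Remote Desktop Users, S-1-5-32-544 = Administrators.
    $rdpGroupSids  = 'S-1-5-32-555', 'S-1-5-32-544'
    $rdpMemberSids = foreach ($sid in $rdpGroupSids) {
        try {
            Get-LocalGroupMember -SID $sid -ErrorAction Stop |
                ForEach-Object { $_.SID.Value }
        } catch {
            # Enumeration can fail, for example on orphaned member SIDs.
            Write-Warning "Could not enumerate group ${sid}: $($_.Exception.Message)"
        }
    }

    # PasswordRequired = $false means the account is allowed to have no password;
    # it does not prove the password is actually blank.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        ForEach-Object {
            [pscustomobject]@{
                Account                 = $_.Name
                PasswordRequired        = $_.PasswordRequired
                InRdpCapableGroup       = $rdpMemberSids -contains $_.SID.Value
                LimitBlankPasswordUse   = $limit
                RemoteBlankLogonAllowed = ($limit -eq 0)
            }
        }
}

Get-BlankPasswordRdpExposure | Format-Table -AutoSize
```

A row with both InRdpCapableGroup and RemoteBlankLogonAllowed set to True marks an account that anyone able to reach port 3389 on that host can use, so the SSH tunnel becomes the only control in front of it.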