You mean that the Windows version actually bases its authentication on something more robust than the source IP, a low port number, and who you claim to be and that it doesn't send potentially sensitive traffic over the wire in the clear?

Update: And as for being part of the OS, this and some other googling seem to indicate that it's not a part of the stock install and only available as part of the Services for UNIX add-on (Vista and on at least). If you've got to install something, then again it's better to install something that's not a gaping hole than the gaping hole that's on the second install CD.

Update: And this isn't just run-of-the-mill anti-Windows bigotry, it's that any installation of any of the ancient r-programs is an invitation to fail.

(Not that the sheer Wintendo-try in that they don't ship anything better by default isn't just icing on the cake, mind you. :)

You mean that the Windows version actually bases its authentication on something more robust than the source IP, a low port number, and who you claim to be and that it doesn't send potentially sensitive traffic over the wire in the clear?

Yes. From the docs:

TCP/IP Remote Utilities

The tools described in this appendix allow a network administrator to manage network computers from a distance. Many are similar to UNIX utilities. In This Appendix:

• Finger
• Ftp
• Rcp
• Rexec
• Rsh
• Telnet
• Tftp

Note: All passwords used by Windows networking services are encrypted. However, the Ftp, and Rexec connectivity tools all rely on cleartext password authentication by the remote computer. Cleartext passwords are not encrypted before being sent over the network. This enables another user equipped with a network analyzer on the same network to steal a user's remote account password. For this reason, choose different passwords from those used for Windows 2000–based computers or domains when connecting to non-Microsoft remote computers with the Ftp, Rexec, or Telnet tools. Note that the protocols themselves prohibit encryption; cleartext passwords are not a standard that Microsoft encourages.

---

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

"Too many [] have been sedated by an oppressive environment of political correctness and risk aversion."

Erm . . .

However, the Ftp, and Rexec connectivity tools all rely on cleartext password authentication by the remote computer. Cleartext passwords are not encrypted before being sent over the network. This enables another user equipped with a network analyzer on the same network to steal a user's remote account password.

And reading what I presume to be the rshsvc docs says that it depends on the same "if it looks like the right host come on in" access checks that the original forms provide. Once you let one user in passwordless through a .rhosts you've put a screen door that anyone that can spoof traffic can open.

It's a network hygiene thing; 99.9% of the time it may be find that you leave your car unlocked because you park in a private deck, but by refusing to take a trivial step (getting in the habit of locking your car; installing something that's not an open vulnerability waiting to happen) you've only got yourself to blame that one time when a miscreant makes it past the other layers.

Live dangerously if you like, just be careful cavalierly advising others to do the same without letting them know there's risks involved. That's all.

The cake is a lie.
The cake is a lie.
The cake is a lie.