Comment 20 for bug 1040221

As a member of the security team, I've been asked to comment on enabling by default. When performing our reviews (which due to the time of the review, were limited to code-only reviews) , we did not realize that this would be enabled by default-- the code is brand new and it seems (tm me anyway) a strange default to have in the default install since it is presumed only a very small fraction of users will use the service (eg, they need an rdp or citrix server to user it). While our preference would be to not enable by default and let the bugs shake out, we will not block on it being turned on by default. We plan to poke at this more as all the pieces land and we gain a better overall picture, but if serious issues are found, we may revisit enabling it by default.