Windows RDP Flaw Allows Access via Revoked Passwords
Administrators should be aware that simply resetting admin passwords after a security breach may not be enough to secure Windows systems using Remote Desktop Protocol (RDP). A newly reported vulnerability allows access even with revoked passwords.
RDP Security Concerns Raised
IT security researcher Daniel Wade alerted Microsoft to the issue, reporting that old access credentials continue to function in RDP, even on new machines. According to Wade, newer passwords might be ignored while older ones remain valid. Windows Defender, Entra ID, and Azure do not warn about this behavior, and there is no straightforward way for users to detect or rectify the problem.
Microsoft Defends “Design Decision”
Microsoft has acknowledged the behavior, classifying it as a “design decision” intended to ensure at least one user account can always log in, irrespective of system age. The company maintains that this does not constitute a security vulnerability and has no plans to implement changes.
RDP enables remote access to Windows machines, allowing users to work as if they were at a local computer. The software transmits the desktop output to the remote machine. When remote access is enabled with a Microsoft or Azure account, users can log in via RDP using a password that is checked against locally stored credentials or against the online account associated with local users.
However, a password that was used for remote access remains valid even after the user changes it. This can lead to situations where older passwords work while more recent ones do not, possibly bypassing cloud verification, multi-factor authentication, and access control policies. Wade described the issue as creating “a silent, distant backdoor in every system on which a password was caught,” emphasizing that “even if attackers have never had access to the system, Windows trusts the password.”
Credential Caching: The Root Cause
The underlying cause is credential caching. When a user logs in with a Microsoft or Azure account, RDP validates the password online. Windows then saves the access data locally in encrypted form. Subsequently, every RDP connection attempt is checked against this locally saved data without an online verification. Consequently, even revoked passwords can grant access via RDP.
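To make the caching behavior described above (and repeated in the FAQ answers on how the vulnerability works and what credential caching is) concrete, here is an added example that is not part of the article and is not Windows's own code. It is a constructed model with a single user: an assumed `IdentityProvider` stands in for the online account store, and `LocalLogon` models the local check. The `cache_first` mode reproduces the reported behavior (once a cache exists, only the cache is consulted); the `online_first` mode is an assumed alternative, included only for comparison, that asks the provider whenever it is reachable and uses the cache only while offline.

```python
import hashlib
import hmac
import os

# Constructed model (added example, not Windows's code) of the logon path the
# article describes: a password verified online once is cached locally, and
# later RDP logons are checked against that cache with no online check.
# The "online_first" mode is an assumed alternative for comparison only.

ITERATIONS = 10_000  # kept low so the demo runs quickly


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class IdentityProvider:
    """Stand-in for the online account store (assumption: a single user)."""

    def __init__(self, password: str) -> None:
        self.change_password(password)

    def change_password(self, new_password: str) -> None:
        self._salt = os.urandom(16)
        self._hash = _derive(new_password, self._salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_derive(password, self._salt), self._hash)


class LocalLogon:
    """Local logon check against a provider plus a local cache (the article
    says Windows stores it encrypted; it is modelled here as a salted hash).

    mode="cache_first": once a cache exists, only the cache is consulted,
        which is the behavior reported in the article.
    mode="online_first": ask the provider whenever it is reachable, refresh
        the cache on success, and fall back to the cache only while offline.
    """

    def __init__(self, provider: IdentityProvider, mode: str) -> None:
        assert mode in ("cache_first", "online_first")
        self.provider = provider
        self.mode = mode
        self.online = True  # flip to False to simulate the provider being unreachable
        self._cache = None  # (salt, hash) of the last online-verified password

    def _cache_matches(self, password: str) -> bool:
        if self._cache is None:
            return False
        salt, digest = self._cache
        return hmac.compare_digest(_derive(password, salt), digest)

    def _check_online(self, password: str) -> str:
        if self.provider.verify(password):
            salt = os.urandom(16)
            self._cache = (salt, _derive(password, salt))  # refresh the cache
            return "online"
        return "denied"

    def logon(self, password: str) -> str:
        """Return "online", "cache" or "denied" depending on how access was decided."""
        if self.mode == "cache_first" and self._cache is not None:
            return "cache" if self._cache_matches(password) else "denied"
        if self.online:
            return self._check_online(password)
        return "cache" if self._cache_matches(password) else "denied"


def demo(mode: str) -> dict:
    """Run the article's scenario: log on once, rotate the password in the
    cloud, then try the old and the new password again."""
    provider = IdentityProvider("Winter2024!")  # constructed sample values
    host = LocalLogon(provider, mode)
    first = host.logon("Winter2024!")            # online check populates the cache
    provider.change_password("Spring2025!")      # admin resets the cloud password
    return {
        "first_logon": first,
        "old_password_after_reset": host.logon("Winter2024!"),
        "new_password_after_reset": host.logon("Spring2025!"),
    }


if __name__ == "__main__":
    for mode in ("cache_first", "online_first"):
        print(mode, demo(mode))
```

In `cache_first` mode the old password is accepted from the cache after the reset and the new one is refused, which is exactly the "older passwords work while newer ones do not" symptom. In `online_first` mode the reset takes effect immediately and the cache only matters while the provider is unreachable.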
Microsoft Updates Documentation
Microsoft has updated its online documentation on Windows login scenarios in response to Wade’s report. The documentation now states that “if a user runs a local log-in, their access data will be verified locally against an intermediate copy before authentication via the identity provider on the Internet,” and acknowledges that users can access their local machine with an old password.
Prior Reports and Compatibility Concerns
IT security researcher Will Dormann notes that the issue is not easily discernible for most administrators and is not explicitly documented. It remains unclear how affected RDP users can secure their systems if their Azure or Microsoft accounts have been compromised.
Wade was not the first to report this problem. Microsoft indicated that another IT researcher had raised the issue in 2023. According to Microsoft, “Originally we had considered a code change for this problem, but after further examination of the design documentation, it turned out that code changes could impair compatibility with the functions used by many applications.”
Windows RDP Flaw: Your Questions Answered
What is the RDP Flaw?
The RDP (Remote Desktop Protocol) flaw refers to a security issue in Windows systems that allows access via Remote Desktop even after a password has been changed or revoked. This means that an attacker could use an old password to gain access to a system, even if the administrator has tried to secure the system by changing the password.
How Does This RDP Vulnerability Work?
The core problem lies in how Windows handles credentials for RDP logins, specifically with Microsoft or Azure accounts. When a user logs in via RDP, the system validates the password online. However, Windows then caches the access data locally in an encrypted form. After the initial login, subsequent RDP connection attempts are checked against this locally saved data without requiring online verification. Even if the password is later changed or revoked, the old password stored in the cache may still grant access.
Why is This a Security Concern?
This flaw creates a potential backdoor for unauthorized access. Even if an attacker has never had prior access to the system, they could use an old, compromised password to gain entry. This poses serious risks because the system might bypass security measures like:
- Cloud Verification
- Multi-factor Authentication
- Access Control Policies
Is This a New Vulnerability?
No, this isn’t a brand-new issue. IT security researcher Daniel Wade brought the issue to Microsoft’s attention, but another IT researcher had already raised it in 2023. The recent attention highlights the ongoing concern.
Has Microsoft Acknowledged This Issue?
Yes, Microsoft has acknowledged the behavior, classifying it as a “design decision.” According to Microsoft, this design is intended to ensure that at least one user account can always log in. Microsoft maintains that this design decision does not constitute a security vulnerability.
What is Credential Caching and Why Is It a Problem?
Credential caching is the underlying cause of the RDP flaw. Windows stores user credentials locally after the initial online verification. The problem is that subsequent RDP connection attempts are checked against this cached data without online verification. Therefore, even after a password change or revocation, the cached (old) password might still work.
How Can I Find Out More about This Flaw?
Microsoft has updated its online documentation on Windows login scenarios. You can find more details on the Microsoft Learn website. According to the updated documentation, a user can access their local machine with an old password.
Is There a Way to Prevent This RDP Password Issue?
The article provides no direct workaround, because Microsoft has classified this behavior as a “design decision.” To secure affected Azure or Microsoft accounts, consider these general best practices (the article does not give steps that address this specific issue):
- Enable multi-factor authentication (MFA).
- Regularly review access logs and user accounts.
- Monitor for suspicious activity.
- Use strong, unique passwords.
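The two list items about reviewing access logs and monitoring for suspicious activity can be turned into a concrete check. The following is an added example, not from the article or from Microsoft: it scans successful-logon records for RDP logons (Windows logon type 10, RemoteInteractive, in event 4624) that happened after an account's password was reset. Since the article's point is that an old password may still open an RDP session after a reset, such logons should be reviewed rather than treated as routine. The flat "timestamp key=value" record format and the sample records and reset times are constructed assumptions so the example runs offline; real events live in the Security log as EVTX/XML, but the field names used here follow the real 4624 event data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Added example, not from the article. It flags RDP logons that occurred
# after an account's password was reset, because the article explains that
# an old password may still be accepted from the local cache after a reset.

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample records (assumed flat format; field names follow the
# real 4624 event data: EventID, LogonType, TargetUserName, IpAddress).
SAMPLE_LOG = """
2025-04-20T09:02:11Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.5
2025-04-22T03:14:09Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.23
2025-04-22T08:30:00Z EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.0.0.9
2025-04-22T08:41:12Z EventID=4624 LogonType=10 TargetUserName=asmith IpAddress=10.0.0.7
2025-04-22T09:00:00Z EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.23
""".strip().splitlines()

# Constructed: when an administrator reset each account's password. In
# practice this comes from the incident record or the identity provider.
RESET_TIMES = {"jdoe": datetime(2025, 4, 21, 17, 45, tzinfo=timezone.utc)}


@dataclass
class Logon:
    when: datetime
    user: str
    logon_type: int
    source: str


def parse_logon(line: str) -> Optional[Logon]:
    """Return a Logon for a successful-logon (4624) record, else None."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(pair.split("=", 1) for pair in rest.split() if "=" in pair)
    if fields.get("EventID") != "4624":
        return None  # failed logons (4625) and other events are not logons
    return Logon(
        when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        user=fields["TargetUserName"],
        logon_type=int(fields["LogonType"]),
        source=fields.get("IpAddress", "-"),
    )


def post_reset_rdp_logons(lines: Iterable[str], reset_times: Dict[str, datetime]) -> List[dict]:
    """RDP logons that happened after the account's password was reset."""
    findings = []
    for line in lines:
        ev = parse_logon(line)
        if ev is None or ev.logon_type != RDP_LOGON_TYPE:
            continue  # only interactive RDP sessions are of interest here
        reset_at = reset_times.get(ev.user)
        if reset_at is not None and ev.when > reset_at:
            findings.append({
                "user": ev.user,
                "when": ev.when.isoformat(),
                "source": ev.source,
                "minutes_after_reset": int((ev.when - reset_at).total_seconds() // 60),
            })
    return findings


if __name__ == "__main__":
    for f in post_reset_rdp_logons(SAMPLE_LOG, RESET_TIMES):
        print(f"REVIEW: {f['user']} RDP logon from {f['source']} at {f['when']} "
              f"({f['minutes_after_reset']} min after password reset)")
```

On the sample data only the jdoe session from 198.51.100.23 is reported: the earlier jdoe RDP logon predates the reset, the type 3 event is a network logon rather than an RDP session, asmith has no recorded reset, and the 4625 record is a failed attempt. The check cannot tell which password was used, which is the whole problem the article describes, so its output is a review queue, not a verdict.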
What Are the Potential Risks of Microsoft’s Design Choice?
This “design decision” could give attackers an easier point of entry. It may bypass security measures such as MFA, allowing access with credentials that were previously exposed or breached.
Summary of the RDP Flaw
Here’s a summary of the key aspects:
| Aspect | Details |
|---|---|
| Issue | RDP access granted even after password change/revocation. |
| Cause | Credential caching: local storage of verified login data. |
| Implications | Creates potential backdoors, bypasses security measures. |
| Microsoft’s Stance | Acknowledged as a design decision to ensure login access. |
| Recommendation | No fix is given in the source; only general best practices are offered. |
