Summary

  • A Windows RDP weakness lets a password that has already been changed keep working.
  • Microsoft declines to classify the behavior as a bug or vulnerability.
  • Changing a Microsoft or Azure account password does not, in certain scenarios, stop remote access to the Windows PC over RDP with the old password.

Over the years, Windows devices have faced a myriad of challenges, a reality not surprising given the legacy code embedded within the operating system. A notable incident from the past involved Windows XP machines crashing when exposed to Janet Jackson’s Rhythm Nation. Today, a new concern has emerged, one that poses a significant security risk, yet Microsoft appears unperturbed by the implications.

Windows RDP isn’t as secure as you would think

Windows Remote Desktop Protocol (RDP) is a proprietary Microsoft technology for opening interactive sessions on Windows systems over the network. It is an invaluable tool for IT administrators, but precisely because it exposes interactive logon to the network, it is also a frequent avenue for attackers when it is exposed or misconfigured.

Security researcher Daniel Wade recently uncovered a troubling weakness in how Windows RDP authenticates users. Under specific circumstances, a password that has already been changed continues to work: even after resetting the password of an account used for RDP, the old password can still open a session on the host PC.

The issue arises on a Windows PC that is signed in with a Microsoft or Azure account and has RDP enabled. When such a user connects, the password can be validated either against a locally stored verifier or against the online Microsoft/Azure account. Wade found that after the password is reset for the online account, the old password still grants RDP access, because the locally cached verifier is not updated to match, leaving a serious gap between what the administrator changed and what the machine still accepts.

Vulnerability analyst Will Dormann expressed his concerns succinctly:

“It doesn’t make sense from a security perspective. If I’m a sysadmin, I’d expect that the moment I change the password of an account, then that account’s old credentials cannot be used anywhere. But this is not the case.”

Wade further noted that Microsoft Defender, Azure, and Entra ID do not flag this behavior, and there are no clear indicators when such activity occurs. Additionally, Microsoft’s documentation on the matter lacks clarity.
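Because the logs give no direct indicator of a logon that used the stale cached verifier, the practical check is to know which accounts can reach the host over RDP and who has actually connected. The script below is an added example for this article, not code from Wade or from Microsoft. It is written for Windows PowerShell 5.1 run as Administrator on the host under review; the registry values (fDenyTSConnections, UserAuthentication, CachedLogonsCount) and Security event 4624 with logon type 10 are documented Windows items, while the assumption that CachedLogonsCount does not govern Microsoft-account verifier caching is this example's own.

```powershell
# Added example (not from the original article): quick RDP exposure audit.
# Windows PowerShell 5.1, run as Administrator on the host being reviewed.

function Get-RdpPosture {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # fDenyTSConnections: 1 = RDP disabled, 0 = RDP enabled.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication: 1 = Network Level Authentication required for RDP-Tcp.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # CachedLogonsCount (REG_SZ, default "10") limits cached domain logons for offline use.
    # Assumption for this example: it does not change how Microsoft-account verifiers
    # are cached, which is the behavior the article describes.
    $cached = (Get-ItemProperty -Path $wl -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

    [pscustomobject]@{
        RdpEnabled        = ($deny -eq 0)
        NlaRequired       = ($nla -eq 1)
        CachedLogonsCount = $cached
    }
}

function Get-RdpPrincipals {
    # Members of either group may open an RDP session; list both so stale accounts stand out.
    foreach ($g in 'Remote Desktop Users', 'Administrators') {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Group'; e = { $g } }, Name, PrincipalSource, ObjectClass
    }
}

function Get-RecentRdpLogons {
    param([int]$Days = 7)
    # Security 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
    # The event does not record whether the password was checked against the local
    # cache or the identity provider, so it cannot tell "old password" from "new";
    # use it to see who connected from where, then reconcile with password-reset dates.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIp = $d['IpAddress']
                AuthPkg  = $d['AuthenticationPackageName']
            }
        }
    }
}

Get-RdpPosture | Format-List
Get-RdpPrincipals | Format-Table -AutoSize
Get-RecentRdpLogons -Days 14 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The output answers three questions an administrator needs after a password reset: whether the host is reachable over RDP at all, which accounts are allowed in, and which of them actually connected recently and from where. Any remote logon for an account dated after that account's password reset is worth a manual look, since the event alone cannot show which password was accepted.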

Microsoft: It’s a feature, not a bug

In response to Wade’s findings, Microsoft’s Security Response Center (MSRC) acknowledged the behavior but refrained from labeling it as a bug or vulnerability. The company asserts that this design is intentional, ensuring that “at least one user account always has the ability to log in no matter how long a system has been offline.” They did update their official documentation to include a cautionary note:

Caution: When a user performs a local logon, their credentials are verified locally against a cached copy before being authenticated with an identity provider over the network. If the cache verification is successful, the user gains access to the desktop even if the device is offline. However, if the user changes their password in the cloud, the cached verifier is not updated, which means that they can still access their local machine using their old password.

Interestingly, Microsoft has been aware of this issue since at least August 2023. Upon receiving reports of the supposed bug, the company reviewed its design and documentation but ultimately decided against code modifications, citing potential compatibility issues. As a result, it seems unlikely that the tech giant will address this “vulnerability,” despite the reasonable expectation that changing a password would render old credentials obsolete.