In recent discussions surrounding the security of Windows devices, a significant vulnerability has emerged regarding the Windows Remote Desktop Protocol (RDP). This protocol, widely utilized for remote access to Windows machines, has been found to allow old credentials to remain functional even after a password reset. Security researcher Daniel Wade has brought this issue to light, revealing that in certain scenarios, users can still connect to their systems using previously revoked credentials.
Windows RDP Isn’t as Secure as You Would Think
The RDP is a proprietary Microsoft protocol that facilitates remote connections, primarily used by IT administrators to manage tenant accounts. While its utility is undeniable, the potential for exploitation by malicious actors raises serious concerns. Wade’s findings indicate that when a Windows PC linked to a Microsoft or Azure account is configured for RDP, the old password can still grant access even after a reset. This occurs because the authentication process relies on locally stored credentials, which do not update in real-time with changes made online.
Wade’s research highlights a critical gap in security measures, as noted by fellow analyst Will Dormann, who expressed disbelief that old credentials could still be valid post-password change. He stated,
“It doesn’t make sense from a security perspective. If I’m a sysadmin, I’d expect that the moment I change the password of an account, then that account’s old credentials cannot be used anywhere. But this is not the case.”
Moreover, Wade pointed out that Microsoft’s security solutions, including Defender and Azure, do not flag this behavior, leaving users unaware of the potential risks. The documentation provided by Microsoft on this matter is also notably sparse, further complicating the issue.
Microsoft: It’s a Feature, Not a Bug
In response to Wade’s findings, Microsoft’s Security Response Center (MSRC) acknowledged the behavior but refrained from labeling it as a bug or vulnerability. The company asserts that this design is intentional, ensuring that at least one user account retains the ability to log in, regardless of how long the system has been offline. Microsoft has updated its documentation to clarify that when a user logs in locally, their credentials are verified against a cached copy before being authenticated with an identity provider over the network. If the cached verification succeeds, access is granted even if the device is offline. However, if a password is changed in the cloud, the cached verifier remains unchanged, allowing continued access with the old password.
Interestingly, Microsoft has been aware of this issue since at least August 2023. Upon receiving reports, the company reviewed the design and documentation but ultimately decided against making code modifications, citing potential compatibility issues. As a result, it appears unlikely that a patch will be forthcoming for this “vulnerability,” despite the expectation that changing a password would render old credentials obsolete.
