Windows log-in possible via RDP with revoked passwords

A security nightmare: attackers can log in with old, revoked passwords. Microsoft is not planning any changes.


After an attack, or once compromised credentials become known, admins revoke passwords and have them reset so that malicious actors cannot log in with the compromised data. If Remote Desktop Protocol (RDP) access is enabled, this does not help: the old passwords remain valid.

Ars Technica reports on this unexpected behavior. IT security researcher Daniel Wade reported it to the Microsoft Security Response Center (MSRC). According to him, old credentials continue to work over RDP, even on brand-new machines: newer passwords can be rejected while older ones still work. Neither Windows Defender, Entra ID nor Azure issues a warning, and there is no clear way for users to detect and correct the problem. Microsoft does not directly document this scenario.

According to Microsoft, this is a "design decision that ensures that at least one user account is able to log in, no matter how long the system has been offline". Therefore, this behavior does not meet the definition of a vulnerability. Microsoft has no plans to change this.

RDP is used to log on to (Windows) machines remotely in order to work on them in the same way as on a local computer; to do this, the software redirects the desktop output to the remote machine. If a computer with a Microsoft or Azure account has remote access enabled, users can log in via RDP with a password, which is checked against locally stored credentials. Alternatively, they can log in with the online account that local users have previously used to sign in to the PC.

However, the old password remains valid for remote access even after users have changed it. As a result, in some cases older passwords may work and newer ones may not. The end result is persistent RDP access that bypasses cloud verification, multi-factor authentication and access control policies. Wade puts it starkly in his report: "This creates a silent, remote backdoor into any system where a password has been cached. Even if attackers never had access to the system, Windows trusts the password."


The cause is credential caching. When a user logs in with a Microsoft or Azure account for the first time, RDP validates the password online. Windows then stores a cryptographically protected copy of the credentials locally on the PC or notebook. From then on, Windows checks every password entered for an RDP session against that locally stored copy, without online validation. Therefore, even revoked passwords allow access via RDP.

Microsoft has responded to Wade's security report by updating its online documentation on Windows login scenarios. "When users perform a local login, their credentials are verified locally against a cached copy before authentication via identity providers on the network. If the verification via the cache is successful, users are granted access even if the machine is offline. If users change their password in the cloud, the local cache is not updated, which means that they can still access their local machine with the old password," the company now writes there.

According to IT security researcher Will Dormann, the update is too hard for most admins to find and is also not sufficiently explicit. It lacks information on how those affected can secure RDP if their Azure or Microsoft account is compromised. Wade was apparently not the first to report the problem: Microsoft told him that another IT security researcher had already raised it in 2023. "We had originally considered a code change for this issue, but after further review of the design documentation, it became apparent that code changes could impact compatibility with features used by many applications."
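Since the article notes that Microsoft's documentation does not say how to secure an affected machine, the following is an added defender-side inventory script; it is not from the heise article, from Wade's report or from Microsoft. It reads the documented Windows registry values for Remote Desktop (fDenyTSConnections), Network Level Authentication (UserAuthentication under RDP-Tcp) and the classic logon cache size (CachedLogonsCount under Winlogon), and lists recent RDP logons from Security event 4624 with logon type 10 (RemoteInteractive). The function name Get-RdpExposureReport and the -Days parameter are this example's own. One assumption is flagged in the code: CachedLogonsCount governs the domain-credential cache, and whether it also limits the cloud-account cache the article describes is not confirmed by the article.

```powershell
# Added example, not from the article or from Microsoft. Read-only: it
# inventories RDP-related settings and recent RDP logons on this host.
#
# Assumption: CachedLogonsCount controls the domain (MSV1_0) logon cache.
# The article does not say whether it also applies to the Microsoft/Azure
# account cache it describes, so treat that value as context, not a fix.

function Get-RdpExposureReport {
    [CmdletBinding()]
    param(
        [int]$Days = 7   # how far back to look for RDP logons
    )

    $tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp   = "$tsKey\WinStations\RDP-Tcp"
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # fDenyTSConnections = 1 means Remote Desktop is disabled.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # CachedLogonsCount is a string value; the default is "10", "0" disables the cache.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

    # Security event 4624 with LogonType 10 = RemoteInteractive (RDP session).
    $since = (Get-Date).AddDays(-$Days)
    $rdpLogons = @()
    # Reading the Security log needs an elevated session; without it, or with no
    # matching events, $events is empty and the list below stays empty.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in @($events)) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $type = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        if ($type -eq '10') {
            $rdpLogons += [pscustomobject]@{
                Time   = $e.TimeCreated
                User   = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
                Domain = ($data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
                Source = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            }
        }
    }

    [pscustomobject]@{
        RdpEnabled        = ($deny -ne 1)
        NlaRequired       = ($nla -eq 1)
        CachedLogonsCount = $cached
        RdpLogonsLastDays = $rdpLogons
    }
}

# Usage: run in an elevated PowerShell session on the host being reviewed.
$report = Get-RdpExposureReport -Days 7
$report | Format-List RdpEnabled, NlaRequired, CachedLogonsCount
$report.RdpLogonsLastDays | Sort-Object Time -Descending | Format-Table -AutoSize
```

The point of the logon listing is the article's detection gap: because the cached check happens locally and nothing in Entra ID or Azure warns about it, the host's own Security log is the place where an RDP logon that succeeded with a since-revoked password would still show up, so a source address or account that should no longer be able to log in is worth following up. Disabling Remote Desktop where it is not needed and requiring NLA reduce exposure, but neither changes the caching behavior the article describes.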

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.