Summary

  • Windows RDP security flaw allows old credentials to still function.
  • Microsoft refuses to classify the issue as a bug.
  • Changing passwords does not prevent remote access to Windows PCs through RDP in certain scenarios.

Yesterday, we touched upon the topic of Windows devices having issues over the past few decades, which isn't entirely surprising considering that the operating system's software contains ancient pieces of code. A prominent example of this is when Windows XP PCs used to crash if Janet Jackson's Rhythm Nation was being played in their vicinity. Now, another problem has been reported, which actually poses a dire security risk, yet Microsoft has refused to do anything in response.

Windows RDP isn't as secure as you would think

You're probably familiar with Windows Remote Desktop Protocol (RDP). It's the proprietary Microsoft protocol that can be used to remotely connect to and access Windows machines. Perhaps its most popular use-case involves IT admins in an organization connecting to tenant accounts to resolve their issues. It's a very useful protocol, but if it's exploited by a malicious actor, it's understandably dangerous.

Now, security researcher Daniel Wade (thanks, Ars Technica) has discovered a particularly serious vulnerability in Windows RDP. Apparently, the protocol allows revoked credentials to still function in certain cases. This essentially means that even if the password for Windows RDP is reset to something else, you'll still be able to remotely connect to the host PC using the old credentials.

This happens when a Windows PC signed in to a Microsoft or Azure account is configured to use RDP. Authenticated users can remotely access this PC either with a dedicated password that is validated against locally stored credentials, or with the Microsoft/Azure account itself. However, Wade discovered that even after the password for this online account is reset, the old password can still be used, which is a major vulnerability.

Another vulnerability analyst, Will Dormann, noted that:

It doesn't make sense from a security perspective. If I'm a sysadmin, I'd expect that the moment I change the password of an account, then that account's old credentials cannot be used anywhere. But this is not the case.

Wade further highlighted that Defender, Azure, and Entra ID don't flag this behavior. Additionally, there are no clear indicators whenever this activity does happen, and Microsoft's documentation on the topic is fairly sparse too.

Microsoft: It's a feature, not a bug

In response to the report from Wade, Microsoft's Security Response Center (MSRC) acknowledged the behavior, but declined to classify it as a bug or a vulnerability. It claims that this design is intentional, and that it ensures that "at least one user account always has the ability to log in no matter how long a system has been offline." That said, the company did update its official documentation, which now states:

Caution

When a user performs a local logon, their credentials are verified locally against a cached copy before being authenticated with an identity provider over the network. If the cache verification is successful, the user gains access to the desktop even if the device is offline. However, if the user changes their password in the cloud, the cached verifier is not updated, which means that they can still access their local machine using their old password.

It's also rather interesting to note that Microsoft has been aware of the issue since at least August 2023. However, when it received reports of this supposed bug back then, it reviewed the design and documentation of its implementation, and ended up deciding that code modifications would cause compatibility issues, so the juice is not worth the squeeze. All in all, it's unlikely that the Redmond firm will patch this "vulnerability", even though you would think that changing your password to a service would mean that it can't be used for the same access again.