IT'S A FEATURE, NOT A BUG
Windows RDP lets you log in using revoked passwords. Microsoft is OK with that.
Researchers say the behavior amounts to a persistent backdoor.
Dan Goodin
–
Apr 30, 2025 2:36 pm
The logo Microsoft displays for its Remote Desktop app.
Credit:
Microsoft
From the department of head scratches comes this counterintuitive news: Microsoft says it has no plans to change a remote login protocol in Windows that allows people to log in to machines using passwords that have been revoked.
Password changes are among the first steps people should take in the event that a password has been leaked or an account has been compromised. People expect that once they've taken this step, none of the devices that relied on the password can be accessed.
Not just a bug
The Remote Desktop Protocol—the proprietary mechanism built into Windows for allowing a remote user to log in to and control a machine as if they were directly in front of it—however, will in many cases continue trusting a password even after a user has changed it. Microsoft says the behavior is a design decision to ensure users never get locked out.
Independent security researcher Daniel Wade reported the behavior earlier this month to the Microsoft Security Response Center. In the report, he provided step-by-step instructions for reproducing the behavior. He went on to warn that the design defies nearly universal expectations that once a password has been changed, it can no longer give access to any devices or accounts associated with it.
“This Isn’t Just a Bug. It’s a Trust Breakdown,” Wade wrote in his report. “People trust that changing their password will cut off unauthorized access.” He continued:
It’s the first thing anyone does after suspecting compromise. And yet:
Old credentials continue working for RDP—even from brand-new machines.
Defender, Entra ID, and Azure don’t raise any flags.
There is no clear way for end-users to detect or fix the issue.
No Microsoft documentation or guidance addresses this scenario directly.
Even newer passwords may be ignored while older ones continue to function.
The result? Millions of users—at home, in small businesses, or hybrid work setups—are unknowingly at risk.
In response, Microsoft said the behavior is “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” As such, Microsoft said the behavior doesn’t meet the definition of a security vulnerability, and company engineers have no plans to change it.
The ability to use a revoked password to log in through RDP occurs when a Windows machine that’s signed in with a Microsoft or Azure account is configured to enable remote desktop access. In that case, users can log in over RDP with a dedicated password that’s validated against a locally stored credential. Alternatively, users can log in using the credentials for the online account that was used to sign in to the machine.
A screenshot of an RDP configuration window showing a Microsoft account (for Hotmail) has remote access.
Even after users change their account password, however, it remains valid for RDP logins indefinitely. In some cases, Wade reported, multiple older passwords will work while newer ones won’t. The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.
Wade and another expert in Windows security said that the little-known behavior could prove costly in scenarios where a Microsoft or Azure account has been compromised, for instance when the passwords for them have been publicly leaked. In such an event, the first course of action is to change the password to prevent an adversary from using it to access sensitive resources. While the password change prevents the adversary from logging in to the Microsoft or Azure account, the old password will give an adversary access to the user’s machine through RDP indefinitely.
“This creates a silent, remote backdoor into any system where the password was ever cached,” Wade wrote in his report. “Even if the attacker never had access to that system, Windows will still trust the password.”
Will Dormann, a senior vulnerability analyst at security firm Analygence, agreed.
"It doesn't make sense from a security perspective," he wrote in an online interview. "If I'm a sysadmin, I'd expect that the moment I change the password of an account, then that account's old credentials cannot be used anywhere. But this is not the case."
Credential caching is a problem
The mechanism that makes all of this possible is credential caching on the hard drive of the local machine. The first time a user logs in using Microsoft or Azure account credentials, RDP will confirm the password's validity online. Windows then stores the credential in a cryptographically secured format on the local machine. From then on, Windows will validate any password entered during an RDP login by comparing it against the locally stored credential, with no online lookup. With that, the revoked password will still give remote access through RDP.
In its response to Wade’s report, Microsoft said it had updated online documentation here to make users better informed about the behavior. The update adds the following sentences:
Caution
When a user performs a local logon, their credentials are verified locally against a cached copy before being authenticated with an identity provider over the network. If the cache verification is successful, the user gains access to the desktop even if the device is offline. However, if the user changes their password in the cloud, the cached verifier is not updated, which means that they can still access their local machine using their old password.
Dormann said the update isn't easy for most admins to spot and isn't explicit enough. The update also fails to advise users what steps they should take to lock down RDP in the event their Microsoft or Azure account is compromised. Dormann said the only course of action is to configure RDP to authenticate against locally stored credentials only.
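One way to audit for, and apply, the mitigation Dormann describes, as an added PowerShell example that is not from the article, Wade's report or Microsoft: it lists members of the local Remote Desktop Users and Administrators groups whose PrincipalSource is MicrosoftAccount or AzureAD (the accounts whose RDP logon is checked against the locally cached verifier), and with -Enforce replaces the cloud-backed members of Remote Desktop Users with a dedicated local account. The account name rdp-local and the -Enforce switch are this example's own assumptions.

```powershell
# Added example (not from the article or Microsoft). Run in an elevated PowerShell
# on Windows 10/11; uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical name for the dedicated local RDP account; pick your own.
    [string] $LocalRdpUser = 'rdp-local',
    # Without -Enforce the script only reports; with it, it changes group membership.
    [switch] $Enforce
)

$rdpGroup = 'Remote Desktop Users'
# PrincipalSource separates Local accounts from MicrosoftAccount / AzureAD ones.
$cloudSources = @('MicrosoftAccount', 'AzureAD')

# Both groups may log on over RDP: Administrators are always allowed, not just
# the explicit Remote Desktop Users list shown in the Windows settings page.
$findings = foreach ($g in @($rdpGroup, 'Administrators')) {
    Get-LocalGroupMember -Group $g |
        Where-Object { "$($_.PrincipalSource)" -in $cloudSources } |
        Select-Object @{n = 'Group'; e = { $g } }, Name, PrincipalSource
}

if (-not $findings) {
    Write-Host "No Microsoft/Entra ID accounts can log on over RDP; local accounts only."
    return
}
Write-Warning "These RDP-capable accounts are validated against a cached cloud verifier that a cloud password change does not refresh:"
$findings | Format-Table -AutoSize

if (-not $Enforce) {
    Write-Host "Re-run with -Enforce to create '$LocalRdpUser' and remove cloud accounts from '$rdpGroup'."
    return
}

# Create the dedicated local account if it does not exist; the password is prompted for.
if (-not (Get-LocalUser -Name $LocalRdpUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for new local account '$LocalRdpUser'"
    New-LocalUser -Name $LocalRdpUser -Password $pw | Out-Null
}
if ($PSCmdlet.ShouldProcess($rdpGroup, "add $LocalRdpUser")) {
    Add-LocalGroupMember -Group $rdpGroup -Member $LocalRdpUser -ErrorAction SilentlyContinue
}

# Remove cloud-backed members from Remote Desktop Users so a stale cached password
# can no longer open an RDP session. Administrators are only reported above:
# demoting them is a separate decision that must not lock the owner out.
foreach ($m in ($findings | Where-Object Group -eq $rdpGroup)) {
    if ($PSCmdlet.ShouldProcess($m.Name, "remove from $rdpGroup")) {
        Remove-LocalGroupMember -Group $rdpGroup -Member $m.Name
    }
}
```

After enforcing, confirm with `Get-LocalGroupMember -Group 'Remote Desktop Users'` that only Local principals remain; a Microsoft account that is also a local administrator still needs handling on its own.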
A spokesperson for Microsoft said the company would "be in touch if Microsoft has anything to share." They never followed up.
Microsoft told Wade that he wasn't the first person to report the behavior as a security vulnerability, indicating that company security engineers have been aware of the behavior for nearly two years.
"We have determined that this is an issue that has already been reported to us by another researcher in August 2023, so this case is not eligible for a bounty award," company employees told Wade. "We originally looked at a code change for this issue, but after further review of design documentation, changes to code could break compatibility with functionality used by many applications."
Dan Goodin
Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.