Independent researchers have discovered, or should we say rediscovered, a major security vulnerability in Microsoft's Remote Desktop Protocol (RDP). Previously known as Terminal Services, RDP appears to be designed to always validate a previously used password for remote connections to a Windows machine, even when that password has been revoked by a system administrator or compromised in a security breach.
The flaw violates universally acknowledged operational security (opsec) practices – and then some. When a password is changed, it should no longer provide access to a remote system. "People trust that changing their password will cut off unauthorized access," Wade said.
According to Microsoft, the behavior is a design decision meant to "ensure that at least one user account always has the ability to log in no matter how long a system has been offline."
The company had already been warned about this backdoor by other researchers in August 2023, making the new analysis ineligible for a bounty award. Redmond engineers reportedly attempted to modify the code to eliminate the backdoor but abandoned the effort, as the changes could break compatibility with a Windows feature that many applications still rely on.
brucek, May 2, 2025, 3:30 PM
And on the flip side, RDP doesn't recognize a valid Microsoft Account password that is not cached on the local machine. This can easily happen on a new install where you've only logged in using methods other than the password (PIN, Windows Hello, etc.). This is a great way to lose an hour wondering why you can't log in, because it's so easy to think the problem must be some other configuration problem with setting up RDP or elsewhere in the system.
FireStormOOO, May 2, 2025, 9:05 PM
This is cached credentials working the same way it has for decades, and it's been configurable by GPO for almost as long. The administrator chooses how long the server will remember stale credentials if it can't reach a domain controller immediately to check. No, the defaults don't make sense for a server that expects 100% availability of your authentication infrastructure.
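A defender's check for the setting the comment above refers to, added here as an example and not code from the article or from either commenter. It assumes the GPO meant is "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", which Windows stores in the `CachedLogonsCount` registry value (default 10 when unset), and it also reports whether Remote Desktop is enabled via `fDenyTSConnections`. Whether this policy also governs the Microsoft Account caching case described in the article is not something the page states, so the script only audits the domain cached-logon policy it names.

```powershell
# Added audit example (not from the article or the commenters).
# Assumption: the GPO referred to above is "Interactive logon: Number of previous
# logons to cache", persisted in the CachedLogonsCount value below.
# Run in an elevated PowerShell session on the host being audited.

function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        # Largest cached-logon count you consider acceptable; 0 means caching disabled.
        [int]$MaxAllowed = 0
    )

    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $valueName   = 'CachedLogonsCount'

    $item = Get-ItemProperty -Path $winlogonKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows falls back to its built-in default of 10 cached logons.
        $count  = 10
        $source = 'default (value not set)'
    } else {
        $count  = [int]$item.$valueName
        $source = 'registry'
    }

    # Cached credentials matter most where the host accepts remote logons, so also
    # report whether Remote Desktop connections are allowed (0 = allowed).
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts    = Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ([int]$ts.fDenyTSConnections -eq 0)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $count
        Source            = $source
        RdpEnabled        = $rdpEnabled
        ExceedsThreshold  = ($count -gt $MaxAllowed)
    }
}

# Example run: flag any host that still caches logons while exposing RDP.
Get-CachedLogonPolicy -MaxAllowed 0 |
    Where-Object { $_.RdpEnabled -and $_.ExceedsThreshold } |
    Format-List
```

The function returns an object rather than printing, so it can be run across a fleet (for example via `Invoke-Command`) and the results collected and compared against the value the organisation actually intends, rather than the default the commenter notes does not suit servers that expect their authentication infrastructure to be always reachable.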