CyberSecurity news
@arstechnica.com
Microsoft is facing scrutiny over a design choice in its Remote Desktop Protocol (RDP) that allows users to log in with old, expired passwords. Security researcher Daniel Wade discovered that Windows RDP accepts previously used passwords, even after they have been changed or revoked. This means that if an attacker or unauthorized user once had access to a system and the password was cached, that old password remains valid for RDP login indefinitely, creating a potential "silent, remote backdoor." Microsoft has acknowledged this behavior, stating it's an intentional design decision to ensure at least one account can always log in, even if the system has been offline for an extended period.
Security experts are raising concerns about the security implications of this feature. David Shipley, head of Beauceron Security, suggests CISOs should reconsider using RDP, calling it a "really risky move." The vulnerability bypasses cloud verification, multifactor authentication (MFA), and Conditional Access policies, leaving systems vulnerable even if protective measures are in place. Analyst Will Dormann emphasizes that administrators expect revoked credentials to be unusable across the board, but this is not the case with RDP.
The discovery comes as Microsoft is actively pushing for a passwordless future. The company has already started defaulting new accounts to passwordless methods using passkeys, aiming to improve security and reduce phishing risks. Existing users can also switch to passwordless options in their account settings. However, the RDP flaw presents a contradictory security risk, as it undermines the trust users place in password changes and creates an avenue for unauthorized access via outdated credentials. Microsoft has stated it currently has no plans to change this behavior in RDP.
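Because RDP can validate a cached, pre-rotation password, a password change by itself does not prove the old credential is dead; the logons worth reviewing are RDP sessions established after the change. The following is an added example, not code from the article or from Microsoft: it scans constructed Windows Security-log records for RDP logons (event 4624 with logon type 10) that follow a password change or reset (events 4723 and 4724) for the same account, and marks those that come from a source address not seen before the rotation. The `key=value` record layout and the sample lines are constructed for the example; the event IDs and field names (TargetUserName, LogonType, IpAddress) are the real ones from the Security log.

```python
"""Review helper (added example): list RDP logons that occurred after an
account's password was changed or reset, so they can be checked against
the possibility that a cached, pre-change password was used.

Real Windows Security event IDs used:
  4723 - an attempt was made to change an account's password
  4724 - an attempt was made to reset an account's password
  4624 - an account was successfully logged on (LogonType 10 = RemoteInteractive / RDP)
The single-line 'key=value' record format below is a constructed simplification
of the event XML, not the log's native format."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

PASSWORD_CHANGE_EVENTS = {4723, 4724}
LOGON_EVENT = 4624
RDP_LOGON_TYPE = 10


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    target_user: str
    logon_type: Optional[int] = None
    ip_address: Optional[str] = None


def parse_event(line: str) -> Event:
    """Parse one constructed 'Key=Value Key=Value ...' record into an Event."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Event(
        time=datetime.fromisoformat(fields["Time"]),
        event_id=int(fields["EventID"]),
        target_user=fields["TargetUserName"],
        logon_type=int(fields["LogonType"]) if "LogonType" in fields else None,
        ip_address=fields.get("IpAddress"),
    )


def rdp_logons_after_password_change(lines: List[str]) -> List[dict]:
    """Return every RDP logon that happened after the account's most recent
    password change/reset. 'new_source' is True when the source address was
    never seen for that account in an RDP logon before the change."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e.time)
    last_change: Dict[str, datetime] = {}
    ips_before_change: Dict[str, Set[str]] = {}
    flagged: List[dict] = []
    for ev in events:
        user = ev.target_user.lower()
        if ev.event_id in PASSWORD_CHANGE_EVENTS:
            last_change[user] = ev.time
            continue
        if ev.event_id != LOGON_EVENT or ev.logon_type != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons are of interest here
        if user in last_change:
            change_time = last_change[user]
            flagged.append({
                "user": user,
                "time": ev.time.isoformat(),
                "ip_address": ev.ip_address,
                "minutes_since_change": int((ev.time - change_time).total_seconds() // 60),
                "new_source": ev.ip_address not in ips_before_change.get(user, set()),
            })
        else:
            # RDP logon before any recorded change: remember the source for later comparison
            ips_before_change.setdefault(user, set()).add(ev.ip_address)
    return flagged


# Constructed sample records: alice's password is reset by an admin (4724) at 09:30,
# then RDP logons continue from a known source and later from an unfamiliar one.
SAMPLE_LOG = [
    "Time=2025-05-01T08:00:00 EventID=4624 TargetUserName=alice LogonType=10 IpAddress=10.0.0.5",
    "Time=2025-05-01T09:30:00 EventID=4724 TargetUserName=alice",
    "Time=2025-05-01T10:15:00 EventID=4624 TargetUserName=alice LogonType=10 IpAddress=10.0.0.5",
    "Time=2025-05-02T02:10:00 EventID=4624 TargetUserName=alice LogonType=10 IpAddress=203.0.113.7",
    "Time=2025-05-02T03:00:00 EventID=4624 TargetUserName=alice LogonType=3 IpAddress=203.0.113.7",
    "Time=2025-05-02T04:00:00 EventID=4624 TargetUserName=bob LogonType=10 IpAddress=10.0.0.9",
]

if __name__ == "__main__":
    for hit in rdp_logons_after_password_change(SAMPLE_LOG):
        print(hit)
```

Run against the constructed sample, the helper reports two post-reset RDP logons for `alice` (one from the previously seen 10.0.0.5, one from the never-before-seen 203.0.113.7) and nothing for `bob`, whose password was not changed. The output only narrows review to sessions that could have used a cached credential; the log itself does not record which password value was accepted, so confirming a stale-password logon still requires checking the session against the account owner and the rotation record.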
References:
- cybersecuritynews.com: Windows RDP Bug Allows Login With Expired Passwords – Microsoft Confirms No Fix
- www.csoonline.com: CISOs should re-consider using Microsoft RDP due to password flaw, says expert
- Davey Winder: Windows Warning — Microsoft Confirms Old Login Passwords Can Still Be Used
- www.techradar.com: Microsoft RDP apparently lets you log in with expired passwords - and it apparently doesn't have plans to fix the issue