
Is Your Windows PC at Risk? The Shocking Truth About RDP Cached Passwords

Can Revoked Passwords Still Breach Your Security? Unveiling the Windows RDP Flaw

Windows Remote Desktop Protocol (RDP) is a widely used feature that allows users to remotely access and control Windows computers. However, a critical security concern has come to light: Windows RDP may allow access using old, revoked passwords stored in a local cache, even after those passwords have been changed or invalidated in the cloud.

What’s Happening?

When you log into a Windows machine via RDP using a Microsoft or Azure account, Windows saves your credentials in an encrypted local cache after the first successful login. If you later change your Microsoft or Azure password (for example, after a suspected compromise), the old password remains valid for RDP access as long as it’s cached locally.

This means that even after a password reset, someone with knowledge of your previous password could still remotely access your computer using RDP. The issue bypasses key security measures such as cloud authentication, Multi-Factor Authentication (MFA), and Conditional Access Policies, leaving systems exposed.

Why Is This a Problem?

Persistent Backdoor

Security researchers describe this as a “silent, remote backdoor” that undermines user trust. Changing your password, a standard security practice, no longer guarantees that access has been revoked.

Lack of Transparency

Microsoft has not clearly communicated this risk to end users. There are no warnings or alerts when old credentials remain active.

No Immediate Fix

Microsoft has acknowledged the issue but considers it a design decision, not a vulnerability. The company claims this ensures users can always access their machines, even after being offline for extended periods.

Compatibility Concerns

Microsoft cites potential compatibility issues with existing applications as a reason for not changing this behavior.

How Does the Caching Work?

After the initial RDP connection, Windows validates credentials against the local cache, not the cloud. This allows old passwords to continue working for RDP logins, even if they have been revoked or changed online. In some cases, multiple old passwords may work, while the newest password may not be recognized immediately.

Security Implications

  • Compromised Accounts Remain Vulnerable: If a password has been leaked or compromised, changing it does not fully protect your system from remote access via RDP.
  • Bypassing Modern Security: This flaw can bypass MFA and conditional access policies, which are essential for protecting sensitive accounts and data.
  • No User Notification: Users are not notified that old passwords remain valid for RDP, increasing the risk of undetected unauthorized access.

What Can You Do?

While Microsoft does not plan to address this issue, there are steps you can take to mitigate the risk:

Limit Cached Logins

Set the Group Policy “Interactive logon: Number of previous logons to cache (in case domain controller is not available)” to 0. This forces online authentication and prevents the use of cached credentials.

Restrict RDP Access

Limit RDP access to local accounts only, or disable RDP entirely if not needed.

Monitor Remote Access

Regularly review remote login activity and audit user accounts for suspicious access patterns.

Educate Users

Inform users and administrators about this risk so they can take appropriate precautions.
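The following PowerShell script is an added example, not part of the original article, that checks the first and third mitigations above on a Windows host: it reads the registry value that the “Number of previous logons to cache” policy sets, and summarises recent RDP logons from the Security event log. It assumes it is run elevated (reading the Security log requires administrator rights) and that the default look-back of 7 days is acceptable.

```powershell
# Added example (not from the article): audit cached-logon policy and RDP logon activity.
# Run elevated on the Windows host being checked.

# 1. The "Interactive logon: Number of previous logons to cache" policy writes
#    CachedLogonsCount (REG_SZ) under the Winlogon key; 0 forces online authentication.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }   # Windows default when the value is absent
if ([int]$cached -eq 0) {
    Write-Host "CachedLogonsCount = 0: cached logons are disabled, online authentication is required"
} else {
    Write-Warning "CachedLogonsCount = $cached: up to $cached previous logons remain usable from the local cache"
}

# 2. Review RDP logons: Security event 4624 with LogonType 10 (RemoteInteractive),
#    grouped by account and source address for the last 7 days.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$rdp = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    # Map each <Data Name="..."> element by name so the script does not depend on field order
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '10') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source  = $d['IpAddress']
            Package = $d['AuthenticationPackageName']
        }
    }
}
if (-not $rdp) {
    Write-Host "No RDP (LogonType 10) logons found since $since"
} else {
    $rdp | Group-Object Account, Source |
        Select-Object @{ n = 'Account, Source'; e = { $_.Name } }, Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
        Sort-Object Count -Descending | Format-Table -AutoSize
}
```

Unexpected account/source pairs, or RDP logons that continue after a password reset, are the pattern worth following up from this output.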

“This creates a silent, remote backdoor into any system where the password was ever cached… Even if the attacker never accessed that system, Windows will still recognize the password as valid.” – Daniel Wade, Security Researcher

Stay vigilant and review your RDP settings to protect your systems from this overlooked security flaw.