is configured to enable remote desktop access
Alternatively, users can log in using the credentials for the online account that was used to sign in to the machine.
Screenshot: an RDP configuration window showing that a Microsoft account (for Hotmail) has remote access.
Even after users change their account password, however, it remains valid for RDP logins indefinitely.
The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.

Wade and another expert in Windows security said that the little-known behavior could prove costly in scenarios where a Microsoft or Azure account has been compromised, for instance when the passwords for them have been publicly leaked.
In such an event, the first course of action is to change the password to prevent an adversary from using it to access sensitive resources.
While the password change prevents the adversary from logging in to the Microsoft or Azure account, the old password will give an adversary
at security firm Analygence, agreed. "It doesn't make sense from a security perspective," he wrote in an online interview.
"If I'm a sysadmin, I'd expect that the moment I change the password of an account, then that account's old credentials cannot be used. But this is not the case."

Credential caching is a problem

The mechanism that makes all of this possible is credential caching on the hard drive of the local machine.
The first time a user logs in using Microsoft or Azure account credentials, RDP will confirm the password's validity online.
Windows then stores the credential in a cryptographically secured format on the local machine.
From then on, Windows will validate any password entered during an RDP login by comparing it against the locally stored credential, with no
With that, the revoked password will still give remote access through RDP.