18
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
The ability to use a revoked password to log in through RDP occurs when a Windows machine thats signed in with a Microsoft or Azure account is configured to enable remote desktop access.
In that case, users can log in over RDP with a dedicated password thats validated against a locally stored credential.
Alternatively, users can log in using the credentials for the online account that was used to sign in to the machine.
A screenshot of an RDP configuration window showing a Microsoft account (for Hotmail) has remote access.
Even after users change their account password, however, it remains valid for RDP logins indefinitely.
In some cases, Wade reported, multiple older passwords will work while newer ones wont.
The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.Wade and another expert in Windows security said that the little-known behavior could prove costly in scenarios where a Microsoft or Azure account has been compromised, for instance when the passwords for them have been publicly leaked.
In such an event, the first course of action is to change the password to prevent an adversary from using it to access sensitive resources.
While the password change prevents the adversary from logging in to the Microsoft or Azure account, the old password will give an adversary access to the users machine through RDP indefinitely.This creates a silent, remote backdoor into any system where the password was ever cached, Wade wrote in his report.
Even if the attacker never had access to that system, Windows will still trust the password.Will Dormann, a senior vulnerability analyst at security firm Analygence, agreed."It doesn't make sense from a security perspective," he wrote in an online interview.
"If I'm a sysadmin, I'd expect that the moment I change the password of an account, then that account's old credentials cannot be used anywhere.
But this is not the case."Credential caching is a problemThe mechanism that makes all of this possible is credential caching on the hard drive of the local machine.
The first time a user logs in using Microsoft or Azure account credentials, RDP will confirm the password's validity online.
Windows then stores the credential in a cryptographically secured format on the local machine.
From then on, Windows will validate any password entered during an RDP login by comparing it against the locally stored credential, with no online lookup.
With that, the revoked password will still give remote access through RDP.
