Microsoft Confirms: Old Windows Passwords Can Still Grant RDP Access – And It’s Intentional

In a shocking revelation that has security experts raising eyebrows, Microsoft has confirmed that in certain scenarios, old, revoked Windows passwords can still be used to log in via Remote Desktop Protocol (RDP). Even more surprising? Microsoft considers this behavior a feature, not a bug, and has no current plans to change it.

This seemingly unbelievable situation arises when a Windows machine signed in with a Microsoft or Azure account is configured for remote desktop access. Users can log in either with a dedicated password validated against locally stored credentials, or with their online account credentials. The issue is that even after the user changes their account password, the old password remains valid for RDP logins indefinitely, effectively bypassing cloud verification, multifactor authentication, and Conditional Access policies.


Security researcher Daniel Wade discovered this vulnerability and reported it to Microsoft. He found that these old credentials worked even from new machines, with no red flags raised by Microsoft’s security protections. He describes this as creating a "silent, remote backdoor" into any system where the password was ever cached.

Will Dormann, a senior vulnerability analyst at security firm Analygence, concurred, stating: "It doesn't make sense from a security perspective. If I'm a sysadmin, I'd expect that the moment I change the password of an account, then that account's old credentials cannot be used anywhere. But this is not the case."

The root cause of this security lapse is credential caching. When a user logs in via RDP using their Microsoft or Azure account for the first time, Windows confirms the password's validity online and then stores the credential locally in a cryptographically secured format. Subsequent RDP logins validate against this locally stored credential, bypassing any online check. This means a revoked password can still grant remote access.
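As an added illustration (not from the article, and not Windows code), the following simplified Python model contrasts the cache-first validation described above with a design that asks the cloud whenever it is online and keeps the cached verifier only as an offline fallback; every class and function name here is this example's own.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of the design the article describes: an RDP host
# that trusts its locally cached verifier instead of asking the cloud. The names
# and structure are this example's own, not Windows internals.

class CloudIdentity:  # stands in for the Microsoft / Azure account service
    def __init__(self):
        self._passwords = {}
    def set_password(self, user, password):
        self._passwords[user] = password
    def validate(self, user, password):
        return hmac.compare_digest(self._passwords.get(user, ""), password)

def make_verifier(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # cached form

def verifier_matches(verifier, password):
    salt, digest = verifier
    return hmac.compare_digest(make_verifier(password, salt)[1], digest)

class RdpHost:
    def __init__(self, cloud, cache_first):
        self.cloud, self.cache_first, self.cache = cloud, cache_first, {}

    def logon(self, user, password, online):
        cached = self.cache.get(user)
        if self.cache_first and cached is not None:
            # Behaviour the article describes: the cached verifier wins, cloud is never asked.
            return verifier_matches(cached, password)
        if online:
            ok = self.cloud.validate(user, password)
            if ok:
                self.cache[user] = make_verifier(password)  # refresh after online success
            elif cached is not None and verifier_matches(cached, password):
                del self.cache[user]  # cloud rejects what the cache accepts: stale, evict it
            return ok
        # Offline only: cache fallback is the trade-off that keeps the machine reachable.
        return cached is not None and verifier_matches(cached, password)

def old_password_still_works(cache_first):  # online logon, cloud password change, retry old
    cloud = CloudIdentity()
    host = RdpHost(cloud, cache_first)
    cloud.set_password("alice", "OldPass!1")
    assert host.logon("alice", "OldPass!1", online=True)  # first logon populates the cache
    cloud.set_password("alice", "NewPass!2")  # password rotated after a suspected compromise
    return host.logon("alice", "OldPass!1", online=True)
```

With `cache_first=True` the rotated-away password is still accepted while the host is online, which is the failure mode the article reports; with `cache_first=False` the cloud rejects it and the stale verifier is evicted, so it cannot be replayed offline later either.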


Microsoft's response to Wade was that this behavior is a "design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline." The company has updated its documentation to reflect this behavior, stating that if a user changes their password in the cloud, the cached verifier is not updated, allowing access with the old password.

This explanation has done little to quell the concerns of security experts, who see this as a significant risk. When a Microsoft or Azure account has been compromised, changing the password to cut off further access is a standard response. This vulnerability undermines that response: the old password can still be used to gain RDP access to the user’s machine, which makes it a major security risk.

Microsoft has reportedly known about this issue since at least August 2023 but decided against code modifications due to potential compatibility issues. While intended to ensure offline access, this “feature” opens a significant backdoor that attackers can exploit.

What do you think about Microsoft's stance on this issue? Is it a reasonable trade-off for offline access, or a dangerous security vulnerability? Share your thoughts in the comments below!
