News Microsoft has no plans to fix Windows RDP bug that lets you log in with old passwords

Toggle sidebar Toggle sidebar
The only situation where I might kind-of, sorta, grudgingly like this feature is if someone hacked into my account and changed the password to lock me out, but this really doesn't fix that issue. With this system, they're still in, and you probably won't have a clue about it. You're much better off having 2FA and adding in an account recovery process with that. Maybe have your regular password and 2FA for regular log-in, and your different, extra secure 2FA for account recovery.
This is a huge problem. It needs to be fixed.
 
Sounds like Microsoft forgot about the concept of password reset disks. Shouldn't be hard to do a modern implementation of that and fix that at the same time if they were so concerned about not locking people out of accounts permanently.
 
It doesn't seem to be a big deal to consumer computers. Remote access is very easy to turn off at the PC or block at your router's firewall or both. This isn't going to work if the service isn't running or the port is blocked.
 
  • Like
Reactions: TJ Hooker
This is shocking to me that they won't fix it, as i use Remote Desktop alot from my Windows 11 Pro Desktop to update the family Windows 10 Pro Desktop downstairs, as saves me having to get up and go down to check if its done or not.

Perhaps though i should turn it off, and go back to manually going down to update that system at times

Been using Remote Desktop since first got a Windows Pro Edition when clean installed Windows 8 since got a Free upgrade to Pro since previously had Media Center pack with Windows 7 back then.
 
This is an edge-case, and only works when the network-connected computer you are remoting into with RDP has enough network access for you to... remote into it, but not enough to reach the authentication server (e.g. Azure, for Microsoft accounts) to check the account credentials used are still valid.

For the vast majority of cases, if a device is online enough for you to RDP into it, it is online enough for that device to check the live password rather than relying on the cached credential.

If you're doing RDP at scale (i.e. hosting your own authentication solution) use the GPO to disable credential caching ('Credential Delegation') as you should be anyway to avoid SSO descync issues.
 
  • Like
Reactions: jg.millirem and AtrociKitty
I can see both sides of the argument. But honestly, it should be an opt in option to allow defunct passwords to work through RDP rather than a 'feature'. If you have a fired employee you have tried to lock out of your systems but they retained some electronics, maybe even stole some hardware on their way out, if you do not lock all of those devices out of your network, it leaves computers vulnerable to attack.
 
Nothing surprises me when it comes to Microsoft. Remove Azure and Microsoft is still pretty much Steve Ballmer's version of it all be it, a little less angry (ironically Ballmer started the push for Azure, but Nadella gets the credit for it).
 
This is a brain dead, nothing accusation, perpetrated by a nobody that wanted to get their name (and their nobody "security consulting" company's name) in the headlines. This is indeed NOT a bug. This is absolutely a common, well-known, well understood, and well documented feature that does not in reality present a security risk. Furthermore, if you happen to be administrating an environment with incredibly niche requirements, this feature can be easily disabled through the use of a common, well-known, well understood, and well documented policy setting.
 
  • Like
Reactions: jg.millirem and Rabohinf
Admin said:
Microsoft RDP allows users to log into machines using older, invalid passwords that have since been changed.

Microsoft has no plans to fix Windows RDP bug that lets you log in with old passwords : Read more
Click to expand...
This is absolute FUD! For one how is an offline computer supposed to know the password has changed? Also this only applies to AD accounts and you have always been able to disable this by setting "Interactive logon: Number of previous logons to cache" to 0, https://learn.microsoft.com/en-us/p...he-in-case-domain-controller-is-not-available
 
  • Like
Reactions: jg.millirem and Rabohinf
So did i over react disabling Remote Access on my Windows 11 Pro Desktop? was about to disable on the Windows 10 Pro Desktop, but i haven't quite yet.

Mostly just used so i don't have to get up to keep checking that older system if its done with its monthly updates all the way down the stairs, and also to update Store apps, MS Edge, and MS Office 365 when needed
 
edzieba said:
This is an edge-case, and only works when the network-connected computer you are remoting into with RDP has enough network access for you to... remote into it, but not enough to reach the authentication server (e.g. Azure, for Microsoft accounts) to check the account credentials used are still valid.

For the vast majority of cases, if a device is online enough for you to RDP into it, it is online enough for that device to check the live password rather than relying on the cached credential.

If you're doing RDP at scale (i.e. hosting your own authentication solution) use the GPO to disable credential caching ('Credential Delegation') as you should be anyway to avoid SSO descync issues.
Click to expand...
Good analysis.
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom