In a revelation that has sparked heated debate among cybersecurity experts, Microsoft has confirmed that its Remote Desktop Protocol (RDP) allows users to log in with passwords that have been revoked by system administrators. While the company insists this behavior is intentional and not a bug, critics argue it creates a persistent backdoor that undermines user security.
Advertisеment
The Issue in Detail
Remote Desktop Protocol (RDP), a proprietary feature of Windows, enables users to remotely access and control a computer as if they were physically present.
However, the researchers found that even after users change their passwords — often as a critical step to resolve an account compromise or password leak — the old credentials remain valid for RDP logins indefinitely. This behavior persists whether the system is online or offline, bypassing cloud verification, multi-factor authentication, and conditional access policies.
Independent security researcher Daniel Wade brought the issue to Microsoft’s attention earlier this month. In his report, Wade provided detailed steps to reproduce the behavior and warned that it violates the fundamental expectation that changing a password invalidates all previous credentials. It’s not just a bug, he said. It’s a breach of trust, because people believe that changing a password will prevent unauthorized access.
Microsoft’s Defense
Microsoft defends this behavior, saying it is a deliberate design choice to ensure that users are never locked out of their systems, even if they are offline for long periods of time. The company argues that storing locally cached credentials allows at least one user account to always have access to the system, while maintaining functionality in scenarios where a network connection is unavailable.
In response to Wade's report, Microsoft updated its documentation to clarify how RDP handles credentials. The update explains that when a user logs in locally, their credentials are first verified against a cached copy on the device before they are authenticated by an identity provider (such as Microsoft or Azure) over the network. If the cached verification is successful, the user is granted access, even if their password has since been changed in the cloud.
However, critics say the explanation is insufficient and difficult for most system administrators to detect. Additionally, Microsoft provides no guidance on how users can block RDP access if their Microsoft or Azure account is compromised. According to Will Dormann, a senior vulnerability analyst at security firm Analygence, this doesn’t make sense from a security perspective. If you’re a system administrator, you’d expect that the moment you change an account’s password, the old credentials can’t be used anywhere, Dormann writes.
Why This Matters
The implications of this behavior are significant, especially in enterprise and hybrid work environments where RDP is widely used. If a Microsoft or Azure account is compromised, changing the password — a standard remediation step — will not prevent attackers from using the old password to gain remote access via RDP. In some cases, several old passwords may still work, while new passwords fail entirely.
Wade argues that this creates a silent, remote backdoor into any system where the password was ever cached. Even if the attacker never had direct access to the system, Windows will continue to trust the cached credentials indefinitely.
A Known Issue
Notably, Microsoft said this behavior was first reported by another researcher in August 2023, nearly two years ago. At the time, the company considered making code changes to address the issue, but ultimately decided against it, citing concerns about breaking compatibility with apps that rely on the current design.
This is an old issue, Microsoft told Wade. It is not eligible for a reward because it does not meet Microsoft's criteria for a security vulnerability. The company has emphasized that the behavior is consistent with its design documentation, though critics argue that this rationale puts convenience above security.
What Users Can Do
While Microsoft has no plans to change this behavior, users concerned about their security can take steps to reduce the risk. One option is to configure RDP to authenticate only with locally stored credentials. However, this approach requires careful management to avoid locking out users.
Additionally, organizations should consider implementing stricter controls on RDP use, such as disabling it when it is not needed or limiting access to trusted IP addresses.
A Persistent Debate
The dispute highlights the tension between usability and security, a challenge Microsoft continues to wrestle with. For now, the company remains steadfast in its stance that such behavior is not a vulnerability. But as cyber threats evolve, critics warn that such design decisions could expose millions of users to unnecessary risks.
As the debate unfolds, one thing is clear: Users must remain vigilant and proactive in protecting their systems, even when relying on tools designed to facilitate remote access.
Support us
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:
