CISOs should re-consider using Microsoft RDP due to password flaw, says expert

Published 2025-05-02. Source: https://cybersecurityinfocus.com/?p=3022

CISOs who allow remote access to Windows machines through Remote Desktop Protocol (RDP) should rethink that strategy after the discovery that changed or revoked passwords can still be used to log in over RDP, says an expert.

“I was unpleasantly surprised” to hear about the vulnerability, David Shipley, head of Canadian security awareness training firm Beauceron Security, said in an interview.

“I would have expected that revoking credentials meant revoking credentials.”

“RDP to people’s desktops is a really risky move to begin with, that will likely end in tears in many cases,” he said. “But to make it extra risky by saying once one has successfully logged in and authenticated, a cached version of the credential has been saved and it will work forever is ‘Yiii, hah!’ for attackers, I guess.”

CISOs “should really be reconsidering Remote Desktop Access and using Microsoft tooling,” he said, “and/or calling their [Microsoft] rep up and saying, ‘This is not OK.’”

Shipley was responding to a report in Ars Technica (https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/) that security researcher Daniel Wade recently warned Microsoft of a flaw in Windows RDP that lets previously changed passwords still be used to log into an account, so a threat actor holding stolen credentials can keep remote access to a computer after the owner has rotated the password.

Even after a user changes their account password, the old password will still work for an RDP login. In some cases, the story says, Wade found that several older passwords worked while newer ones did not.

The reason: Windows caches the credential used for the first RDP login on the local machine, and from then on validates RDP logins against that locally cached copy rather than against the cloud identity provider.

This means an attacker could hold persistent RDP access to a Windows machine in a way that bypasses cloud verification, multifactor authentication, and Conditional Access policies.

According to the news story, Microsoft said the behaviour is “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” As such, Microsoft said the behaviour does not meet its definition of a security vulnerability, and company engineers have no plans to change it.

Windows admins are often not aware of credential caching, said Johannes Ullrich, dean of research at the SANS Institute. “The feature is supposed to make it less likely for an admin to be logged out of their system. To prevent this, RDP will cache the last set of credentials used, in case the server is not able to connect back to the authentication server (which these days is often in the cloud). An administrator changing credentials in the cloud may find that the old credentials will still work as a result.”

To exploit this, Ullrich added, an attacker must first learn the old credentials, and they must use them before the administrator uses their new credentials. “Securing RDP is, however, a critical task, and not easy, even without this problem. Administrators must find ways to offer strong authentication and they must isolate RDP endpoints as much as possible,” he said.

Shipley is baffled. “It’s a great example of, for all of our talk of zero trust … when it comes to the most important area to apply — continuous validation — apparently this magically doesn’t fit.”

“What I don’t understand,” Shipley added, “is why this isn’t a configurable option for organizations. If they’re saying this is going to break some kind of platform software compatibility, et cetera, let your customer make that call.”

“What I also don’t understand is how this fits with all the brag points of the last 12, 18 months [that] Microsoft is making with the Secure Future Initiative (https://www.csoonline.com/article/3966122/microsoft-sfi-update-five-of-28-security-objectives-nearly-complete.html) and taking security seriously now.”

A Microsoft spokesperson said the company is looking into CSO’s request for comment.
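As an added example, not code from the article, from CSO, or from Microsoft, the PowerShell audit below gathers the host settings that bear on Ullrich's advice about strong authentication and isolating RDP endpoints: whether RDP is enabled, whether Network Level Authentication is required, the Winlogon cached-logon count, who is allowed to connect over RDP, and the successful RDP logons of the last week (Security event 4624 with logon type 10) so that they can be compared against the time a password was changed in the cloud directory. The registry paths and event fields are the standard Windows ones; whether the CachedLogonsCount value governs the cached verifier the article describes is not stated on the page and is treated here as an assumption to verify, not as a fix. Run it in an elevated session on the host being checked.

```powershell
# Added audit script (not from the article). Assumes standard Windows registry
# locations and the documented field order of Security event 4624.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# fDenyTSConnections = 1 means RDP is disabled; anything else means it is reachable.
$rdpEnabled  = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -ne 1
# UserAuthentication = 1 requires Network Level Authentication before a session is created.
$nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
# SecurityLayer: 2 = TLS required, 1 = negotiate, 0 = legacy RDP security layer.
$secLayer    = (Get-ItemProperty -Path $tcp -Name SecurityLayer      -ErrorAction SilentlyContinue).SecurityLayer
# CachedLogonsCount: number of domain logons Windows keeps for offline use (default "10").
# ASSUMPTION: the page does not say this value controls the RDP verifier it describes.
$cached      = (Get-ItemProperty -Path $wl  -Name CachedLogonsCount  -ErrorAction SilentlyContinue).CachedLogonsCount

[pscustomobject]@{
    RdpEnabled        = $rdpEnabled
    NlaRequired       = $nlaRequired
    SecurityLayer     = $secLayer
    CachedLogonsCount = $cached
    RdpUsers          = ((Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name -join ', ')
} | Format-List

# Successful RDP logons in the last 7 days. Event 4624 property order:
# [5] TargetUserName, [6] TargetDomainName, [8] LogonType (10 = RemoteInteractive),
# [10] AuthenticationPackageName, [18] IpAddress.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            SourceIP = $_.Properties[18].Value
            AuthPkg  = $_.Properties[10].Value
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize

# Hardening steps that follow the advice quoted in the article (left commented out so the
# script stays read-only). The 10.0.0.0/24 management range is a placeholder assumption.
# Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1
# Set-ItemProperty -Path $tcp -Name SecurityLayer -Value 2
# Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress 10.0.0.0/24
# Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1   # disable RDP where it is not needed
```

Any logon in the table whose timestamp falls after the user's password was rotated, and whose source address is not one you expect, is exactly the case the article describes and should be treated as a live session to investigate rather than as a stale credential that will expire on its own.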