Windows RDP lets you log in using revoked passwords. Microsoft is OK with that. This behavior, recently highlighted by security researcher Daniel Wade, reveals a critical flaw in Windows Remote Desktop Protocol (RDP). Despite password changes, RDP allows access using old credentials, and Microsoft considers this a design feature rather than a vulnerability.(CSO Online, Tom’s Hardware)
Understanding the RDP Credential Caching Issue
The core of the issue lies in how Windows RDP handles credential caching. When a user logs in via RDP, their credentials are stored locally on the machine. Subsequent RDP logins validate against these cached credentials, even if the user’s password has been changed in Active Directory or Azure AD. This means that old passwords remain valid for RDP access, effectively bypassing password changes intended to revoke access.(Cyber Security News)
This behavior persists across various Windows versions and configurations, posing a significant security risk, especially in environments where RDP is exposed to the internet or used extensively for remote administration.(TechDirectArchive)
Microsoft’s Stance on the Behavior
Microsoft has acknowledged this behavior but does not classify it as a security vulnerability. According to the company, the design ensures that at least one user account can always log in, even if the system has been offline for an extended period. Microsoft argues that this feature prevents users from being locked out due to connectivity issues with authentication servers.(TechRadar, GIGAZINE)
However, this stance has drawn criticism from the cybersecurity community. Experts argue that the ability to log in with revoked passwords undermines security protocols and user trust, especially when there’s no clear documentation or warnings about this behavior.(Cyber Security News)
Security Implications for Organizations
The implications of this behavior are far-reaching:
- Persistent Access for Threat Actors: If an attacker obtains valid credentials, they can maintain RDP access even after the password is changed, leading to prolonged unauthorized access.(CSO Online)
- Bypassing Security Measures: This behavior can circumvent multi-factor authentication (MFA) and Conditional Access policies that rely on real-time credential validation.(CSO Online)
- Lack of Visibility: Since RDP logins using cached credentials do not trigger alerts in systems like Azure AD or Microsoft Defender, organizations may be unaware of unauthorized access.
- Compliance Risks: Organizations subject to regulatory standards may find that this behavior conflicts with requirements for immediate revocation of access upon credential changes.
Mitigation Strategies and Recommendations
While Microsoft does not offer a direct fix, organizations can implement several measures to mitigate the risk:
1. Disable Credential Caching
Use Group Policy to prevent Windows from caching credentials:(TechDirectArchive)
Computer Configuration > Administrative Templates > System > Credentials Delegation > Do not allow storage of passwords and credentials for network authentication
Set this policy to Enabled.
2. Enforce Network Level Authentication (NLA)
Ensure that RDP connections require NLA, which mandates user authentication before establishing a session:(Wikipedia)
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Require user authentication for remote connections by using Network Level Authentication
Set this policy to Enabled.
3. Implement Just-In-Time (JIT) Access
Use JIT access controls to limit the time frame during which RDP access is permitted, reducing the window of opportunity for unauthorized access.
4. Monitor and Audit RDP Access
Regularly review RDP access logs and implement monitoring solutions to detect unusual login patterns or access from unexpected locations.
Detection and Monitoring Techniques
To identify potential misuse of cached credentials, consider implementing the following detection methods:(Windows OS Hub)
Sigma Rule Example
```yaml
title: Suspicious RDP Logins Using Cached Credentials
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: "NTLM"
    condition: selection
fields:
    - SubjectUserName
    - IpAddress
    - WorkstationName
level: medium
```
This rule matches successful logons (Event ID 4624) of LogonType 10 (RemoteInteractive, i.e. RDP) that were authenticated with NTLM rather than Kerberos, which is consistent with a logon validated against locally cached credentials. NTLM is also used legitimately, for example when a client connects by IP address, so treat a match as a lead to correlate with recent password changes rather than as a standalone alert.
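The following added example (not part of the original article or any vendor tooling) applies the Sigma selection above to a handful of constructed Security-log records, then narrows the matches to NTLM RDP logons that occurred after a known password change for that account, which is the scenario the article describes. The event records, user names, IP addresses and password-change timestamps are all invented for the demonstration; the logged-on account is taken from TargetUserName, which is the field Windows populates with the account that actually signed in for Event ID 4624.

```python
from datetime import datetime, timezone

# Constructed sample Security-log events (not real telemetry): the subset of
# Event ID 4624/4625 fields that the Sigma rule and the filter below consult.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "203.0.113.7",
     "WorkstationName": "LAPTOP-01", "TimeCreated": "2025-05-01T08:15:00Z"},
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "bob", "IpAddress": "10.0.0.5",
     "WorkstationName": "WS-02", "TimeCreated": "2025-05-01T09:00:00Z"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "IpAddress": "10.0.0.9",
     "WorkstationName": "BACKUP-01", "TimeCreated": "2025-05-01T09:30:00Z"},
    {"EventID": 4625, "LogonType": 10, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "198.51.100.22",
     "WorkstationName": "UNKNOWN-PC", "TimeCreated": "2025-05-02T03:40:00Z"},
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "198.51.100.22",
     "WorkstationName": "UNKNOWN-PC", "TimeCreated": "2025-05-02T03:42:00Z"},
]

# The Sigma 'selection' block from the rule above, as a field -> value map.
SIGMA_SELECTION = {
    "EventID": 4624,
    "LogonType": 10,
    "AuthenticationPackageName": "NTLM",
}


def matches_selection(event, selection=SIGMA_SELECTION):
    """Sigma selection semantics: every key/value pair must match (logical AND)."""
    return all(event.get(key) == value for key, value in selection.items())


def parse_utc(timestamp):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_suspicious_rdp_logons(events, password_changes=None):
    """Return the events that match the Sigma selection.

    password_changes (assumed input, e.g. built from your IdP's audit trail) maps
    an account name to the UTC datetime its password was last changed. When a
    user is present in that map, only NTLM RDP logons *after* the change are
    kept, since those are the ones that should have been rejected.
    """
    password_changes = password_changes or {}
    hits = []
    for event in events:
        if not matches_selection(event):
            continue
        changed_at = password_changes.get(event.get("TargetUserName"))
        if changed_at is not None and parse_utc(event["TimeCreated"]) <= changed_at:
            continue  # logon predates the password change; nothing to revoke yet
        hits.append(event)
    return hits


def summarize_by_user(hits):
    """Group matched logons by account -> sorted list of distinct source IPs,
    a compact view for a triage queue."""
    summary = {}
    for event in hits:
        summary.setdefault(event["TargetUserName"], set()).add(event["IpAddress"])
    return {user: sorted(ips) for user, ips in summary.items()}


if __name__ == "__main__":
    # Constructed example: alice's password was changed at noon on 1 May.
    changes = {"alice": datetime(2025, 5, 1, 12, 0, tzinfo=timezone.utc)}
    for hit in find_suspicious_rdp_logons(SAMPLE_EVENTS, changes):
        print(hit["TimeCreated"], hit["TargetUserName"], hit["IpAddress"], hit["WorkstationName"])
    print(summarize_by_user(find_suspicious_rdp_logons(SAMPLE_EVENTS)))
```

Without a password-change map the function behaves exactly like the Sigma rule (two of the five sample events match); supplying the map drops the logon that predates the change, leaving only the post-change NTLM RDP session that warrants investigation.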
PowerShell Script for Audit
Use PowerShell to check how many domain logons a system is allowed to cache locally (the cache consulted when a domain controller cannot be reached):
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name CachedLogonsCount
This reads the CachedLogonsCount value under the Winlogon registry key. The Windows default is 10; a value of 0 disables cached domain logons on that host, so reviewing this value across the fleet shows which systems can still authenticate against stale cached credentials.
Conclusion
The revelation that Windows RDP allows logins with revoked passwords poses a significant security challenge. Organizations must proactively implement mitigation strategies to protect against unauthorized access. By disabling credential caching, enforcing NLA, implementing JIT access, and monitoring RDP activity, organizations can reduce the risk associated with this behavior. While Microsoft’s current stance is that this is a feature, the security community must continue to advocate for more robust and secure authentication mechanisms.(Tom’s Hardware, Wikipedia, WinBuzzer)
Sources and Assumptions:
- Information based on recent reports highlighting the RDP credential caching issue.
- Assumes standard Windows environments with RDP enabled and default configurations.