Windows RDP Network Level Authentication can bypass lock screen

[German] In a recent article, the CERT Coordination Center warns that Microsoft Windows RDP Network Level Authentication can reconnect to a Windows session that is locked with the lock screen, without asking for credentials again.

The warning has been published in the CERT document Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen. An article from The Hacker News also discusses the issue.

The Vulnerability

Microsoft Windows Remote Desktop supports a feature called Network Level Authentication (NLA) that moves the authentication aspect of a remote session from the RDP layer to the network layer. The use of NLA is recommended to reduce the attack surface of systems exposed to the RDP protocol. Under Windows, a session can be locked by the user, which causes the lock screen to appear. The user must then authenticate again to continue using the session. A session can also be locked via RDP in the same way that a local session can be locked.

(Image: KRITIS network; source: Pexels, Markus Spiske, CC0 licence)

A change from Windows 10 Version 1803 onwards

Since Windows 10 1803 (released in April 2018) and Windows Server 2019, the handling of NLA-based RDP sessions has changed in a way that can produce unexpected session locking behavior. If a network anomaly triggers a temporary RDP disconnect, the RDP session is put into an unlocked state when the connection is automatically reestablished. Unfortunately, this happens regardless of whether the remote session was locked when the connection dropped. The CERT describes the scenario in its article linked above with the following steps:

  1. The user connects to the remote Windows 10 1803 or Server 2019 or later system via RDP.
  2. The user locks the remote desktop session.
  3. The user leaves the physical environment of the system used as the RDP client.

At this point, an attacker can interrupt the network connection of the RDP client system. The RDP client software automatically reconnects to the remote system once the network connection is restored.


However, because of this vulnerability the reconnected RDP session lands on the logged-on desktop instead of on the lock screen. The remote system is therefore unlocked without anyone having to enter credentials.
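The sequence above (lock, forced disconnect, automatic reconnect, unlocked desktop) leaves a trace on the remote system that a defender can look for. The following script is an added example, not code from the CERT note or from this post. It assumes that the remote (RDP server) system audits "Other Logon/Logoff Events" so that the Security log records 4779 (session disconnected), 4778 (session reconnected), 4800 (workstation locked) and 4801 (workstation unlocked), and that a reconnect where the user really did re-enter credentials is accompanied by a fresh 4624 logon event. The event rows are constructed for this example; the rule flags a 4778 that follows a 4779 within a few minutes on a session that was locked and saw no 4624 in between.

```python
"""Added example (not from the CERT note or this post): flag RDP reconnects
that land on a session which was locked when the connection dropped and for
which no fresh logon was recorded in between.

Assumed input: Windows Security log events from the remote (RDP server)
system, reduced to (timestamp, event_id, account, session_id). The sample
rows below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

# Security log event IDs. 4778/4779/4800/4801 belong to the
# "Other Logon/Logoff Events" audit subcategory, 4624 to "Logon".
EVT_LOGON = 4624        # an account was successfully logged on
EVT_RECONNECT = 4778    # a session was reconnected to a Window Station
EVT_DISCONNECT = 4779   # a session was disconnected from a Window Station
EVT_LOCKED = 4800       # the workstation was locked
EVT_UNLOCKED = 4801     # the workstation was unlocked


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    account: str
    session: str


@dataclass
class Finding:
    account: str
    session: str
    disconnected_at: datetime
    reconnected_at: datetime

    @property
    def gap_seconds(self) -> float:
        return (self.reconnected_at - self.disconnected_at).total_seconds()


@dataclass
class _SessionState:
    locked: bool = False
    disconnected_at: Optional[datetime] = None
    logon_since_disconnect: bool = False


def parse_events(rows: Sequence[Tuple[str, int, str, str]]) -> List[Event]:
    """Turn (iso_timestamp, event_id, account, session) rows into time-ordered Events."""
    events = [Event(datetime.fromisoformat(ts), eid, acct, sess) for ts, eid, acct, sess in rows]
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_reconnects(events: Sequence[Event],
                               max_gap: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Return reconnects (4778) into a locked session with no 4624 since the 4779."""
    state: Dict[Tuple[str, str], _SessionState] = {}
    findings: List[Finding] = []
    for e in events:
        s = state.setdefault((e.account, e.session), _SessionState())
        if e.event_id == EVT_LOCKED:
            s.locked = True
        elif e.event_id == EVT_UNLOCKED:
            s.locked = False
        elif e.event_id == EVT_DISCONNECT:
            s.disconnected_at = e.ts
            s.logon_since_disconnect = False
        elif e.event_id == EVT_LOGON:
            s.logon_since_disconnect = True
        elif e.event_id == EVT_RECONNECT:
            if (s.locked and s.disconnected_at is not None
                    and not s.logon_since_disconnect
                    and e.ts - s.disconnected_at <= max_gap):
                findings.append(Finding(e.account, e.session, s.disconnected_at, e.ts))
            s.disconnected_at = None  # this reconnect consumed the pending disconnect
    return findings


# Constructed sample: alice locks her remote session, the link drops and the
# client auto-reconnects 30 s later with no new logon -> suspicious.
# bob never locked his session, and carol re-authenticated (4624) before her
# reconnect -> both benign.
SAMPLE_ROWS = [
    ("2019-06-04T09:00:00", EVT_LOGON,      "alice", "2"),
    ("2019-06-04T09:20:00", EVT_LOCKED,     "alice", "2"),
    ("2019-06-04T09:25:10", EVT_DISCONNECT, "alice", "2"),
    ("2019-06-04T09:25:40", EVT_RECONNECT,  "alice", "2"),
    ("2019-06-04T10:00:00", EVT_LOGON,      "bob",   "3"),
    ("2019-06-04T10:10:00", EVT_DISCONNECT, "bob",   "3"),
    ("2019-06-04T10:10:20", EVT_RECONNECT,  "bob",   "3"),
    ("2019-06-04T11:00:00", EVT_LOGON,      "carol", "4"),
    ("2019-06-04T11:05:00", EVT_LOCKED,     "carol", "4"),
    ("2019-06-04T11:06:00", EVT_DISCONNECT, "carol", "4"),
    ("2019-06-04T11:06:30", EVT_LOGON,      "carol", "4"),
    ("2019-06-04T11:06:31", EVT_RECONNECT,  "carol", "4"),
]


def run_sample() -> List[Finding]:
    return find_suspicious_reconnects(parse_events(SAMPLE_ROWS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.account} session {f.session}: reconnected {f.gap_seconds:.0f}s after "
              f"disconnect into a locked session without a new logon")
```

Run against the constructed rows, only alice's session is reported. The window (`max_gap`) keeps the rule focused on the quick automatic reconnect the CERT note describes; a reconnect hours later is a normal user returning to a disconnected session. Feed real events by exporting the Security log with the IDs above and mapping them onto the same four-field rows.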

2FA and login policy will be bypassed

Two-factor authentication systems that integrate with the Windows logon screen, such as Duo Security MFA, can also be bypassed with this mechanism. CERT/CC suspects that other MFA solutions that hook into the Windows logon screen are similarly affected. Any login policies enforced by a company will be bypassed as well.

The impact

By disrupting a system's network connection, an attacker with access to a system used as a Windows RDP client can gain access to the connected remote system, regardless of whether the remote system is locked or not. CERT/CC does not currently have a practical solution to this problem. The following workarounds are recommended.

  • Protect access to RDP client systems: If you have a system that is used as an RDP client, make sure that you lock the local system, not the remote system. Locking the remote system via RDP does not provide protection.
  • Disconnect RDP sessions instead of locking them: Because locking a remote RDP session does not provide effective protection, RDP sessions should be disconnected rather than locked. Disconnecting invalidates the current session, so the RDP client cannot automatically reconnect without credentials.

Companies that rely on RDP with Windows seem to be facing yet another security headache.
