[German]In a recent article, the CERT Coordination Center warns that Microsoft Windows RDP Network Level Authentication also works with LockScreen locked Windows.
The warning has been published within the CERT document Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen. Also this article from The Hacker News discusses the issue.
Microsoft Windows Remote Desktop supports a feature called Network Level Authentication (NLA) that moves the authentication aspect of a remote session from the RDP layer to the network layer. The use of NLA is recommended to reduce the attack surface of systems exposed to the RDP protocol. Under Windows, a session can be blocked by the user, which causes a LockScreen to appear on the screen. This requires authentication from the user to continue using the session. Session locking can also be done via RDP in the same way that a local session can be locked.
(Quelle: Pexels Markus Spiske CC0 Lizenz)
A change from Windows 10 Version 1803 onwards
Since Windows 10 1803 (released in April 2018) and Windows Server 2019, the handling of NLA-based RDP sessions has changed to the point where unexpected session locking behavior can occur. If a network anomaly triggers a temporary RDP disconnect, the RDP session is put into an unlocked state when the connection is automatically reestablished. Unfortunately, this is independent of how the remote system was left. The CERT describes the scenario in its article linked above with the following steps:
- The user connects to the remote Windows 10 1803 or Server 2019 or later system via RDP.
- The user locks the remote desktop session.
- The user leaves the physical environment of the system used as the RDP client.
At this point, an attacker can interrupt the network connection of the RDP client system. The RDP client software automatically reconnects to the remote system once the Internet connection is restored.
However, this vulnerability causes the restored RDP session to be restored to a logged on desktop instead of the login screen. This means that the remote system is unlocked without having to manually enter credentials.
2FA and login policy will be bypassed
Two-factor authentication systems that integrate with the Windows logon screen, such as Duo Security MFA, can also be bypassed with this mechanism. People at CERT suspect that other MFA solutions that use the Windows logon screen are similarly affected. Any login policies enforced by a company will also be bypassed.
By disrupting a system’s network connection, an attacker with access to a system used as a Windows RDP client can gain access to a connected remote system, regardless of whether the remote system is locked or not. CERT/CC does not currently have a practical solution to this problem. The following workarounds are recommended.
- Protect access to RDP client systems: If you have a system that is used as an RDP client, make sure that you lock the local system, not the remote system. Locking the remote system via RDP does not provide protection. .
- Disconnect RDP sessions instead of locking them: Because locking a remote RDP session does not provide effective protection, RDP sessions should be disconnected rather than locked. This will invalidate the current session, preventing the RDP session from automatically reconnecting without credentials.
It seems that companies who are using RDP with Windows are now having a lot of headaches for security reasons.