{"id":37940,"date":"2025-05-05T00:46:53","date_gmt":"2025-05-04T22:46:53","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=37940"},"modified":"2025-05-05T00:46:53","modified_gmt":"2025-05-04T22:46:53","slug":"windows-rdp-access-possible-with-old-cached-credentials","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/05\/05\/windows-rdp-access-possible-with-old-cached-credentials\/","title":{"rendered":"Windows: RDP access possible with old cached credentials"},"content":{"rendered":"<p><img decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; float: left;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/05\/04\/windows-rdp-zugang-mit-alten-zugangsdaten-aus-dem-cache-moeglich\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]It has recently become known that remote desktop connections (RDP access) can still be established with old, revoked passwords from the cache. Some people see this as a security risk. Microsoft has been informed by the security researcher who discovered this behavior. However, Microsoft does not want to change this situation.<br \/>\n<!--more--><br \/>\nA blog reader pointed out in the discussion area of this blog (thanks for that) that RDP keeps old passwords, locally encrypted, in a cache. This means that under certain circumstances, an RDP login to Windows can succeed with an old password that is outdated because it was changed in the cloud. 
Dan Gookin picked it up on Ars Technica in the article <a href=\"https:\/\/arstechnica.com\/security\/2025\/04\/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that\/\" target=\"_blank\" rel=\"noopener\">Windows RDP lets you log in using revoked passwords<\/a>.<\/p>\n<h2>Windows RDP connections<\/h2>\n<p>Windows implements the proprietary Remote Desktop Protocol (RDP) for remote desktop connections. Once a user has logged on to a computer via RDP, they can control that computer remotely.<\/p>\n<h2>RDP connections use cached login data<\/h2>\n<p>Security researcher Daniel Wade has now noticed that RDP connections use cached credentials for Microsoft accounts. This means that passwords that have been changed, and thus revoked, remain valid for RDP logins.<\/p>\n<p>The scenario of logging in with a revoked password via RDP occurs on Windows computers that are signed in with a Microsoft or Azure account and have remote desktop access enabled. In this case, users can log in via RDP with a dedicated password that is validated against a locally stored credential. Alternatively, users can log in using the credentials for the online account that was used to log in to the computer.<\/p>\n<h2>Microsoft does not want to change anything<\/h2>\n<p>Wade states that this mechanism also makes it possible to log in with old passwords (even from new computers) and sees this as a \"breach of trust\". After all, what do you do if you suspect that an account password may have been compromised? 
You change the password to cut off access, but this does not work due to caching &#8211; the old credentials continue to work.<\/p>\n<p>It seems that the end user cannot recognize the problem, and Microsoft has not pointed it out &#8211; Redmond only <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/windows-authentication\/windows-logon-scenarios\" target=\"_blank\" rel=\"noopener\">added a note<\/a> after the security researcher reported the issue. Daniel Wade reported the behavior to the Microsoft Security Response Center at the beginning of April 2025.<\/p>\n<p>Microsoft's feedback was that this behavior is a design decision. It is meant to ensure that at least one user account is always able to log in, regardless of how long a system has been offline. For Microsoft, the behavior does not meet the definition of a security vulnerability. The company therefore has no plans to change the behavior.<\/p>\n<p>Microsoft told Wade that he was not the first person to report the \"problem\". A security researcher had already pointed out the issue in 2023. Microsoft's statement was: \"We originally considered a code change for this issue, but upon further review of the design documentation, code changes could impact compatibility with features used by many applications.\"<\/p>\n<p>The working solution (<a href=\"https:\/\/www.borncity.com\/blog\/2025\/05\/04\/windows-rdp-zugang-mit-alten-zugangsdaten-aus-dem-cache-moeglich\/#comment-215967\" target=\"_blank\" rel=\"noopener\">see<\/a>) is to set <em>Interactive logon <\/em>via GPO to <em>Number of previous logins that are cached (if the domain controller is not available) = 0.\u00a0<\/em>Then the user always has to authenticate online against a DC, as the credentials are not stored.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]It has recently become known that remote desktop connections (RDP access) can still be established with old, revoked passwords from the cache. 
Some people see this as a security risk. Microsoft has been informed by the security researcher, who discovered &hellip; <a href=\"https:\/\/borncity.com\/win\/2025\/05\/05\/windows-rdp-access-possible-with-old-cached-credentials\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,2],"tags":[1359,69,194],"class_list":["post-37940","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-windows","tag-rdp","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=37940"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37940\/revisions"}],"predecessor-version":[{"id":37941,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37940\/revisions\/37941"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=37940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=37940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=37940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}