Microsoft has no plans to fix Windows RDP bug that lets you log in with old passwords

(Image credit: Shutterstock)

Microsoft apparently has no plans to fix a security flaw that leaves machines using Windows Remote Desktop Protocol (RDP) vulnerable. In a recent report submitted to the Microsoft Security Response Center by Daniel Wade, the current configuration of Windows RDP allows users to access machines using old, cached passwords even after those passwords have been updated or changed.

This makes it impossible to cut off RDP access to a machine simply by changing the password: old cached passwords will still allow a successful login, which is a huge security concern. Despite the glaring open backdoor, Microsoft has insisted that this is intentional and that the company has no plans to change the way this function operates, as it provides a way for users to never be completely locked out of their machine.

Microsoft has its own definition of what qualifies as a "security vulnerability" and claims that this behaviour does not count as one. The feature was intentionally designed to make sure users could still access a given machine through RDP even after it has been offline for a long period of time. Despite the concern, the feature is not optional and cannot be disabled.

Wade described the security concern as a breakdown of trust. In information security, changing a password is generally perceived as a surefire way to terminate access to an account for anyone authenticating with a previous password. In this case, you cannot prevent access using old passwords over RDP, and you receive no warning that the old passwords are still valid.

This is especially concerning where passwords have been publicly compromised. Because there is no way to revoke RDP authentication with those old passwords, would-be attackers can gain access to the machine with the account owner none the wiser.

Microsoft has been aware of the issue for some time; a previous report was filed in August 2023. Although the issue was investigated then, the decision was ultimately made not to change the way it functions, out of concern for compatibility issues with existing applications.


Ash Hill
Contributing Writer

Ash Hill is a contributing writer for Tom's Hardware with a wealth of experience in hobby electronics, 3D printing and PCs. She manages the Pi projects of the month and much of our daily Raspberry Pi reporting while also finding the best coupons and deals on all tech.

  • Hooda Thunkett
    The only situation where I might kind-of, sorta, grudgingly like this feature is if someone hacked into my account and changed the password to lock me out, but this really doesn't fix that issue. With this system, they're still in, and you probably won't have a clue about it. You're much better off having 2FA and adding in an account recovery process with that. Maybe have your regular password and 2FA for regular log-in, and your different, extra secure 2FA for account recovery.
    This is a huge problem. It needs to be fixed.
  • jg.millirem
    Astounding.
  • Konomi
    Sounds like Microsoft forgot about the concept of password reset disks. Shouldn't be hard to do a modern implementation of that and fix that at the same time if they were so concerned about not locking people out of accounts permanently.
  • EzzyB
    It doesn't seem to be a big deal to consumer computers. Remote access is very easy to turn off at the PC or block at your router's firewall or both. This isn't going to work if the service isn't running or the port is blocked.
  • bikemanI7
    This is shocking to me that they won't fix it, as I use Remote Desktop a lot from my Windows 11 Pro desktop to update the family Windows 10 Pro desktop downstairs, as it saves me having to get up and go down to check if it's done or not.

    Perhaps, though, I should turn it off and go back to manually going down to update that system at times.

    I've been using Remote Desktop since I first got a Windows Pro edition, when I clean-installed Windows 8, since I got a free upgrade to Pro because I previously had the Media Center pack with Windows 7 back then.
  • edzieba
    This is an edge-case, and only works when the network-connected computer you are remoting into with RDP has enough network access for you to... remote into it, but not enough to reach the authentication server (e.g. Azure, for Microsoft accounts) to check the account credentials used are still valid.

    For the vast majority of cases, if a device is online enough for you to RDP into it, it is online enough for that device to check the live password rather than relying on the cached credential.

    If you're doing RDP at scale (i.e. hosting your own authentication solution), use the GPO to disable credential caching ('Credential Delegation') as you should be anyway to avoid SSO desync issues.
  • A Stoner
    I can see both sides of the argument. But honestly, it should be an opt in option to allow defunct passwords to work through RDP rather than a 'feature'. If you have a fired employee you have tried to lock out of your systems but they retained some electronics, maybe even stole some hardware on their way out, if you do not lock all of those devices out of your network, it leaves computers vulnerable to attack.
  • JamesJones44
    Nothing surprises me when it comes to Microsoft. Remove Azure and Microsoft is still pretty much Steve Ballmer's version of it all, albeit a little less angry (ironically Ballmer started the push for Azure, but Nadella gets the credit for it).