Windows RDP Bug Allows Login With Expired Passwords - Microsoft Confirms No Fix (cybersecuritynews.com)
from kid@sh.itjust.works to cybersecurity@sh.itjust.works on 05 May 12:49
https://sh.itjust.works/post/37343714

#cybersecurity


vk6flab@lemmy.radio on 05 May 13:16

From the article:

A Microsoft spokesperson confirmed the company has been aware of the issue since at least August 2023, but maintains that changing the behavior could break compatibility with existing applications.

  • Changing your Microsoft or Azure password does not immediately revoke RDP access for old credentials.
  • There are no clear alerts or warnings when old passwords are used for RDP logins.
  • Microsoft’s security tools, including Defender and Azure, do not flag this behavior.

atro_city@fedia.io on 05 May 14:04

Compatibility over security. Genius

ThePantser@sh.itjust.works on 05 May 13:31

Nobody should be using RDP, it has been Swiss cheese since it was created.

vk6flab@lemmy.radio on 05 May 13:37

All fine and dandy … got any realistic alternatives?

Appoxo@lemmy.dbzer0.com on 05 May 14:52

Probably VNC (lol).
I’d rather use something built into Windows than use 3rd party.
Same for macOS. I wouldn’t install an RDP-compatible server on it.

atro_city@fedia.io on 05 May 14:04

I think I had to use that once at work. Is it the thing that only allows passwords with like 6 letters or something?

Brkdncr@lemmy.world on 05 May 14:18

No. It’s Remote Desktop.

atro_city@fedia.io on 05 May 14:58

The password length isn't limited when logging in?

Brkdncr@lemmy.world on 05 May 15:00

No. I have no idea what would limit password length other than a bad systems admin.

atro_city@fedia.io on 05 May 15:04

TIL there’s no password limit on the application and it’s the admin who sets the password limit. No idea wtf our admin was thinking. Wow...

Saganaki@lemmy.one on 05 May 16:52

Realistically, it should be assumed RDP is insecure, so use it via VPN.

Brkdncr@lemmy.world on 05 May 14:21

Is it just me or did the author of the article not cite any sources?

bhamlin@lemmy.world on 05 May 14:22

Not really news. This functionality is to allow password resets on login, among other things.

Still not a good choice, definitely. But this has been known for a long time.

Brkdncr@lemmy.world on 05 May 15:12

I’m reading this and I’m wondering if it’s even an issue.

learn.microsoft.com/…/windows-logon-scenarios

It sounds like if you’re using a remote authentication source such as AD or Entra, and that source isn’t available, such as the laptop being disconnected from the internet, then the cached creds will still work.

This is the default behavior but you can disable that.

I don’t see the issue here, and it’s not really an RDP issue.

Additionally you should not turn on RDP and expose it to the internet, as you will get brute forced.
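Added example, not part of Brkdncr’s comment, the linked article or any Microsoft documentation: a read-only PowerShell audit of the host-side settings the comment above refers to, i.e. how many domain logons Windows caches locally (the policy “Interactive logon: Number of previous logons to cache”, stored as the `CachedLogonsCount` string under the Winlogon key, default 10), whether RDP is enabled and whether Network Level Authentication is required, plus a listing of recent RDP logons (Security event 4624 with logon type 10). The `-Remediate` switch and the cache value of 1 it writes are assumptions chosen for this example; the script only covers the classic domain cached-logon policy and makes no claim about the Microsoft/Azure account behaviour described in the article.

```powershell
# Added example (not the thread's or the article's own code).
# Run in an elevated PowerShell session on the Windows host being audited.
# Without -Remediate it only reads registry values and the Security log.
param(
    [switch]$Remediate
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$ts\WinStations\RDP-Tcp"

# 1. Number of domain/Entra logons cached locally. This cache is what lets a
#    previously used password keep working while the directory is unreachable.
#    The value is a REG_SZ; if it is absent Windows uses its default of 10.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }

# 2. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$denyTS = (Get-ItemProperty -Path $ts -Name fDenyTSConnections `
           -ErrorAction SilentlyContinue).fDenyTSConnections

# 3. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication

# 4. RDP logons in the last 7 days: Security event 4624, LogonType 10
#    (RemoteInteractive). Property indices follow the 4624 event schema:
#    5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress.
$rdpLogons = Get-WinEvent -FilterHashtable @{
                 LogName   = 'Security'
                 Id        = 4624
                 StartTime = (Get-Date).AddDays(-7)
             } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            Source = $_.Properties[18].Value
        }
    }

$report = [pscustomobject]@{
    CachedLogonsCount = [int]$cached
    RdpEnabled        = ($denyTS -ne 1)
    NlaRequired       = ($nla -eq 1)
    RdpLogonsLast7d   = @($rdpLogons).Count
}
$report    | Format-List
$rdpLogons | Format-Table -AutoSize

if ($Remediate) {
    # Assumed values for this example: keep a cache of 1 so a laptop can still
    # log on offline, and require NLA so credentials are checked before a
    # session is created. Use 0 on always-connected hosts if offline logon is
    # not needed.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '1' -Type String
    Set-ItemProperty -Path $rdpTcp   -Name UserAuthentication -Value 1   -Type DWord
}
```

Save it as a `.ps1` file and run it without arguments first to see the current state; the same settings are normally managed centrally through Group Policy rather than by editing the registry on each host, so the `-Remediate` path is there to show which values change, not as a deployment method. Lowering the cache to 0 is the setting that actually stops a stale password from working offline, but it also means a domain-joined laptop cannot log on at all without reaching a domain controller, which is the trade-off behind the default.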

LifeInMultipleChoice@lemmy.dbzer0.com on 05 May 20:10

The way this is set up it also won’t get you “into” your account if Windows Hello is turned on and required, as the TPM requirement will verify the RSA type key won’t match on the backend? So you would get dumped at the login screen, allowing you to access the password reset screen, requiring you to use the password reset tool (needing the old password still), but then once reset the new password would sync with the Hello PIN/fingerprint/FaceID as that machine is on the network, allowing the user to get back in remotely without having to physically show up at the machine. So it can save you a phone call or 2 to IT and keep a 2-factor authentication up to date remotely without locking the user out. (Not all of these authentication options are as good as others, but standardly you block the ones your company doesn’t want via group policy.)