CISOs allowing remote access to Windows machines through Remote Desktop Protocol (RDP) should re-think their strategy after the discovery that changed or revoked passwords can still work, says an expert.
“I was unpleasantly surprised” to hear about the vulnerability, David Shipley, head of Canadian security awareness training firm Beauceron Security, said in an interview.
“I would have expected that revoking credentials meant revoking credentials.”
“RDP to people’s desktops is a really risky move to begin with, that will likely end in tears in many cases,” he said. “But to make it extra risky by saying once one has successfully logged in and authenticated, a cached version of the credential has been saved and it will work forever is ‘Yiii, hah!’ for attackers, I guess.”
CISOs “should really be reconsidering Remote Desktop Access and using Microsoft tooling,” he said, “and/or calling their [Microsoft] rep up and saying, ‘This is not OK.’”
Shipley was responding to a report in Ars Technica that security researcher Daniel Wade recently warned Microsoft of a flaw in Windows Remote Desktop Protocol (RDP) that allows previously changed passwords to still be used to log into an account, letting a threat actor with stolen credentials remotely access a computer.
Even after a user changes their account password, the old password will still work for an RDP login. In some cases, the story says, Wade discovered that multiple older passwords will work while newer ones won’t.
The reason: Windows (or Azure) stores the credential from the first RDP login on the local machine, and from then on validates RDP logins against that cached credential.
This means that an attacker could have persistent RDP access to a Windows machine that bypasses cloud verification, multifactor authentication, and Conditional Access policies.
According to the news story, Microsoft said the behavior is “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” As such, Microsoft said the behavior doesn’t meet the definition of a security vulnerability, and company engineers have no plans to change it.
Windows admins are often not aware of credential caching, said Johannes Ullrich, dean of research at the SANS Institute. “The feature is supposed to make it less likely for an admin to be logged out of their system. To prevent this, RDP will cache the last set of credentials used, in case the server is not able to connect back to the authentication server (which these days is often in the cloud). An administrator changing credentials in the cloud may find that the old credentials will still work as a result.”
To exploit this, Ullrich added, an attacker must first learn the old credentials, and they must use them before the administrator uses their new credentials. “Securing RDP is, however, a critical task, and not easy, even without this problem. Administrators must find ways to offer strong authentication and they must isolate RDP endpoints as much as possible,” he said.
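For administrators who want to act on Ullrich’s advice, the following PowerShell audit is an added example written for this page; it is not from the CSO article, Ars Technica, Wade or Microsoft. It reads the standard, documented registry locations for whether RDP is enabled, whether Network Level Authentication (NLA) is required, which security layer is in use, and the CachedLogonsCount setting, then lists recent RDP logons from the Security event log (event 4624, logon type 10). Whether CachedLogonsCount governs the Azure credential cache the story describes is not stated on the page and is treated here as an assumption; the script only reports, it changes nothing.

```powershell
# Added example (not from the CSO article or Microsoft): read-only audit of RDP
# exposure and the cached-logon setting on a Windows host. Run from an elevated
# PowerShell session. Registry paths are the standard documented Windows locations;
# whether CachedLogonsCount covers the Azure credential cache in the article is an
# assumption this script does not verify.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value means the Windows default applies
}

$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$tsRoot\WinStations\RDP-Tcp"
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$findings = [ordered]@{
    # fDenyTSConnections: 1 = RDP connections denied; 0 or absent = RDP listening
    RdpEnabled        = (Get-RegValue $tsRoot 'fDenyTSConnections') -ne 1
    # UserAuthentication: 1 = NLA required before a session is created
    NlaRequired       = (Get-RegValue $rdpTcp 'UserAuthentication') -eq 1
    # SecurityLayer: 2 = TLS; 1 = negotiate; 0 = legacy RDP security layer
    SecurityLayer     = Get-RegValue $rdpTcp 'SecurityLayer'
    # CachedLogonsCount (REG_SZ): domain logons kept for offline use, default "10"
    CachedLogonsCount = Get-RegValue $winlogon 'CachedLogonsCount'
}

# Recent RDP logons (Security 4624 with LogonType 10 = RemoteInteractive), so an
# admin can review which accounts have been using RDP after a password change.
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source  = $d['IpAddress']
                AuthPkg = $d['AuthenticationPackageName']
            }
        }
    }

[pscustomobject]$findings | Format-List
$rdpLogons | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Call out the combinations that matter for the behaviour described in the story.
if ($findings.RdpEnabled -and -not $findings.NlaRequired) {
    Write-Warning 'RDP is reachable without NLA; require NLA and reach RDP only via a jump host or VPN.'
}
if ($findings.RdpEnabled -and ($findings.CachedLogonsCount -ne '0')) {
    Write-Warning "CachedLogonsCount is '$($findings.CachedLogonsCount)'; cached logons stay usable offline. Review whether 0 is acceptable where offline logon is not needed."
}
```

Setting CachedLogonsCount to 0 is the standard control for domain cached logons, but it carries exactly the trade-off Microsoft cites: a machine that cannot reach its identity provider will then have no account able to sign in, so it belongs on isolated, always-connected RDP endpoints rather than on every host.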
Shipley is baffled. “It’s a great example of, for all of our talk of zero trust … when it comes to the most important area to apply — continuous validation — apparently this magically doesn’t fit.”
“What I don’t understand,” Shipley added, “is why this isn’t a configurable option for organizations. If they’re saying this is going to break some kind of platform software compatibility, et cetera, let your customer make that call.”
“What I also don’t understand is how this fits with all the brag points of the last 12, 18 months [that] Microsoft is making with the Secure Future Initiative and taking security seriously now.”
A Microsoft spokesperson said the company is looking into CSO’s request for comment.
Original article: CISOs should re-consider using Microsoft RDP due to password flaw, says expert | CSO Online