Windows Remote Desktop Protocol contains a login backdoor Microsoft refuses to fix

Alfonso Maruccia

WTF?! The proprietary protocol developed by Microsoft to facilitate remote connections to Windows machines contains an outstanding security flaw. However, Microsoft has stated that it has no plans to fix the issue, as doing so would break compatibility with many applications.

Independent researchers have discovered, or should we say rediscovered, a major security vulnerability in Microsoft's Remote Desktop Protocol (RDP). Previously known as Terminal Services, RDP appears to be designed to always validate a previously used password for remote connections to a Windows machine, even when that password has been revoked by a system administrator or compromised in a security breach.

RDP technology dates back to the Windows NT 4.0 era, an early 32-bit operating system released in 1998. Since Windows XP, every professional or server version of Windows has included an RDP client, officially known as Remote Desktop Connection. This means that, according to the researchers, every version of Windows since the days of analog 56 Kbps modems is affected by this newly (re)discovered vulnerability.

Analyst Daniel Wade reported the issue to Microsoft earlier this month. The flaw violates universally acknowledged operational security (opsec) practices – and then some. When a password is changed, it should no longer provide access to a remote system. "People trust that changing their password will cut off unauthorized access," Wade said.

The researchers found that RDP continues to accept passwords that have been used once and are now cached on a local machine. Windows stores validated passwords in a cryptographically secure location on the disk, and even brand-new machines can use the old password to access other systems.

Microsoft's online management and security platforms – including Entra ID, Azure, and Defender – do not raise any alarms, and newer passwords may be ignored while older ones still function.

Furthermore, Microsoft has provided little information to end users about this remarkable behavior of the RDP protocol. The researchers concluded that millions of users – whether at home, in SOHO environments, or in enterprise setups – are at risk. When asked to address the issue, Microsoft confirmed that the RDP technology is working as intended.

According to Microsoft, the behavior is a design decision meant to "ensure that at least one user account always has the ability to log in no matter how long a system has been offline."

The company had already been warned about this backdoor by other researchers in August 2023, making the new analysis ineligible for a bounty award. Redmond engineers reportedly attempted to modify the code to eliminate the backdoor but abandoned the effort, as the changes could break compatibility with a Windows feature that many applications still rely on.

 
And on the flip side, RDP doesn't recognize a valid Microsoft Account password that is not cached on the local machine. This can easily happen on a new install where you've only logged in using methods other than the password (PIN, Windows Hello, etc.). This is a great way to lose an hour wondering why you can't log in, because it's so easy to think the problem must be some other configuration problem with setting up RDP or elsewhere in the system.
 
And on the flip side, RDP doesn't recognize a valid Microsoft Account password that is not cached on the local machine. This can easily happen on a new install where you've only logged in using methods other than the password (PIN, Windows Hello, etc.). This is a great way to lose an hour wondering why you can't log in, because it's so easy to think the problem must be some other configuration problem with setting up RDP or elsewhere in the system.
What the hell
 
Windows NT 4.0 was released in 1996, not 1998.
There were multiple editions of Windows NT 4.0 and the release of RDP was not associated with the first editions of NT. The author only claimed that it came out during the NT 4.0 era, not that NT was released in 1998. It was its own operating system named Windows NT 4.0 Terminal Server Edition, and that came out in 1998: https://en.wikipedia.org/wiki/Remote_Desktop_Services
 
When usage doesn't drop and competition is lacking, this is what can happen.

While I do understand your comment here, this is not a good article to make this comment on. RDP is leaps and bounds ahead of any alternative solution in terms of it just generally working no matter how good or bad a network connection may be.

Linux users still relying on xorg and x11 is like driving a Ford Model T on the autobahn and wondering why people aren't taking them seriously. Couple that with the fact that xrdp is unstable on non-ideal network connections and you have even more reason to appreciate just how good RDP truly is.
 
When usage doesn't drop and competition is lacking, this is what can happen.
Usage is dropping though: Windows is down to 77% market share, down from a dominant 95%. Some say it's below 75% now. macOS, ChromeOS, Linux, all of them are taking chunks out of MS's desktop/laptop market share.
 
What I want to know is, why are people using RDP on machines that are not already firewalled and whitelisted? It's not much of an issue if the only one who has access to the system is you.
 
This is cached credentials working the same way they have for decades, and it's been configurable by GPO for almost as long. The administrator chooses how long the server will remember stale credentials if it can't reach a domain controller immediately to check. No, the defaults don't make sense for a server that expects 100% availability of your authentication infrastructure.
 
I've always wondered about the fact that I'm able to reset my own password in Active Directory when my account is locked, so long as I was already in an open desktop session at the moment it was locked. Cached credentials can provide leeway in AD/Linux integrations as well - depending on what you're using for the bridge.
 
RDP has been around since people argued about Netscape vs. IE, and somehow it’s still granting ancient passwords VIP access. Truly nostalgic security flaws.

The caching behavior might have made sense when networks were less reliable and remote systems could be offline for long periods. But today’s threat landscape makes that design choice borderline dangerous.
 
OK, this is a hot take, but most security built into most OSes is tailored to a few giant corporations, not a home user. Which includes some guys on the 2nd floor at their IT desks, monitoring all the other floors, remotely installing updates, etc. The other corporations it is tailored to are software giants that want access to everything, from game companies to productivity software. The last two categories are cloud computing/the rental economy and AI. All of these situations, developed for the big money makers and not the individual user, are creating precarious security environments. AI is pretty funny: it wants to send every confidential document you are dealing with to the cloud... for a snooping summary.
If you started a new OS today tailored to personal security, things would be very different. Phones look like it, but they are actually a backdoor to your whole existence...
So if you want confidentiality, be offline; computing is more like going to the central square of your town to hide.
 
Another reason to call Microsoft on their PR stunt BS about prioritizing security first.

What I want to know is, why are people using RDP on machines that are not already firewalled and whitelisted? It's not much of an issue if the only one who has access to the system is you.
Maybe for a local setup this isn't much of an issue. What about cloud environments? Shared workstations? I can see the headline now: "Fired employee caused data breach even after their password was revoked - company tells the court that Microsoft should be liable". After that happens I'm sure Microsoft would change their tune.

On the bright side, this hasn't happened yet (to my knowledge), so maybe the risk is overstated a bit much. But it isn't good practice by Microsoft. Sometimes breaking compatibility is the best thing to do. But, half of Microsoft's fortune is built on being compatible with legacy apps, otherwise it's unlikely Windows, Office, and related applications would have had such penetration into the enterprise market for so long.
 
Glad I have Remote Desktop and Login from Network disabled and disallowed even for Admins! This makes me wonder how much Microsoft really understands the concept of security. Flaunting how secure Windows 11 is, yet clinging to SMBv1 (originated with IBM DOS file\printer sharing, 1983), NetBIOS enabled by default, legacy network tools and protocols, PowerShell version 2, remote desktop and network access rights\services enabled by default, default enabled network registry access, default anonymous network shares access, etc.

Microsoft is pushing for MS account login with Windows 11, forcing users to link their PC to the cloud with default enabled network and remote access. I fail to see anything secure about this!

 
Glad I have Remote Desktop and Login from Network disabled and disallowed even for Admins! This makes me wonder how much Microsoft really understands the concept of security. Flaunting how secure Windows 11 is, yet clinging to SMBv1 (originated with IBM DOS file\printer sharing, 1983), NetBIOS enabled by default, legacy network tools and protocols, PowerShell version 2, remote desktop and network access rights\services enabled by default, default enabled network registry access, default anonymous network shares access, etc.

Microsoft is pushing for MS account login with Windows 11, forcing users to link their PC to the cloud with default enabled network and remote access. I fail to see anything secure about this!
How many of those things can you pull out of Windows without breaking other things? MS long ago laid off its competent developers and filled the positions with cheap 18-month contractors. They can't even change the 15-character limit for PC names without breaking domain functions.
 
While I do understand your comment here, this is not a good article to make this comment on. RDP is leaps and bounds ahead of any alternative solution in terms of it just generally working no matter how good or bad a network connection may be.

Linux users still relying on xorg and x11 is like driving a Ford Model T on the autobahn and wondering why people aren't taking them seriously. Couple that with the fact that xrdp is unstable on non-ideal network connections and you have even more reason to appreciate just how good RDP truly is.

An article about Windows is not a good place to make a comment about Linux on.
 
This is actually by design: the default behaviour is to cache Windows credentials onto the client PC from which you are taking remote access.
My IT admins know about this default behaviour and they usually have 2 options:
1) If they control the client end via the domain server, enforce disabling credential caching on the client PC; that means the domain server will always be able to dictate to the client to never store RDP credentials for any machine.
2) If the server is being exposed to clients/endpoints which are outside the domain server's control, then force "always require password" login from the server-side remote access GPO policy.
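The two controls this reply describes (disable credential caching on the client, force a password prompt on the host), together with the GPO-configurable cached-logon count the earlier comment mentions, can be audited from the registry locations Group Policy writes to. The PowerShell below is an added example written for this page; it is not from the article, from Microsoft, or from any commenter. The registry paths and value names are standard Windows policy settings known from general Windows administration (none are stated in the article), and the "expected" values are this example's own hardening assumptions. Whether these settings fully cover the behaviour the article attributes to Wade's research is not something the article settles; the script only reports how the cached-credential and RDP prompt policies are currently set.

```powershell
# Added audit/remediation example for the cached-credential and RDP password
# policies discussed in the comments. Registry locations are the standard ones
# behind the corresponding Group Policy settings (assumed from general Windows
# administration, not taken from the article). Expected values are this
# example's recommendations, not Microsoft guidance quoted from the page.

$Checks = @(
    @{
        Name     = 'Interactive logon: Number of previous logons to cache'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Value    = 'CachedLogonsCount'   # REG_SZ; Windows default is "10"
        Expected = '0'                   # 0 = no cached domain logons at all
        Side     = 'Domain-joined host/client'
    },
    @{
        Name     = 'Network access: Do not allow storage of passwords and credentials'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value    = 'DisableDomainCreds'  # DWORD
        Expected = 1
        Side     = 'Client'
    },
    @{
        Name     = 'Remote Desktop client: Do not allow passwords to be saved'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        Value    = 'DisablePasswordSaving'  # DWORD
        Expected = 1
        Side     = 'Client'
    },
    @{
        Name     = 'Remote Desktop host: Always prompt for password upon connection'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        Value    = 'fPromptForPassword'  # DWORD
        Expected = 1
        Side     = 'Server'
    }
)

# Reads each setting and reports it against the expected value.
# Reading HKLM does not require elevation.
function Get-RdpCredentialCachingPosture {
    foreach ($c in $Checks) {
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($c.Value) }
        $display = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Setting   = $c.Name
            Side      = $c.Side
            Actual    = $display
            Expected  = $c.Expected
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
        }
    }
}

# Writes the expected values. Requires an elevated session; supports -WhatIf
# so the change list can be reviewed before anything is modified.
function Set-RdpCredentialCachingPosture {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($c in $Checks) {
        $target = "$($c.Path)\$($c.Value)"
        if ($PSCmdlet.ShouldProcess($target, "Set to $($c.Expected)")) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            $type = if ($c.Expected -is [string]) { 'String' } else { 'DWord' }
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type $type
        }
    }
}

# Usage: audit first, then preview changes before applying them.
Get-RdpCredentialCachingPosture | Format-Table -AutoSize
Set-RdpCredentialCachingPosture -WhatIf
```

Two caveats belong with this. First, `CachedLogonsCount = 0` is exactly the trade-off the earlier comment describes: a domain-joined machine that cannot reach a domain controller will then refuse domain logons entirely, so the value should match how much offline tolerance the host actually needs rather than be set to zero reflexively. Second, on a domain member the `Policies` keys are rewritten at every Group Policy refresh, so the `Set-` function is only a local stopgap; the durable change is the corresponding GPO setting, with this script used to confirm that it landed on the endpoint.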
 
When usage doesn't drop and competition is lacking, this is what can happen.
Just remember MS stands for Marketing Stuff, not More Security.
They have always been and will always be an insecure OS/ecosystem. They are great at marketing... That's all they are. Reroll software every few years by moving menu items around and changing the numbers on the version. Marketing 101.
I don't understand how people would think a monopoly would provide good security.
 
"Windows Remote Desktop Protocol contains a login backdoor Microsoft refuses to fix"

Of course... it was designed for NSA and MOSSAD...!
 