WTF?! The proprietary protocol developed by Microsoft to facilitate remote connections to Windows machines contains an unresolved security flaw. However, Microsoft has stated that it has no plans to fix the issue, as doing so would break compatibility with many applications.
Independent researchers have discovered, or should we say rediscovered, a major security vulnerability in Microsoft's Remote Desktop Protocol (RDP). Previously known as Terminal Services, RDP appears to be designed to always validate a previously used password for remote connections to a Windows machine, even when that password has been revoked by a system administrator or compromised in a security breach.
RDP technology dates back to the Windows NT 4.0 era, an early 32-bit operating system released in 1998. Since Windows XP, every professional or server version of Windows has included an RDP client, officially known as Remote Desktop Connection. This means that, according to the researchers, every version of Windows since the days of analog 56 Kbps modems is affected by this newly (re)discovered vulnerability.
Analyst Daniel Wade reported the issue to Microsoft earlier this month. The flaw violates universally acknowledged operational security (opsec) practices – and then some. When a password is changed, it should no longer provide access to a remote system. "People trust that changing their password will cut off unauthorized access," Wade said.
The researchers found that RDP continues to accept passwords that have been used once and are now cached on a local machine. Windows stores validated passwords in a cryptographically secure location on the disk, and even brand-new machines can use the old password to access other systems.
Microsoft's online management and security platforms – including Entra ID, Azure, and Defender – do not raise any alarms, and newer passwords may be ignored while older ones still function.
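Because the platforms mentioned above raise no alarm, the remaining place to look is the local Security log. The following PowerShell is an added example, not code from the article or from the researchers; it assumes that a logon validated against locally cached credentials is recorded in event 4624 with LogonType 11 (CachedInteractive) or 12 (CachedRemoteInteractive), which should be verified on the Windows build in use.

```powershell
# Added example: surface RDP-era logons that Windows validated against its
# local credential cache instead of a live authority (domain controller or
# cloud identity provider). The LogonType mapping below is an assumption.

function ConvertFrom-4624Event {
    # Flatten a Security 4624 record into the few fields we need.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated
            TargetUserName = $d['TargetUserName']
            LogonType      = [int]$d['LogonType']
            IpAddress      = $d['IpAddress']
        }
    }
}

function Get-CachedLogonEvents {
    # Keep only logons whose type indicates cached-credential validation.
    param([Parameter(Mandatory)] [object[]] $Events)
    $cachedTypes = 11, 12   # assumption: CachedInteractive, CachedRemoteInteractive
    $Events | Where-Object { $cachedTypes -contains [int]$_.LogonType } |
        Select-Object TimeCreated, TargetUserName, LogonType, IpAddress
}

# Constructed sample records (not real log data) so the filter runs offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2025-04-20 09:00'; TargetUserName = 'alice'; LogonType = 10; IpAddress = '10.0.0.5' },
    [pscustomobject]@{ TimeCreated = Get-Date '2025-04-20 09:05'; TargetUserName = 'alice'; LogonType = 12; IpAddress = '10.0.0.5' },
    [pscustomobject]@{ TimeCreated = Get-Date '2025-04-20 09:10'; TargetUserName = 'svc';   LogonType = 3;  IpAddress = '10.0.0.9' }
)
# Only the 09:05 entry (LogonType 12) should be reported.
Get-CachedLogonEvents -Events $sample | Format-Table -AutoSize

# Live use on a host (elevated session required to read the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ConvertFrom-4624Event
# Get-CachedLogonEvents -Events $live | Format-Table -AutoSize
```

Cross-referencing the reported entries against the time of the last password change for that account turns this list into the alert the hosted platforms do not provide.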
Furthermore, Microsoft has provided little information to end users about this remarkable behavior of the RDP protocol. The researchers concluded that millions of users – whether at home, in SOHO environments, or in enterprise setups – are at risk. When asked to address the issue, Microsoft confirmed that the RDP technology is working as intended.
According to Microsoft, the behavior is a design decision meant to "ensure that at least one user account always has the ability to log in no matter how long a system has been offline."
The company had already been warned about this backdoor by other researchers in August 2023, making the new analysis ineligible for a bounty award. Redmond engineers reportedly attempted to modify the code to eliminate the backdoor but abandoned the effort, as the changes could break compatibility with a Windows feature that many applications still rely on.