News/Media

What's going on in the world of Blue Sky Systems

Researchers have discovered a significant security vulnerability in Microsoft's Remote Desktop Protocol (RDP), also known as Terminal Services. RDP appears to be designed to always validate a previously used password for remote connections to a Windows machine: passwords that have been revoked by a system administrator or changed by the user can still be accepted.

Users can log in over RDP with a dedicated password validated against a locally stored credential. Alternatively, users can log in using the credentials for the online account used to sign in to the machine. Even after users change their account password, it remains valid for RDP logins indefinitely. The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.

This means that any stolen password, whether a user's or an administrator's, that has already been used to access a machine would let an attacker log in to that machine over RDP regardless of whether the password has since been changed. This is especially costly in scenarios where a Microsoft or Azure account has been compromised.

Credential caching is a problem

The mechanism that makes all of this possible is credential caching on the local machine's hard drive. The first time a user logs in using Microsoft or Azure account credentials, RDP confirms the password's validity online. Windows then stores the credential in a cryptographically secure format on the local machine. From then on, Windows validates any password entered during an RDP login by comparing it against the locally stored credential, with no online lookup. As a result, a revoked password will still grant remote access through RDP.
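As an added example (not from Blue Sky Systems or Microsoft), the following Python sketches a defender-side check that follows from this mechanism: given cloud password-change times and per-host logon records, it lists the hosts where a user's last online-verified logon predates their password change, i.e. where the stored verifier has not been refreshed and the old password would still pass the local comparison. It assumes that an online-verified logon with the current password refreshes the stored verifier, and the record formats and sample data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class CloudPasswordChange:
    user: str
    changed_at: datetime

@dataclass(frozen=True)
class Logon:
    host: str
    user: str
    at: datetime
    verified_online: bool  # True when the identity provider checked the password

def stale_verifier_hosts(changes, logons):
    """Return sorted (host, user) pairs whose stored verifier may still accept an old password.

    Assumption (hypothetical, not stated in the article): an online-verified logon with
    the current password refreshes the locally stored verifier. A host where the user's
    last online-verified logon predates the cloud password change has not been refreshed,
    so the old password would still pass the local comparison described above.
    """
    changed = {c.user: c.changed_at for c in changes}
    last_online = {}
    for entry in logons:
        if entry.verified_online:
            key = (entry.host, entry.user)
            if key not in last_online or entry.at > last_online[key]:
                last_online[key] = entry.at
    stale = []
    for host, user in sorted({(e.host, e.user) for e in logons}):
        if user in changed:
            refreshed = last_online.get((host, user))
            if refreshed is None or refreshed < changed[user]:
                stale.append((host, user))
    return stale

def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample records (not real telemetry).
SAMPLE_CHANGES = [CloudPasswordChange("alice", _t("2024-05-10T09:00:00"))]
SAMPLE_LOGONS = [
    Logon("ws01", "alice", _t("2024-05-01T08:00:00"), True),   # first logon, verifier stored
    Logon("ws01", "alice", _t("2024-05-12T10:00:00"), False),  # later RDP logon, local check only
    Logon("ws02", "alice", _t("2024-05-11T08:30:00"), True),   # online logon after the change
    Logon("ws03", "bob", _t("2024-05-12T11:00:00"), False),    # bob's password was not changed
]
```

Calling `stale_verifier_hosts(SAMPLE_CHANGES, SAMPLE_LOGONS)` flags only `ws01` for `alice`: her later RDP logon there was validated locally, while `ws02` saw an online logon after the change and `bob` never changed his password.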

From Microsoft

Caution

When a user performs a local logon, their credentials are verified locally against a cached copy before being authenticated with an identity provider over the network. If the cache verification is successful, the user gains access to the desktop even if the device is offline. However, if the user changes their password in the cloud, the cached verifier is not updated, meaning they can still access their local machine using their old password.

The behaviour is a design decision meant to "ensure that at least one user account always can log in no matter how long a system has been offline."

Further information can be found on Microsoft's website.

How do I fix this?

It looks like Microsoft is not going to fix this. We are investigating whether turning off credential caching resolves the problem and, if so, what problems it introduces.