Windows

574 readers

1 users here now

For all things Windows.

founded 4 years ago

MODERATORS

QuentinCallaghan@sopuli.xyz

Windows RDP lets you log in using revoked passwords. Microsoft is OK with that. (arstechnica.com)

submitted 2 months ago by neme@lemm.ee to c/windows@sopuli.xyz

6 comments fedilink hide all child comments

all 7 comments

sorted by: hot top controversial new old

[+] 18USCode2381@infosec.pub 9 points 2 months ago* (last edited 1 month ago) (1 children)

[deleted]

[–] Onomatopoeia@lemmy.cafe 7 points 2 months ago* (last edited 2 months ago) (1 children)

Sounds like this is nothing more than the native credential token caching NT always had. So even if you lost domain connectivity for months, anyone who had previously logged into that machine could still log in (of course, because it hasn't connected to the domain directory for credential updates).

Not sure why it's seen as an RDP specific thing, I don't see anything in the article clarifying this only affects RDP. It should affect the entire machine/any local logins (not local credentials, any logins that happened on the machine, so the domain credential token was cached).

Some clarification around how credentials are updated from Azure/MS would be helpful, and clarify if this is any more than the original NT token caching.

[–] wizardbeard@lemmy.dbzer0.com 4 points 2 months ago

Thank you. It's annoying that there isn't a separate set of settings for RDP connections specifically, but as far as I can tell this is the standard caching feature controlled/mitigated by the same means as it always has been.

[–] Nougat@fedia.io 7 points 2 months ago (1 children)

Cached credentials have been a thing for a long time, and that’s saved my bacon more than once.

The trouble here is that RDP will check the cached credentials first, even if the machine is online and able to check the authoritative creds. And then it doesn’t erase the obsolete cached creds. This is apparently only for Microsoft or Azure accounts, but ffs they’ve been pushing individuals and businesses that way for so long.

This most definitely is a security issue.

[–] phoenixz@lemmy.ca 2 points 2 months ago

This most definitely is a security issue

Meaning that Microsoft won't fix it

[–] Zachariah@lemmy.world 5 points 2 months ago

Microsoft said the behavior is a “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” As such, Microsoft said the behavior doesn’t meet the definition of a security vulnerability, and company engineers have no plans to change it.

[–] phoenixz@lemmy.ca 1 points 2 months ago

Install Linux already, just get it over with