Windows RDP lets you log-in using revoked passwords. Microsoft is ok with that

98 points by drpixie 14 days ago

7 comments

Someone1234 13 days ago

Two things can be true:

- This is not a bug; it is a design decision.

- Microsoft could still try.

This functionality is critical for offline access; in fact in some scenarios you may not be able to configure WiFi (or VPN) for Domain Access without first logging in. If the offline password didn't exist the machine would be inoperable.

Let's also acknowledge the fact that even if they try to address this, unplugging the network cable or otherwise interfering with connectivity would always fall back to offline credentials. You cannot simply invalidate them for reasons previously stated.

So now we're at the point where the fix is at best unreliable, and NOT even a hard security boundary. Yet they could still try. For example either phoning the mothership (e.g. AD, Microsoft Login, et al) on a regular schedule for a logged-in user and verifying offline credentials OR phoning the mothership during successful cached login (with aggressive timeouts).

There is actually precedent for this: UAC. UAC is also not a real security boundary, and is also unreliable. It is a "best effort" improvement. This would be of that nature, engineering effort to kinda-sorta make it better than nothing but trivial for a trained attacker to bypass.

But ultimately, this isn't a bug, and any improvements Microsoft makes will be similarly criticized (due to the triviality of bypassing them).
Comment #43868638 not loaded
kryogen1c 13 days ago

I'll take a look at this tomorrow, but it seems like a security researcher angling for a bug bounty.

Cached local credentials and saved RDP credentials have existed for a long time and both have GPO settings to modify/disable - you just don't do it because no caching requires some kind of SASE / always-on VPN, etc. I think most systems have disallowed RDP credential saving for years.

Furthermore, how does one connect to the domain with an invalid password? I'm inclined to think this was tested on a workgroup and not a domain. If you go long enough your trust tombstones and you lose all access anyway, cached and saved or not.
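As an added example (not code from any commenter or from the linked article), here is a PowerShell audit of the two group-policy-backed settings the comment above refers to: the number of cached domain logons and saving of RDP passwords. The registry paths and the Windows default of 10 cached logons are real; the threshold you treat as acceptable is an assumption passed in by the caller.

```powershell
# Added example: report whether a host still caches domain logons for offline use
# and whether the Remote Desktop client may save passwords. Assumes a Windows host
# and read access to HKLM; run as Administrator for complete results.
function Get-CachedCredentialPosture {
    [CmdletBinding()]
    param(
        # Assumption: the largest cache size you consider acceptable (0 = no offline logon).
        [int]$MaxCachedLogons = 0
    )

    # GPO "Interactive logon: Number of previous logons to cache (in case domain
    # controller is not available)". Stored as REG_SZ; absent means the default of 10.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $rawCount = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                    -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedLogons = if ($null -eq $rawCount) { 10 } else { [int]$rawCount }

    # GPO "Do not allow passwords to be saved" (Remote Desktop Connection Client).
    # REG_DWORD; absent or 0 means the client may remember RDP passwords.
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $rawSave  = (Get-ItemProperty -Path $tsPolicy -Name DisablePasswordSaving `
                    -ErrorAction SilentlyContinue).DisablePasswordSaving
    $rdpSavingBlocked = ($rawSave -eq 1)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        CachedLogonsCount     = $cachedLogons
        CachedLogonsWithinMax = ($cachedLogons -le $MaxCachedLogons)
        RdpPasswordSavingOff  = $rdpSavingBlocked
        # A cache size of 0 removes offline logon entirely, which is the trade-off
        # the first comment in the thread warns about for machines that roam.
        OfflineLogonPossible  = ($cachedLogons -gt 0)
    }
}

# Example run: flag hosts that still cache more logons than policy allows.
Get-CachedCredentialPosture -MaxCachedLogons 0 | Format-List
```

Feed the function a list of hosts via Invoke-Command to build an inventory of where a revoked password would still be accepted offline.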
gerdesj 13 days ago

Sounds like bollocks to me.

Your RDP password is your AD password and that is encrypted and salted (I think). There are some worrying extensions to MSAD but I don't think that unless you tick the box in ADUC that your password will be stored unencrypted, it will be stored unencrypted (hashed or whatever).

We need to understand what:

"...Microsoft said the behavior is a "a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline."

really means.

I'm a Linux jockey but I can't be arsed with nonsense like this.
Comment #43853472 not loaded
Comment #43856647 not loaded
mcswell 13 days ago

"It's an older code, sir, but it checks out. I was going to let them through." https://www.youtube.com/watch?v=4HJ-Y8YTo8Q
Comment #43873212 not loaded
photon_rancher 13 days ago

This is true for basically any AD Windows login. If you log in with an account on a machine on your domain, then take that machine offline and change the password elsewhere - you can log in with the old password.

If you instead restore network access after it's been offline long enough - depending on the exact process it will still accept the old password. Entering the old password isn't enough to trigger domain check-in. However, if I recall correctly entering an incorrect password will cause the login window to hang for 30+ seconds while it attempts to perform such a check-in to see if your password changed in the interim. This will usually fail - but not always.

It's probably bad behavior but it's probably configurable in the domain settings. But it makes the user experience terrible because logging in gets super slow, because domain syncs in Azure / Active Directory are super slow.
Comment #43854959 not loaded
politelemon 13 days ago

This isn't working for me on an enterprise domain, I'm simply refused access. TFA doesn't link to any instructions either.
Comment #43853159 not loaded
notnmeyer 13 days ago

That is… insane. In what world is this expected or acceptable behavior?
Comment #43852915 not loaded