this post was submitted on 05 May 2025
57 points (92.5% liked)

Cybersecurity

7804 readers
142 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago
MODERATORS
kid@sh.itjust.works
Lanky_Pomegranate530@midwest.social
57
Windows RDP Bug Allows Login With Expired Passwords - Microsoft Confirms No Fix (cybersecuritynews.com)
submitted 2 months ago by kid@sh.itjust.works to c/cybersecurity@sh.itjust.works
15 comments fedilink hide all child comments
top 15 comments
sorted by: hot top controversial new old
[–] Brkdncr@lemmy.world 10 points 2 months ago* (last edited 2 months ago) (1 children)

I’m reading this and I’m wondering if it’s even an issue.

https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios

It sounds like if you’re using a remote authentication source such as AD or Entra, and that source isnt available, such as the laptop being disconnected from the internet, then the cached creds will still work.

This is the default behavior but you can disable that.

I don’t see the issue here, and it’s not really an RDP issue.

Additionally you should not turn on RDP and expose it to the internet, as you will get brute forced.

[–] LifeInMultipleChoice@lemmy.dbzer0.com 1 points 2 months ago* (last edited 2 months ago)

The way this is set up it also won't get you "into" your account if Windows Hello is turned on and required, as the TPM requirement will verify the RSA type key won't match on the backend? So you would get dumped at the login screen, allowing you to access the password reset screen, requiring you to use to password reset tool (needing the old password still) but then once reset the new password would sync with the hello pin/fingerprint/faceID as that machine is on the network, allowing the user to get back in remotely without having to physically show up at the machine. So it can save you a phone call or 2 to IT and keep a 2 factor authentication up to date remotely without locking the user out. (Not all of these authentication options are as good as others, but standardly you block the ones your company doesn't want via group policy. )

[–] bhamlin@lemmy.world 8 points 2 months ago

Not really news. This functionality is to allow password resets on login, among other things.

Still not a good choice, definitely. But this has been known for a long time.

[–] vk6flab@lemmy.radio 4 points 2 months ago (1 children)

From the article:

A Microsoft spokesperson confirmed the company has been aware of the issue since at least August 2023, but maintains that changing the behavior could break compatibility with existing applications.

  • Changing your Microsoft or Azure password does not immediately revoke RDP access for old credentials.
  • There are no clear alerts or warnings when old passwords are used for RDP logins.
  • Microsoft’s security tools, including Defender and Azure, do not flag this behavior.
[–] atro_city@fedia.io 4 points 2 months ago

Compatibility over security. Genius

[–] Brkdncr@lemmy.world 2 points 2 months ago

Is it just me or did the author of the article not cite any sources?