Windows Remote Desktop Protocol security flaw won’t be fixed, says Microsoft
The Remote Desktop Protocol is a proprietary feature built into Windows that lets a remote user log in to and control a machine, much like any other remote desktop app. Since it essentially gives someone full access to your device, you’d expect strong protections against unauthorized logins. Microsoft seems to think otherwise: despite being made aware of it, the company still hasn’t addressed a serious flaw in the RDP login system that allows access using revoked passwords.
Earlier this month, independent security researcher Daniel Wade again reported the issue to the Microsoft Security Response Center. He warned that the current system goes against the widely held expectation that changing a password should immediately cut off access to any devices or accounts tied to it. “People trust that changing their password will cut off unauthorized access”, Wade wrote in his report, adding:
It's the first thing anyone does after suspecting compromise. And yet:
- Old credentials continue working for RDP—even from brand-new machines.
- Defender, Entra ID, and Azure don't raise any flags.
- There is no clear way for end-users to detect or fix the issue.
- No Microsoft documentation or guidance addresses this scenario directly.
- Even newer passwords may be ignored while older ones continue to function.
The result? Millions of users—at home, in small businesses, or hybrid work setups—are unknowingly at risk.
Daniel Wade, via Ars Technica
Microsoft doesn’t see it as a security vulnerability
In response to Wade’s report, Microsoft said the behavior doesn’t meet its definition of a security vulnerability, and its engineers have no plans to change it. Instead, the company considers it a “design decision to ensure that at least one user account always has the ability to log in, no matter how long a system has been offline.” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview:
It doesn’t make sense from a security perspective. If I’m a sysadmin, I’d expect that the moment I change the password of an account, then that account’s old credentials cannot be used anywhere. But this is not the case.
Will Dormann
Since Microsoft offers no guidance on what steps to take if an account is compromised, Dormann said the only viable option is to configure RDP to authenticate against locally stored credentials alone. This isn’t the first time the issue has been raised with Microsoft: the company says its security engineers have been aware of the behavior for nearly two years. Microsoft said it had updated its online documentation to better inform users about the behavior.
We have determined that this is an issue that has already been reported to us by another researcher in August 2023. We originally looked at a code change for this issue, but after further review of design documentation, changes to code could break compatibility with functionality used by many applications.
Microsoft Employees
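The article does not spell out how an administrator would notice a logon made with a revoked password, and Wade’s point is that Defender, Entra ID and Azure raise no alert for one. What a machine does still record is the logon itself: the Windows Security log writes event 4624 for every successful logon, and LogonType 10 (RemoteInteractive) marks the RDP ones. The script below is an added example, not code from the article, from Wade or from Microsoft. It reviews 4624 records for RDP logons to a given account that occurred after a known password-change time and came from a source address outside an allow-list. The records are constructed here in a simple key=value form that mirrors the 4624 fields (TimeCreated, EventID, TargetUserName, LogonType, IpAddress); a real deployment would feed it records exported from the Security log, and the exact TargetUserName format for a Microsoft account or Entra ID user is an assumption you would confirm against your own logs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Set

# Windows Security log: event 4624 = successful logon.
# LogonType 10 = RemoteInteractive, i.e. a Remote Desktop session.
SUCCESSFUL_LOGON_EVENT_ID = 4624
LOGON_TYPE_REMOTE_INTERACTIVE = 10


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int
    user: str
    logon_type: int
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'Key=Value|Key=Value' record.

    This pipe-separated form is an assumption for the example; it is not how
    evtx stores events, but it carries the same 4624 field names.
    """
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return LogonEvent(
        time=datetime.fromisoformat(fields["TimeCreated"]),
        event_id=int(fields["EventID"]),
        user=fields["TargetUserName"],
        logon_type=int(fields["LogonType"]),
        source_ip=fields["IpAddress"],
    )


def rdp_logons_after_password_change(
    events: Iterable[LogonEvent],
    user: str,
    changed_at: datetime,
    known_sources: Set[str],
) -> List[LogonEvent]:
    """Return RDP logons for `user` at or after `changed_at` from unknown sources.

    A logon that still succeeds after the password was changed, from an address
    the account has never used, is exactly the case the article describes and
    is worth a manual look. Known addresses are kept out of the result to cut
    noise; remove the allow-list if you want every post-change RDP logon.
    """
    return [
        e
        for e in events
        if e.event_id == SUCCESSFUL_LOGON_EVENT_ID
        and e.logon_type == LOGON_TYPE_REMOTE_INTERACTIVE
        and e.user.lower() == user.lower()          # account names are case-insensitive
        and e.time >= changed_at
        and e.source_ip not in known_sources
    ]


# Constructed sample records (not real log data). The account's password is
# changed at 10:00 UTC; the 13:05 logon from 203.0.113.7 is the one to flag.
SAMPLE_RECORDS = [
    "TimeCreated=2025-05-01T08:00:00+00:00|EventID=4624|TargetUserName=alice|LogonType=10|IpAddress=192.0.2.10",
    "TimeCreated=2025-05-01T09:30:00+00:00|EventID=4624|TargetUserName=alice|LogonType=2|IpAddress=-",
    "TimeCreated=2025-05-01T12:15:00+00:00|EventID=4624|TargetUserName=alice|LogonType=10|IpAddress=192.0.2.10",
    "TimeCreated=2025-05-01T13:05:00+00:00|EventID=4624|TargetUserName=alice|LogonType=10|IpAddress=203.0.113.7",
    "TimeCreated=2025-05-01T13:20:00+00:00|EventID=4624|TargetUserName=bob|LogonType=10|IpAddress=203.0.113.7",
]
PASSWORD_CHANGED_AT = datetime(2025, 5, 1, 10, 0, tzinfo=timezone.utc)
KNOWN_SOURCES = {"192.0.2.10"}  # addresses alice normally connects from


def find_stale_credential_logons() -> List[LogonEvent]:
    """Run the check over the constructed sample for the account 'alice'."""
    events = [parse_event(line) for line in SAMPLE_RECORDS]
    return rdp_logons_after_password_change(
        events, "alice", PASSWORD_CHANGED_AT, KNOWN_SOURCES
    )


if __name__ == "__main__":
    for hit in find_stale_credential_logons():
        print(f"{hit.time.isoformat()} RDP logon for {hit.user} from {hit.source_ip} "
              f"after password change at {PASSWORD_CHANGED_AT.isoformat()}")
```

The check is deliberately narrow: it does not try to tell a cached-credential logon from a legitimate one with the new password, because the Security log records both as an ordinary 4624. What it gives a defender is the list of RDP sessions that need a second look after a password change, which is the visibility Wade says the platform does not currently provide on its own.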