GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

Notices

  1. Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 01-May-2025 21:31:57 JST
    • Kevin Beaumont
    • Taggart :donor:

    @GossiTheDog @mttaggart
    Yeah, I didn't have a local AD ready to test.
    But I could definitely see a difference with authenticating RDP using a local account vs. an online account.
    With local accounts, the instant the password changes, the RDP client needs the new password.
    For online accounts, the old password still works, indefinitely.

    In conversation about 11 days ago from gnusocial.jp
    • Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 01-May-2025 04:52:51 JST
      in reply to
      • Taggart :donor:

      @mttaggart
      I've seen no evidence that the RDP cred cache gets updated ever.
      Granted, I only started looking at this very recently, but the reporter seems to indicate that this is the case.

      In conversation about 12 days ago
    • Taggart :donor: (mttaggart@infosec.exchange)'s status on Thursday, 01-May-2025 04:52:51 JST
      in reply to

      @wdormann Okay so this is testable! Do I understand the claim correctly:

      The RDP cache, even when a machine is able to access a domain controller/Entra, will not update, thereby allowing old passwords to work for auth?

      In conversation about 12 days ago
    • Taggart :donor: (mttaggart@infosec.exchange)'s status on Thursday, 01-May-2025 04:52:52 JST

      Since @wdormann is quoted in this piece and I can't find Dan Wade's handle, I'm tagging him in.

      Is this suggesting that the RDP cred cache never gets updated? Ever ever?

      Also what's up with this?

      Old credentials continue working for RDP—even from brand-new machines.

      That makes no sense at all.

      https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that

      In conversation about 12 days ago
    • Taggart :donor: (mttaggart@infosec.exchange)'s status on Thursday, 01-May-2025 21:31:55 JST
      in reply to
      • Kevin Beaumont

      @wdormann @GossiTheDog But at any rate, with this configuration, I've confirmed that when I change my account password through account.microsoft.com or whatever, the old creds immediately cease to work for RDP access.

      In conversation about 11 days ago
    • Taggart :donor: (mttaggart@infosec.exchange)'s status on Thursday, 01-May-2025 21:31:56 JST
      in reply to
      • Kevin Beaumont

      @wdormann @GossiTheDog Labbing this up now

      In conversation about 11 days ago
    • Taggart :donor: (mttaggart@infosec.exchange)'s status on Thursday, 01-May-2025 21:31:56 JST
      in reply to
      • Kevin Beaumont

      @wdormann @GossiTheDog Okay well the first lesson I'm learning is that even setting up RDP for a Microsoft Account sucks

      In conversation about 11 days ago
    • Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 01-May-2025 21:31:56 JST
      in reply to
      • Kevin Beaumont
      • Taggart :donor:

      @mttaggart @GossiTheDog
      Really? I found it quite easy:
      1) log in to windows with a Microsoft account
      2) Turn on RDP
      🤷‍♂️

      In conversation about 11 days ago
    • Taggart :donor: (mttaggart@infosec.exchange)'s status on Thursday, 01-May-2025 21:31:56 JST
      in reply to
      • Kevin Beaumont

      @wdormann @GossiTheDog Not over here. Now maybe this is because I'm using the Win11-Enterprise image, but for a clean build, you have to make sure you log in a second time with a non-Hello method (which is now basically enforced on first login).

      And even then, I had to make sure to enable "Use a Web account" in the RDP client settings.

      In conversation about 11 days ago
    • Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 01-May-2025 21:32:25 JST
      in reply to
      • Kevin Beaumont
      • Taggart :donor:

      @mttaggart @GossiTheDog
      Hm, that all sounds different than what I tested.

      In conversation about 11 days ago
    • Taggart :donor: (mttaggart@infosec.exchange)'s status on Thursday, 01-May-2025 21:32:25 JST
      in reply to
      • Kevin Beaumont

      @wdormann @GossiTheDog Were you using Win 11 Enterprise? I also had to set up a "work account" in Entra—personal wouldn't do.

      In conversation about 11 days ago
    • Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 01-May-2025 21:32:25 JST
      in reply to
      • Kevin Beaumont
      • Taggart :donor:

      @mttaggart @GossiTheDog
      In my case:
      Windows 11 Enterprise with a local account initially (via BYPASSNRO)
      I added a Microsoft (hotmail.com) account.
      I then turned on RDP.
      That's all. Absolutely nothing else.

      If I log in via that hotmail account to RDP, it will accept the original cached password even if I change my hotmail account password.

      In conversation about 11 days ago

      Attachments

      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/429/420/945/735/068/original/f090a15060e8ba01.png

      2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/429/422/475/304/248/original/6caffd399e4feb41.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 01-May-2025 21:32:25 JST
      in reply to
      • Taggart :donor:

      @wdormann @mttaggart what happens if you turn passwordless on with the account, does it still accept the old password?

      In conversation about 11 days ago
    • Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 01-May-2025 23:36:48 JST
      in reply to
      • Kevin Beaumont
      • Taggart :donor:

      @GossiTheDog @mttaggart
      Not sure what you mean...
      My hotmail account is passwordless? (Locally it uses a PIN)

      Unless you're talking about something else?

      In conversation about 11 days ago
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 01-May-2025 23:36:48 JST
      in reply to
      • Taggart :donor:

      @wdormann @mttaggart in account.microsoft.com you can turn on passwordless, so your hotmail account has no password at all, MFA is used for access.

      But if you enable it, can you still RDP with the old password?

      In conversation about 11 days ago

GNU social JP is a social network, courtesy of GNU social JP管理人 (the GNU social JP administrator). It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.