Microsoft has confirmed that its Remote Desktop Protocol (RDP) allows users to log into Windows machines using passwords that have already been changed or revoked.
It sounds like if you’re using a remote authentication source such as AD or Entra, and that source isnt available, such as the laptop being disconnected from the internet, then the cached creds will still work.
This is the default behavior but you can disable that.
I don’t see the issue here, and it’s not really an RDP issue.
Additionally you should not turn on RDP and expose it to the internet, as you will get brute forced.
The way this is set up it also won’t get you “into” your account if Windows Hello is turned on and required, as the TPM requirement will verify the RSA type key won’t match on the backend? So you would get dumped at the login screen, allowing you to access the password reset screen, requiring you to use to password reset tool (needing the old password still) but then once reset the new password would sync with the hello pin/fingerprint/faceID as that machine is on the network, allowing the user to get back in remotely without having to physically show up at the machine. So it can save you a phone call or 2 to IT and keep a 2 factor authentication up to date remotely without locking the user out. (Not all of these authentication options are as good as others, but standardly you block the ones your company doesn’t want via group policy. )
I’m reading this and I’m wondering if it’s even an issue.
https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios
It sounds like if you’re using a remote authentication source such as AD or Entra, and that source isnt available, such as the laptop being disconnected from the internet, then the cached creds will still work.
This is the default behavior but you can disable that.
I don’t see the issue here, and it’s not really an RDP issue.
Additionally you should not turn on RDP and expose it to the internet, as you will get brute forced.
The way this is set up it also won’t get you “into” your account if Windows Hello is turned on and required, as the TPM requirement will verify the RSA type key won’t match on the backend? So you would get dumped at the login screen, allowing you to access the password reset screen, requiring you to use to password reset tool (needing the old password still) but then once reset the new password would sync with the hello pin/fingerprint/faceID as that machine is on the network, allowing the user to get back in remotely without having to physically show up at the machine. So it can save you a phone call or 2 to IT and keep a 2 factor authentication up to date remotely without locking the user out. (Not all of these authentication options are as good as others, but standardly you block the ones your company doesn’t want via group policy. )