According to the news story, Microsoft said the behavior is “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” As such, Microsoft said the behavior doesn’t meet the definition of a security vulnerability, and company engineers have no plans to change it.
Windows admins are often not aware of credential caching, said Johannes Ullrich, dean of research at the SANS Institute. “The feature is supposed to make it less likely for an admin to be logged out of their system. To prevent this, RDP will cache the last set of credentials used, in case the server is not able to connect back to the authentication server (which these days is often in the cloud). An administrator changing credentials in the cloud may find that the old credentials will still work as a result.”
To exploit this, Ullrich added, an attacker must first learn the old credentials, and they must use them before the administrator uses their new credentials. “Securing RDP is, however, a critical task, and not easy, even without this problem. Administrators must find ways to offer strong authentication and they must isolate RDP endpoints as much as possible,” he said.
