• Microsoft: “It’s Not A Bug, It’s A

    From Lawrence D'Oliveiro@21:1/5 to All on Wed Apr 30 23:36:04 2025
    XPost: alt.comp.os.windows-11

    Windows RDP is a mechanism for doing remote GUI logins to a Dimdows
    machine. It turns out that RDP has a “feature” whereby it continues to
    allow you to log in using an old password, even after that password
    has been revoked.

    Microsoft doesn’t seem to see this as a security issue at all:

    In response, Microsoft said the behavior is “a design decision
    to ensure that at least one user account always has the ability to
    log in no matter how long a system has been offline.” As such,
    Microsoft said the behavior doesn’t meet the definition of a
    security vulnerability, and company engineers have no plans to
    change it.

    Not only that, the problem had been reported to the company by another
    security researcher nearly two years earlier:

    "We originally looked at a code change for this issue, but after
    further review of design documentation, changes to code could
    break compatibility with functionality used by many applications."

    <https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From CrudeSausage@21:1/5 to Lawrence D'Oliveiro on Wed Apr 30 21:20:30 2025
    XPost: alt.comp.os.windows-11

    On 2025-04-30 19:36, Lawrence D'Oliveiro wrote:
    Windows RDP is a mechanism for doing remote GUI logins to a Dimdows
    machine. It turns out that RDP has a “feature” whereby it continues to
    allow you to log in using an old password, even after that password
    has been revoked.

    Microsoft doesn’t seem to see this as a security issue at all:

    In response, Microsoft said the behavior is “a design decision
    to ensure that at least one user account always has the ability to
    log in no matter how long a system has been offline.” As such,
    Microsoft said the behavior doesn’t meet the definition of a
    security vulnerability, and company engineers have no plans to
    change it.

    Not only that, the problem had been reported to the company by another
    security researcher nearly two years earlier:

    "We originally looked at a code change for this issue, but after
    further review of design documentation, changes to code could
    break compatibility with functionality used by many applications."

    <https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/>

    Geez, it's impossible to take them and their offerings seriously.

    --
    God be with you,

    CrudeSausage
    KDE & LibreOffice supporter
    John 14:6

  • From T@21:1/5 to Lawrence D'Oliveiro on Thu May 1 00:02:44 2025
    XPost: alt.comp.os.windows-11

    On 4/30/25 4:36 PM, Lawrence D'Oliveiro wrote:
    Windows RDP is a mechanism for doing remote GUI logins to a Dimdows
    machine. It turns out that RDP has a “feature” whereby it continues to
    allow you to log in using an old password, even after that password
    has been revoked.

    Microsoft doesn’t seem to see this as a security issue at all:

    In response, Microsoft said the behavior is “a design decision
    to ensure that at least one user account always has the ability to
    log in no matter how long a system has been offline.” As such,
    Microsoft said the behavior doesn’t meet the definition of a
    security vulnerability, and company engineers have no plans to
    change it.

    Not only that, the problem had been reported to the company by another
    security researcher nearly two years earlier:

    "We originally looked at a code change for this issue, but after
    further review of design documentation, changes to code could
    break compatibility with functionality used by many applications."

    <https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/>
    This does not pass the stink test.
