this post was submitted on 01 May 2025

Even after users change their account password, however, it remains valid for RDP logins indefinitely. In some cases, Wade reported, multiple older passwords will work while newer ones won’t. The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.

[–] Kissaki 1 points 1 week ago* (last edited 1 week ago)

> If it can’t reach the IDP

But also when being able to reach the IDP, no?

I don't see how being able to use passwords previous to the previous makes any sense even with that in mind.

When the PC can connect to the IDP, I would expect it to validate against that one and only that one.