Revoked Microsoft RDP Passwords Still Work: A Persistent Backdoor

By Jane Smith – Jun 15, 2025
IT’S A FEATURE, NOT A BUG
Windows Remote Desktop Protocol (RDP) continues to accept revoked Microsoft and Azure account passwords for remote logins, even after users have changed them. Independent researchers and security experts warn this behavior amounts to a silent backdoor, bypassing cloud verification, multi-factor authentication, and Conditional Access policies.
How RDP Password Caching Works
The root cause is credential caching on the local machine. When a user first logs in via RDP with a Microsoft or Azure AD account, Windows performs an online validation of the password. Once confirmed, the system stores a verifier — a cryptographically hashed credential blob — in the Local Security Authority (LSA) secrets store. Subsequent logins compare the entered password against this local cache, without consulting Azure AD or Entra ID.
- First online validation: RDP calls Advapi32::LogonUserExExW to authenticate against Azure AD.
- Cache storage: LSA secrets hold the NT hash and salt, encrypted with the system’s DPAPI master key.
- Offline validation: RDP login checks the locally stored NT hash via the MSV1_0 authentication package.
Because the cache isn’t updated when the cloud password changes, revoked credentials remain valid indefinitely for RDP access.
Researcher Findings and Microsoft’s Response
On April 8, 2025, researcher Daniel Wade filed a detailed report with the Microsoft Security Response Center (MSRC), demonstrating:
- Old passwords grant RDP access from new, never-used devices.
- No alerts in Microsoft Defender, Azure AD sign-in logs, or Conditional Access policies.
- New passwords sometimes fail while older ones continue working.
- Absence of user-facing tools to invalidate cached credentials.
Microsoft classified the behavior as a “design decision” to ensure at least one account can log on if the machine is offline for extended periods. The company updated its documentation on May 2, 2025, but stopped short of providing mitigation guidance beyond noting the caching caveat.
Latest Advisory from Cybersecurity Authorities
On June 1, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued CSA 25-164, warning enterprise admins to review RDP caching configurations. The advisory recommends:
- Auditing LSA secret stores for legacy credential blobs.
- Implementing Azure AD Seamless SSO with Windows Hello for Business to avoid password caching.
- Using Just-In-Time (JIT) access in Azure Privileged Identity Management (PIM).
Technical Deep Dive: LSA and DPAPI Mechanics
Windows uses the Data Protection API (DPAPI) to encrypt LSA secrets. Each secret is wrapped by a system-wide machine master key, stored in %SystemRoot%\System32\Microsoft\Protect\MachineKeys. When a password is set or changed:
- LSA store update: Local logon updates LSA secrets if offline; RDP logon does not.
- Master key rotation: Windows rotates DPAPI master keys only when the machine OS is re-provisioned or the user profile is deleted.
- Cache invalidation: No built-in mechanism ties secret refresh to Azure AD password change events.
This gap means that any password ever successfully used over RDP remains valid until the LSA secret is manually purged or the machine is reimaged.
Mitigation Strategies and Best Practices
Security professionals recommend several countermeasures:
- Disable CacheCredentials via Group Policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options).
- Enforce NTLMMinClientSec and NTLMMinServerSec to require session signing and encryption.
- Deploy Azure AD Conditional Access policies that block legacy authentication and enforce MFA on all RDP sessions through the Azure AD Application Proxy.
- Regularly rotate machine-level DPAPI master keys by rejoining the domain or rebuilding the host OS.
- Use Windows Hello for Business or FIDO2 security keys to eliminate password-based logins.
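As an added example (this is not code from the article, and not a Microsoft-provided tool), the PowerShell script below audits the host-side settings behind the first two countermeasures and, with -Remediate, applies the hardened values. It assumes that the "CacheCredentials" policy the article refers to corresponds to the "Interactive logon: Number of previous logons to cache" setting, which is backed by the CachedLogonsCount value under the Winlogon key, and that the NTLM minimum-security values live under Lsa\MSV1_0 as NtlmMinClientSec and NtlmMinServerSec; the expected values and the bit layout used for comparison are my choices, not the article's.

```powershell
<#
  Added example: audit (and optionally enforce) the local settings that the
  mitigation list refers to. Auditing only reads the registry; -Remediate
  writes to HKLM and therefore needs an elevated session.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Apply the hardened values instead of only reporting the current state.
    [switch]$Remediate
)

# Assumption: the article's "CacheCredentials" policy is taken to be
# "Interactive logon: Number of previous logons to cache", stored as the
# REG_SZ value CachedLogonsCount. "0" disables cached domain/cloud logons.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$msv10    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 0x20080000 = NTLMv2 session security (0x00080000) + 128-bit encryption (0x20000000).
$ntlmMinSec = 0x20080000

$checks = @(
    @{ Path = $winlogon; Name = 'CachedLogonsCount'; Expected = '0';         Type = 'String' }
    @{ Path = $msv10;    Name = 'NtlmMinClientSec';  Expected = $ntlmMinSec; Type = 'DWord'  }
    @{ Path = $msv10;    Name = 'NtlmMinServerSec';  Expected = $ntlmMinSec; Type = 'DWord'  }
)

function Get-SettingState {
    param([hashtable]$Check)
    $current = $null
    if (Test-Path $Check.Path) {
        $prop = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $current = $prop.($Check.Name) }
    }
    # REG_DWORD values above 0x7FFFFFFF come back as negative Int32; mask to
    # an unsigned value before testing that every required bit is set.
    $compliant = if ($Check.Type -eq 'DWord') {
        ($null -ne $current) -and
        ((([int64]$current -band 0xFFFFFFFF) -band $Check.Expected) -eq $Check.Expected)
    } else {
        "$current" -eq "$($Check.Expected)"
    }
    [pscustomobject]@{
        Key       = $Check.Path
        Name      = $Check.Name
        Current   = if ($null -eq $current) { '<absent>' } else { $current }
        Expected  = $Check.Expected
        Compliant = $compliant
    }
}

$results = foreach ($c in $checks) { Get-SettingState -Check $c }
$results | Format-Table -AutoSize

if ($Remediate) {
    foreach ($c in $checks) {
        $state = $results | Where-Object { $_.Name -eq $c.Name }
        if ($state.Compliant) { continue }
        if ($PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", "set to $($c.Expected)")) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type $c.Type
        }
    }
    Write-Host 'Values written; they apply to new logon sessions, and a reboot is the safest way to enforce them.'
}
```

Run it without arguments to get a compliance table, or with -Remediate -WhatIf to see what would change before committing. Two caveats follow from the article itself: setting the cached-logon count to 0 removes the offline-logon fallback Microsoft cites as the reason for the design, so domain or cloud accounts will not be able to sign in while the host cannot reach the identity provider; and raising the NTLM minimum security can break the legacy clients (Citrix, third-party VPNs) mentioned later in the article. In a domain, deploy these values through Group Policy rather than local registry edits, since policy refresh will overwrite local changes.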
Industry Implications and Future Outlook
The persistence of revoked passwords in RDP challenges fundamental security assumptions about credential handling. As enterprises accelerate hybrid work deployments, overlooked local caching mechanisms undermine cloud-native identity protections. Microsoft has indicated no plans for a code fix, citing backward compatibility with legacy applications such as Citrix and third-party VPNs that rely on local NTLM authentication.
Moving forward, industry experts predict:
- Expansion of Zero Trust frameworks to include local cache invalidation.
- A surge in third-party RDP alternatives offering real-time cloud verification (e.g., RustDesk, Parsec).
- Stronger audit requirements in compliance standards (PCI DSS, HIPAA) for credential cache management.
Conclusion
While Microsoft labels the behavior a “feature,” security teams must treat RDP credential caching as a potential backdoor. Administrators should audit, restrict, and monitor local secrets stores, adopt passwordless authentication, and integrate RDP access with Azure AD’s continuous access evaluation. Until Microsoft introduces a remediation, elevated vigilance around legacy credential handling remains the best defense.