Windows RDP lets you log in using revoked passwords. Microsoft is OK with that. arstechnica.com/security/…

From the department of head scratches comes this counterintuitive news: Microsoft says it has no plans to change a remote login protocol in Windows that allows people to log in to machines using passwords that have been revoked.

In response, Microsoft said the behavior is “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” As such, Microsoft said the behavior doesn’t meet the definition of a security vulnerability, and company engineers have no plans to change it.

Even after users change their account password, however, it remains valid for RDP logins indefinitely. In some cases, Wade reported, multiple older passwords will work while newer ones won’t. The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.
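For defenders who want to see whether a given host kept accepting RDP logons for an account after its password was reset, here is an added PowerShell check (not from the article or from Microsoft). It assumes the Security log is readable (run elevated) and that the password-change timestamp comes from your own directory's audit trail; the account name and timestamp below are constructed placeholders.

```powershell
# Added example: list RDP (RemoteInteractive, LogonType 10) logons on this host
# that occurred after the account's password was changed.
param(
    [string]$Account = 'alice',                              # constructed placeholder
    [datetime]$PasswordChangedAt = '2025-05-01T12:00:00Z'    # constructed placeholder
)

# Event 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10' and Data[@Name='TargetUserName']='$Account']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt $PasswordChangedAt } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $e = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source  = $d.IpAddress
            AuthPkg = $d.AuthenticationPackageName
        }
    } | Format-Table -AutoSize
```

A logon made with the revoked password is recorded as an ordinary successful 4624, so the host log alone cannot tell which password was presented; treat the list as the set of sessions to correlate against your identity provider's sign-in records.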
