I've come across some information stating that all versions of Remote Desktop Protocol (RDP) allow users to log in even with expired or revoked passwords. Since we use RDP for support across all our stations, does that mean every station keeps these old logins cached?
5 Answers
Check out Microsoft's documentation on cached domain logon information. In short: every RDP client keeps a cache of all usernames and passwords ever entered, just in case you need to log in without a domain.
It's how Windows has been functioning for decades. This isn't a bug; it's intended behavior. To enhance security, avoid exposing your Windows machines directly to the internet, since cached credentials can pose a risk.
Windows does cache credentials by default. If your network's domain is available, any login attempt will verify against it. If not, it uses the cached credentials, but the cache doesn't track expiration. This setup has been the case for years, and it's not just RDP-related. If this behavior is a concern, you can disable it in the group policy settings.
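The setting the answer above refers to is the cached-logon count (`CachedLogonsCount` under the Winlogon registry key, the same value the "Interactive logon: Number of previous logons to cache" policy writes). Added example, not from the original answer: a PowerShell audit that reports which stations still cache credentials and optionally sets the count to 0; the station names are constructed and WinRM access to the stations is assumed.

```powershell
# Added example (not part of the original answer).
# Assumptions: you run this from an admin host with WinRM reachable on
# each station; the station names below are constructed placeholders.

function Get-CachedLogonSetting {
    # CachedLogonsCount is stored as REG_SZ; a missing value means the
    # Windows default of 10 cached logons.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw  = (Get-ItemProperty -Path $key -ErrorAction Stop).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CachedLogons   = $count
        ValueExplicit  = ($null -ne $raw)   # false => default in effect
        CachingEnabled = ($count -gt 0)
    }
}

function Set-CachedLogonCount {
    param([ValidateRange(0, 50)][int]$Count = 0)
    # 0 disables caching entirely; this is the same setting the GPO
    # "Interactive logon: Number of previous logons to cache (in case
    # domain controller is not available)" controls. Written as a string
    # to match how Group Policy stores it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $key -Name 'CachedLogonsCount' `
        -Value ([string]$Count) -Type String
    Get-CachedLogonSetting
}

# Constructed station list; replace with your own inventory.
$Stations = @('STATION01', 'STATION02', 'STATION03')

# Audit every station and show which ones still cache credentials.
$report = Invoke-Command -ComputerName $Stations `
    -ScriptBlock ${function:Get-CachedLogonSetting}
$report | Sort-Object ComputerName |
    Format-Table ComputerName, CachedLogons, ValueExplicit, CachingEnabled

# Remediate only where caching is enabled. Machines that must log on
# without a reachable domain controller (laptops) need a non-zero value.
$report | Where-Object CachingEnabled | ForEach-Object {
    Invoke-Command -ComputerName $_.ComputerName `
        -ScriptBlock ${function:Set-CachedLogonCount} -ArgumentList 0
}
```

A station whose `CachedLogons` is still 10 with `ValueExplicit` false has never had the policy applied, which is the usual finding on support workstations.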
It's not a bug; this issue has been discussed before. It's not exclusive to RDP either. Windows has operated this way consistently.
Yup, this is definitely a feature in Windows.