Researchers found flaws in RDP but Microsoft said it was a new feature, not a vulnerability
Microsoft’s Remote Desktop Protocol supports Network Level Authentication (NLA), which is designed to authenticate users and provide remote desktop security. In theory, if the user does not actively share the necessary authentication information to others, other people or attackers naturally cannot operate the remote session. However, some researchers have found that Microsoft adjusts the authentication process in Windows 10 Version 1903 and may allow attackers to remotely control it.
After the network level authentication is enabled in the old version, the user can successfully connect to the remote session, but after connecting, enter the password of the host on the login interface. In Windows 10 Version 1903, after the user first connects to the remote session, the authentication system caches the login credentials to the host. If the user disconnects, the user can reconnect to the remote desktop session and log in automatically, without the user entering the username and password of the host. To make matters worse, the researchers also found that the new version of network-level authentication can even log in to the controlled device directly around the multi-factor authentication system.
After the issue was notified to Microsoft, the company said it was not a vulnerability but a new feature that was designed to simplify the user process and improve the user experience. The user needs to provide an account and password when connecting for the first time. If multi-factor authentication is enabled, you need to enter the corresponding verification code to connect. After that, the login credentials are cached and can be used directly. Since the previous steps have already determined the user’s identity, there is no need to verify the multi-factor verification code again. Based on this, Microsoft will not release any security updates at least for the time being, and it will not improve the problem after evaluation. After all, this is a new feature.
Of course, we also hope that Microsoft can issue announcements in advance when adjusting the strategy related to security issues, and then the user chooses which method to use.
Via: nakedsecurity