The new authentication mechanism caches the client's login credentials on the RDP host so that the client can log in again quickly when it loses its connection. This change allows an attacker to bypass the Windows lock screen.
In this regard, NakedSecurity has issued a warning referring to the CERT Coordination Center (CERT/CC), which has already given a detailed description of the issue in security bulletin VU#576688.
As a result, a reconnected RDP session is restored to the unlocked desktop rather than being left on the lock screen, which means that the remote system can be unlocked without manually entering any credentials.
(Figure from: CERT)
Worse still, this vulnerability allows an attacker to bypass multi-factor authentication (MFA) systems. Microsoft, however, regards it as a special RDP feature. The company responded:
After investigation, we believe that this is in line with Microsoft's Windows Security Service Standard. This example refers to the Network-Level Authentication (NLA) supported by Windows Server 2019.
NLA requests user information early in the connection and uses the same identity credentials when the user enters the session (or reconnects).
As long as it is connected, the client caches the credentials and uses them when it needs to reconnect automatically (thus bypassing NLA).
CERT points out that, since Microsoft only acknowledges this as a feature rather than a bug, it will not provide any fix soon. Users are therefore advised to rely on the lock screen of the local machine rather than locking the remote desktop session.