Microsoft recently introduced a change in Windows 10 version 1803 and Windows Server 2019 that affects how locked RDP sessions behave on reconnect. After a temporary network disconnect, the RDP client now automatically reconnects and unlocks the session using cached credentials, without prompting the user to reauthenticate.

This change prevents additional credential providers from inserting an authentication step when a reconnected RDP session is unlocked. Windows now relies solely on the cached credentials to unlock the session, bypassing the prompts that would normally appear.


To clarify, this is not a vulnerability in the Mi-Token application itself. It is an issue caused by Microsoft's implementation, which removes an authentication touchpoint that Mi-Token and other credential providers rely on.

We strongly suggest disabling Automatic RDP Reconnection on your servers so that sessions cannot be unlocked without reauthentication after a reconnect.

Additionally, implementing a secondary login mechanism such as Mi-Token CP on client machines mitigates the unauthorized access that this issue allows.


The Automatic Reconnection feature can be turned off in Windows Group Policy by setting the "Automatic reconnection" policy to Disabled:

1. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections

2. Select Automatic reconnection

3. Set the policy's state to "Disabled"
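As an added example (not from this article and not Mi-Token's own tooling), the following PowerShell audits and remediates the same setting on a Remote Desktop Session Host by writing the registry value that the "Automatic reconnection" policy controls. The policy key path and the value name fDisableAutoReconnect are Microsoft's; the function names are this example's own.

```powershell
# Added example: audit and remediate the "Automatic reconnection" policy.
# The Group Policy setting described above is stored as the REG_DWORD value
# fDisableAutoReconnect under the Terminal Services policy key; a value of 1
# corresponds to the policy state "Disabled" (no automatic reconnection).
# Function names (Get-RdpAutoReconnectState, Disable-RdpAutoReconnect) are
# this example's own, not Microsoft's or Mi-Token's.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fDisableAutoReconnect'

function Get-RdpAutoReconnectState {
    # Returns 'Disabled' when the policy forbids automatic reconnection,
    # 'Enabled' when it explicitly allows it, and 'NotConfigured' when the
    # value is absent (Windows then falls back to its default of reconnecting).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-RdpAutoReconnect {
    # Creates the policy key if needed and sets fDisableAutoReconnect to 1.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set to 1 (Disabled)')) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
    }
}

# Audit first, remediate only when needed, then re-check the result.
$before = Get-RdpAutoReconnectState
Write-Host "Automatic reconnection policy before: $before"
if ($before -ne 'Disabled') {
    Disable-RdpAutoReconnect   # append -WhatIf to preview without changing anything
    Write-Host "Automatic reconnection policy after:  $(Get-RdpAutoReconnectState)"
}
```

Writing the value directly produces the same effective setting as the Local Group Policy Editor, but the editor's UI reads its own Registry.pol file and will not reflect a direct registry change; on domain-joined servers, deploy the setting through a GPO instead. Run the script from an elevated PowerShell session, since the policy key is under HKLM.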

See CERT/CC VU#576688 (https://kb.cert.org/vuls/id/576688) for more technical details on this vulnerability introduced by Microsoft's design change. We want to make customers aware of changes like this that can impact integrated security tools.