Windows RDP lets you log in using revoked passwords. Microsoft is OK with that.
Briefly

Microsoft and Azure accounts that have signed in to a Windows machine can still grant RDP access with revoked passwords. When such an account is compromised and its password changed, the old password remains valid for RDP logon to that machine indefinitely. Users can therefore unknowingly leave a backdoor for attackers, who can reach the system without any valid online credentials. Security experts criticize this behavior, saying it undermines trust in password changes, since an old password should no longer grant access anywhere. The behavior stems from the credential caching mechanisms on Windows systems.
This creates a silent, remote backdoor into any system where the password was ever cached, and Windows will still trust the password.
It doesn't make sense from a security perspective. If I'm a sysadmin, I'd expect that the moment I change the password, the old credentials cannot be used anywhere.
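As an added example from the defender's side (this script is not from the Ars Technica article, Microsoft, or the quoted experts), the following PowerShell inventories two things on a Windows host that matter for the behavior described above: the Winlogon CachedLogonsCount value, which is the standard knob for how many logon verifiers Windows keeps for offline logon, and the successful RDP logons (Security event 4624, logon type 10) from the past seven days, with the source address and authentication package of each. It assumes CachedLogonsCount is the relevant caching setting for the host under review; the summary only says "credential caching" is the underlying mechanism. Run it in an elevated session.

```powershell
# Added example, not from the article: audit cached-logon settings and recent RDP logons.
# Run as Administrator so the Security log is readable.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CachedLogonsCount: number of logon verifiers Winlogon keeps for offline logon (default 10).
# Assumption: this is the caching setting worth reviewing on this host.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (default; value not set)' }
Write-Output "CachedLogonsCount: $cached"

# Event 4624 = successful logon. Properties[8] is LogonType; 10 = RemoteInteractive (RDP).
# Properties[5]/[6] = target user/domain, [10] = authentication package, [18] = source IP.
$since = (Get-Date).AddDays(-7)
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            SourceIP    = $_.Properties[18].Value
            AuthPackage = $_.Properties[10].Value
        }
    }

Write-Output "RDP (type 10) logons since $since :"
$rdpLogons | Sort-Object Time -Descending | Format-Table -AutoSize
```

Reviewing the RDP logon list against the date of a password rotation is the practical check: an RDP logon for the rotated account from an unexpected source after that date is worth treating as a possible use of the old, still-cached password.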
Read at Ars Technica