Network Level Authentication

Network Level Authentication (NLA) is a feature of Remote Desktop Services (RDP Server) or Remote Desktop Connection (RDP Client) that requires the connecting user to authenticate themselves before a session is established with the server.

Originally, if a user opened an RDP (remote desktop) session to a server it would load the login screen from the server for the user. This would use up resources on the server, and was a potential area for denial of service attacks as well as remote code execution attacks (see BlueKeep). Network Level Authentication delegates the user's credentials from the client through a client-side Security Support Provider and prompts the user to authenticate before establishing a session on the server.

Network Level Authentication was introduced in RDP 6.0 and supported initially in Windows Vista. It uses the new Security Support Provider, CredSSP, which is available through SSPI in Windows Vista. With Windows XP Service Pack 3, CredSSP was introduced on that platform and the included RDP 6.1 Client supports NLA; however CredSSP must be enabled in the registry first.^[1]^[2]

Advantages

The advantages of Network Level Authentication are:

It requires fewer remote computer resources initially, by preventing the initiation of a full remote desktop connection until the user is authenticated, reducing the risk of denial-of-service attacks.
It allows NT Single sign-on (SSO) to extend to Remote Desktop Services.
It can help mitigate Remote Desktop vulnerabilities than can only be exploited prior to authentication. ^[3]

Disadvantages

No support for other credential providers
To use Network Level Authentication in Remote Desktop Services, the client must be running Windows XP SP3 or later, and the host must be running Windows Vista or later ^[4] or Windows Server 2008 or later.
Support for RDP Servers requiring Network Level Authentication needs to be configured via registry keys for use on Windows XP SP3.
Not possible to change password via CredSSP. This is a problem when "User must change password at next logon" is enabled or if an account's password expires.
Requires "Access this computer from the network" privilege, which may be restricted for other reasons.
The IP addresses of the clients trying to log in will not be stored in the security audit logs, making it harder to block brute force or dictionary attacks by means of a firewall.
Smart card authentication from one domain to another using a remote desktop gateway is not supported with NLA enabled on the end client.

References

^ "Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3". Archived from the original on 2017-09-18.
^ "Description of the Remote Desktop Connection 6.1 client update for Terminal Services". Microsoft. 2011-09-23. Retrieved 2020-05-07.
^ Simon Pope (2019-05-14). "Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)". Microsoft Security Response Center. Retrieved 2020-05-07.
^ "Configure Network Level Authentication for Remote Desktop Services Connections". Microsoft TechNet. 2009-11-17. Retrieved 2020-05-07.

External links

"Configure Network Level Authentication for Remote Desktop Services Connections". Microsoft TechNet.

"What types of Remote Desktop connections should I allow?". Microsoft Corporation. Archived from the original on 2016-06-08.

[1] "Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3". Archived from the original on 2017-09-18.

[2] "Description of the Remote Desktop Connection 6.1 client update for Terminal Services". Microsoft. 2011-09-23. Retrieved 2020-05-07.

[3] Simon Pope (2019-05-14). "Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)". Microsoft Security Response Center. Retrieved 2020-05-07.

[4] "Configure Network Level Authentication for Remote Desktop Services Connections". Microsoft TechNet. 2009-11-17. Retrieved 2020-05-07.

[1]

[2]

[3]

[4]