Network Level Authentication

Network Level Authentication (NLA) is a feature of Remote Desktop Services (RDP server) or Remote Desktop Connection (RDP client) that requires the connecting user to authenticate themselves before a session is established with the server. Originally, if a user opened an RDP (remote desktop) session to a server, it would load the login screen from the server for the user. This used up resources on the server and was a potential area for denial-of-service attacks as well as remote code execution attacks (see BlueKeep). Network Level Authentication delegates the user's credentials from the client through a client-side Security Support Provider and prompts the user to authenticate before establishing a session on the server. Network Level Authentication was introduced in RDP 6.0 and supported initially in Windows Vista. It uses the new Security Support Provider, CredSSP, which is available through SSPI in Windows Vista. With Windows XP Service Pack 3, CredSSP was introduced on that platform and the included RDP 6.1 client supports NLA; however, CredSSP must be enabled in the registry first.
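An added example, not from the original article: a PowerShell audit of whether an RDP host requires NLA, read both from the Remote Desktop Services CIM setting and from the registry value that backs it, with an optional switch to enforce it. It assumes a Windows Vista / Server 2008 or later host and an elevated session; the parameter name and output layout are this example's own.

```powershell
# Added example: report (and optionally enforce) Network Level Authentication
# for incoming RDP connections on this host. Assumes Vista/Server 2008 or
# later and an elevated PowerShell session (assumption, not from the article).
[CmdletBinding()]
param([switch]$Enforce)   # -Enforce is this example's own parameter name

# The setting Remote Desktop Services consults for the RDP-Tcp listener.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# The same setting as it appears in the registry (1 = NLA required).
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$regValue = (Get-ItemProperty -Path $regPath -Name UserAuthentication `
             -ErrorAction SilentlyContinue).UserAuthentication

# Both views should agree; a mismatch usually means a pending reboot or a
# listener that was reconfigured outside the supported interfaces.
[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    NlaRequired_Cim      = [bool]$ts.UserAuthenticationRequired
    NlaRequired_Registry = ($regValue -eq 1)
    Consistent           = ([bool]$ts.UserAuthenticationRequired -eq ($regValue -eq 1))
}

if ($Enforce -and -not $ts.UserAuthenticationRequired) {
    # 1 = require NLA. Existing sessions are unaffected; new connections from
    # clients without CredSSP (pre-XP SP3, or XP SP3 without the registry
    # change the article mentions) will be refused before the logon screen.
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Write-Host "NLA is now required for RDP-Tcp on $env:COMPUTERNAME"
}
```

Run it without `-Enforce` first across a fleet to find hosts still exposing the pre-authentication login screen; only then enable enforcement where every client is known to support CredSSP.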


Advantages

The advantages of Network Level Authentication are:

* It requires fewer remote computer resources initially, by preventing the initiation of a full remote desktop connection until the user is authenticated, reducing the risk of denial-of-service attacks.
* It allows NT single sign-on (SSO) to extend to Remote Desktop Services.
* It can help mitigate Remote Desktop vulnerabilities that can only be exploited prior to authentication.


Disadvantages

* No support for other credential providers.
* To use Network Level Authentication in Remote Desktop Services, the client must be running Windows XP SP3 or later, and the host must be running Windows Vista or later or Windows Server 2008 or later.
* Support for RDP servers requiring Network Level Authentication needs to be configured via registry keys for use on Windows XP SP3.
* It is not possible to change a password via CredSSP. This is a problem when "User must change password at next logon" is enabled or if an account's password expires.
* It requires the "Access this computer from the network" privilege, which may be restricted for other reasons.
* The IP addresses of the clients trying to log in will not be stored in the security audit logs, making it harder to block brute-force or dictionary attacks by means of a firewall.
* Smart card authentication from one domain to another using a remote desktop gateway is not supported with NLA enabled on the end client.


External links

* What types of Remote Desktop connections should I allow? (Microsoft Corporation; original URL http://windows.microsoft.com/en-us/windows/types-remote-desktop-connections-allow, now dead; archived 2016-06-08 at https://web.archive.org/web/20160608234056/http://windows.microsoft.com/en-us/windows/types-remote-desktop-connections-allow#1TC=windows-7)