Network Level Authentication is a feature of Remote Desktop software that requires users to authenticate themselves before they can connect to a PC remotely. A session cannot be established before authentication. The logon screen will also not appear until the authentication is done.
When a client initiates a remote desktop connection to the server with NLA enabled, the initial communication between the client and server involves a negotiation process. During this negotiation, the server presents its digital identity (certificate) to the client. The client verifies the authenticity of the server using this certificate. If the server is trusted, the client generates a challenge, encrypts it using the server's public key, and sends it back to the server.
Upon receiving the encrypted challenge, the server decrypts it using its private key. If the server successfully decrypts the challenge, it proves that it possesses the corresponding private key and is, therefore, a legitimate entity. The server then acknowledges the client as trustworthy and prompts the client to provide its credentials, such as a username and password.
The client securely sends its credentials to the server, encrypted using a session key that was established during the negotiation process. The server decrypts the credentials using the session key and verifies them against its user database. If the credentials are valid, the server allows the client to access the remote desktop environment.
How to activate network level authentication in a computer
By default, Network Level Authentication is normally turned off. This means you will have to enable it for you to use this feature. Only members of the local Administrators group can configure NLA.
Use this method to configure NLA on the host computer:
- Click the Windows Start button.
- Point to Administrative Tools.
- Point to Remote Desktop Services.
- Click Remote Desktop Session Host Configuration. You will see the option 'Connections'.
- Right-click the name of the connection, and then click Properties.
- On the General tab, select the check box 'Allow connections only from computers running Remote Desktop with Network Level Authentication'.
- Click OK.
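The same setting can be applied and verified from PowerShell instead of the GUI. This is an added example, not from the original article; it assumes an elevated PowerShell session on the host and the default listener name 'RDP-Tcp'.

```powershell
# Added example: require NLA on an RDP host from PowerShell.
# Assumes an elevated (Administrator) session on the host and the default
# listener 'RDP-Tcp'. Equivalent to the GUI check box described above.

$Listener = 'RDP-Tcp'
$TsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$WinStKey = Join-Path $TsKey "WinStations\$Listener"

# 1. Make sure Remote Desktop itself is allowed (fDenyTSConnections = 0).
Set-ItemProperty -Path $TsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord

# 2. Require NLA through the Terminal Services WMI/CIM provider.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                      -ClassName Win32_TSGeneralSetting `
                      -Filter "TerminalName='$Listener'"
$result = Invoke-CimMethod -InputObject $ts `
                           -MethodName SetUserAuthenticationRequired `
                           -Arguments @{ UserAuthenticationRequired = 1 }
if ($result.ReturnValue -ne 0) {
    throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)"
}

# 3. Verify through the registry values the GUI writes:
#    UserAuthentication = 1 -> NLA required
#    SecurityLayer      = 2 -> TLS (CredSSP runs over this layer)
$props = Get-ItemProperty -Path $WinStKey
[pscustomobject]@{
    Listener      = $Listener
    NlaRequired   = ($props.UserAuthentication -eq 1)
    SecurityLayer = $props.SecurityLayer
    RdpAllowed    = ((Get-ItemProperty $TsKey).fDenyTSConnections -eq 0)
}
```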
How to confirm whether a computer supports NLA
- Start Remote Desktop Connection.
- In the upper left corner of the Remote Desktop Connection dialog box, you will see an icon.
- Click this icon, then click About.
- Look for the phrase 'Network Level Authentication supported'.
- If you see this phrase, the PC supports NLA.
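The same check can be scripted on the client. This is an added example, not from the original article; it tests the two client prerequisites the article lists further down (Remote Desktop Connection 6.0 or later and the CredSSP provider), and assumes a standard Windows client where mstsc.exe lives under System32.

```powershell
# Added example: check a client PC for NLA support from PowerShell.
# Assumes mstsc.exe is in %SystemRoot%\System32 (standard Windows client).

function Test-NlaClientSupport {
    # Remote Desktop Connection 6.0 or later is the client-side requirement.
    $mstsc = Join-Path $env:SystemRoot 'System32\mstsc.exe'
    $info  = (Get-Item $mstsc).VersionInfo
    $rdcVersion = [version]"$($info.FileMajorPart).$($info.FileMinorPart)"

    # CredSSP must be registered as a security provider. Windows Vista and
    # later ship with it; on Windows XP SP3 it had to be added manually.
    $spKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
    $providers  = (Get-ItemProperty -Path $spKey).SecurityProviders
    $hasCredSsp = [bool]($providers -match 'credssp\.dll')

    [pscustomobject]@{
        RdcVersion        = $rdcVersion
        RdcAtLeast6       = ($rdcVersion -ge [version]'6.0')
        CredSspRegistered = $hasCredSsp
        NlaSupported      = ($rdcVersion -ge [version]'6.0') -and $hasCredSsp
    }
}

Test-NlaClientSupport
```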
Please note that some steps might differ slightly depending on the version of Windows you are using.
Importance of Network Level Authentication
The most obvious benefit of NLA is that it offers protection against cyber attacks, especially Denial of Service attacks. If a client computer that has not been authenticated is allowed to open a session on the host computer, it can consume the host's resources. With enough such clients, the host becomes overwhelmed and unusable. Now imagine many malicious computers trying to access the host computer at once.
NLA therefore makes it easy for IT professionals and even support staff to work within a secure environment. The chances of making errors, such as forgetting to double-check the authenticity of devices, are reduced.
This gives users peace of mind and frees them to focus on their work. They do not have to keep worrying about what can go wrong, since authentication is triggered automatically as soon as a connection is initiated.
NLA also protects against the exploitation of vulnerabilities in the remote desktop service, which is much easier when a session can be established before authentication.
Let’s go through the benefits in detail:
1. NLA prevents unauthorized access
NLA requires clients to authenticate themselves before establishing a remote desktop session. This prevents unauthorized users from gaining access to the host device, as they must provide valid credentials to proceed.
Any device that cannot be authenticated will not be granted access to any resources in the host computer.
2. Mitigates man-in-the-middle attacks
The negotiation process in NLA involves certificate-based authentication. This helps ensure that the client is connecting to the legitimate server and not an intermediary attacker.
Imagine what would happen if, for instance, an administrator were to connect to rogue devices remotely, thinking they were official machines owned by the company. From data loss to all manner of compromises, the consequences would be dire!
3. NLA reduces chances for Denial-of-Service (DoS) attacks
We mentioned this earlier. NLA helps to mitigate the risk of DoS attacks by requiring authentication before resource allocation. The server can allocate resources only to authenticated clients.
4. Safeguards against credential guessing
With NLA, an attacker cannot repeatedly attempt to guess a user's credentials without authenticating first, making it more challenging to perform brute-force attacks.
Credential guessing is a common trick used by attackers, and surprisingly, it often works. This is because many people use credentials that can be easily guessed. For example, many people use simple combinations such as their birth date plus their name. In such cases, the attacker only needs a clue about the user's name and can then try different birth dates.
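NLA rejects a bad guess during CredSSP pre-authentication, but the host still records each failure as Security event 4625, so a defender can watch for guessing bursts. The following is an added example, not from the original article; it assumes an elevated session on the RDP host and uses an assumed threshold of 10 failures per source.

```powershell
# Added example: count failed logons (Security event 4625) per source address.
# With NLA, an RDP credential failure is logged with logon type 3 (network)
# rather than type 10 (RemoteInteractive). Type 3 also covers other network
# logons such as SMB, so treat the result as a lead, not proof of RDP abuse.
# Assumes an elevated session on the host; Threshold is an assumed value.

function Get-LogonFailureBursts {
    param([int]$Hours = 1, [int]$Threshold = 10)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Pull the fields we need out of each event's XML payload.
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            LogonType = [int]$d['LogonType']
            User      = $d['TargetUserName']
            Source    = $d['IpAddress']
        }
    }

    $rows | Where-Object { $_.LogonType -in 3, 10 } |
        Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Users    = ($_.Group.User | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Failures -Descending
}

Get-LogonFailureBursts
```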
5. Optimized experience
Once authenticated, a secure connection is established. This automatically reduces the risk of data interception and ensures a safer remote desktop session.
A safe session enhances the experience of those using the server on one side and the client on the other side. One will not have to keep worrying about the authenticity of machines establishing remote connections to their PCs.
6. Client and host validation
NLA validates both the client and server identities. This provides mutual authentication, which ensures that both parties can trust each other.
A connection will not be established if either party is not authenticated.
7. Supports network efficiency
As NLA performs authentication before the remote desktop session starts, it reduces unnecessary network traffic from unauthorized access attempts.
Picture a case where many unauthorized clients are attempting to create sessions with a remote machine. If they were allowed to create connections before authentication, they would slow down the host PC, because they would be consuming its resources from the start.
8. The remote computer uses only a few resources at the beginning
At the initial stages before the client is authenticated, the remote computer requires just a small amount of resources to initiate the process. This is because it is not going to start a full connection as is the case when NLA is not enabled.
Weaknesses of NLA
- There are restrictions around the operating system that the computers involved must be using. For example, some versions of Windows may not support NLA.
- NLA may be less straightforward for users who are not familiar with certificate-based authentication.
- NLA requires network connectivity during the authentication and negotiation process. If there are network interruptions or latency issues, it could impact the connection experience.
- Deploying and managing certificates on both the server and client sides can be challenging, especially in large-scale environments.
- While NLA enhances network security, it might also limit access for some legitimate users who may not have compatible devices or face difficulties with the certificate-based authentication process.
- NLA might not be fully compatible with certain single sign-on (SSO) solutions or require additional configuration to integrate seamlessly.
Best practices for NLA on Remote Desktops
If you are part of a tech team that is always working with many computers remotely, you definitely understand the cyber threats that can come with remote desktop sessions. As a result, it is in your best interest to ensure that NLA is always working perfectly well.
The following best practices will go a long way.
1. Check that the end user machines can support NLA
You must never establish a session with a remote computer before ensuring that it supports Network Level Authentication.
Without checking, you might find yourself connecting to machines that could potentially expose your organization's network to threats. It's simple to do this: just ask the user of the computer you want to access remotely to confirm whether their device actually supports NLA.
Guide them until you are able to confirm that indeed their computer supports NLA. Please refer to the above section where we covered how to do this. Take them through the same steps.
2. Train the user
Well, it's always good to ensure that the end user of the computer you want to establish a connection with understands the basics of dealing with NLA. You want them to be able to know what to do in order to enable the NLA feature. You want them to understand the small things that could surprise them.
For example, inform them that once the remote connection is initiated, they will see a message popping up on their screen, and they'll need to act on it for the connection to work.
Explain to them what the message is for — that it's meant for authentication purposes.
Without this kind of education, a message suddenly showing up can alarm the user if they do not understand what it's about. Let them know that authentication means the session is safe for everyone involved, as it prevents potential attacks from cyber criminals.
3. Confirm permissions
Some organizations, especially the large ones with thousands of employees, normally have different permissions for different devices.
For example, you might find that only some computers are allowed to connect remotely, or only permitted employees can have their devices accessed remotely.
The point here is to make sure that the devices that need to connect are in the list of devices that are permitted to establish remote connections. This will save you a lot of time.
What is required for NLA to work?
Certain basic things are needed for Network Level Authentication to come to life. These are the most important items.
1. Operating system
The operating system of the client device must be Windows 7, Windows Vista, or Windows XP with Service Pack 3. The OS must also support the CredSSP protocol — Credential Security Support Provider.
The host device must be operating on Windows Server 2008 R2 or Windows Server 2008.
2. Remote Desktop Protocol (RDP)
RDP is a proprietary protocol developed by Microsoft that facilitates remote access and control of a computer's desktop over a network.
The client device ought to be running at least Remote Desktop Connection 6.0.
Both the client and the server (host) must support RDP.
3. Network connectivity
Both the client and server must have network connectivity to establish a remote desktop connection and negotiate the NLA process securely.
Obviously, the network must also be stable throughout the session. Otherwise the users on both ends can have an unpleasant experience.
4. Digital certificates
NLA relies on certificates. The server must have an SSL certificate installed to prove its identity to the client during the negotiation process. Clients must also trust the server's certificate.
5. User credentials
To complete the NLA process, users attempting to access the remote desktop must provide valid credentials (username and password or other authentication methods like smart cards or multi-factor authentication).
6. Proper firewall configuration
Firewalls on both the client and server sides should be configured to allow the necessary traffic for remote desktop connections, including the negotiation process required for NLA.
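Checking and enabling the host-side rules can be scripted. This is an added example, not from the original article; it assumes Windows 8 / Server 2012 or later, where the NetSecurity module and the built-in 'Remote Desktop' rule group exist.

```powershell
# Added example: report the inbound Remote Desktop firewall rules on the host
# and enable them on the Domain and Private profiles only. The NLA/CredSSP
# negotiation runs inside the same TCP 3389 connection, so no extra port is
# needed. Assumes Windows 8 / Server 2012 or later (NetSecurity module).

function Get-RdpFirewallStatus {
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
    foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $r.DisplayName
            Enabled  = $r.Enabled
            Profiles = $r.Profile
            Action   = $r.Action
            Protocol = $port.Protocol
            Port     = $port.LocalPort
        }
    }
}

# Show the current state first.
Get-RdpFirewallStatus | Format-Table -AutoSize

# Enable any disabled rule in the group, but keep RDP off the Public profile
# so the listener is not reachable from untrusted networks.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Where-Object { $_.Enabled -ne 'True' } |
    Set-NetFirewallRule -Enabled True -Profile Domain, Private

# Confirm the change.
Get-RdpFirewallStatus | Format-Table -AutoSize
```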
A Network Level Authentication policy will smooth things
It's imperative that NLA is implemented for all remote device access environments. Whether it's employees who need to access their office computers from outside the company premises, or administrators supporting colleagues or clients remotely, you need to think seriously about implementing a Network Level Authentication policy.
Incorporate the policy into your wider network security policy, and make sure employees and partners are well aware of it. This way, NLA will always be at the top of everyone's mind when preparing for a remote desktop session.