Network Level Authentication
Network Level Authentication is a technology used in Remote Desktop Services (RDP server) or Remote Desktop Connection (RDP client) that requires the connecting user to authenticate before a session is established with the server. Originally, opening an RDP session to a server loaded the server's login screen for the client. This consumed resources on the server before any credential had been checked, and was a potential vector for denial-of-service attacks. NLA instead delegates the user's credentials from the client through a client-side Security Support Provider and prompts the user to authenticate before a session is established on the server.

Network Level Authentication was introduced in RDP 6.0 and supported initially in Windows Vista. It uses the new Security Support Provider, CredSSP, which is available through SSPI in Windows Vista. With Windows XP Service Pack 3, CredSSP was introduced on that platform and the included RDP 6.1 client supports NLA; however, CredSSP must be enabled in the registry first.

Advantages

The advantages of Network Level Authentication are:
  • It requires fewer remote computer resources initially, by preventing the initiation of a full remote desktop connection until the user is authenticated, reducing the risk of denial-of-service attacks.
  • It allows NT single sign-on (SSO) to extend to Remote Desktop Services.

Disadvantages

  • No support for other credential providers.
  • Like any SSO scheme, it suffers from the 'keys to the castle' problem: the delegated credential grants access to everything the account can reach.
  • To use Network Level Authentication in Remote Desktop Services, the client must be running Windows XP SP3 or later, and the server must be running Windows 7 or Windows Server 2008.
  • Support for RDP servers requiring Network Level Authentication needs to be configured via registry keys for use on Windows XP SP3.
  • It is not possible to log on and change the password when "User must change password at next logon" is enabled on the user account.
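The article notes that NLA enforcement and CredSSP support are registry-driven. The following PowerShell is an added example, not text or code from the encyclopedia article or from Microsoft, for auditing whether an RDP listener requires NLA and, optionally, enforcing it. It assumes (per Microsoft's documented Terminal Server configuration, treated here as an assumption) that the RDP-Tcp listener stores the requirement in the DWORD value `UserAuthentication` (1 = NLA required) alongside `SecurityLayer` (0 = RDP security, 1 = negotiate, 2 = TLS); the function names `Get-NlaStatus` and `Set-NlaRequired` are hypothetical.

```powershell
# Added example (not from the article): audit and optionally enforce Network
# Level Authentication on the local RDP listener. Run in an elevated session.
# Assumption: the RDP-Tcp listener keeps the NLA requirement in the DWORD
# 'UserAuthentication' (1 = required, 0 = not required) and the transport
# security choice in 'SecurityLayer' (0 = RDP, 1 = negotiate, 2 = TLS).

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-NlaStatus {
    # Returns an object describing whether the listener requires NLA.
    $props = Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication, SecurityLayer -ErrorAction Stop
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        NlaRequired   = ($props.UserAuthentication -eq 1)
        SecurityLayer = $props.SecurityLayer
    }
}

function Set-NlaRequired {
    # Requires NLA for new RDP connections. Clients older than RDP 6.1, or
    # XP SP3 clients without CredSSP enabled, can no longer connect afterwards,
    # which is the compatibility caveat the article's disadvantages list describes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($RdpTcpKey, 'Set UserAuthentication = 1')) {
        Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
    }
}

$status = Get-NlaStatus
$status | Format-List
if (-not $status.NlaRequired) {
    Write-Warning 'RDP listener does not require NLA: unauthenticated clients reach the logon screen before any credential check.'
    # Preview the change first; drop -WhatIf to apply it.
    Set-NlaRequired -WhatIf
}
```

`Get-NlaStatus` is safe to run anywhere as a read-only check and can be wrapped in `Invoke-Command` for fleet-wide audits; `Set-NlaRequired` is gated behind `ShouldProcess` so the `-WhatIf` call above only reports what would change, matching the article's point that requiring NLA trades client compatibility for refusing unauthenticated sessions.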

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.