Group Policy Quick Tip – Enable Remote Desktop Network Level Authentication

Following our last tip, today’s Group Policy Quick Tip is about adding additional security to Remote Desktop sessions on your computers.  Normally, an RDP session is established before authentication takes place.  Enabling Network Level Authentication (NLA) allows authentication to take place before the RDP session is established.

Why would you want to set this policy?

  • Using NLA secures your Remote Desktop sessions by requiring that remote client authenticate earlier.  A number of recent RDP exploits (and I’m sure future ones) were preventable if you had NLA enabled.

Where is the policy located?

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Require user authentication for remote connections by using Network Level Authentication

Configurable Options

  • Enabled – Only clients that support Network Level Authentication will be able to connect to RDS on the local system.
  • Disabled – Network Level Authentication is not required.

Supported Operating Systems/Software

  • Windows Vista and up

Gotchas and Other Considerations

  • Your RDP client must support the RDP 6.0 protocol.  Any Windows 7, Vista, or XP SP3 box should work.  The latest RDP client for Mac will work also.

Leave a Reply