What is Network Level Authentication?

Network level authentication is used for authenticating Remote Desktop services, such as Windows RDP, and Remote Desktop Connection (RDP Client). You might also hear it called front authentication. This article will cover what network level authentication is for, how it’s used, and how to enable and disable network level authentication in a specific environment. Let’s dive in!

What is Network Level Authentication (NLA) used for?

Before you can start a remote desktop session, the user will need to authenticate themselves – ie, prove that they are who they say they are. Using network level authentication means that a false connection can’t be made, which would use up CPU and cause a strain on the resources of the network. This offers a level of security against some cyberattacks such as Denial of Service attacks, where multiple requests are made all at once towards a network, overwhelming its ability to cope. To combat this, you can turn on network level authentication to authenticate the user’s credentials before starting a remote access session. If the user’s credentials aren’t authenticated, then the connection is simply denied.

How Can I Enable Network Level Authentication?

Excited about the security benefits of using network level authentication? Be careful, this feature is not automatically turned on, you’ll need to make sure you have turned it on manually if you want to benefit from it. In contrast, if you don’t want to use network level authentication, you should check that it’s turned off. There are a couple of ways to do this – you can choose the one that works for you. Of course, if you’re working remotely, you’ll need to ask your customers to follow these paths.

Remote Desktop Settings

The first option is to go to Settings in your Start menu, and choose Remote Desktop. Now click Enable Remote Desktop ON, and Confirm with the pop up window. Click into the Advanced Settings, and select the option that says Require computers to use Network Level Authentication to connect.

System and Security Settings

You can also access this setting under system and security, which you can find under the Control Panel of your machine. Click on System and Security, followed by the Allow Remote Access option. Now click on Remote, Remote Desktop, and you’ll see an option called Allow remote connections to this computer. You will also see Allow connections only from computers running Remote Desktop with Network Level Authentication.

Can I Use Scripts to Disable Network Level Authentication?

You know how much we love automation and scripting at Atera! Here’s how you can use PowerShell to disable NLA if you’ve decided it doesn’t work for your business context.
Use the Windows Key and S to launch the search bar and then redirect to PowerShell as the administrator. Then execute the following command:

$TargetMachine = “Target-Machine-Name”
(Get-WmiObject -Cclass “Win32_TSGeneralSetting” – Namespac root\cimv2\terminalServices-ComputerName $TargetMachine – filter “TerminalName =’RDP-tcp”) .SetUserAuthenticationRequired (0)

If you prefer to use Properties to disable NLA, you can do that as well, by choosing the Windows key and the letter R, and typing sysdm.cpl, followed by Enter. You’ll be taken to system properties, where you can choose the Remote tab. Here, just uncheck the option that says “Allow connections only from computers running Remote Desktop with Network Level Authentication”. Note that it will say it’s recommended to keep this option toggled on. Don’t forget to Apply changes to make sure that the settings are saved.

Can Anyone Use Network Level Authentication?

While NLA is a more secure way of establishing Remote Desktop activities – it’s not suitable for all users. First of all, home networks won’t support Remote Desktop. The client computer needs to be using at least Remote Desktop Connection 6.0 for NLA to work. They also need to use an operating system which supports the Credential Security Support Provider protocol, usually known as CredSSP. Examples of these operating systems are Windows 7, Windows Vista, or Windows XP with Service Pack 3. Finally, the session host for the Remote Desktop needs to be running Windows Server 2008 R2, or Windows Server 2008.

How Do I Know if My Computer Can Support Network Level Authentication?

There is a very easy way to determine whether the machine a user is working on will be able to support network level authentication. Simply ask your user to start the Remote Desktop Connection in whatever way is easiest for them, and then to look at the top left corner of the Remote Desktop Connection dialog box. Here, they will see an option that says About. In the About Remote Desktop Connection dialog box, there should be mention of “Network Level Authentication supported” which should clear up that query pretty quickly.

What will Network Level Authentication Look Like for my User in Practice?

You probably want to be able to explain to the client what will happen when NLA is used in a Remote Desktop request. Here’s what you can tell them. Firstly, whenever a remote desktop connection is made, there will be a message that appears so that the user can authenticate who they are before the connection is established. This will provide additional security when connecting clients with the RDP. The client’s credentials will be requested, and then approved. The whole thing is very quick. Users will not be able to join the connection if the credentials are not approved – or if the credentials are expired for example.

Know everything you wanted to know about Network Level Authentication? Then we got our job right! Want to learn more about remote access best practices – such as how to use remote access on multiple monitors? Check out our article on the topic here.