Safety of RDP without network level authentication


That is not accurate, and you are missing the point of why NLA was created. Without NLA, a computer can establish a session to a remote desktop server before authenticating. It's trivial to create enough sessions to exhaust all resources on the server. That is straight from the Wikipedia page:

https://en.wikipedia.org/wiki/Network_Level_Authentication

It isn't required to authenticate the client to Active Directory, because NLA can be used to authenticate local accounts. Some people may argue that NLA on an internal network that is not accessible from the Internet is actually less secure, because it prevents blocking network access for some local accounts and creates a vulnerability where lateral movement may be used with local accounts.
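The setting the answer is talking about (require the client to authenticate before a session is created) lives in the RDP-Tcp listener configuration. As an added example, not part of this answer, here is a PowerShell audit-and-enforce script for the local host; it assumes the default listener name "RDP-Tcp" and an elevated session for the enforce step.

```powershell
# Audit, and optionally enforce, Network Level Authentication on the local RDP listener.
# Assumes the default listener "RDP-Tcp"; run elevated if you call Set-RdpNlaRequired.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsNamespace = 'root\cimv2\TerminalServices'

function Get-RdpNlaStatus {
    # UserAuthentication = 1 means the client must finish CredSSP authentication
    # before the server allocates a session (the resource-exhaustion point above).
    $reg = Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication, SecurityLayer -ErrorAction Stop

    # Cross-check the registry value against the WMI view of the same listener.
    $wmi = Get-CimInstance -Namespace $TsNamespace -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"

    $layer = switch ($reg.SecurityLayer) {
        0 { 'RDP security layer (legacy)' }
        1 { 'Negotiate' }
        2 { 'TLS' }
        default { "Unknown ($($reg.SecurityLayer))" }
    }

    [pscustomobject]@{
        NlaRequiredRegistry = ($reg.UserAuthentication -eq 1)
        NlaRequiredWmi      = ($wmi.UserAuthenticationRequired -eq 1)
        SecurityLayer       = $layer
        # Both views should agree; a mismatch means a pending change or manual registry edit.
        Consistent          = (($reg.UserAuthentication -eq 1) -eq ($wmi.UserAuthenticationRequired -eq 1))
    }
}

function Set-RdpNlaRequired {
    # Use the documented WMI method rather than writing the registry directly,
    # so the Remote Desktop Services listener applies the change to new connections.
    $wmi = Get-CimInstance -Namespace $TsNamespace -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $wmi -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
    Get-RdpNlaStatus
}

# Usage: report the current state; uncomment the second line to enforce NLA.
Get-RdpNlaStatus | Format-List
# Set-RdpNlaRequired | Format-List
```

If NlaRequiredRegistry is false, the host accepts a full session before any credential is checked, which is exactly the exposure described in the answer.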



Asked by Shard, updated on September 18, 2022

Comments

  • Shard
    Shard over 1 year

    I have been reading about RDP and Active Directories and I have gathered the following understandings that I'm not sure are correct:

    1. Seems like RDP with Network Level Authentication works only (or most easily) with computers in Active Directory
    2. Active Directory is a service that runs on a computer making the computer a Domain Controller.
      1. Since Active Directory runs on a server machine, it can't be used to authenticate login to that same server machine. (chicken-egg problem)

    Final understanding, and this is the most important one: If the only way to access the network from outside is through VPN, Network Level Authentication is only really useful in preventing unauthorized access to RDP allowed computers from same LAN network.

    Am I understanding things correctly? Can I just disable Network Level Authentication in RDP and go with the less secure option if my home network is behind VPN and I trust all clients on LAN?

    • Harry Johnston
      Harry Johnston over 5 years
      (3) is definitely wrong. You can log into a domain controller with an Active Directory account. In fact, you can only log into a domain controller with an Active Directory account.
    • Sajuuk
      Sajuuk almost 5 years
      To sum it up, NLA has nothing to do with AD; the purpose of NLA is to offload the huge overhead of RDP session initiation just for a password input (and to add identity verification).
  • Shard
    Shard over 5 years
    So you are saying that it is worth buying another computer just to run Active Directory on it? (Since it is not recommended to run AD in VM). In other words the extra security it adds to a network behind VPN is worth the hassle?
  • Shard
    Shard over 5 years
    Would you say that in my case where my home network is only accessible from a VPN, NLA is not worth getting additional hardware to run the AD on?
  • Greg Askew
    Greg Askew over 5 years
    @Shard: Why are you asking about AD?
  • Shard
    Shard over 5 years
    My understanding is that NLA works best with AD set up. When I disable NLA I can RDP to my Hyper-V Server; if I enable NLA I can't remote to my Hyper-V Server. So I am currently enabling RDP without NLA, but I'm concerned about security.
  • Greg Askew
    Greg Askew over 5 years
    @Shard: Active Directory and Network Level Authentication have nothing to do with each other. Network Level Authentication performs one function, and it works exactly the same with or without Active Directory.
  • spacenomyous
    spacenomyous over 5 years
    Worth the hassle is a decision your security team needs to make. As far as AD being not recommended for virtualization, that is a dated concern considering the fact that Microsoft makes its own hypervisor. The problem becomes if your virtualization environment uses AD to authenticate and you then host your AD infrastructure entirely inside that environment - that is truly a chicken-egg scenario. But if the virtualization authentication is outside AD or you have another DC outside of the environment (it can be in another host/cluster - or simply physical) you'll be fine.
  • Shard
    Shard over 5 years
    So what this guy says in his tutorial video is technically false? youtube.com/watch?v=57Ijn7re8X8&feature=youtu.be&t=440
  • Shard
    Shard over 5 years
    There is no security team, I'm talking about my home setup with Hyper-V. One guy, one server machine and one person that ever needs to access the Hyper-V host machine. My issue is just that the whole non-AD way of accessing the Hyper-V host with Manager from Windows 10 Pro is a major pain.