Safety of RDP without network level authentication
That is not accurate, and you are missing the point of why NLA was created. Without NLA, a computer can establish a session to a remote desktop server before authenticating. It's trivial to create enough sessions to exhaust all resources on the server. That is straight from the Wikipedia page:
https://en.wikipedia.org/wiki/Network_Level_Authentication
It isn't required to authenticate the client to Active Directory, because NLA can be used to authenticate local accounts. Some people may argue that NLA on an internal network that is not accessible from the Internet is actually less secure, because it prevents blocking network access for some local accounts and creates a vulnerability where lateral movement may be used with local accounts.
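The answer above turns on one setting: whether the server requires NLA (CredSSP authentication before any session is allocated). The following PowerShell is an added example, not part of the original answer, that audits that setting on a Windows host from both the registry and the Win32_TSGeneralSetting WMI class and reports the RDP security layer alongside it. The key path, value names and class are the standard ones; the output object and warning text are this example's own.

```powershell
# Added example (not from the original answer): audit whether this Windows host
# requires Network Level Authentication for RDP. Run in an elevated PowerShell.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$props  = Get-ItemProperty -Path $rdpKey -Name UserAuthentication, SecurityLayer

# UserAuthentication: 1 = NLA required (client authenticates via CredSSP before a session exists)
#                     0 = NLA not required (a session is allocated before any credential is checked)
# SecurityLayer:      0 = legacy RDP security layer, 1 = negotiate, 2 = TLS required
$nlaRequired = ($props.UserAuthentication -eq 1)

# Same setting as exposed through WMI (this is what the System Properties dialog writes)
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    NlaRequired_Registry = $nlaRequired
    NlaRequired_WMI      = [bool]$ts.UserAuthenticationRequired
    SecurityLayer        = $props.SecurityLayer
} | Format-List

if (-not $nlaRequired) {
    Write-Warning 'NLA is disabled: a client can hold a full RDP session on this host before logging on.'
    # To require NLA again (equivalent to ticking "Allow connections only from computers
    # running Remote Desktop with Network Level Authentication"):
    # Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
    #     -Arguments @{ UserAuthenticationRequired = 1 }
}
```

If the two columns disagree, the registry value was edited directly and the listener has not been restarted; either way, the registry value is what a Group Policy object would enforce, so it is the one to check in a fleet-wide audit.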
Shard
Updated on September 18, 2022
Comments
-
Shard over 1 year
I have been reading about RDP and Active Directory and I have gathered the following understandings that I'm not sure are correct:
- Seems like RDP with Network Level Authentication works only (or most easily) with computers in Active Directory
- Active Directory is a service that runs on a computer making the computer a Domain Controller.
- Since Active Directory runs on a server machine, it can't be used to authenticate login to that same server machine. (chicken-egg problem)
Final understanding, and this is the most important one: If the only way to access the network from outside is through VPN, Network Level Authentication is only really useful in preventing unauthorized access to RDP allowed computers from same LAN network.
Am I understanding things correctly? Can I just disable Network Level Authentication in RDP and go with the less secure option if my home network is behind a VPN and I trust all clients on the LAN?
-
Harry Johnston over 5 years
(3) is definitely wrong. You can log into a domain controller with an Active Directory account. In fact, you can only log into a domain controller with an Active Directory account.
-
Sajuuk almost 5 years
To sum it up, NLA has nothing to do with AD; the purpose of NLA is to offload the huge overhead of RDP session initiation just for a password input (and to add identity verification).
-
Shard over 5 years
So you are saying that it is worth buying another computer just to run Active Directory on it? (Since it is not recommended to run AD in a VM.) In other words, the extra security it adds to a network behind a VPN is worth the hassle?
-
Shard over 5 years
Would you say that in my case, where my home network is only accessible from a VPN, NLA is not worth getting additional hardware to run the AD on?
-
Greg Askew over 5 years
@Shard: Why are you asking about AD?
-
Shard over 5 years
My understanding is that NLA works best with AD set up. When I disable NLA I can RDP to my Hyper-V Server; if I enable NLA I can't remote to my Hyper-V Server. So I am currently enabling RDP without NLA, but I'm concerned about security.
-
Greg Askew over 5 years
@Shard: Active Directory and Network Level Authentication have nothing to do with each other. Network Level Authentication performs one function, and it works exactly the same with or without Active Directory.
-
spacenomyous over 5 years
Worth the hassle is a decision your security team needs to make. As far as AD being not recommended for virtualization, that is a dated concern considering the fact that Microsoft makes its own hypervisor. The problem becomes if your virtualization environment uses AD to authenticate and you then host your AD infrastructure entirely inside that environment; that is truly a chicken-and-egg scenario. But if the virtualization authentication is outside AD, or you have another DC outside of the environment (it can be in another host/cluster, or simply physical), you'll be fine.
-
Shard over 5 years
So what this guy says in his tutorial video is technically false? youtube.com/watch?v=57Ijn7re8X8&feature=youtu.be&t=440
-
Shard over 5 years
There is no security team; I'm talking about my home setup with Hyper-V. One guy, one server machine and one person that ever needs to access the Hyper-V host machine. My issue is just that the whole non-AD way of accessing the Hyper-V host with Manager from Windows 10 Pro is a major pain.
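For anyone who, like the asker, ends up running RDP without NLA for a while, the practical compensating control is to watch the Security log for failed logons against the RDP listener. The following PowerShell is an added example, not part of the thread, that summarises event 4625 by source address over a recent window. The event ID and the EventData field names (TargetUserName, IpAddress, LogonType) are the standard ones; the 24-hour window and the threshold of 10 are constructed values chosen for illustration.

```powershell
# Added example (not from the original thread): group failed logons (Security 4625)
# by source address on a host that accepts RDP. Run in an elevated PowerShell.

$since  = (Get-Date).AddHours(-24)          # constructed window; adjust to taste
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The useful fields live in EventData, so parse the event's XML rather than the message text
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # LogonType 10 = RemoteInteractive: with NLA disabled, a failed attempt reaches the
    #   logon screen inside an already-allocated session.
    # LogonType 3  = Network: with NLA required, the CredSSP failure is typically logged
    #   this way and no session is ever created.
    if ($d.LogonType -in '3', '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $d.TargetUserName
            Source    = $d.IpAddress
            LogonType = $d.LogonType
        }
    }
}

# Sources with at least 10 failures in the window (constructed threshold), with the
# distinct account names they tried
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } },
                  Count,
                  @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Where-Object Count -ge 10
```

On a VPN-only home network the source column should only ever contain addresses from the VPN pool or the LAN; anything else is the signal that the "not reachable from the Internet" assumption has broken.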