About Network Level Authentication
Network Level Authentication (NLA) is an authentication tool used in Remote Desktop Services (RDP Server) or Remote Desktop Connection (RDP Client), introduced in RDP 6.0 in Windows Vista. NLA is sometimes called front authentication as it requires the connecting user to authenticate themselves before a session can be established with the remote device.
Starting a remote session on a device (for example, a server) requires many processes to run in the background, which can use up CPU resources on the remote device. This can be prevented by requiring the connecting user to authenticate themselves first. Any failed attempt made by an unauthorized user will prevent a connection from being established and, consequently, will not use the device's CPU resources. Requiring user authentication before the remote session also offers a layer of defense against Denial of Service (DoS) attacks.
When a user attempts to establish a connection to a device with NLA enabled, NLA will delegate the user's credentials from the client through a client-side Security Support Provider to the server for authentication before creating a session. Only once the user authentication is successful will the connection be established.
NLA can be enabled or disabled on the target device by accessing one of the paths below:
- Settings app > System > Remote Desktop > toggle Enable Remote Desktop ON > click Confirm at the window that appears > Advanced Settings > select Require computers to use Network Level Authentication to connect (recommended)
- Start menu > Control Panel > System and Security > Allow remote access > Remote tab > Remote Desktop > select Allow remote connections to this computer and Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)
- Start menu > Control Panel > System and Security > System > Remote settings > Remote tab > Remote Desktop > select Allow remote connections to this computer and Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)
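The GUI paths above set a single setting on the target device. As an added example (not part of this documentation or of the Datto RMM Agent), the following PowerShell reads that setting from both the registry and the Win32_TSGeneralSetting WMI class so you can verify that NLA is actually required on a device, and optionally enforces it; it assumes the default listener name RDP-Tcp and an elevated session on the device itself.

```powershell
# Added example, not Datto code: audit and enforce the "Require Network Level
# Authentication" setting on the local device. Assumes the default RDP-Tcp
# listener and an elevated PowerShell session.

function Get-RdpNlaStatus {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $reg = Get-ItemProperty -Path $regPath -Name UserAuthentication -ErrorAction SilentlyContinue
    $wmi = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        # 1 = NLA required, 0 = NLA not required
        RegistryUserAuth    = $reg.UserAuthentication
        WmiUserAuthRequired = $wmi.UserAuthenticationRequired
        # Both sources should agree; a mismatch usually means a change has not taken effect yet
        Consistent          = ($reg.UserAuthentication -eq $wmi.UserAuthenticationRequired)
        NlaRequired         = ($wmi.UserAuthenticationRequired -eq 1)
    }
}

function Set-RdpNlaRequired {
    param([switch]$Disable)
    $value = if ($Disable) { 0 } else { 1 }
    $wmi = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    # SetUserAuthenticationRequired is the WMI method behind the GUI checkbox shown above
    Invoke-CimMethod -InputObject $wmi -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = $value } | Out-Null
    Get-RdpNlaStatus
}

$status = Get-RdpNlaStatus
$status | Format-List
if (-not $status.NlaRequired) {
    Write-Warning "NLA is not required on $($status.ComputerName); sessions can be started before the user authenticates."
    # Set-RdpNlaRequired   # uncomment to enforce NLA on this device
}
```

Run the audit function across managed devices to find any where NLA has been switched off; the WMI method applies immediately without a reboot.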
To establish an RDP session that uses NLA from the Agent Browser:
- Log in to the Agent Browser. Refer to Log in to the Agent Browser.
- Connect to a server. Refer to Connect to a device.
- Click Tools > Windows RDP or click the Remote Desktop Protocol icon.
- You will now be prompted to authorize yourself in order to establish the connection. Enter your Username and Password.
- Select Use Network Level Authentication.
NOTE The option to use NLA will be grayed out on incompatible devices.
- Select Remember passwords for this device if you want your password to be remembered for future RDP sessions.
- Click Log in to establish the connection.
- The connection will be established if the user authentication was successful.
NOTE The Agent Browser lets you save RDP credentials upon launching an RDP session to a device. When opting to Remember passwords for this device, the credentials are saved in a file under the current user profile. This file can only be used by the Datto RMM Agent and the local user profile that created it. Attempting to reuse this file under a different user profile on the same device or a different device will fail and may lead to Agent instability.
When stored, user credentials are encrypted. The encryption is coded within the Agent and it uses a combination of the following:
- Windows Data Protection API
- Password-based key derivation
- The password-derived key is used with Triple DES