Microsoft Terminal Server security can be enhanced by authenticating the user earlier in the connection process, when a client connects to a Terminal Server. This early user authentication method is referred to as Network Level Authentication (NLA). It is a new authentication method that completes user authentication before you establish a Remote Desktop connection and the logon screen appears. It is a more secure authentication method that can help protect the remote computer from malicious users and malicious software.
The advantages of Network Level Authentication are:
• Requires fewer remote computer resources initially. The remote system uses a limited number of resources before authenticating the user, rather than starting a full Remote Desktop connection as in previous versions
• Provides better security by reducing the risk of denial of service attacks
Requirements to use Network Level Authentication:
• The client computer must be running at least Remote Desktop Connection 6.0
• The client computer must be using an operating system that supports the new Credential Security Support Provider
• The Terminal Server must be running Windows Server 2008
Requirements to access a Network Level Authentication Terminal Server
To access RemoteApp programs through TS Web Access, the client computer must be running RDC 6.1. RDC 6.1 is included with the following operating systems:
• Windows Server 2008
• Windows Vista with Service Pack 1
• Windows XP with Service Pack 3 (SP3)
What happens if you have an unsupported client?
Start your Remote Desktop client in the normal fashion (Start > Run > "mstsc /console"), as shown below (applies to XP builds).
Now enter the name of the server into the Address box and click Connect. Once you have entered your credentials, you get this error:
How to tell if your Terminal Services Client is not supported with NLA
Start your client in the normal fashion and click on the icon in the upper left hand corner of the application and click on About as shown below:
When the dialogue appears you will notice that your client will probably say "Network Level Authentication Not Supported"
If you wish to connect to this server via Remote Desktop then you will require your RDP client to say "Network Level Authentication Supported" like this one below:
How do I Enable/Disable NLA on my Terminal Servers
If you want to enable NLA (Network Level Authentication) then obviously you need to be an Administrator on the server you are updating.
Please note that Citrix does not support NLA at the moment, but with TSGateway you really do not need it. In any case, DO NOT log in to your server and follow these instructions blindly; only enable it if you require such features.
A. If you have the stupid user Start Menu and "no icons" on your Desktop, then click on Start, right click on Computer and choose Properties.
B. If you have the Classic Start Menu and icons on your Desktop, then right click on the Computer icon on your Desktop and choose Properties.
Either way you should be looking at the screen below:
Click on the "Remote Settings" text on the left hand side and the following dialogue box will appear:
Ensure that the radio button in the last box is selected, then click Apply and OK. You now have an NLA Terminal Server. Congratulations :-)
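The same setting can be read and changed from PowerShell through the `Win32_TSGeneralSetting` WMI class, which is useful for auditing several servers before enforcing NLA. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later and administrator rights, and the function names and the server name `TS01` are hypothetical.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0+ and
# administrator rights on the target; server names passed in are your own.
function Get-NlaState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        try {
            # The TerminalServices WMI namespace requires packet privacy.
            $listeners = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                -Class Win32_TSGeneralSetting -ComputerName $computer `
                -Authentication PacketPrivacy -ErrorAction Stop
            foreach ($l in $listeners) {
                New-Object PSObject -Property @{
                    Computer      = $computer
                    Listener      = $l.TerminalName
                    NlaRequired   = ($l.UserAuthenticationRequired -eq 1)
                    SecurityLayer = $l.SecurityLayer   # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
                }
            }
        } catch {
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }
}

function Enable-Nla {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Listener = 'RDP-Tcp'
    )
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -ComputerName $ComputerName `
        -Filter "TerminalName='$Listener'" `
        -Authentication PacketPrivacy -ErrorAction Stop
    if (-not $ts) { throw "Listener '$Listener' not found on $ComputerName" }
    # 1 = require NLA, 0 = allow connections without it.
    $result = $ts.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)"
    }
    Get-NlaState -ComputerName $ComputerName
}

# Audit first; enable only on servers whose clients all report NLA support.
Get-NlaState | Format-Table Computer, Listener, NlaRequired, SecurityLayer -AutoSize
# Enable-Nla -ComputerName 'TS01'   # hypothetical server name
```

Run the audit from an elevated prompt; a listener that reports `NlaRequired` as False still accepts clients that show "Network Level Authentication Not Supported" in their About box.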