Configuring Network Level Authentication

Harden RDP before attackers reach the logon screen

RDP is one of the most scanned services on the internet. Network Level Authentication (NLA) reduces risk by forcing authentication before a full remote desktop session is created, which helps block anonymous probing and lowers resource abuse.

If you manage a Windows VPS, enabling NLA should be part of the “day‑1” hardening checklist — together with firewall restrictions provided by your VPS hosting environment.

What NLA is and why it matters

NLA requires the client to authenticate (typically via CredSSP) before Windows allocates a full interactive desktop session. Compared to legacy RDP behavior, this gives you:

  • Better security: fewer anonymous pre-auth sessions and less exposure to certain brute-force and session-abuse scenarios.
  • Lower load: the server spends fewer resources on unauthenticated connections.
  • Cleaner access control: policy + group membership checks happen earlier in the flow.

Enable NLA using the GUI (fastest method)

On the server (locally or via console):

  • Press Win + R → run SystemPropertiesRemote
  • In Remote Desktop, enable Remote Desktop if needed
  • Check: Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)

Also confirm that the user account is allowed for RDP (member of Remote Desktop Users or Administrators) and that the firewall allows RDP only from trusted IPs.

Enable NLA via PowerShell / registry (automatable)

NLA is controlled by the RDP-Tcp setting UserAuthentication. Run PowerShell as Administrator:

# Require Network Level Authentication (NLA)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
  -Name 'UserAuthentication' -Value 1

Optional: verify the value:

# Read back the value: 1 = NLA required, 0 = NLA not required
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
  -Name UserAuthentication

If you changed settings remotely, restarting the Remote Desktop Services service (or rebooting) may be required in some configurations.

Firewall + access scope: the part that actually blocks attacks

NLA is important, but it’s not a substitute for network restrictions. For an internet-facing server:

  • Allow RDP (TCP 3389 and sometimes UDP 3389) only from your office/VPN IPs.
  • Disable broad “Any” inbound rules for RDP.
  • Prefer VPN or RD Gateway for remote access at scale.

On a VPS hosting platform, combine Windows Firewall rules with provider firewall/ACLs where available.

Compatibility: why some clients fail after enabling NLA

The most common “it stopped working” case is an outdated client without proper CredSSP support. Typical symptoms include messages like “The remote computer requires Network Level Authentication…”.

  • Fix: update the RDP client (Windows updates, modern Microsoft Remote Desktop clients).
  • Fix: confirm system time is correct (time skew can break authentication and TLS negotiation).
  • Fix: verify the user has RDP permissions and is not blocked by policy.

How to test RDP reachability (quick diagnostics)

From your workstation (PowerShell):

Test-NetConnection 203.0.113.10 -CommonTCPPort RDP

If TcpTestSucceeded is false, the issue is usually firewall/ACL/routing — not NLA itself.

Emergency rollback (if you locked yourself out)

If an old client can’t authenticate and you can’t RDP in:

  • Use provider console (VNC/KVM) to access the server.
  • Temporarily disable NLA, log in, update clients, then re-enable it.

Disable NLA via PowerShell (temporary):

# Temporarily allow connections without NLA (0); set back to 1 once clients are updated
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
  -Name 'UserAuthentication' -Value 0

Important: Treat “NLA off” as a short troubleshooting state, not a permanent setting.

Recommended minimal security bundle for RDP on VPS

  • NLA enabled.
  • RDP limited to trusted IPs/subnets (Windows Firewall + hosting ACL).
  • Strong passwords and (where possible) MFA/VPN/RD Gateway.
  • Audit failed logons (so you see attacks) and alert on spikes.
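As an added example (not part of the original post), the following PowerShell script audits a server against the items in this bundle that can be checked locally: NLA state, whether any enabled inbound rule for port 3389 is open to "Any" remote address, and failed logons (Event ID 4625) over the last 24 hours with their top source addresses. It assumes the built-in NetSecurity firewall cmdlets are available and that failure auditing for logon events is enabled; run it in an elevated PowerShell session on the server.

```powershell
# Added example: audit RDP hardening on a Windows VPS. Run as Administrator.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$report = [ordered]@{}

# 1. NLA enforced? (UserAuthentication = 1)
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
$report['NLA enforced'] = ($nla -eq 1)

# 2. RDP enabled at all? (fDenyTSConnections = 0 means connections are allowed)
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$report['RDP enabled'] = ($deny -eq 0)

# 3. Enabled inbound allow rules for port 3389 whose remote address is "Any"
#    (the "broad inbound rule" the checklist says to disable)
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
$report['RDP rules open to Any'] = @($openRules).Count
$openRules | ForEach-Object { "  open rule: $($_.DisplayName) [$($_.Profile)]" }

# 4. Failed logons in the last 24h (Event ID 4625). Requires "Audit Logon"
#    failure auditing; with no matching events Get-WinEvent reports an error,
#    which is suppressed here so the count simply shows 0.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue
$report['Failed logons (24h)'] = @($failed).Count

# 5. Top source IPs of failed logons. In 4625 the IpAddress field is
#    Properties[19]; entries of '-' (no network address) are skipped.
$topSources = $failed |
    ForEach-Object { $_.Properties[19].Value } |
    Where-Object { $_ -and $_ -ne '-' } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 5

[pscustomobject]$report | Format-List
if ($topSources) {
    'Top failed-logon sources:'
    $topSources | Format-Table Count, Name -AutoSize
}
if ($nla -ne 1 -or @($openRules).Count -gt 0) {
    Write-Warning 'RDP hardening gaps found: review the report above.'
}
```

A spike in the 24-hour failed-logon count, or a single source address dominating the list, is the "alert on spikes" signal from the checklist and usually means the firewall scope is wider than intended.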

For stable day-to-day administration, run RDP with NLA on a Windows VPS and keep the network perimeter tight at the VPS hosting level.
