Network Level Authentication (NLA) Security
Audience: IT administrators, security engineers
Purpose: Understand NLA's role in RDP security and mitigation strategies when NLA must be disabled
Quick Reference
- NLA Required — Authenticates the client over CredSSP before the server creates a session, so unauthenticated connections never reach the logon screen or the pre-authentication RDP code paths
- Disabling NLA — Exposes the logon screen and the unauthenticated RDP listener to anyone who can reach the port, significantly increasing exposure to brute force, credential interception, and ransomware operators
- Mac Compatibility — See RDP from Mac to Windows for secure alternatives
- Alternatives — Consider Azure Virtual Desktop or RD Gateway instead of disabling NLA
Overview
Network Level Authentication (NLA) secures Remote Desktop Protocol (RDP) sessions by requiring the client to authenticate, over CredSSP using Kerberos or NTLM, before the server creates a session and presents a desktop. Because anonymous clients never exercise the pre-authentication RDP code paths, NLA blunts unauthenticated exploitation of listener vulnerabilities, makes connection floods cheap for the server to reject, and keeps attackers from ever seeing a logon screen. Disabling NLA removes these properties and introduces significant security risks that must be carefully mitigated.
Threats When NLA is Disabled
1. Brute Force Attacks
Threat: Attackers repeatedly attempt to guess credentials via RDP.
| Mitigation | Implementation |
|---|---|
| Account Lockout | Enforce lockout after a small number of failed attempts via Intune Endpoint Security; pair it with a password policy strong enough that slow, under-threshold guessing is not viable |
| IP Restrictions | Limit RDP access to known management IP ranges via Windows Defender Firewall; with NLA off this is the only control that stops anonymous clients before they reach the RDP service |
| Entra ID MFA | Require MFA via Conditional Access policies. Conditional Access is evaluated only when the RDP logon itself goes through Entra ID (for example Azure Virtual Desktop, or RD Gateway with the NPS extension); a plain username and password logon to the host is not evaluated |
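The monitoring side of the brute-force mitigations is the Security log: every failed RDP logon produces event 4625 with the source IP in its EventData. The following PowerShell is an added example, not part of the original page, that flattens live 4625 records and flags source addresses exceeding a failure threshold inside a sliding window. The function names, thresholds and sample events are constructed for this example; the event fields (IpAddress, TargetUserName, LogonType) are the standard ones Windows writes.

```powershell
# Added example, not from the original page: flag RDP password guessing from
# Security log event 4625 (An account failed to log on) grouped by source IP.
# Caveat on logon types: with NLA enforced, a failed RDP logon is recorded as
# LogonType 3 (network, via CredSSP); with NLA disabled it is LogonType 10
# (RemoteInteractive, at the logon screen). The filter keeps both so the
# detection keeps working whichever way the host is configured.

function ConvertFrom-Event4625 {
    # Flatten a live 4625 record (from Get-WinEvent) into the fields used below.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated
            IpAddress      = $data['IpAddress']
            TargetUserName = $data['TargetUserName']
            LogonType      = [int]$data['LogonType']
        }
    }
}

function Get-RdpBruteForceSources {
    # Return every source IP with at least $Threshold failures inside any
    # $WindowMinutes sliding window, plus how many distinct usernames it tried.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 10,
        [int] $WindowMinutes = 5
    )
    $window = [timespan]::FromMinutes($WindowMinutes)
    $Events |
        Where-Object { ($_.LogonType -in 3, 10) -and ($_.IpAddress -notin '-', '127.0.0.1', '::1') } |
        Group-Object IpAddress |
        ForEach-Object {
            $times = @($_.Group | Sort-Object TimeCreated | ForEach-Object TimeCreated)
            $peak  = 0
            for ($i = 0; $i -lt $times.Count; $i++) {
                $j = $i
                while ($j + 1 -lt $times.Count -and ($times[$j + 1] - $times[$i]) -le $window) { $j++ }
                $peak = [math]::Max($peak, $j - $i + 1)
            }
            if ($peak -ge $Threshold) {
                [pscustomobject]@{
                    IpAddress     = $_.Name
                    Failures      = $_.Count
                    PeakInWindow  = $peak
                    DistinctUsers = @($_.Group.TargetUserName | Sort-Object -Unique).Count
                    FirstSeen     = $times[0]
                    LastSeen      = $times[-1]
                }
            }
        }
}

# Constructed sample data standing in for live events, so the block runs offline:
# one host spraying 12 usernames from 203.0.113.7 within a minute, one genuine
# typo from an internal client, and one local (non-RDP) failure that must be ignored.
$now = Get-Date
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $now.AddSeconds(-5 * $_); IpAddress = '203.0.113.7'; TargetUserName = "user$_"; LogonType = 3 }
    }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-2); IpAddress = '10.0.0.15'; TargetUserName = 'alice';      LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-1); IpAddress = '-';         TargetUserName = 'svc_backup'; LogonType = 2 }
)
Get-RdpBruteForceSources -Events $sample | Format-Table -AutoSize

# Against the live Security log (elevated session required):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#             ConvertFrom-Event4625
# Get-RdpBruteForceSources -Events $live
```

Only 203.0.113.7 is reported for the sample: the internal client has a single failure and the local failure is LogonType 2, which RDP never produces. The same grouping is what an Elastic detection rule over forwarded 4625 events would express; running it locally is a quick way to validate the rule's thresholds before deploying it.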
2. Credential Harvesting (MITM)
Threat: Attackers on the network path intercept credentials when the client does not validate the server's certificate and the user accepts the resulting warning.
| Mitigation | Implementation |
|---|---|
| TLS 1.2+ | Set the listener's security layer to TLS (SecurityLayer = 2) rather than the legacy RDP security layer, and disable TLS 1.0 and 1.1 in Schannel on the host so older protocol versions cannot be negotiated |
| User Education | Issue RDP server certificates from an internal CA that clients already trust, so a certificate warning is always a genuine anomaly; then train users to refuse unexpected warnings instead of clicking through them |
| VPN Requirement | Require VPN for external RDP access so the RDP port is never exposed directly to the internet |
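The NLA, security-layer and encryption settings above, and the source-address restriction from the brute-force section, all live in a handful of registry values and one built-in firewall rule group. The following PowerShell is an added example, not from the original page, that audits them against hardened values, optionally corrects the ones not managed by policy, checks whether legacy TLS is explicitly off in Schannel, and scopes the Remote Desktop firewall rules to a management range. The function names and the 10.20.0.0/24 range are assumptions for this example; the registry paths, value names and cmdlets are standard Windows ones.

```powershell
# Added example, not from the original page: audit (and optionally correct)
# the RDP-Tcp listener's NLA and TLS settings, check that legacy TLS is off
# in Schannel, and scope the built-in Remote Desktop firewall rules to known
# management ranges. Run in an elevated PowerShell session.

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Hardened values. UserAuthentication 1 = NLA required.
# SecurityLayer 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS only.
# MinEncryptionLevel 3 = High (128-bit), 4 = FIPS-compliant.
$Expected = [ordered]@{ UserAuthentication = 1; SecurityLayer = 2; MinEncryptionLevel = 3 }

function Get-RdpListenerSetting {
    param([Parameter(Mandatory)][string] $Name)
    # A value under the policy key (GPO or Intune) overrides the listener's own value.
    foreach ($key in $PolicyKey, $ListenerKey) {
        $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) {
            return [pscustomobject]@{ Name = $Name; Value = [int]$v; Source = $key }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = '(not set, default applies)' }
}

function Test-RdpListenerHardening {
    # Report each setting beside its expected value; -Fix writes the listener
    # value when it is wrong and not policy-managed.
    param([switch] $Fix)
    foreach ($name in $Expected.Keys) {
        $s  = Get-RdpListenerSetting -Name $name
        $ok = ($s.Value -eq $Expected[$name])
        if ($Fix -and -not $ok) {
            if ($s.Source -eq $PolicyKey) {
                Write-Warning "$name is set by policy; change it in GPO/Intune, not on the host."
            } else {
                Set-ItemProperty -Path $ListenerKey -Name $name -Value $Expected[$name] -Type DWord
                $ok = $true
            }
        }
        [pscustomobject]@{ Setting = $name; Current = $s.Value; Expected = $Expected[$name]; Source = $s.Source; Compliant = $ok }
    }
}

function Get-LegacyTlsServerState {
    # RDP's TLS security layer rides on Schannel, so the TLS floor is set there.
    # Enabled = 0 together with DisabledByDefault = 1 turns a protocol off server-side.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
            ExplicitlyOff     = ($p.Enabled -eq 0 -and $p.DisabledByDefault -eq 1)
        }
    }
}

function Set-RdpFirewallScope {
    # Restrict the Windows-shipped "Remote Desktop" rule group (TCP and UDP
    # listeners) to the given ranges; everything else is dropped before it
    # reaches the RDP service, which matters most when NLA is disabled.
    param([Parameter(Mandatory)][string[]] $AllowedRemoteAddress)
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $AllowedRemoteAddress
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    }
}

# Usage (10.20.0.0/24 is an assumed management range for this example):
Test-RdpListenerHardening  | Format-Table -AutoSize
Get-LegacyTlsServerState   | Format-Table -AutoSize
# Test-RdpListenerHardening -Fix
# Set-RdpFirewallScope -AllowedRemoteAddress '10.20.0.0/24'
```

On a host where NLA has been disabled for Mac compatibility, the audit will show UserAuthentication = 0 as non-compliant by design; the point is that the other rows (SecurityLayer, MinEncryptionLevel, legacy TLS off, firewall scope) should still all pass, and the report makes the accepted exception explicit rather than silent.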
3. RDP Vulnerabilities
Threat: Unpatched vulnerabilities in the RDP listener such as BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181 and CVE-2019-1182). NLA is a partial mitigation for these: with it enforced, the vulnerable code is reachable only by a client that has already authenticated, whereas with NLA disabled any host that can reach the port can attempt exploitation.
| Mitigation | Implementation |
|---|---|
| Patch Management | Enforce updates via Intune policies |
| Firewall Rules | Restrict RDP to internal networks only |
| Network Segmentation | Isolate RDP-accessible systems |
4. Denial-of-Service (DoS)
Threat: Connection floods exhaust server resources. With NLA disabled, the server creates a session and renders a logon screen for every connection before any credential is checked, so each anonymous connection costs far more than it would under NLA.
| Mitigation | Implementation |
|---|---|
| Firewall Rate Limiting | Block external source IPs, or rate-limit new connections to the RDP port at the perimeter firewall (Windows Defender Firewall filters by source address but does not rate-limit) |
| Elastic Monitoring | Detect anomalous traffic spikes |
| Load Balancing | Distribute RDP connection load |
5. Malware Deployment
Threat: Attackers with RDP access install ransomware or malware.
| Mitigation | Implementation |
|---|---|
| WDAC | Restrict unauthorized software execution |
| Elastic Monitoring | Detect abnormal process executions |
| MFA (Duo) | Add a second factor at Windows logon (Duo Authentication for Windows Logon and RDP) so a stolen or guessed password alone does not yield an interactive session |
Mac-to-Windows RDP Challenges
Mac users often require NLA to be disabled to connect to Entra ID-joined Windows devices via Microsoft Remote Desktop, because a client that is not itself joined or registered to the same Entra tenant cannot complete the Entra ID credential exchange that NLA requires for those devices.
For a production-tested solution that does not require disabling NLA, see the RDP from Mac to Windows guide linked in Quick Reference.
Recommended Alternatives
Instead of disabling NLA, consider these secure alternatives:
| Alternative | Description |
|---|---|
| Azure Virtual Desktop (AVD) | Cloud-based remote desktop with full Entra ID integration |
| RD Gateway | Tunnels RDP over HTTPS (TCP 443) so the RDP port itself is never internet-facing; Entra ID MFA can be enforced on gateway logons through the NPS extension |
| Conditional Access | Risk-based access controls for RDP sessions; applies only to RDP paths that authenticate through Entra ID (such as AVD or an RD Gateway with the NPS extension), not to a direct password logon to the host |
| VPN + NLA | Require VPN connection before RDP access |
Security Summary
Disabling NLA significantly increases the attack surface. If disabling is required for compatibility:
- Implement all applicable mitigations
- Restrict access to internal networks only
- Enable comprehensive monitoring
- Plan migration to secure alternatives
Related Resources
- Intune Documentation — Endpoint security policies
- Windows Documentation — OS management
- Microsoft - Configure Windows Defender Firewall
- Microsoft - Conditional Access with MFA