2

I have been reading about RDP and Active Directories and I have gathered following understandings that I'm not sure are correct:

  1. Seems like RDP with Network Level Authentication works only (or most easily) with computers in Active Directory
  2. Active Directory is a service that runs on a computer making the computer a Domain Controller.
    1. Since Active Directory runs on a server machine, it can't be used to authenticate login to that same server machine. (chicken-egg problem)

Final understanding, and this is the most important one: If the only way to access the network from outside is through VPN, Network Level Authentication is only really useful in preventing unauthorized access to RDP allowed computers from same LAN network.

Am I understanding things correct? Can I just disable Network Level Authentication in RDP and go with less secure option if my home network is behind VPN and I trust all clients on LAN?

Shard
  • 121
  • 1
  • 1
  • 2
  • 1
    (3) is definitely wrong. You can log into a domain controller with an Active Directory account. In fact, you can *only* log into a domain controller with an Active Directory account. – Harry Johnston Oct 01 '18 at 02:54
  • to sum it up, NLA has nothing to do with AD, the purpose of NLA is to offload the huge overhead of RDP session initiation just for a password input..(and to add identify verification) – Sajuuk May 27 '19 at 09:16

2 Answers2

4

That is not accurate, and you are missing the point why NLA was created. Without NLA, a computer can establish a session to a remote desktop server before authenticating. It's trivial to create enough sessions to exhaust all resources on the server. That is straight from the Wikipedia page:

https://en.wikipedia.org/wiki/Network_Level_Authentication

It isn't required to authenticate the client to Active Directory, because NLA can be used to authenticate local accounts. Some people may argue that NLA on an internal network that is not accessible from the Internet is actually less secure, because it prevents blocking network access for some local accounts and creates a vulnerability where lateral movement may be used with local accounts.

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • Would you say that in my case where my home network is only accessible from a VPN, NLA is not worth getting additional hardware to run the AD on? – Shard Sep 30 '18 at 14:53
  • @Shard: Why are you asking about AD? – Greg Askew Sep 30 '18 at 14:59
  • My understanding is that NLA works best with AD set up. When I disable NLA I can RDP to my Hyper-V Server, if I enable NLA I can't remote to my Hyper-V Server. So I am currenly enabling RDP without NLA, but I'm concerned about security. – Shard Sep 30 '18 at 15:02
  • @Shard: Active Directory and Network Level Authentication have nothing to do with each other. Network Level Authentication performs one function, and it works exactly the same with or without Active Directory. – Greg Askew Sep 30 '18 at 15:10
  • So what this guy says in his tutorial video is technically false? https://www.youtube.com/watch?v=57Ijn7re8X8&feature=youtu.be&t=440 – Shard Sep 30 '18 at 15:21
0

You need to increase your understanding of Active Directory and domains. The server you install the AD role on becomes a Domain Controller, then you add client systems to the domain and create AD user accounts. You logon to a domain computer using domain credentials.

NLA uses CredSSP to front-load the credentials you'll be using to RDP. The session host checks these credentials and verifies them before offering the login prompt. Every security decision is a risk assessment. Obviously if you trust your network, then of course you can disable it. However, the industry has embraced an "assume-breach" posture, so I'd recommend using it.

spacenomyous
  • 1,319
  • 7
  • 15
  • So you are saying that it is worth buying another computer just to run Active Directory on it? (Since it is not recommended to run AD in VM). In other words the extra security it adds to a network behind VPN is worth the hassle? – Shard Sep 30 '18 at 13:45
  • Worth the hassle is a decision your security team needs to make. As far as AD being not recommended for virtualization, that is a dated concern considering the fact that Microsoft makes it's own hypervisor. The problem becomes if your virtualization environment uses AD to authenticate and you then host your AD infrastructure entirely inside that environment - that is truly a chicken-egg scenario. But if the virtualization authentication is outside AD or you have another DC outside of the environment (it can be in another host/cluster - or simply physical) you'll be fine. – spacenomyous Sep 30 '18 at 15:19
  • There is no security team, I'm talking about my home setup with Hyper-V. One guy, one server machine and one person that ever needs to access the Hyper-V host machine. My issue is just that whole non AD way of accessing Hyper-V host with Manager from Windows 10 Pro is a major pain. – Shard Sep 30 '18 at 16:34