Disable Remote Desktop Network Level Authentication using PowerShell
In today’s Ask the Admin, I’ll show you how to disable Remote Desktop Network Level Authentication with the help of Windows Management Instrumentation (WMI) and PowerShell.
Network Level Authentication (NLA) was introduced to improve security in Remote Desktop Protocol (RDP) 6.0 by requiring that users be authenticated to the host server before an RDP session is created, helping to reduce the risk of denial-of-service attacks. Initially NLA was only available for Windows Vista and Windows Server 2008, but later client support for Windows XP SP3 was added.
Although NLA is a welcome security enhancement that helps to make Remote Desktop safer, you might want to disable it in a dev environment for a couple of reasons:
- It’s not possible to log in to a domain member server using Remote Desktop unless a domain controller (DC) is available for authentication.
- Domain controllers must be booted before member servers are started, otherwise Remote Desktop access to member servers might be denied.
In production, the issues I’ve listed above should never be a reason to disable NLA. But in a dev environment, especially one where VMs are shut down regularly to reduce costs, it can be handy to disable NLA so that you don’t have to worry about the order in which VMs are booted, and work with member servers without necessarily needing to boot a DC. Remember that disabling NLA is not best practice, so you should always evaluate the risk in your own environment.
Disable Network Level Authentication
It’s easy to disable NLA using the GUI, but the reason to do it programmatically is to understand how to automate the task when deploying VMs in the cloud using PowerShell. The Remote Desktop NLA setting can be accessed under Advanced system settings in the System control panel.
In the example below, I use a variable, $ComputerName, to store the name of the server on which I want to disable NLA. The Get-WmiObject cmdlet is then used to return information about the current Remote Desktop settings, and all I need to do is specify the WMI class and namespace, which in the case of Remote Desktop is Win32_TSGeneralSetting and root\cimv2\terminalservices respectively.
You’ll notice that I’ve also added a filter to the command line so that only results for the RDP-tcp terminal are returned. By default in Windows Server, there is only one terminal configured, but in cases where there might be more than one, the filter comes in handy to return only the desired information. Make sure that you’re logged in to the server as a local administrator before running the commands below.
$ComputerName = 'contososrv1'
Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'"
If your server configuration hasn't been changed from the default settings, you'll notice in the results that UserAuthenticationRequired is set to 1 (true), meaning that NLA is enabled.
To narrow down the results and return just the UserAuthenticationRequired setting, use the command below:
(Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
Finally, to disable NLA, swap out UserAuthenticationRequired for SetUserAuthenticationRequired(0) as shown here:
(Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
Enable Network Level Authentication
To enable NLA, just replace the 0 after SetUserAuthenticationRequired with 1:
(Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)
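The three one-liners above are enough for a single server, but when you automate this across a dev environment you also want to know which servers currently have NLA turned off, and you want the change to fail loudly if the WMI method does not succeed. The script below is an added example, not code from the original article: it wraps the same Win32_TSGeneralSetting query in an audit function that reports the NLA state (and the RDP SecurityLayer) for a list of servers, and a set function that checks the method's ReturnValue, re-reads the setting to confirm the change, and supports -WhatIf. The function names and the server names 'contososrv1' and 'contososrv2' are hypothetical.

```powershell
# Added example (not from the original article). Function and server names are
# hypothetical; the WMI class, namespace, properties and method are the ones the
# article uses. Requires Windows PowerShell (Get-WmiObject) and local admin rights.

function Get-TsGeneralSetting {
    # Shared helper: returns the RDP-tcp Win32_TSGeneralSetting instance for one host.
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-WmiObject -Class Win32_TSGeneralSetting `
                  -Namespace root\cimv2\terminalservices `
                  -ComputerName $ComputerName `
                  -Filter "TerminalName='RDP-tcp'" -ErrorAction Stop
}

function Get-RdpNlaStatus {
    # Audit: report NLA and security-layer state for one or more servers.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$ComputerName)
    process {
        foreach ($computer in $ComputerName) {
            try {
                $ts = Get-TsGeneralSetting -ComputerName $computer
                [pscustomobject]@{
                    ComputerName  = $computer
                    NlaEnabled    = [bool]$ts.UserAuthenticationRequired
                    # SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS
                    SecurityLayer = $ts.SecurityLayer
                    Error         = $null
                }
            } catch {
                # Unreachable host or access denied: surface it instead of skipping it
                [pscustomobject]@{
                    ComputerName = $computer; NlaEnabled = $null
                    SecurityLayer = $null;    Error = $_.Exception.Message
                }
            }
        }
    }
}

function Set-RdpNla {
    # Enable or disable NLA on one server, verifying the result.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $ts      = Get-TsGeneralSetting -ComputerName $ComputerName
    $before  = [bool]$ts.UserAuthenticationRequired
    $desired = [int]$Enabled

    if ($before -eq $Enabled) {
        return [pscustomobject]@{ ComputerName = $ComputerName; Before = $before
                                  After = $before; Changed = $false }
    }

    if ($PSCmdlet.ShouldProcess($ComputerName, "Set NLA (UserAuthenticationRequired) to $desired")) {
        # The WMI method returns an object whose ReturnValue is 0 on success
        $result = $ts.SetUserAuthenticationRequired($desired)
        if ($result.ReturnValue -ne 0) {
            throw "SetUserAuthenticationRequired failed on $ComputerName (ReturnValue $($result.ReturnValue))"
        }
        # Re-read rather than trusting the call: confirms the new value took effect
        $after = [bool](Get-TsGeneralSetting -ComputerName $ComputerName).UserAuthenticationRequired
        if ($after -ne $Enabled) {
            throw "NLA state on $ComputerName is still $after after the change"
        }
        [pscustomobject]@{ ComputerName = $ComputerName; Before = $before
                           After = $after; Changed = $true }
    }
}

# Constructed lab server names: list the servers that currently have NLA disabled
'contososrv1', 'contososrv2' | Get-RdpNlaStatus | Where-Object { $_.NlaEnabled -eq $false }

# Preview re-enabling NLA on a server once the dev work is done, then apply without -WhatIf
Set-RdpNla -ComputerName 'contososrv1' -Enabled $true -WhatIf
```

Get-WmiObject exists only in Windows PowerShell (5.1 and earlier); on PowerShell 7 the equivalent is Get-CimInstance for the query and Invoke-CimMethod for SetUserAuthenticationRequired. Running the audit function on a schedule is a cheap way to catch a dev VM whose NLA was switched off and never switched back on.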