Server 2008 Terminal Services Part 2: NLA – Network Level Authentication
From a security perspective, the original design of how clients connect to a Terminal Server is actually backwards from what is considered good security design.
Think about when you connect to a pre-W2008 Terminal Server. You enter the name of the server and a connection is initiated to its logon screen. Then, at that logon screen, you attempt to authenticate. From a security perspective, this isn’t a good idea, because by doing it in this manner you’re actually getting access to a server prior to authentication – the access you’re getting is straight to a session on that server – and that is not considered a good security practice.
NLA, or Network Level Authentication, reverses the order in which a client attempts to connect. If you’ve used the new RDC 6.0 client you’ve seen how it asks you for your username and password before it takes you to the logon screen. If you’re attempting to connect to a pre-W2008 server, a failure in that initial logon will fail back to the old way of logging in. I’ll bet you’ve found this new feature actually a little annoying when connecting to old servers.
Where it shines is when connecting to Windows Vista computers and W2008 servers with NLA configured. Here, it is a good idea to prevent the failback authentication from ever occurring, which prevents the bad guys from gaining access to your server without a successful authentication.
You can set this up in Vista and W2008 by right clicking on Computer and choosing Properties, then selecting Remote Settings. Under Remote Desktop, ensure “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)” is selected.
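The same setting can be audited, and enforced, from PowerShell on Vista/W2008 instead of the GUI. This is an added example, not part of the original post; it assumes the default RDP-Tcp listener and an elevated shell.

```powershell
# Added audit/enforce script (not from the original post). Assumes the
# connection listener is the default 'RDP-Tcp' and the script runs elevated.
param([switch]$Enforce)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Registry view: UserAuthentication=1 is what the "Network Level
#    Authentication (more secure)" radio button writes.
$ua = (Get-ItemProperty -Path $regPath -Name UserAuthentication).UserAuthentication
# SecurityLayer: 2 = TLS, 1 = negotiate, 0 = legacy RDP encryption only.
$sl = (Get-ItemProperty -Path $regPath -Name SecurityLayer).SecurityLayer

# 2. WMI view of the same listener (root\cimv2\TerminalServices).
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

"UserAuthentication (registry)   : $ua"
"SecurityLayer (registry)        : $sl"
"UserAuthenticationRequired (WMI): $($ts.UserAuthenticationRequired)"

if ($ua -eq 1 -and $ts.UserAuthenticationRequired -eq 1) {
    'OK: NLA is required; clients must authenticate before a session is created.'
} elseif ($Enforce) {
    # SetUserAuthenticationRequired(1) flips the listener to NLA-only.
    # Existing sessions are untouched; new connections must pre-authenticate.
    $result = $ts.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -eq 0) {
        'NLA enforced on RDP-Tcp.'
    } else {
        "SetUserAuthenticationRequired failed, return code $($result.ReturnValue)"
    }
} else {
    'WARNING: NLA not required; the pre-authentication logon screen (failback) is reachable. Re-run with -Enforce to fix.'
}
```

Run it without -Enforce first to see what the listener is actually doing; the registry and WMI views should agree, and a mismatch is worth a closer look before enforcing.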