Security – Safety of RDP without network level authentication

Tags: openvpn, rdp, remote desktop, security, vpn

I have been reading about RDP and Active Directory and I have gathered the following understandings that I'm not sure are correct:

  1. Seems like RDP with Network Level Authentication works only (or most easily) with computers in Active Directory
  2. Active Directory is a service that runs on a computer making the computer a Domain Controller.
    1. Since Active Directory runs on a server machine, it can't be used to authenticate login to that same server machine. (chicken-and-egg problem)

Final understanding, and this is the most important one: if the only way to access the network from outside is through VPN, Network Level Authentication is only really useful in preventing unauthorized access to RDP-enabled computers from the same LAN.

Am I understanding things correctly? Can I just disable Network Level Authentication in RDP and go with the less secure option if my home network is behind a VPN and I trust all clients on the LAN?

Best Answer

That is not accurate, and you are missing the point of why NLA was created. Without NLA, a computer can establish a session to a remote desktop server before authenticating. It's trivial to create enough sessions to exhaust all resources on the server. That is straight from the Wikipedia page:

https://en.wikipedia.org/wiki/Network_Level_Authentication

It isn't required to authenticate the client to Active Directory, because NLA can be used to authenticate local accounts. Some people may argue that NLA on an internal network that is not accessible from the Internet is actually less secure, because it prevents blocking network access for some local accounts and creates a vulnerability where lateral movement may be used with local accounts.
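To make the setting the answer is talking about concrete, here is an added PowerShell example (not part of the original answer) that audits whether a Windows host requires NLA on its default RDP listener and enforces it; it assumes an elevated session and the standard `RDP-Tcp` listener name.

```powershell
# Added example, not from the original answer. Assumes an elevated PowerShell
# session on the Windows host whose RDP listener is the default "RDP-Tcp".
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpNlaState {
    # UserAuthentication = 1 means a client must authenticate (CredSSP) before a
    # session is created, which is what blocks the pre-auth resource exhaustion
    # described in the answer. SecurityLayer 0 = legacy RDP, 1 = negotiate, 2 = TLS.
    $v = Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication, SecurityLayer
    [pscustomobject]@{
        NlaRequired   = ($v.UserAuthentication -eq 1)
        SecurityLayer = $(switch ($v.SecurityLayer) { 0 { 'RDP' } 1 { 'Negotiate' } 2 { 'TLS' } default { $_ } })
    }
}

function Enable-RdpNla {
    # Weak state: UserAuthentication = 0 (no NLA). Corrected state: NLA required
    # and the TLS security layer enforced. Equivalent to the GPO
    # "Require user authentication for remote connections by using Network Level Authentication".
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer     -Value 2 -Type DWord
    Get-RdpNlaState
}

# Audit first; only change the host if it is in the weak state.
$state = Get-RdpNlaState
if (-not $state.NlaRequired) {
    Write-Warning "NLA is disabled on this listener; enforcing it."
    Enable-RdpNla
} else {
    $state
}
```

Clients that cannot do CredSSP (very old mstsc builds, some third-party clients) will be refused once NLA is on, so check your client inventory before rolling it out.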