Windows Server 2008: Network Level Authentication and Encryption

Today, we're going to look at Terminal Server security in Windows Server 2008 - specifically Network Level Authentication and Encryption. Terminal Server security may be enhanced by providing user authentication earlier in the connection process when a client connects to a Terminal Server.  This early user authentication method is referred to as Network Level Authentication.  […]

Today, we're going to look at Terminal Server security in Windows Server 2008 - specifically Network Level Authentication and Encryption.

Terminal Server security may be enhanced by providing user authentication earlier in the connection process when a client connects to a Terminal Server.  This early user authentication method is referred to as Network Level Authentication.  This is a new authentication method that completes user authentication before you establish a Remote Desktop connection and the logon screen appears.  This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software.  The advantages to Network Level Authentication are:

  • Requires fewer remote computer resources initially.  The remote system uses a limited number of resources before authenticating the user, rather than starting a full Remote Desktop connection as in previous versions
  • Provides better security by reducing the risk of denial of service attacks

There are specific requirements to use Network Level Authentication:

  • The client computer must be running at least Remote Desktop Connection 6.0
  • The client computer must be using an operating system (such as Windows Vista) that supports the new Credential Security Support Provider (CredSSP) protocol
  • The Terminal Server must be running Windows Server 2008

The Terminal Server can be configured to only support connections from clients running Network Level Authentication.  This setting can be configured in a couple of different ways:

  • During the installation of the Terminal Server role service in Server Manager, on the Specify Authentication Method for Terminal Server page in the Add Roles Wizard
  • On the Remote Tab in the System Properties dialog box on a Terminal Server
  • On the General tab of the Properties dialog box for a connection in the Terminal Services Configuration tool by selecting the Allow connections only from computers running Remote Desktop with Network Level Authentication check box
  • By applying the Require user authentication for remote connections by using Network Level Authentication Group Policy setting.  If the Allow connections from computers running any version of Remote Desktop (less secure) option is not selected and is grayed out in the dialogs mentioned above, then the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled for the Terminal Server.

To determine if a system is running a version of Remote Desktop Connection software that supports Network Level Authentication, start the Remote Desktop Connection client application, click the icon in the upper-left corner of the Remote Desktop Connection dialog box and click About.  Look for the phrase, "Network Level Authentication" in the About window as shown below.

Full Article

Microsoft, WS2008, Windows Server 2008, Network, Authentication, Encryption, Security, Terminal Server, Architecture, Knowledgebase