mohammad naji asked:

how to disable NLA

hi all,
I want to disable Network Level Authentication (NLA) on a Server 2012 R2 machine so that I can use Remote Desktop to access the server. The following error message appears when trying to connect via Remote Desktop:




1. the "allow logon via Remote Desktop" option is enabled

2. the "allow connections only from computers running Remote Desktop through NLA" option is disabled

3. tried the following to disable NLA, with no luck:

Remote Registry

Start > Run > Regedit. You may need to use "RunAs" to launch it using an account with admin privileges on the target server.
File > “Connect Network Registry…”
Enter remote computer name and click OK.
Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Select “SecurityLayer” and change the value to 0.

Remote PowerShell

$TargetServer = "Server_with_NLA_Enabled"
# 0 = do not require NLA for the RDP-Tcp listener; needs admin rights on the target
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetServer -Filter "TerminalName='RDP-Tcp'").SetUserAuthenticationRequired(0)

Group Policy

Create and apply GPO to the server(s) via the Group Policy Management Console.
Edit the GPO and navigate to the following setting:

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Set the policy "Require user authentication for remote connections by using Network Level Authentication" to DISABLED
Any solution, please?
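The three methods in the question (WinStations registry key, the Win32_TSGeneralSetting WMI method, and the GPO) all end up in one of two registry locations, and a GPO value silently wins over a manual edit on the next policy refresh, which is why a hand edit can appear to "not take". The script below is an added example written for this page, not code from the thread or from Microsoft: it reads the effective setting through CIM (the same class the question's WMI call uses), reads both registry locations remotely, warns when a policy value still enforces NLA, and only disables NLA when explicitly asked. It assumes WinRM is reachable on the target, that the caller is a local administrator there, and that the policy key path `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` is where the "Require user authentication ... NLA" GPO writes its `UserAuthentication` value. `Server_with_NLA_Enabled` is a placeholder name.

```powershell
# Added example, not from the original thread. Audits the RDP/NLA settings the
# question touches on a remote Server 2012 R2 host and optionally disables NLA.
# Assumes WinRM is enabled on the target and the caller is an admin there.
param(
    [string]$TargetServer = 'Server_with_NLA_Enabled',   # placeholder name
    [switch]$DisableNla                                  # only act when explicitly requested
)

# Where manual edits (regedit / WMI) land.
$winStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Where the GPO "Require user authentication ... Network Level Authentication" lands (assumed path).
# A value here overrides the WinStations key on every policy refresh, so it must be checked too.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$session = New-CimSession -ComputerName $TargetServer

# Effective setting as Remote Desktop Services itself reports it.
$ts = Get-CimInstance -CimSession $session -Namespace root\cimv2\terminalservices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# Read both registry locations via WinRM, so the Remote Registry service is not needed.
$reg = Invoke-Command -ComputerName $TargetServer -ScriptBlock {
    param($ws, $pk)
    $w = Get-ItemProperty -Path $ws -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $pk -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WinStation_UserAuthentication = $w.UserAuthentication
        WinStation_SecurityLayer      = $w.SecurityLayer
        Policy_UserAuthentication     = $p.UserAuthentication
        Policy_SecurityLayer          = $p.SecurityLayer
    }
} -ArgumentList $winStation, $policyKey

[pscustomobject]@{
    Server                     = $TargetServer
    Effective_UserAuthRequired = $ts.UserAuthenticationRequired   # 1 = NLA enforced, 0 = not required
    Effective_SecurityLayer    = $ts.SecurityLayer                # 0 = RDP, 1 = Negotiate, 2 = TLS
    WinStation_UserAuth        = $reg.WinStation_UserAuthentication
    WinStation_SecurityLayer   = $reg.WinStation_SecurityLayer
    Policy_UserAuth            = $reg.Policy_UserAuthentication   # $null means no GPO value applied
    Policy_SecurityLayer       = $reg.Policy_SecurityLayer
} | Format-List

if ($reg.Policy_UserAuthentication -eq 1) {
    Write-Warning "A GPO still enforces NLA ($policyKey\UserAuthentication = 1); manual registry or WMI changes will be reverted on the next policy refresh."
}

if ($DisableNla) {
    # Same method the question calls through Get-WmiObject, invoked through CIM.
    # This is a deliberate security downgrade: callers reach the logon screen before authenticating.
    $result = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                -Arguments @{ UserAuthenticationRequired = 0 }
    "SetUserAuthenticationRequired returned $($result.ReturnValue) (0 = success)"
}

Remove-CimSession $session
```

Run it once without `-DisableNla` to see which layer is setting the value; if `Policy_UserAuth` is 1, the fix is in Group Policy, not in the registry or WMI. A non-zero `ReturnValue` from the method is the usual sign of missing admin rights on the target.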
ASKER CERTIFIED SOLUTION
Pete Long

mohammad naji (ASKER):

thanks Pete,
but as I mentioned in the thread, all these steps were done and I am still getting the "require NLA" error message
Did you see the link on the page that advises the new GPO?
yes, I did the Group Policy to disable NLA as mentioned in my question here in the thread, and restarted the affected machine to take effect, with no luck
Can I ask WHY you are trying to disable NLA?  I can't think of a valid reason to do so. It *severely* weakens security and there is rarely, if ever, a benefit.
?? Nope, 'click the link' that's in that article I posted; the policy is:

Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

P
hi Cliff,
I understand that NLA saves me from man-in-the-middle attacks.
However, sometimes I wish to disable it at the client level, usually for troubleshooting.

Anyway, if you want to disable NLA, change the port number RDP uses

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

and just from my understanding, if a hacker wants to attack RDP, he can remotely disable NLA and then do what he/she needs
hi Pete Long,
I did not find a link that states the policy:

Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

sorry, I think I misunderstood you
Properly set, NLA cannot be remotely disabled, nor have I ever seen a rationale for disabling it as a troubleshooting step in the past. But to each their own.
Okay, now I'll try too.
hi,
thanks all for your comments,
the issue was solved after uninstalling security update KB 4093120; the link that Pete Long provided helped me to solve this issue


thank you all again
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Pete Long (https:#a42572769)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

FireRunt
Experts-Exchange Cleanup Volunteer