In an era where remote work and cloud-based solutions are the norm, securing access to your computers and servers is more important than ever. Network Level Authentication (NLA) is a powerful security feature in Microsoft’s Remote Desktop Services that helps protect your network by requiring users to verify their identity before a remote session even begins.

Unlike traditional Remote Desktop connections, which expose your server to potential attacks as soon as a session starts, NLA authenticates users on the client side first, reducing the risk of unauthorized access and conserving server resources. In this blog, we will break down what NLA is, how it works, and why it is a must-have for anyone using Remote Desktop.

What is Network Level Authentication (NLA)?

Network Level Authentication explained

Let us start with the basics. Network Level Authentication (NLA) is an authentication method used by Remote Desktop services, such as Remote Desktop Connection (the RDP client) and Windows RDP. It is also referred to as front authentication because it requires the end user to enter their credentials before the session is set up. NLA is a feature of Remote Desktop Services (the RDP server) that requires the connecting user to authenticate before a session is established with the server.

Before NLA, if a user opened a remote desktop session to a server, the server would load its login screen for the user. This used up precious resources on the server and was a potential weak spot for remote code execution and denial-of-service attacks. Not good.

Enter NLA, which delegates the user's credentials from the client through a client-side security support provider, prompting the user to authenticate before establishing their session with the server. Much better for user experience and so much safer. 

NLA was first introduced in RDP 6.0 and supported initially in Windows Vista. It uses the Credential Security Support Provider (CredSSP), which is available through SSPI in Windows Vista (remember Vista - or are you like us and trying to pretend that we went straight from XP to 7?). Windows XP Service Pack 3 also introduced CredSSP, and its RDP 6.1 client supported NLA; however, admins had to enable CredSSP in the registry first.

How does NLA work?

Network Level Authentication (NLA) secures Remote Desktop connections by requiring the user to authenticate before a full remote session is established. This pre-authentication process reduces server load and protects against unauthorized access or attacks.

The NLA authentication process can be broken down into two main stages:

Stage 1: Pre-authentication

  1. Client initiates connection: The user starts a Remote Desktop session by entering the target computer’s IP address or hostname.

  2. Server requests credentials: Before creating a full session, the server asks the client to provide credentials.

  3. CredSSP validation: The client uses CredSSP (Credential Security Support Provider) to securely encrypt and send credentials to the server.

  4. Server verifies identity: The server checks the credentials against Active Directory or the local user database. If valid, the process moves to Stage 2.

Stage 2: Session establishment

  1. Secure session initiation: After successful authentication, the server establishes the Remote Desktop session.

  2. Resource allocation: Only now does the server allocate resources for the full session, reducing unnecessary load.

  3. Encrypted communication: All communication between client and server is encrypted, ensuring the session remains secure.

This two-stage process ensures that unauthorized users never reach the full desktop session, making NLA much safer than traditional Remote Desktop connections.
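What the pre-authentication stage looks like on the wire, as an added example that is not part of the original article: before any desktop session exists, the server's first reply (the X.224 Connection Confirm) either names the security protocol it accepted or refuses the connection because the client did not offer CredSSP. The field layout and constant names are taken from Microsoft's public MS-RDPBCGR specification, which the article itself does not cover, and the byte strings are constructed samples.

```powershell
# Added example (not from the original article). Decodes the negotiation block in
# an X.224 Connection Confirm. Constants: MS-RDPBCGR. Sample bytes are constructed.
function Get-RdpNegotiationResult {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $protocols = @{
        0 = 'PROTOCOL_RDP: legacy RDP security, no NLA'
        1 = 'PROTOCOL_SSL: TLS only, logon happens inside the session'
        2 = 'PROTOCOL_HYBRID: TLS + CredSSP (NLA)'
        8 = 'PROTOCOL_HYBRID_EX: TLS + CredSSP (NLA)'
    }
    $failures = @{
        1 = 'SSL_REQUIRED_BY_SERVER'
        2 = 'SSL_NOT_ALLOWED_BY_SERVER'
        3 = 'SSL_CERT_NOT_ON_SERVER'
        4 = 'INCONSISTENT_FLAGS'
        5 = 'HYBRID_REQUIRED_BY_SERVER'   # server enforces NLA, client did not offer it
        6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER'
    }

    # TPKT header: version 3 at byte 0. X.224 Connection Confirm: code 0xD0 at byte 5.
    if ($Bytes.Length -lt 11 -or $Bytes[0] -ne 3 -or $Bytes[5] -ne 0xD0) {
        throw 'Not an X.224 Connection Confirm'
    }
    # No negotiation block at all: the server fell back to legacy RDP security.
    if ($Bytes.Length -lt 19) {
        return [pscustomobject]@{ Accepted = $true; Nla = $false; Detail = $protocols[0] }
    }
    $type  = $Bytes[11]                                  # 0x02 = response, 0x03 = failure
    $value = [System.BitConverter]::ToInt32($Bytes, 15)  # 4-byte little-endian field
    switch ($type) {
        # Nla = $true means CredSSP was selected (response) or is demanded (failure).
        0x02 { [pscustomobject]@{ Accepted = $true;  Nla = ($value -in 2, 8); Detail = $protocols[$value] } }
        0x03 { [pscustomobject]@{ Accepted = $false; Nla = ($value -eq 5);    Detail = $failures[$value] } }
        default { throw "Unexpected negotiation type $type" }
    }
}

# Constructed samples: 4-byte TPKT + 7-byte X.224 header + 8-byte negotiation block.
$hdr = 0x03,0x00,0x00,0x13,0x0E,0xD0,0x00,0x00,0x12,0x34,0x00
$nlaSelected = [byte[]]($hdr + 0x02,0x00,0x08,0x00,0x02,0x00,0x00,0x00)  # client offered CredSSP
$nlaRequired = [byte[]]($hdr + 0x03,0x00,0x08,0x00,0x05,0x00,0x00,0x00)  # legacy client refused

Get-RdpNegotiationResult $nlaSelected   # Accepted, PROTOCOL_HYBRID
Get-RdpNegotiationResult $nlaRequired   # Refused, HYBRID_REQUIRED_BY_SERVER
```

The second sample is what an older client sees from a server that enforces NLA: the refusal arrives in the first reply, before a login screen or session is ever created.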

What is NLA used for?

Network Level Authentication (NLA) is primarily used to secure Remote Desktop connections by ensuring that users authenticate before a session is established. Its main purposes include:

  • Enhancing security: NLA prevents unauthorized access by requiring credentials before a full remote session begins.

  • Reducing server load: Pre-authentication ensures that server resources are only used for legitimate users.

  • Protecting against attacks: By authenticating early, NLA reduces the risk of exploits, such as remote code execution or denial-of-service attacks.

  • Supporting Single Sign-On (SSO): NLA integrates with NT SSO, allowing users to access Remote Desktop Services seamlessly within enterprise networks.

  • Encouraging best practices for IT admins: It prompts system administrators and support technicians to consider security measures in routine tasks, making remote access safer.

In short, NLA is a simple but powerful way to make remote desktop sessions safer, more efficient, and easier to manage, especially in enterprise environments or systems exposed to the internet.

How to know if your computer supports Network Level Authentication?

To find out if your computer supports NLA:

  • Open Remote Desktop Connection from the Start menu.

  • Click on the About option in the top-left corner of the window.

  • In the About Remote Desktop Connection window, look for the option “Network Level Authentication supported”.

If your computer does not support NLA, you may need to update your Windows version or install the latest Remote Desktop client.

How to enable NLA?

As we discussed previously, NLA is not enabled by default, so here is how to switch it on. You can do this in multiple ways, including:

  • Remote Desktop Settings

  • System and Security Settings

How to enable NLA via Remote Desktop Settings?

Enabling Network Level Authentication (NLA) makes your remote connections more secure. It ensures that only authorized users can access your computer, protecting it from unauthorized access and potential security threats.

  1. Open Settings from the Start menu.

  2. Search for Remote Desktop and open the settings page.

  3. Toggle Enable Remote Desktop to ON.

  4. Click Advanced Settings and ensure that NLA is enabled for the devices you want to connect to.

  5. Optionally, keep your PC awake and discoverable to allow connections.

How to enable NLA via System and Security Settings?

Using System and Security settings to enable NLA ensures that only verified connections can access your computer. This extra layer of protection helps prevent unauthorized access and keeps your system secure.

  1. Open Control Panel and go to System and Security > System.

  2. Click Remote settings in the left-hand menu.

  3. Under Remote Desktop, select Allow connections only from computers running Remote Desktop with Network Level Authentication.

  4. Click Apply and OK to save your changes.
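The same setting can be audited and set from an elevated PowerShell prompt, which also answers the "is NLA enabled?" question on machines you cannot click through. This is an added example, not part of the original article; the function names are hypothetical, and the registry paths and value names are the standard Windows ones for the RDP-Tcp listener and its Group Policy override.

```powershell
# Added example (not from the original article). Reads the RDP listener settings
# behind the "Network Level Authentication" checkbox. Run in an elevated session.
$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ListenerKey = "$TsKey\WinStations\RDP-Tcp"
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-RdpNlaStatus {
    $local  = Get-RegValue $ListenerKey 'UserAuthentication'   # 1 = NLA required
    $policy = Get-RegValue $PolicyKey   'UserAuthentication'   # Group Policy value, wins if present
    $layer  = Get-RegValue $ListenerKey 'SecurityLayer'        # 0 = RDP, 1 = Negotiate, 2 = TLS
    $deny   = Get-RegValue $TsKey       'fDenyTSConnections'   # 0 = Remote Desktop enabled

    $effective = if ($null -ne $policy) { $policy } else { $local }
    [pscustomobject]@{
        RemoteDesktopEnabled   = ($deny -eq 0)
        NlaRequired            = ($effective -eq 1)
        SetBy                  = if ($null -ne $policy) { 'Group Policy' } else { 'Local setting' }
        SecurityLayer          = $layer
        # Layer 0 is the legacy RDP security layer, which cannot be combined with NLA.
        LegacyRdpSecurityLayer = ($layer -eq 0)
    }
}

function Enable-RdpNla {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($null -ne (Get-RegValue $PolicyKey 'UserAuthentication')) {
        Write-Warning 'A Group Policy value overrides the local setting; change the GPO instead.'
        return
    }
    if ($PSCmdlet.ShouldProcess('RDP-Tcp listener', 'Require Network Level Authentication')) {
        Set-ItemProperty -Path $ListenerKey -Name UserAuthentication -Value 1 -Type DWord
    }
}

Get-RdpNlaStatus | Format-List
# Enable-RdpNla -WhatIf    # preview the change; drop -WhatIf to apply it
```

If `SetBy` reports Group Policy, the checkbox in the GUI is greyed out or ignored, and the setting has to be changed in the policy that delivers it.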

Different versions of Windows. Setting up for NLA can look slightly different depending on which version of Windows you're operating, for example:

  • Windows 10 Fall Creators update (1709) or above. You can use the above ways, and a separate downloadable app provides similar functionality for earlier versions of Windows. There’s also the option of using the legacy way of enabling Remote Desktop, but this method offers less functionality and validation.

  • Windows 7 and early versions of Windows 10. Download and run the Microsoft Remote Desktop Assistant, which will update your system settings to ensure your computer is awake for connections, to allow remote access, and to check that your firewall allows Remote Desktop connections. In short, it does all the heavy lifting for you!

  • Older version of Windows (aka the legacy method). To enable Remote Desktop using legacy system properties, you need to follow these instructions to connect to another computer using Remote Desktop Connection on the Microsoft support site.

Enabling NLA via settings

The first option you have is to go to Settings in your Start menu, search for Remote Desktop, then select the Enable Remote Desktop radio button.

Click the Advanced Settings button to ensure the required computers for Network Level Authentication are checked. It is also recommended to keep the PC awake and discoverable to enable connections. Click Show settings to enable this. 

The control panel method. You can also enable NLA via the Control Panel of your machine. Fire up Control Panel, click System and Security, followed by the Allow Remote Access option. Click on Remote, Remote Desktop, and there you will see an option named Allow remote connections to this computer. Make sure you select the Allow connections only from computers running Remote Desktop with Network Level Authentication setting. 

What are the benefits of NLA?

NLA has several benefits, including:

  • It initially requires fewer remote computer resources by preventing the initiation of a complete remote desktop connection until the user is authenticated, which reduces the risk of denial-of-service attacks.

  • It helps to mitigate Remote Desktop vulnerabilities, which can only be exploited prior to authentication.

  • It allows NT Single Sign-On (SSO), extending to Remote Desktop Services.

  • It prompts techs and sysadmins to consider security when carrying out routine support tasks.

When to use NLA?

Network Level Authentication (NLA) is a powerful tool for securing Remote Desktop connections, but knowing when and where to use it ensures you get the most benefit.

Ideal situations for NLA

  • Enterprise networks: Protect sensitive organizational data by requiring users to authenticate before accessing remote systems.

  • Internet-exposed systems: Servers reachable from outside your local network benefit from NLA’s pre-authentication, reducing the risk of unauthorized access.

  • High-security environments: Any environment where security is a priority should use NLA to block potential attacks before a session even starts.

Exceptions: When legacy RDP may be needed

  • Older operating systems: Legacy Windows versions might not support NLA.

  • Older RDP clients: Some remote users may have outdated clients that cannot connect if NLA is enforced.

  • Compatibility requirements: Certain applications or high-quality network setups may require temporarily disabling NLA for smooth connectivity.

In general, NLA should be enabled whenever possible. Understanding the exceptions helps maintain compatibility while keeping your remote connections secure.

What are the limitations of NLA in modern infrastructure?

While Network Level Authentication (NLA) enhances security for Remote Desktop connections, it does have some limitations in modern IT infrastructures:

  • Older operating systems may not support NLA, which can prevent certain users from connecting remotely.

  • Troubleshooting connection issues can be more complicated when NLA is enabled, making IT support more challenging.

  • NLA has limited support in multi-cloud or hybrid environments, which can create compatibility problems.

  • Proper configuration is critical; incorrect settings on either the client or server can block access entirely.

  • Some legacy applications may not function correctly when NLA is enforced, requiring workarounds or exceptions.

  • The pre-authentication process may confuse end users, potentially impacting the overall user experience.

  • Certain system firmware or boot configurations, such as CSM/MBR setups, may not fully support NLA, limiting its deployment.

How to use Remote Desktop with NLA?

So, how do you use Remote Desktop with NLA? Here are our top 3 tips: 

  • Check the end user: First and foremost, check that the machine the end user is working on can support NLA, because if working in tech support for years has taught us anything, you just never know. The easiest way is to ask your user to start the Remote Desktop Connection in the way that is best for them. Our preferred way of asking is going, "OK, what you're going to do is hit the Windows key and type in the word remote. Something called Remote Desktop Connection will appear on your screen. Just click that and we can go from there." Once they have it open, look in the top left-hand corner of the RDC dialog box, and there will be an option that says About. In the About Remote Desktop Connection dialog box, there should be a mention of Network Level Authentication supported, which will confirm that NLA is supported on the device.

  • The end user experience: Once you've established that NLA is supported, tell the end user what to expect. You will need to explain that a message will pop up when the remote desktop connection is made so the user can authenticate before the connection is established. It is worth spending time explaining this because nothing spooks an end user like an unexpected message popping up. This authentication requirement provides additional security that will make the session safer - the client's credentials will be requested, and the session will only start once the credentials are approved.

  • Ace your prep work: To connect to a remote PC, the computer must be switched on with a network connection. Remote Desktop must be enabled, you need to have permission to connect, you need network access to the remote computer (potentially via the internet), and you have to be on the list of users for permission to connect. Before you initiate a connection, it is useful to look up the name of the computer that you are connecting to and to ensure Remote Desktop connections are allowed through its firewall.

Frequently asked questions

1. What is the purpose of NLA?

Network Level Authentication (NLA) is designed to secure Remote Desktop connections by requiring users to authenticate before a full session is established. This reduces server resource usage and protects against unauthorized access or potential attacks.

2. How to fix a Network Level Authentication error?

NLA errors can occur due to outdated RDP clients, incompatible Windows versions, or misconfigured settings. To fix the issue, ensure both client and server support NLA, update Remote Desktop software, verify firewall settings, and confirm correct credentials.

3. What is Stage 1 NLA?

Stage 1 is the pre-authentication phase in NLA. During this stage, the client provides credentials to the server through CredSSP before a full Remote Desktop session is created, ensuring that only authorized users can connect.

4. How to check if NLA is enabled?

Open Remote Desktop Connection, click the About option, and look for the message “Network Level Authentication supported.” You can also check through Control Panel > System and Security > Remote Desktop to see if the NLA option is selected.

5. What causes NLA error?

Common causes include outdated operating systems, incompatible RDP clients, incorrect configuration settings, firewall restrictions, or network issues. Ensuring both client and server support NLA and are properly configured usually resolves the problem.

6. How to turn off NLA for RDP?

To disable NLA, go to Control Panel > System and Security > Remote Desktop, and uncheck the option “Allow connections only from computers running Remote Desktop with Network Level Authentication.” Keep in mind that turning off NLA reduces security, so only disable it when necessary.