Table of Contents
Purpose
Enhance Network Security by Ensuring RDP Sessions can be Initiated ONLY from NLA-capable Computers
During the initial setup of Windows servers and workstations, many administrators may have set a lower security setting, when allowing Remote Desktop Protocol (RDP) connections to the computer being built. This weaker setting will be shown during the configuration phase, and is under the “Remote” tab of “Computer Properties.” It is "Allow connections from computers running any version of Remote Desktop (less secure)":
As a point of security auditing and improving overall security posture, security auditors will issue a warning note, if they detect this less secure setting on any of your servers or workstations. By using this weaker setting, you are, in essence, allowing connections from older operating systems and older RDP versions, which do not offer nor require Network-Level Authentication (NLA).
As part of security remediation you, as a system, network or security administrator (admin), must visit each computer with this weaker setting and change it to the more secure setting of “Allow connections only from computers running Remote Desktop Protocol with Network Level Authentication (more secure):”
A labor-intensive and time-intensive problem arises when the administrator of a large number of computers and/or a large number of remote sites must remediate this setting. In such a situation, it is best to utilize a script, such as “enablenla.bat,” in order to expeditiously change the remote servers to recommended setting.
The "enablenla.bat" script was developed to enable the RDP NLA feature on a list of remote (target) computers, so that the target computers will require any connecting/controlling (source) computer to utilize NLA-capable RDP - i.e. Windows 7 or higher and Windows Server 2008 or higher (or older O/S with NLA-compliant RDP).
Notes
After making this setting change, to make the change take effect, the admin must, at some point, restart the target computer, since the registry key being changed is an HKLM (i.e., “Local Machine”) key.
After making this setting change, you no longer will be able to connect to the target system via systems that run Windows XP or older, or Windows Server 2003 or older, unless those systems have had RDP upgraded to NLA-capable RDP versions.
What the Script Does
The script simply changes a registry key on the target computer so that, when the target computer is restarted, the requirement will be enforced to allow only NLA-capable RDP sessions to the remote computer. Following is a snippet (portion) of the “enablenla.bat”
script – download the enablenla.bat full script for full code and functionality.
@echo offrem =================================================================================rem - Script: enablenla.batrem - How to Run this script:rem -
1) Save this script as
"c:\scripts\enablenla.bat"rem - a) To run against a single computerrem - Execute this script, passing the remote computer name as the only parameter, redirect output/errors to a
log filerem - c:\scripts\enablenla.bat Server1
>> c:\scripts\nla-log.txt 2>&1rem - where Server1
is the remote computer needing RDP-NLA to be enabledrem - b) To run against multiple computers:rem - i. Make a wrapper
"bat" file to
'call' this (enablenla.bat) script -rem - There is a
"wrapper file"
example in the "rem"
statements at the end of this scriptrem - ii. In the
"wrapper" file, place a series of
"call" statements, each on a single line, for each remote computerrem - i.e.
"call c:\scripts\enablenla Server1"
(that runs this script against the remote computer "Server1")rem - iii. Once you've entered
all
the lines containing all
the target remote computer names,rem - save that
"wrapper" script as
"c:\scripts\callnla.bat"rem - iv. Execute the
"wrapper" file, redirecting output & errors to a log file:rem - c:\scripts\callnla.bat >> c:\scripts\nla-log.txt
2>&1rem - c) Examine log for successes and to troubleshoot any errors ("notepad c:\scripts\nla-log.txt")==========================================================================================================================remecho.echo
"Adding NLA-ONLY key to remote computer %1"echo.[remotely add specific hklm key on remote computer]…echo.echo
"Finished adding NLA key to remote computer %1"[End of
code
snippet]Download & Execute “enablenla.bat” script against a list of remote computers
1) Save this script as "c:\scripts\enablenla.bat"
2) Execute this script against individual or multiple remote computers
a) To run against a single computer
Execute this script, passing the remote computer name as the only parameter, redirecting output/errors to a log file
c:\scripts\enablenla.bat Server1 >> c:\scripts\nla-log.txt 2>&1
where Server1 is the remote computer needing RDP-NLA to be enabled
b) To run against multiple computers:
i. Make a wrapper "bat" file to 'call' this (enablenla.bat) script -
There is a "wrapper file" example in the "rem" statements at the end of this script
ii. In the "wrapper" file, place a series of "call" statements, each on a single line, for each remote computer
i.e. "call c:\scripts\enablenla Server1" (that would run this script against to modify the remote computer "Server1")
iii. Once you've entered all the lines containing all the target remote computer names,
save that "wrapper" script as "c:\scripts\callnla.bat"
iv. Execute the "wrapper" file, redirecting output & errors to a log file:
c:\scripts\callnla.bat >> c:\scripts\nla-log.txt 2>&1
c) Examine log for successes and to troubleshoot any errors ("notepad c:\scripts\nla-log.txt")
Assumptions
1) You can create/save this script and a wrapper script to a c:\scripts folder
2) You have the necessary privileges and rights to modify the HKLM key on the targeted remote computers
See Also
The related “enablenla.bat” script
TechNet article on configuring RDP NLA