Purpose

Enhance Network Security by Ensuring RDP Sessions can be Initiated ONLY from NLA-capable Computers

During the initial setup of Windows servers and workstations, many administrators may have chosen the lower security setting when allowing Remote Desktop Protocol (RDP) connections to the computer being built. This weaker setting is shown during the configuration phase, under the “Remote” tab of “Computer Properties,” as "Allow connections from computers running any version of Remote Desktop (less secure)".

As a point of security auditing and of improving overall security posture, security auditors will issue a warning note if they detect this less secure setting on any of your servers or workstations. By using this weaker setting, you are, in essence, allowing connections from older operating systems and older RDP versions, which neither offer nor require Network Level Authentication (NLA).

As part of security remediation, you, as a system, network or security administrator (admin), must visit each computer with this weaker setting and change it to the more secure setting, “Allow connections only from computers running Remote Desktop Protocol with Network Level Authentication (more secure).”

A labor-intensive and time-intensive problem arises when the administrator of a large number of computers and/or a large number of remote sites must remediate this setting. In such a situation, it is best to use a script, such as “enablenla.bat,” in order to change the remote servers to the recommended setting expeditiously.

The "enablenla.bat" script was developed to enable the RDP NLA requirement on a list of remote (target) computers, so that the target computers will require any connecting/controlling (source) computer to use an NLA-capable RDP client, i.e. Windows 7 or higher and Windows Server 2008 or higher (or an older O/S with an NLA-compliant RDP client).

Notes

After making this setting change, the admin must, at some point, restart the target computer for the change to take effect, since the registry key being changed is an HKLM (i.e., “Local Machine”) key.

After making this setting change, you will no longer be able to connect to the target system from systems that run Windows XP or older, or Windows Server 2003 or older, unless those systems have had RDP upgraded to an NLA-capable RDP version.


What the Script Does

The script simply changes a registry key on the target computer so that, once the target computer is restarted, only NLA-capable RDP sessions are allowed to that computer. Following is a snippet (portion) of the “enablenla.bat” script; download the full enablenla.bat script for the complete code and functionality.

@echo off
rem =================================================================================
rem - Script: enablenla.bat
rem -  How to Run this script:
rem -  1) Save this script as "c:\scripts\enablenla.bat"
rem -     a) To run against a single computer
rem -        Execute this script, passing the remote computer name as the only parameter, redirect output/errors to a log file
rem -         c:\scripts\enablenla.bat Server1 >> c:\scripts\nla-log.txt 2>&1
rem -           where Server1 is the remote computer needing RDP-NLA to be enabled
rem -     b) To run against multiple computers:
rem -        i. Make a wrapper "bat" file to 'call' this (enablenla.bat) script -
rem -           There is a "wrapper file" example in the "rem" statements at the end of this script
rem -       ii. In the "wrapper" file, place a series of "call" statements, each on a single line, for each remote computer
rem -           i.e. "call c:\scripts\enablenla Server1" (that runs this script against the remote computer "Server1")
rem -      iii. Once you've entered all the lines containing all the target remote computer names,
rem -           save that "wrapper" script as "c:\scripts\callnla.bat"
rem -       iv. Execute the "wrapper" file, redirecting output & errors to a log file:
rem -           c:\scripts\callnla.bat >> c:\scripts\nla-log.txt 2>&1
rem -     c) Examine log for successes and to troubleshoot any errors ("notepad  c:\scripts\nla-log.txt")
rem ==========================================================================================================================
rem
echo.
echo "Adding NLA-ONLY key to remote computer %1"
echo.
[remotely add specific hklm key on remote computer]…
echo.
echo "Finished adding NLA key to remote computer %1"
[End of code snippet]
Download & Execute “enablenla.bat” script against a list of remote computers

1) Save this script as "c:\scripts\enablenla.bat"

2) Execute this script against individual or multiple remote computers

    a) To run against a single computer
       Execute this script, passing the remote computer name as the only parameter, redirecting output/errors to a log file
       c:\scripts\enablenla.bat Server1 >> c:\scripts\nla-log.txt 2>&1
       where Server1 is the remote computer needing RDP-NLA to be enabled

    b) To run against multiple computers:

       i. Make a wrapper "bat" file to 'call' this (enablenla.bat) script -
          There is a "wrapper file" example in the "rem" statements at the end of this script

      ii. In the "wrapper" file, place a series of "call" statements, each on a single line, one for each remote computer
          i.e. "call c:\scripts\enablenla Server1" (that runs this script against the remote computer "Server1")

     iii. Once you've entered all the lines containing all the target remote computer names,
          save that "wrapper" script as "c:\scripts\callnla.bat"

      iv. Execute the "wrapper" file, redirecting output & errors to a log file:
          c:\scripts\callnla.bat >> c:\scripts\nla-log.txt 2>&1

    c) Examine the log for successes and to troubleshoot any errors ("notepad c:\scripts\nla-log.txt")
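The article's script is a batch file whose registry step is elided above. As an added example (not the enablenla.bat script and not the author's code), the PowerShell below does the same job as the "What the Script Does" section and the wrapper-file procedure in one pass: it audits a list of target computers first, then sets the NLA requirement only where it is missing, and returns a per-computer record that can be exported as a log. It assumes the value behind the "Remote" tab checkbox is UserAuthentication (REG_DWORD, 1 = NLA required) under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, which the page does not name; that the Remote Registry service is reachable on each target and the caller can write that HKLM key (the page's second assumption); and that the computer names Server1 and Server2 are constructed placeholders.

```powershell
# Added example: audit and remediate the RDP "NLA required" registry value on
# remote computers. Not the article's enablenla.bat script.
#
# Assumptions (not stated on the page):
#  - HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
#    UserAuthentication (REG_DWORD) is the value the "Remote" tab toggles:
#    1 = only NLA-capable clients, 0 = any RDP client (less secure).
#  - The Remote Registry service is reachable and the caller may write HKLM.
#  - Server1 / Server2 are constructed placeholder names.

$RdpTcpKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$NlaValue  = 'UserAuthentication'

function Open-RemoteHklm {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Open the target's HKLM hive over the Remote Registry service.
    return [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
}

function Get-RdpNlaState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Returns the current UserAuthentication value (0 if the value is absent).
    $hive = Open-RemoteHklm -ComputerName $ComputerName
    try {
        $key = $hive.OpenSubKey($RdpTcpKey, $false)
        if (-not $key) { throw "RDP-Tcp key not found on $ComputerName" }
        try { return [int]$key.GetValue($NlaValue, 0) } finally { $key.Close() }
    } finally { $hive.Close() }
}

function Set-RdpNlaRequired {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Writes UserAuthentication = 1 (NLA required) on the target.
    $hive = Open-RemoteHklm -ComputerName $ComputerName
    try {
        $key = $hive.OpenSubKey($RdpTcpKey, $true)   # $true = writable
        if (-not $key) { throw "RDP-Tcp key not found on $ComputerName" }
        try {
            $key.SetValue($NlaValue, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Close() }
    } finally { $hive.Close() }
}

function Invoke-RdpNlaRemediation {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$AuditOnly     # report non-compliant hosts without changing them
    )
    foreach ($c in $ComputerName) {
        try {
            $before = Get-RdpNlaState -ComputerName $c
            $result = 'Compliant'
            if ($before -ne 1) {
                if ($AuditOnly) {
                    $result = 'NonCompliant'
                } else {
                    Set-RdpNlaRequired -ComputerName $c
                    $result = 'Remediated'
                }
            }
            # Re-read after writing so the log records what the target now holds.
            $after = if ($AuditOnly) { $before } else { Get-RdpNlaState -ComputerName $c }
            [pscustomobject]@{ Computer = $c; Before = $before; After = $after
                               Result = $result; Error = $null }
        } catch {
            # Unreachable host, missing key, or access denied: log, keep going.
            [pscustomobject]@{ Computer = $c; Before = $null; After = $null
                               Result = 'Error'; Error = $_.Exception.Message }
        }
    }
}

# Usage: audit first, review, then remediate and keep a log (paths are placeholders).
$targets = @('Server1', 'Server2')                       # constructed placeholder names
Invoke-RdpNlaRemediation -ComputerName $targets -AuditOnly | Format-Table -AutoSize
Invoke-RdpNlaRemediation -ComputerName $targets |
    Export-Csv -Path 'c:\scripts\nla-log.csv' -NoTypeInformation
```

Running with -AuditOnly first gives the list of hosts an auditor would flag without touching anything; the second run changes only those hosts whose Before column is not 1, and the After column confirms the write. As the article's Notes say, the target must still be restarted before the new requirement is enforced, and clients on Windows XP / Server 2003 without an NLA-capable RDP client will no longer connect.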

Assumptions

1) You can create/save this script and a wrapper script to a c:\scripts folder

2) You have the necessary privileges and rights to modify the HKLM key on the targeted remote computers


See Also

The related “enablenla.bat” script

TechNet article on configuring RDP NLA