question

0 Votes
WtorkiewiczPawel-1530 asked ·

Azure VMs and disabling NLA on domain level.

Hello Team,

I'd like to ask if NLA is required for VMs in Azure? We want to disable it by using Group Policy Objects (GPOs).

Thanks!

azure-virtual-machines-networking

0 Votes
Sumarigo-MSFT answered ·

@WtorkiewiczPawel-1530 Welcome to Microsoft Q&A, Thank you for posting your query!

The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.

There is an easy method to disable NLA via the Azure portal. Navigate to Operations > Run command, select the DisableNLA script, then click the Run button. After the run command script finishes, restart your Azure VM for the change to take effect. See here

Alternatively, you also could invoke run command with PowerShell or Azure CLI.

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command

  • You can use the Serial Console feature. Open an administrative CMD instance and regain access to the VM by disabling NLA:

REM Disable the Network Level Authentication
REM SecurityLayer 0 = legacy RDP security layer (1 = Negotiate, 2 = TLS/SSL)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
REM UserAuthentication 0 = do not require NLA before the session is created
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
REM fAllowSecProtocolNegotiation 0 = do not negotiate a security protocol with the client
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 0 /f
REM A reboot (or restart of the Remote Desktop Services service) is needed for the change to apply

Adding more information: Network Level Authentication (NLA) was conceived to improve the security of Remote Desktop Protocol by requiring that users be authenticated to another party (a host server or Domain Controller) before an RDP session is created, helping to reduce the risk of denial-of-service attacks and enhancing OS security.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


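As an added example (it is not part of this thread and not Microsoft's own code), the following PowerShell audits the same three settings the answer above changes, so an administrator can verify what a VM is actually enforcing before and after a GPO rollout. It assumes it runs as an administrator on the Windows VM itself (for example through Run command > RunPowerShellScript, or from the Serial Console). The policy key path used here is the one the "Require user authentication for remote connections by using Network Level Authentication" GPO writes; the WMI class Win32_TSGeneralSetting reports the effective value.

```powershell
# Added example, not from the thread: report local, policy and effective NLA /
# security-layer settings for the RDP-Tcp listener on this VM.

$winStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Policy key written by the NLA GPO; when present it overrides the WinStations value.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-NlaStatus {
    $local  = Get-RegValueOrNull -Path $winStation -Name 'UserAuthentication'
    $policy = Get-RegValueOrNull -Path $policyKey  -Name 'UserAuthentication'
    $layer  = Get-RegValueOrNull -Path $winStation -Name 'SecurityLayer'

    # What the Remote Desktop stack currently enforces, as exposed by WMI.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        NlaLocalValue          = $local      # 1 = NLA required, 0 = not required
        NlaPolicyValue         = $policy     # $null = no GPO is setting it
        NlaEffective           = [bool]$ts.UserAuthenticationRequired
        SecurityLayer          = $layer      # 0 = RDP, 1 = Negotiate, 2 = TLS
        SecurityLayerEffective = $ts.SecurityLayer
    }
}

Get-NlaStatus | Format-List
```

If NlaPolicyValue is not null, a GPO is controlling the setting and editing the WinStations key directly (as in the reg add lines above) will be reverted at the next policy refresh; change the GPO instead. To run this audit against a VM without logging in, wrap it with the Run command feature the answer links to, e.g. Invoke-AzVMRunCommand -ResourceGroupName <rg> -VMName <vm> -CommandId 'RunPowerShellScript' -ScriptPath .\Get-NlaStatus.ps1; the portal's DisableNLA script corresponds to -CommandId 'DisableNLA' in the same cmdlet.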

Hello @Sumarigo-MSFT

Thank you so much for this prompt answer.

I've already seen this workaround and the process is quite clear for me. The main question here is, if the Azure VMs, by design, require the NLA to be enabled, for example: to connect with the portal, to collect some data, allow monitoring or any other reason, or can we proceed with disabling it on all servers (via GPOs)?

Appreciate your help!

0 Votes
0 Votes
WtorkiewiczPawel-1530 answered ·

Hello,

Still following up. Can you confirm whether the above settings can be disabled and should not have any impact on Azure VMs?


0 Votes
Sumarigo-MSFT answered ·

@WtorkiewiczPawel-1530 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.
Technically it would be possible, but I don't think that would be recommended, keeping security aspects in mind.
- Disabling via GPO is possible

Appreciate your time and patience!

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


0 Votes
WtorkiewiczPawel-1530 answered ·

Hello @Sumarigo-MSFT thanks for the answer.

Can you explain it a bit more, as it's not clear enough for me yet. I know it's technically possible, but we wonder whether this will break the Azure VMs. I'm talking about core VM requirements, not some specific application which might be running on it.

So we just need to know whether the settings below are not some kind of prerequisite to allow Azure VMs to run/report/etc.

We plan to disable the NLA and NCSI active/passive probes as described in the reference article:
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network


Hello @Sumarigo-MSFT, can you kindly advise on the above queries?

0 Votes
0 Votes
WtorkiewiczPawel-1530 answered ·

@Sumarigo-MSFT may I ask for confirmation whether the above assumption is correct and we can safely disable the settings described in the reference article?
