WtorkiewiczPawel-1530 asked BillWang-6629 edited

Azure VMs and disabling NLA on domain level.

Hello Team,

I'd like to ask if NLA is required for VMs in Azure? We want to disable it by using Group Policy Objects (GPOs).

Thanks!


Our environment is using CIS images (https://www.cisecurity.org/insights/blog/cis-hardened-images-now-in-microsoft-azure-marketplace).

When running these commands, the last one caused trouble:

REM Both commands are the same.

REM Command from @Sumarigo-MSFT
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 0 /f

# Command from Run Command "DisableNLA" (PowerShell; the two statements were pasted on one line above)
# $path is the same RDP-Tcp listener key as in the reg add command, in PowerShell drive notation
$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $path -Name fAllowSecProtocolNegotiation -Type DWord -Value 0
Write-Output 'Restart the VM for the change to take effect.'

So if you "Run Command" with "DisableNLA", you will be locked out of this VM, whether with a local account, an Azure AD account or a domain account. You can't log in via RDP any more.

Please be aware of this issue.

SumanthMarigowda-MSFT answered WtorkiewiczPawel-1530 commented

@WtorkiewiczPawel-1530 Welcome to Microsoft Q&A, Thank you for posting your query!

The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.

There is an easy method to disable NLA via the Azure portal. You can navigate the Operation---Run command---select the DisableNLA script, then click Run button after finishing the run command script, restart your Azure VM for the change to take effect. See here

Alternatively, you also could invoke run command with PowerShell or Azure CLI.

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command

  • You can use Serial Console Feature. Open an administrative CMD instance and regain access to the VM by disabling NLA:

REM Disable the Network Level Authentication
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 0 /f

Adding more information: Network Level Authentication (NLA) was conceived to improve the security in Remote Desktop Protocol by requiring that users be authenticated to another party (a host server or Domain Controller) before a RDP session is created, helping to reduce the risk of denial-of-service attacks and enhancing the OS security.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


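A read-only audit script, added here and not part of the thread or of Microsoft's DisableNLA Run Command, that reports the three RDP listener values from the serial-console commands above and flags the fAllowSecProtocolNegotiation=0 state that BillWang-6629 reports as locking out every RDP logon. The Policies key path used for the GPO-managed NLA setting is an assumption; run it elevated on a VM before rolling a GPO out fleet-wide.

```powershell
# Added audit script (not from the thread or from the DisableNLA Run Command).
# Reads the RDP-Tcp listener values discussed above and reports the effective
# posture. Read-only: it changes nothing.

$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Assumption: the GPO "Require user authentication ... NLA" setting is written here.
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the OS default applies
}

$userAuth = Get-RegDword $listener 'UserAuthentication'           # 1 = NLA required
$secLayer = Get-RegDword $listener 'SecurityLayer'                # 0 RDP, 1 Negotiate, 2 TLS
$negot    = Get-RegDword $listener 'fAllowSecProtocolNegotiation' # OS default is 1
$polAuth  = Get-RegDword $policy   'UserAuthentication'           # GPO value, if any

$layerName = switch ($secLayer) {
    0       { 'RDP Security Layer' }
    1       { 'Negotiate' }
    2       { 'TLS (SSL)' }
    default { 'not set (OS default)' }
}

[pscustomobject]@{
    ComputerName                 = $env:COMPUTERNAME
    NLA_Required_Listener        = $userAuth
    NLA_Required_Policy          = $polAuth
    SecurityLayer                = $layerName
    fAllowSecProtocolNegotiation = $negot
} | Format-List

if ($negot -eq 0) {
    Write-Warning ('fAllowSecProtocolNegotiation is 0 on the listener: this is the state ' +
                   'reported in the thread as locking out RDP logons for every account type. ' +
                   'Disable NLA via UserAuthentication=0 instead and restore this value to 1.')
}
if ($null -ne $polAuth -and $polAuth -ne $userAuth) {
    Write-Warning "Policy value ($polAuth) differs from listener value ($userAuth); the GPO wins after the next policy refresh."
}
```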

Hello @Sumarigo-MSFT

Thank you so much for this prompt answer.

I've already seen this workaround and the process is quite clear for me. The main question here is, if the Azure VMs, by design, require the NLA to be enabled, for example: to connect with the portal, to collect some data, allow monitoring or any other reason, or can we proceed with disabling it on all servers (via GPOs)?

Appreciate your help!

WtorkiewiczPawel-1530 answered

Hello,

Still following up. Can you confirm if above settings can be disabled and should not have any impact for Azure VMs?

SumanthMarigowda-MSFT answered SumanthMarigowda-MSFT edited

@WtorkiewiczPawel-1530 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.
Technically it would be possible, but I don't think that would be recommended, keeping security aspects in mind.
- Disabling via GPO is possible

Appreciate your time and patience!

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

WtorkiewiczPawel-1530 answered WtorkiewiczPawel-1530 commented

Hello @Sumarigo-MSFT thanks for the answer.

Can you explain it a bit more, as it's not clear enough for me yet. I know it's technically possible, but we wonder whether this will break the Azure VMs - I'm talking about core VM requirements, not some specific application which might be running on them.

So we just need to know if below settings are not some kind of prerequisites to allow Azure VMs running/reporting/etc.

We plan to disable the NLA and NCSI active/passive probes as described in the reference article:
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network


Hello @Sumarigo-MSFT, can you kindly advise on the above queries?

WtorkiewiczPawel-1530 answered

@Sumarigo-MSFT may I ask for confirmation that the above assumption is correct and we can safely disable the settings described in the reference article?

NelsonGiovanniOrellanaCortez-5961 answered

Good afternoon. I have some client machines that I joined to the domain controller server; there are three of them, but when generating the first policy, the three were disconnected from RDP and do not let me enter, only with the administrator user that existed before joining AD. It tells me that NLA does not let me in, and I did everything you explain, and it does not let me enter with the domain administrator user or password, only with the original one, although they are still in the domain.
