Configure Network Level Authentication for Terminal Services Connections
Applies To: Windows Server 2008
You can enhance terminal server security by providing user authentication earlier in the connection process when a client connects to a terminal server. This early user authentication method is referred to as Network Level Authentication.
Network Level Authentication is a new authentication method that completes user authentication before you establish a Remote Desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software. The advantages of Network Level Authentication are:
It requires fewer remote computer resources initially. The remote computer uses a limited number of resources before authenticating the user, rather than starting a full Remote Desktop connection as in previous versions.
It can help provide better security by reducing the risk of denial-of-service attacks.
To use Network Level Authentication, you need to meet all of the following requirements:
On the client computer, be using at least Remote Desktop Connection 6.0.
On the client computer, be using an operating system, such as Windows Vista, that supports the Credential Security Support Provider (CredSSP) protocol.
On the terminal server, be using Windows Server 2008.
Use the following procedure to configure Network Level Authentication for a connection.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To configure Network Level Authentication for a connection
Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
Under Connections, right-click the name of the connection, and then click Properties.
In the Properties dialog box for the connection, click the General tab.
Select the Allow connections only from computers running Remote Desktop with Network Level Authentication check box.
If the Allow connections only from computers running Remote Desktop with Network Level Authentication check box is selected and is dimmed, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and has been applied to the terminal server.
The Network Level Authentication setting for a terminal server can also be set in the following ways:
During the installation of the Terminal Server role service in Server Manager, on the Specify Authentication Method for Terminal Server page in the Add Roles Wizard.
On the Remote tab in the System Properties dialog box on a terminal server.
If the Allow connections from computers running any version of Remote Desktop (less secure) is not selected and is dimmed, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and has been applied to the terminal server.
To configure the Network Level Authentication setting by using the Remote tab in the System Properties dialog box on a terminal server, see Change Remote Connection Settings.
By applying the Require user authentication for remote connections by using Network Level Authentication Group Policy setting.
This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that the Group Policy setting will take precedence over the setting configured in Terminal Services Configuration or on the Remote tab.
To determine whether a computer is running a version of Remote Desktop Connection that supports Network Level Authentication, start Remote Desktop Connection, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. Look for the phrase "Network Level Authentication supported" in the About Remote Desktop Connection dialog box.
For more information about security and Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkID=73931).
For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).