Network Level Authentication

NLA — Network Level Authentication.

RDP server without NLA when connected draws this login interface:

Windows login interface

Windows login interface

If on RDP server NLA is turned on, then server won't show any interface before password check. Then client should draw interface. WTware login interface:

WTware login interface

By default since Windows 2012 Server NLA is turned on. Advantages of NLA:

  • + NLA is safer. Without NLA server communicates about graphics compression, allows to open COM-ports, connect smartcards to any connected by TCP/IP client. The more communication between client and server, the higher hacking probability. With NLA server doesn't communicate with client before password check.

Disadvantages of NLA:

  • - There's no way to change expired password. You are to change password in some other interface, not by RDP connection.
  • - There's no on-screen keyboard in login interface.
  • - No error diagnostics. Without NLA Windows will explain what is the problem with login or password. With NLA server just disconnects without explanations.

To turn off NLA run on server Local Group Policy Editor (for domain server you may use domain policies):

turn off NLA

Change only one setting:

turn off NLA