Network Level Authentication (NLA) is a feature of Remote Desktop Services. When enabled, NLA requires users to authenticate themselves before they can establish a connection to a remote computer. Allowing connections only from computers running Remote Desktop with NLA is a more secure authentication method that helps protect computers from malicious users and software. Enabling NLA remediates Nessus Plugin 58453.
USGS Policy and Best Practices
The DI – USGS Windows Remote Desktop NLA Enabled GPO is linked to regional organizational units in Active Directory and enables NLA on all Windows client and server systems joined to AD. COUAs should enable NLA on systems that are not AD-joined or are otherwise unable to receive policy settings from regionally-linked GPOs.
Manually Enabling NLA
In cases where NLA must be manually enabled, navigate to Settings > System > Remote Desktop > Advanced Settings, and check the box next to Require computers to use Network Level Authentication (recommended).
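For the non-AD-joined or policy-unreachable systems described above, the same setting can be audited and enabled from an elevated PowerShell prompt instead of the Settings UI. The script below is an added example, not part of the USGS page or its GPOs; it assumes the standard registry location of the RDP-Tcp listener's NLA flag and the Terminal Services WMI class, both of which the Settings checkbox and the GPO ultimately drive.

```powershell
# Added example (not USGS-provided): audit and, if needed, enable NLA on a system
# that cannot receive the regionally linked "Remote Desktop NLA Enabled" GPO.
# Run elevated. Assumption: NLA for the default RDP-Tcp listener is stored as the
# UserAuthentication DWORD under the WinStations key shown here.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-NlaState {
    # Returns $true when NLA is required (UserAuthentication = 1), $false otherwise
    # (0 or missing value both mean "not required", which is what Nessus 58453 flags).
    $prop = Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.UserAuthentication -eq 1)
}

function Enable-Nla {
    # Equivalent to checking "Require computers to use Network Level Authentication".
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
}

if (Get-NlaState) {
    Write-Output 'NLA already required; nothing to change.'
} else {
    Enable-Nla
    Write-Output 'NLA enabled for RDP-Tcp.'
}

# Cross-check through the Terminal Services WMI class so the audit does not rely
# on the registry read alone; UserAuthenticationRequired should now report 1.
Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                -ClassName Win32_TSGeneralSetting `
                -Filter "TerminalName='RDP-Tcp'" |
    Select-Object TerminalName, UserAuthenticationRequired
```

Two caveats a practitioner will want: the change applies to new connections only, so an already-established session is unaffected, and if a policy value exists under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services it takes precedence over the listener key written here, which is why AD-joined systems should be left to the GPO. NLA also depends on CredSSP on the connecting client, so very old Remote Desktop clients that lack it will be refused once the setting is on; that refusal is the intended effect of the control, not a fault to work around.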
Deviation Requests
The DI – USGS Windows Approval Needed Deviation – Remote Desktop NLA Disabled GPO is filtered to the IGSGBWTST Deviation Computers – Disable Remote Desktop NLA security group and linked to regional OUs. COUAs may request a deviation by submitting a ticket to the Service Desk and having them route the request to BWTST. A valid business case will be required and COUAs will need to submit the name of the system(s) or AD security group that should be added to the security group. All approved deviations are subject to annual review.