Key Points
- Network level authentication (NLA) requires users to authenticate before a Remote Desktop Protocol (RDP) session is established, not after.
- NLA uses the CredSSP protocol to encrypt and forward credentials to the server for verification.
- Modern Windows versions enable NLA by default and it can also be enforced via Group Policy.
- NLA reduces attack surface and server resource exposure, but it cannot assess device health or user behavior.
- Certificate-based authentication and 802.1X extend beyond NLA to enforce identity and device trust continuously.
Remote and hybrid work are now common, with one-third of U.S. employees working remotely and 52% working in hybrid roles in 2026.
As a result, managing network security has become increasingly challenging for organizations.
While many rely on Remote Desktop Protocol (RDP) with network-level authentication to enable secure remote access, it is important to understand what protections they have in place and where those protections end.
In this blog, we explain what Network Level Authentication (NLA) is, how it works, its key benefits, and how to enable it.
We also explore how SecureW2 certificate-based authentication solutions can further strengthen remote access security.
What Is Network-Level Authentication?
Network level authentication (NLA) is a security feature of Remote Desktop Services, the server side of the Remote Desktop Protocol (RDP). With NLA enabled, the server requires the user to authenticate before it creates a remote session.
Under the hood the exchange is Kerberos or NTLM, negotiated through SPNEGO inside CredSSP, so the user proves identity with a password or a smart card; a biometric unlock on the client (Windows Hello) stands in for typing the password or smart-card PIN locally rather than being a separate NLA method.
Prior to NLA, users would open a remote desktop session and gain immediate access to the RDP server login screen.
That meant the server had already allocated resources and exposed the session layer before any identity check occurred.
Attackers could use that window to trigger vulnerabilities in the unauthenticated RDP code path, guess passwords against the logon screen, or exhaust the server with connection requests.
NLA closes that window by requiring authentication first.
How Does Network Level Authentication Work?
The following is the process of establishing an RDP connection with NLA enabled:
1. Initiation
The client device initiates an RDP connection to the remote server, typically through TCP port 3389, and requests access to a remote session.
2. Negotiation
The client's X.224 Connection Request advertises the security protocols it supports: standard RDP security, TLS, or CredSSP (called PROTOCOL_HYBRID in MS-RDPBCGR). The server selects one and answers with its choice, or refuses the connection. A server configured to require NLA refuses a client that does not offer CredSSP.
3. User credential transmission
NLA relies on the Credential Security Support Provider (CredSSP) protocol. CredSSP first establishes a TLS channel, authenticates the user inside it with Kerberos or NTLM (negotiated via SPNEGO), binds the TLS server certificate's public key to that authentication, and only then sends the user's credentials to the server, encrypted under both the TLS session and the SPNEGO session key. The server needs those delegated credentials to perform the Windows logon, which is also the caveat: a server you authenticate to receives reusable credentials, so only present domain credentials to hosts you trust. The public-key binding detects an interposed server when Kerberos is used; NTLM cannot authenticate the server, so an unexpected certificate warning on a workgroup host should not be waved through. For administrative sessions, Restricted Admin mode (mstsc /restrictedAdmin) or Remote Credential Guard keeps the credentials off the remote host.
4. Verification
Before establishing a remote desktop session, the server validates the authentication against Active Directory (Kerberos) or the local account database (NTLM). If it succeeds, the server allows the connection to proceed. If it fails, the server rejects the request without creating a session or displaying the logon screen.
5. Session establishment
After successful authentication, the server establishes the remote desktop session and grants the user access to the remote system.
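The negotiation in step 2 can be observed directly. The following PowerShell probe is an added example, not code from the SecureW2 post or from Microsoft: it sends an X.224 Connection Request that offers only PROTOCOL_SSL (TLS without NLA) and decodes the server's answer according to MS-RDPBCGR. A listener that enforces NLA refuses with RDP_NEG_FAILURE and failureCode 5 (HYBRID_REQUIRED_BY_SERVER); a listener that accepts plain TLS answers RDP_NEG_RSP with selectedProtocol 1. The hostname in the usage line is a placeholder, and the sample response bytes are constructed for the offline demonstration.

```powershell
# Added example (not from the SecureW2 post or Microsoft): probe whether an RDP
# listener requires NLA. Structures follow MS-RDPBCGR 2.2.1.1 (X.224 Connection
# Request + RDP_NEG_REQ) and 2.2.1.2 (Connection Confirm + RDP_NEG_RSP/FAILURE).

$script:RdpFailureCodes = @{
    1 = 'SSL_REQUIRED_BY_SERVER'; 2 = 'SSL_NOT_ALLOWED_BY_SERVER'; 3 = 'SSL_CERT_NOT_ON_SERVER'
    4 = 'INCONSISTENT_FLAGS';     5 = 'HYBRID_REQUIRED_BY_SERVER'; 6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER'
}

function ConvertFrom-RdpNegotiation {
    param([Parameter(Mandatory)][byte[]]$Response)
    # Layout: TPKT (4 bytes) + X.224 Connection Confirm (7 bytes) + optional
    # RDP_NEG_RSP / RDP_NEG_FAILURE (8 bytes: type, flags, length, UINT32 value).
    if ($Response.Length -lt 4 -or $Response[0] -ne 0x03) {
        return [pscustomobject]@{ Result = 'NotRdp'; Detail = $null; NlaRequired = $null }
    }
    if ($Response.Length -lt 19) {
        # Connection Confirm without a negotiation response: the server only speaks
        # standard RDP security, so neither TLS nor NLA is in use.
        return [pscustomobject]@{ Result = 'StandardRdpSecurityOnly'; Detail = $null; NlaRequired = $false }
    }
    $type  = $Response[11]
    $value = [BitConverter]::ToUInt32($Response, 15)   # little-endian UINT32 (selectedProtocol or failureCode)
    switch ($type) {
        0x02 { [pscustomobject]@{ Result = 'Accepted'; Detail = "selectedProtocol=$value"; NlaRequired = $false } }
        0x03 { [pscustomobject]@{ Result = 'Refused';  Detail = $script:RdpFailureCodes[[int]$value]; NlaRequired = ($value -eq 5) } }
        default { [pscustomobject]@{ Result = 'Unknown'; Detail = "type=$([int]$type)"; NlaRequired = $null } }
    }
}

function Read-Exact([System.IO.Stream]$Stream, [int]$Count) {
    # Read exactly $Count bytes or fail; TCP may deliver the reply in fragments.
    $buf = New-Object byte[] $Count
    $got = 0
    while ($got -lt $Count) {
        $n = $Stream.Read($buf, $got, $Count - $got)
        if ($n -le 0) { throw "Peer closed the connection after $got of $Count bytes" }
        $got += $n
    }
    Write-Output -NoEnumerate $buf
}

function Test-RdpNlaRequired {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 5000)
    [byte[]]$request = @(
        0x03,0x00,0x00,0x13                       # TPKT: version 3, reserved, length 19 (big-endian)
        0x0E,0xE0,0x00,0x00,0x00,0x00,0x00        # X.224 CR: LI=14, CR code 0xE0, dst-ref, src-ref, class 0
        0x01,0x00,0x08,0x00                       # RDP_NEG_REQ: type 1, flags 0, length 8
        0x01,0x00,0x00,0x00                       # requestedProtocols = PROTOCOL_SSL only (no CredSSP)
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)) {
            throw "Timed out connecting to ${ComputerName}:$Port"
        }
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($request, 0, $request.Length)
        [byte[]]$tpkt = Read-Exact $stream 4
        $length = ([int]$tpkt[2] -shl 8) -bor [int]$tpkt[3]   # total PDU length from the TPKT header
        [byte[]]$rest = Read-Exact $stream ($length - 4)
        ConvertFrom-RdpNegotiation -Response ([byte[]]($tpkt + $rest))
    } finally {
        $client.Dispose()
    }
}

# Constructed sample: the reply an NLA-enforcing host sends to the probe above.
[byte[]]$sampleRefusal = @(
    0x03,0x00,0x00,0x13                           # TPKT, length 19
    0x0E,0xD0,0x00,0x00,0x12,0x34,0x00            # X.224 Connection Confirm
    0x03,0x00,0x08,0x00                           # RDP_NEG_FAILURE: type 3, flags 0, length 8
    0x05,0x00,0x00,0x00                           # failureCode 5 = HYBRID_REQUIRED_BY_SERVER
)
ConvertFrom-RdpNegotiation -Response $sampleRefusal
# Live check against a host (placeholder name):
# Test-RdpNlaRequired -ComputerName rds01.corp.example
```

The probe only reads the first 19 bytes of the reply and never sends credentials, so it is safe to run across a fleet from a jump host to find listeners that still accept TLS-only or standard RDP security. An `Accepted` result with `selectedProtocol=1` means the host will show its logon screen to anyone who can reach port 3389.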
How to Enable Network Level Authentication
Most modern Windows installations enable NLA by default, but system administrators can verify and enforce it manually.
Enabling NLA via System Properties
- Open System Properties (right-click “This PC” and select “Properties,” then click “Remote settings”).
- Under the Remote tab, select “Allow connections only from computers running Remote Desktop with Network Level Authentication.”
- Click Apply.
Enforcing NLA via Group Policy
Administrators managing a domain environment can enforce NLA organization-wide through Group Policy.
The relevant path is:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
Set “Require user authentication for remote connections by using Network Level Authentication” to Enabled.
NLA has been supported since Windows Vista and Windows Server 2008, and the NLA-only option is selected by default when Remote Desktop is enabled on Windows 8 / Windows Server 2012 and later; on older hosts, check the setting explicitly.
If your environment includes older systems, verify NLA compatibility before enforcing it via policy: legacy clients may not support CredSSP, and because NLA authenticates before the logon screen appears, an account with an expired password or the "user must change password at next logon" flag cannot change it over RDP and is refused until the password is reset by another route.
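The System Properties and Group Policy steps above map to a handful of WMI and registry settings, which is what you want when auditing or enforcing NLA across many hosts. The following is an added example, not code from the SecureW2 post or from Microsoft: it reads the RDP-Tcp listener settings behind the dialog, reads the values the Group Policy setting writes, and enforces NLA plus the TLS security layer. It uses the documented Win32_TSGeneralSetting class and methods and the standard policy registry path; run it in an elevated PowerShell session on the Remote Desktop host.

```powershell
# Added example (not from the SecureW2 post or Microsoft): audit and enforce NLA on
# the local RDP-Tcp listener. Requires an elevated session.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListener {
    # Per-listener settings behind the System Properties "Remote" tab.
    Get-CimInstance -Namespace 'root/CIMV2/TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpNlaState {
    $ts  = Get-RdpListener
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $reg = Get-ItemProperty -Path $ListenerKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 1 = "Allow connections only from computers running Remote Desktop with NLA"
        ListenerRequiresNla   = ($ts.UserAuthenticationRequired -eq 1)
        # 0 = RDP security layer, 1 = negotiate, 2 = TLS required
        ListenerSecurityLayer = $ts.SecurityLayer
        MinEncryptionLevel    = $ts.MinEncryptionLevel
        RegistryUserAuth      = if ($reg) { $reg.UserAuthentication } else { $null }
        # GPO "Require user authentication for remote connections by using NLA" writes
        # UserAuthentication=1 here and overrides the listener; $null = not configured.
        PolicyRequiresNla     = if ($pol -and $null -ne $pol.UserAuthentication) { $pol.UserAuthentication -eq 1 } else { $null }
        PolicySecurityLayer   = if ($pol) { $pol.SecurityLayer } else { $null }
    }
}

function Enable-RdpNla {
    # Same effect as ticking the NLA box in System Properties, plus requiring TLS
    # for the security layer. Applies to new connections only.
    $ts = Get-RdpListener
    $r1 = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = 1 }
    $r2 = Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer `
            -Arguments @{ SecurityLayer = 2 }
    if ($r1.ReturnValue -ne 0 -or $r2.ReturnValue -ne 0) {
        throw "Listener update failed (NLA=$($r1.ReturnValue), SecurityLayer=$($r2.ReturnValue))"
    }
    Get-RdpNlaState
}

function Enable-RdpNlaPolicy {
    # Local equivalent of the two Group Policy settings. In a domain, set them in a
    # GPO instead so they are enforced and reported centrally.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name UserAuthentication -Type DWord -Value 1
    Set-ItemProperty -Path $PolicyKey -Name SecurityLayer      -Type DWord -Value 2
}

Get-RdpNlaState
```

When `PolicyRequiresNla` is `$true`, the listener value is irrelevant because the policy wins, so a host that shows `ListenerRequiresNla = $false` but a configured policy is still protected; the reverse case, a listener setting with no policy, is the one a local administrator can quietly undo, which is why the Group Policy route is preferred in a domain. `Get-RdpNlaState` can be wrapped in `Invoke-Command` to collect the same view from many hosts.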
Benefits of Network Level Authentication
NLA delivers several measurable security and operational advantages over pre-authentication RDP connections.
| Benefit | Description |
|---|---|
| Reduced attack surface before session creation | Because NLA authenticates users before the remote session is established, unauthenticated traffic never reaches the session layer. Attackers cannot interact with the login screen or the underlying OS until they have valid credentials. |
| Brute-force attack mitigation | Failed authentication attempts are rejected before any session or logon screen exists. This does not stop password guessing: tools that speak CredSSP can still test credentials against an NLA-protected host, so account lockout, strong passwords, and an RD Gateway or rate limiting remain necessary. What NLA changes is the cost per attempt: each failure costs the server a short authentication exchange instead of a full session with a GUI logon process. |
| Server resource savings | Without NLA, the server allocates memory and processing overhead for every inbound connection, regardless of whether the user authenticates successfully. With NLA, resources are only allocated after the authentication exchange completes, reducing load from opportunistic scanning and failed connections. |
| CredSSP encryption of credentials in transit | CredSSP wraps the authentication in TLS and encrypts the delegated credentials again under the Kerberos or NTLM session key, so they are not readable on the wire. The trust boundary is the server: it receives usable credentials, so present domain credentials only to hosts you trust, and do not accept unexpected certificate warnings, especially when authentication falls back to NTLM, which cannot verify the server's identity. |
| Compliance alignment | Many regulatory frameworks, including those referencing NIST and CIS Controls, recommend or require pre-authentication controls for remote access. Enabling NLA is a low-friction step toward meeting those requirements. |
Limitations of Network Level Authentication in Modern Infrastructure
NLA has several limitations that are listed in the table below:
| Limitation | Description |
|---|---|
| Validates credentials only | NLA validates credentials only and cannot assess device security posture, certificate validity, user behavior after login, or ongoing trust during an active session. Once a user authenticates successfully, NLA’s role ends. A compromised device with valid credentials will pass NLA without issue. |
| Single protocol security | NLA only protects RDP sessions. Other protocols, such as SSH, are outside its protection scope. |
| Administrative overhead | NLA itself is a single setting, but the accounts behind it still need password, lockout, and expiry management, and exceptions for legacy clients that cannot speak CredSSP have to be tracked and eventually retired. |
| Compatibility constraints | NLA is a feature of the Windows RDP server and authenticates only against Active Directory or local accounts. Third-party clients such as FreeRDP implement CredSSP, but non-Windows RDP servers generally do not offer NLA, so it does not provide a uniform control across hybrid, multi-cloud, or non-Windows environments. |
Strengthen Remote Access With the SecureW2 JoinNow Platform
NLA is a valuable first layer, but organizations facing modern threats need authentication that goes further.
The SecureW2 JoinNow platform combines identity-based access models with 802.1X authentication and certificate-based methods to optimize network security.
This layered approach enforces least-privilege access, enables ongoing verification, and aligns with continuous trust principles for comprehensive remote access protection.
By replacing passwords with device-bound certificates, SecureW2 certificate-based authentication removes the password as a phishable, reusable secret.
Certificates are issued to specific devices, tied to verified identities, and can be revoked automatically when a device falls out of compliance.
Dynamic PKI automates certificate issuance and lifecycle management across an organization, so each device carries a valid, uniquely-issued certificate without manual provisioning.
Paired with a cloud RADIUS server that evaluates certificate attributes at the moment of access, organizations can enforce granular policies that NLA alone cannot support.
If your team is evaluating how to move beyond NLA toward a continuous-trust remote access model, schedule a demo to see how we can help.
Frequently Asked Questions
What is network level authentication?
Network level authentication is a Remote Desktop Services feature that requires a user to authenticate before a remote desktop session is created.
It uses the CredSSP protocol to validate the user’s credentials against Active Directory or local accounts before the server allocates session resources.
What does CredSSP do in NLA?
The Credential Security Support Provider (CredSSP) protocol handles the authentication exchange in NLA. It encrypts the user’s credentials on the client side and transmits them securely to the remote server for verification.
This prevents credentials from being sent in plaintext during the connection process.
Should I disable network level authentication?
No. Disabling NLA removes a meaningful layer of protection from Remote Desktop connections. Without NLA, unauthenticated users can reach the server’s login screen, which increases exposure to brute-force attacks, code execution vulnerabilities, and denial-of-service attempts.
NLA should remain enabled unless there is a specific compatibility requirement that forces it off, and even then, compensating controls should be in place.
How does NLA compare to certificate-based authentication?
NLA and certificate-based authentication operate at different layers and serve different purposes. NLA authenticates a user before an RDP session opens, using a password or smart card carried through CredSSP as a Kerberos or NTLM exchange.
Certificate-based authentication verifies both the user’s identity and the device’s identity using cryptographic certificates, and it can be continuously evaluated throughout a session.
Certificate-based methods eliminate the password entirely, removing the main credential theft vector that NLA is designed to contain.