Enforce NLA on RDP to Require Credentials Before the Remote Desktop Session Loads
Without NLA, anyone can reach the Windows login screen over RDP and attempt brute force — NLA forces authentication before the session is established, blocking pre-auth exploits and reducing the attack surface.
Tested on WS2022. Rollback included.
Without NLA, an attacker can connect to RDP and attempt unlimited password guessing against the login screen without any pre-authentication. Internet-facing RDP servers without NLA are continuously scanned and attacked by automated tools. Additionally, pre-auth vulnerabilities like BlueKeep only affect servers without NLA.
Remote Desktop Protocol (RDP) without Network Level Authentication allows any network-accessible client to initiate a full RDP session and reach the Windows login screen. This exposes the login interface to brute-force attacks, credential stuffing, and pre-authentication RDP vulnerabilities such as BlueKeep (CVE-2019-0708). NLA requires the connecting client to authenticate at the network layer before any desktop session is created, significantly reducing the attack surface.
Probably yes if any of these apply:
Affected OS versions
RDP brute force is one of the most common initial access vectors for ransomware. Automated scanners continuously probe the internet for port 3389, and servers without NLA that use weak passwords are compromised within hours. Enabling NLA ensures that only already-authenticated users can reach the login interface.
Fix-Windows-Server-Rdp-Nla-Enforced-Hardening.ps1 (4.0 KB)
Rollback-Windows-Server-Rdp-Nla-Enforced-Hardening.ps1 (1.7 KB)
SHA-256: d4b07636d870e3b139d95af6ee7dd7e3aa7a97801eeef75c25ea48ed0ffc8a55
Run interactively

```powershell
.\Fix-Windows-Server-Rdp-Nla-Enforced-Hardening.ps1
```

Run silently (SCCM / Intune)

```powershell
.\Fix-Windows-Server-Rdp-Nla-Enforced-Hardening.ps1 -Silent -OutputPath C:\Logs
```

Manual fallback (no script)
Estimated time: 10 minutes

Check Current NLA Status

```powershell
# Query the RDP-Tcp listener settings through the Terminal Services WMI provider.
# UserAuthentication = 1 means NLA is required; 0 means any client reaches the login screen.
$ts = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CimV2\TerminalServices
Write-Host "UserAuthentication: $($ts.UserAuthentication)"
if ($ts.UserAuthentication -eq 1) {
    Write-Host "SECURE: NLA is required" -ForegroundColor Green
} else {
    Write-Host "VULNERABLE: NLA is not required" -ForegroundColor Red
}
```

Enable NLA Requirement

```powershell
# Method 1: WMI (supported API; run from an elevated prompt)
$ts = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CimV2\TerminalServices
$ts.SetUserAuthenticationRequired(1)

# Method 2: Registry (same value the WMI method writes; existing sessions are not affected)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1 -Type DWord
```

Verification

```powershell
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
# Must return 1
```
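The manual steps above combined into one idempotent audit-then-enforce routine, added here as an example rather than the page's own Fix script: it reads the setting from both WMI and the registry, saves the prior state to a JSON file so it can be restored later, applies the change through the supported WMI method, and re-checks both sources. The function names and the backup path are assumptions.

```powershell
# Added example (not the page's Fix script). Run from an elevated prompt on the RDP host.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$WmiNs     = 'root\CimV2\TerminalServices'

function Get-NlaState {
    # Read both sources the manual procedure uses; a mismatch is worth flagging.
    $ts  = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace $WmiNs
    $reg = (Get-ItemProperty -Path $RdpTcpKey -ErrorAction Stop).UserAuthentication
    [pscustomobject]@{
        Wmi        = [int]$ts.UserAuthentication
        Registry   = [int]$reg
        Consistent = ([int]$ts.UserAuthentication -eq [int]$reg)
        Enforced   = ([int]$ts.UserAuthentication -eq 1 -and [int]$reg -eq 1)
    }
}

function Set-NlaEnforced {
    param(
        # Assumed location for the saved prior state used by a later rollback.
        [string]$BackupPath = "$env:ProgramData\NlaHardening\previous-state.json"
    )
    $before = Get-NlaState
    if ($before.Enforced) {
        Write-Host "Already enforced (UserAuthentication = 1), nothing to do." -ForegroundColor Green
        return 0
    }
    # Record the pre-change state once so a rollback can restore it.
    New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
    if (-not (Test-Path $BackupPath)) {
        $before | ConvertTo-Json | Set-Content -Path $BackupPath
    }
    # Supported path: the WMI method updates the live listener and the registry value.
    $ts = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace $WmiNs
    $result = $ts.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -ne 0) {
        Write-Host "SetUserAuthenticationRequired failed: $($result.ReturnValue)" -ForegroundColor Red
        return 1
    }
    # Post-check: both WMI and registry must now report 1.
    $after = Get-NlaState
    if (-not $after.Enforced) {
        Write-Host "Post-check failed: WMI=$($after.Wmi) Registry=$($after.Registry)" -ForegroundColor Red
        return 1
    }
    Write-Host "NLA now required (UserAuthentication = 1)." -ForegroundColor Green
    return 0
}

exit (Set-NlaEnforced)   # 0 = success or already enforced, 1 = failure, matching the page's exit codes
```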
Notes
Verify after patching
Confirm the setting is in place by re-running the verification query above:
# Expect: NLA required (UserAuthentication = 1)
| Property | Value |
|---|---|
| Tested On | WS2022 |
| Reboot | No Reboot |
| SCCM | ✓ Compatible |
| Est. Time | 10 minutes |
Parameters: -Silent (suppress console output; for SCCM / automation), -OutputPath <directory> (custom log path)
How to Run
Interactive — see output in console

```powershell
.\Fix-Windows-Server-Rdp-Nla-Enforced-Hardening.ps1
```

Silent mode — for SCCM / automation

```powershell
.\Fix-Windows-Server-Rdp-Nla-Enforced-Hardening.ps1 -Silent
```

With custom log path

```powershell
.\Fix-Windows-Server-Rdp-Nla-Enforced-Hardening.ps1 -OutputPath "C:\Logs"
```
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success — fix applied or already patched |
| 1 | Failure — check log file |
| 3010 | Success — reboot required to complete |
Fix, idempotency, and rollback verified on
⚠ Rollback available. If this fix causes issues, run Rollback-Windows-Server-Rdp-Nla-Enforced-Hardening.ps1 to restore the previous state.