Quick Summary
RDP Without Network Level Authentication (NLA) is a security misconfiguration where the Remote Desktop Protocol (RDP) service allows connection attempts without requiring pre-authentication at the transport layer. When NLA is disabled, the server allocates system resources before user authentication, increasing exposure to brute-force attacks, credential harvesting, and denial-of-service conditions.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | RDP Security Misconfiguration |
| CWE ID | CWE-287 – Improper Authentication |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 8.1 (High) |
| CVSS Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | Internal / External Network |
Affected Asset / Environment
- Service: Remote Desktop Protocol (RDP)
- Default Port: 3389
- Platforms: Windows Server, Windows Workstations
- Testing Method: Black-box Network Assessment
- Tools Used: Nmap, xfreerdp, Hydra
Description
The assessor observed that the RDP service running on the target system does not enforce Network Level Authentication (NLA). When NLA is disabled, the RDP service allows a full RDP session negotiation before validating user credentials.
Network Level Authentication requires users to authenticate before a remote desktop session is created. Without NLA, attackers can attempt credential-based attacks and consume system resources during repeated login attempts.
If exposed to the internet or accessible internally without restriction, this configuration significantly increases the attack surface.
Root Cause
The issue arises from an RDP listener configuration in which NLA is not enabled, either locally or through policy.
Common root causes include:
- NLA disabled in Remote Desktop settings
- Legacy compatibility requirements
- Misconfigured Group Policy settings
- Failure to apply secure baseline configuration
Business Impact
Exploitation of this vulnerability may allow attackers to conduct brute-force or password spraying attacks against RDP. Successful credential compromise may result in unauthorized remote access to production systems.
In enterprise environments, compromised RDP access may lead to data exfiltration, ransomware deployment, lateral movement, and service disruption. Publicly exposed RDP services without NLA are frequently targeted by automated attack tools.
Technical Impact
An attacker can:
- Perform brute-force authentication attempts
- Conduct password spraying attacks
- Consume system resources through repeated connections
- Attempt exploitation of RDP-related vulnerabilities
- Gain remote desktop access if credentials are compromised
Disabling NLA weakens the security posture of remote administration services, because every unauthenticated client is granted a full session negotiation before any credential is checked.
Proof of Concept (PoC)
Step 1: Identify RDP Service

```
nmap -sV -p 3389 <target-ip>
```

If port 3389 is open and the service is identified as ms-wbt-server, proceed with NLA detection.

Step 2: Detect NLA Status Using Nmap

```
nmap -p 3389 --script rdp-enum-encryption <target-ip>
```

If the output indicates that NLA is not required or CredSSP is not enforced, the system may be vulnerable.

Step 3: Attempt RDP Connection Without NLA

```
xfreerdp /v:<target-ip>
```

If the connection proceeds directly to a login prompt without a CredSSP negotiation requirement, NLA may be disabled.

Step 4: Test for Brute-force Exposure (Authorized Testing Only)

```
hydra -L users.txt -P passwords.txt rdp://<target-ip>
```

If login attempts are processed without transport-level authentication enforcement, exposure is confirmed.
Exploitation Prerequisites
- Network access to port 3389
- RDP service enabled
- NLA disabled
- Weak or exposed credentials
Remediation
It is recommended that Network Level Authentication be enabled immediately on all RDP-enabled systems.
Recommended actions:
- Enable “Allow connections only from computers running Remote Desktop with Network Level Authentication”
- Enforce NLA via Group Policy
- Restrict RDP access to trusted IP addresses
- Implement strong password policies
- Enable multi-factor authentication for remote access
- Monitor and limit failed login attempts
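The following PowerShell helper is an added example for the first two recommended actions, not part of the original finding: it reads the RDP-Tcp listener settings that back the "Allow connections only from computers running Remote Desktop with Network Level Authentication" checkbox, reports whether NLA is required and whether Group Policy enforces it, and enables NLA on the listener if it is off. It assumes an elevated PowerShell session on the host being remediated; the registry paths and value names are the standard RDP-Tcp listener and Terminal Services policy locations.

```powershell
# Added audit/remediation helper; not part of the original finding.
# Assumes an elevated PowerShell session on the Windows host being assessed.
# Listener settings live under the RDP-Tcp WinStation key; when a Group Policy
# value exists under the Policies hive it wins over the listener value.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpNlaStatus {
    $listener = Get-ItemProperty -Path $ListenerKey -ErrorAction Stop
    $policy   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    # UserAuthentication: 1 = NLA required, 0 = NLA disabled.
    # SecurityLayer:      0 = RDP security layer, 1 = negotiate, 2 = TLS only.
    # MinEncryptionLevel: 1 = Low, 2 = Client compatible, 3 = High, 4 = FIPS.
    [pscustomobject]@{
        NlaRequired         = ($listener.UserAuthentication -eq 1)
        NlaEnforcedByPolicy = ($null -ne $policy -and $policy.UserAuthentication -eq 1)
        NlaDisabledByPolicy = ($null -ne $policy -and $policy.UserAuthentication -eq 0)
        SecurityLayer       = $listener.SecurityLayer
        MinEncryptionLevel  = $listener.MinEncryptionLevel
    }
}

function Enable-RdpNla {
    # Same effect as ticking the "Allow connections only from computers running
    # Remote Desktop with Network Level Authentication" option, plus TLS only.
    Set-ItemProperty -Path $ListenerKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $ListenerKey -Name SecurityLayer      -Value 2 -Type DWord
}

$before = Get-RdpNlaStatus
$before | Format-List

if ($before.NlaDisabledByPolicy) {
    # A policy value of 0 would re-disable NLA on the next policy refresh,
    # so the fix has to be made in the GPO, not on the host.
    throw 'Group Policy explicitly disables NLA; correct the policy before remediating the host.'
}

if (-not $before.NlaRequired) {
    Write-Warning 'NLA is not required on RDP-Tcp; enabling it now.'
    Enable-RdpNla
    $after = Get-RdpNlaStatus
    if (-not $after.NlaRequired) { throw 'UserAuthentication is still 0 after the write; check the listener key.' }
    Write-Output 'NLA enabled: new connections must complete CredSSP before a session is created.'
}
```

Re-run Step 2 of the PoC from an external host afterwards to confirm the listener now advertises CredSSP as required.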
Detection and Monitoring
- Monitor Windows Event Logs for repeated failed logins
- Alert on unusual RDP connection attempts
- Restrict exposure of port 3389 via firewall
- Conduct regular port scanning and configuration reviews
