How to Disable Network Level Authentication (NLA) on an Azure Virtual Machine Using Azure Run Command

In some situations, administrators may need to disable Network Level Authentication (NLA) on Azure Virtual Machines (VMs), especially when troubleshooting Remote Desktop Protocol (RDP) access issues or enabling compatibility with older systems that do not support NLA. While NLA is a key security feature designed to require users to authenticate before establishing a session with the server, it may occasionally need to be turned off temporarily.

In this blog post, we’ll walk through how to disable NLA on an Azure VM using the Azure Run Command feature, a method that allows you to run scripts directly on your Azure VMs from the Azure portal.

What is Network Level Authentication (NLA)?

Network Level Authentication improves security by requiring users to authenticate with the RDP server before a full connection session is established. This helps prevent unauthorized access and lowers the risk of denial-of-service attacks. However, in some cases, you may need to disable NLA, for example, to support older clients or during certain types of troubleshooting.

Disabling NLA using Azure Run Command

Azure’s Run Command feature allows you to run commands on your virtual machine directly from the Azure portal without needing direct RDP access, making it ideal for scenarios where NLA is blocking access to the VM.

Step-by-Step Guide

Open Azure Portal and Access the VM
- First, log in to the Azure Portal.
- Navigate to Virtual Machines and select the VM where you want to disable NLA.
Go to Run Command
- In the left-hand navigation pane, under the Operations section, click on Run Command.

- From the list of available options, select RunPowerShellScript. This will allow us to run a PowerShell script to disable NLA.

Run the PowerShell Script to Disable NLA
- In the PowerShell script text box, paste the following command:

# Disable Network Level Authentication (NLA) on RDP service

$RDPServiceKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

Set-ItemProperty -Path $RDPServiceKey -Name "UserAuthentication" -Value 0

# Restart the RDP service to apply changes

Restart-Service -Name TermService -Force

# Disable Network Level Authentication (NLA) on RDP service

$RDPServiceKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

Set-ItemProperty -Path $RDPServiceKey -Name "UserAuthentication" -Value 0

# Restart the RDP service to apply changes

Restart-Service -Name TermService -Force

This script sets the UserAuthentication registry key to 0, which disables NLA for the Remote Desktop Protocol. The second command restarts the RDP service (TermService) to apply the changes.

Execute the Script
- Once the script is pasted into the Run Command window, click Run. The script will execute within the VM.
Verify the Change
- After the script runs successfully, try connecting to the VM using RDP. The NLA requirement should be disabled, allowing you to establish a connection without needing network-level authentication.

Considerations and Best Practices

While disabling NLA can be helpful in some scenarios, it’s essential to keep the following considerations in mind:

Security Implications: Disabling NLA can expose your VM to security risks, as it allows unauthenticated users to establish RDP sessions. It’s important to secure your VM by limiting RDP access through network security groups (NSGs), IP restrictions, or by using Azure Bastion, which allows secure RDP and SSH connections without exposing public IPs.
Use as a Temporary Measure: Ideally, NLA should only be disabled temporarily, such as during troubleshooting. After resolving the issue, it is recommended to re-enable NLA by reversing the steps and setting the UserAuthentication registry value back to 1.
Alternative Solutions: If you’re disabling NLA to allow access to older clients that don’t support NLA, consider upgrading those clients or exploring alternative access methods like using a Remote Desktop Gateway or Azure Bastion.

Re-Enabling NLA

Once you have completed your work or troubleshooting, you should re-enable NLA by following these steps:

Access Run Command again in the Azure Portal.
Run the following PowerShell script to re-enable NLA:

$RDPServiceKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

Set-ItemProperty -Path $RDPServiceKey -Name "UserAuthentication" -Value 1

Restart-Service -Name TermService -Force

$RDPServiceKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

Set-ItemProperty -Path $RDPServiceKey -Name "UserAuthentication" -Value 1

Restart-Service -Name TermService -Force

Execute the script to re-enable Network Level Authentication.

Final Thoughts

Azure Run Command is a powerful feature for managing your VMs without direct access to the operating system. Disabling NLA using this method can help resolve connectivity issues, but it should be done cautiously with an understanding of the security risks involved. If you need to troubleshoot RDP issues or allow older clients to connect temporarily, this solution can be very useful.

However, remember to keep your environment secure by implementing strong passwords, locking down RDP access using NSGs or Azure Bastion, and re-enabling NLA as soon as possible.

Have you encountered scenarios where you had to disable NLA? Let me know in the comments below or reach out if you have any questions about securing your Azure environment!

Author: Shaun Hardneck
Microsoft Cloud Security Specialist
For more insights and tips, visit my blog at That Lazy Admin

Post Views: 990

How to Disable Network Level Authentication (NLA) on an Azure Virtual Machine Using Azure Run Command