This article describes how to configure RDP Security Mode for a Zero Trust RDP Application to a remote Windows instance, such as Windows Server 2016 / Windows 10.
Make sure you are familiar with the server's authentication methods (username and password or RDP keys) and that you have a tunnel connecting your network and the environment that hosts the Windows instance.
This mode dictates how data is encrypted and what type of authentication, if any, is performed. By default, a security mode is selected through a negotiation process that determines what both the client and the server support.
Possible values are:
- any - Automatically select the security mode based on the security protocols supported by both the client and the server. This is the default.
- nla - Network Level Authentication, sometimes also referred to as "hybrid" or CredSSP (the protocol that drives NLA). This mode uses TLS encryption and requires the username and password to be given in advance. Unlike RDP mode, the authentication step is performed before the remote desktop session actually starts, avoiding the need for the Windows server to allocate significant resources for users that may not be authorized.
- nla-ext - Extended Network Level Authentication. This mode is identical to NLA except that an additional "Early User Authorization Result" is required to be sent from the server to the client immediately after the NLA handshake is completed.
- tls - RDP authentication and encryption implemented via TLS (Transport Layer Security). Also referred to as RDSTLS, the TLS security mode is primarily used in load-balanced configurations where the initial RDP server may redirect the connection to a different RDP server.
- vmconnect - Automatically select the security mode based on the security protocols supported by both the client and the server, limiting that negotiation to only the protocols known to be supported by Hyper-V / VMConnect.
- rdp - Standard RDP encryption. This mode is generally only used for older Windows servers or in cases where a standard Windows login screen is desired. Newer versions of Windows have this mode disabled by default and will only accept NLA unless explicitly configured otherwise.
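As an added example (not part of this article or the product's own code), the Python below shows the negotiation the modes above drive: it builds the X.224 Connection Request that carries the client's requested security protocols for a given mode, parses the server's Connection Confirm to report which mode was selected (or why negotiation failed), and checks the outcome against a minimum policy. The mode-to-flag mapping, the strength ordering and the sample responses are this example's own assumptions; the protocol constants follow MS-RDPBCGR.

```python
import struct

# Protocol flags from MS-RDPBCGR (RDP_NEG_REQ.requestedProtocols / RDP_NEG_RSP.selectedProtocol)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_RDSTLS, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x4, 0x8

# Assumed mapping from the mode names in this article to the flags a client requests.
MODE_TO_PROTOCOLS = {
    "rdp": PROTOCOL_RDP,
    "tls": PROTOCOL_SSL,
    "nla": PROTOCOL_HYBRID,
    "nla-ext": PROTOCOL_HYBRID_EX,
    "any": PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_RDSTLS | PROTOCOL_HYBRID_EX,
}
# The server's selectedProtocol is a single value; map it back to a mode name.
PROTOCOL_TO_MODE = {PROTOCOL_RDP: "rdp", PROTOCOL_SSL: "tls", PROTOCOL_HYBRID: "nla",
                    PROTOCOL_RDSTLS: "tls", PROTOCOL_HYBRID_EX: "nla-ext"}
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
                 4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_connection_request(mode: str) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ for the given mode."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, MODE_TO_PROTOCOLS[mode])  # type, flags, length, protocols
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req  # CR-TPDU, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224               # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, total length

def parse_connection_confirm(data: bytes) -> dict:
    """Parse TPKT + X.224 Connection Confirm; report the selected mode or the failure reason."""
    version, _, tpkt_len = struct.unpack_from(">BBH", data, 0)
    if version != 3 or tpkt_len != len(data):
        raise ValueError("malformed TPKT header")
    li, tpdu_type = data[4], data[5]
    if tpdu_type != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:  # no rdpNegData at all: legacy server that only speaks standard RDP security
        return {"outcome": "legacy", "mode": "rdp"}
    neg_type, flags, _, value = struct.unpack_from("<BBHI", data, 11)
    if neg_type == 0x02:  # RDP_NEG_RSP
        return {"outcome": "selected", "mode": PROTOCOL_TO_MODE.get(value, "unknown"), "flags": flags}
    if neg_type == 0x03:  # RDP_NEG_FAILURE
        return {"outcome": "failure", "reason": FAILURE_CODES.get(value, f"unknown({value})")}
    raise ValueError(f"unexpected negotiation structure type {neg_type:#x}")

def meets_minimum(result: dict, minimum: str = "nla") -> bool:
    """Policy check: did the server pick a mode at least as strong as `minimum`? (assumed ordering)"""
    order = ["rdp", "tls", "nla", "nla-ext"]  # weakest to strongest
    rank = order.index(result["mode"]) if result.get("mode") in order else -1
    return result["outcome"] == "selected" and rank >= order.index(minimum)
```

Feeding a captured Connection Confirm through `parse_connection_confirm` and `meets_minimum` is a quick way to confirm that a server advertised as NLA-only really did select `nla` rather than silently falling back to standard RDP security.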