Authentication Protocol of Windows Server 2016 when using remote desktop

Takahiko Itou(伊藤貴彦) 40 Reputation points
2023-09-01T06:22:46.28+00:00

Hello.

I am researching the influence of Microsoft's announcement of the vulnerability of the NTLM protocol.

I would like to know the influence of this matter on the use of Windows Server 2016.

As I understand it, the protocol used when accessing through RDP is RDP.

Please give me your idea of the influence of the change.

Also, I am not sure whether switching the protocol to Kerberos matters for RDP access.

Thank you for reading this question.


Accepted answer
  1. Limitless Technology 44,221 Reputation points
    2023-09-01T09:32:32.5333333+00:00

    Hello,

    NT LAN Manager (including LM, NTLM v1, v2, and NTLM2) is enabled and active in Server 2016 by default, as it's still used for local logon (on non-domain controllers) and workgroup logon authentication in Server 2016. You can restrict and/or disable NTLM authentication via Group Policy following these steps:

    Open the Group Policy Management Editor (gpmc.msc) and edit the Default Domain Controllers Policy. Go to the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policies:

    Network Security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM

    Network Security: Restrict NTLM: NTLM authentication in this domain: Deny for Domain Accounts to Domain Servers.

    Network security: Restrict NTLM: Audit Incoming NTLM Traffic: Enable auditing for all accounts

    Regarding RDP, it will use NTLM by default if NTLM is not blocked, but when NTLM is blocked it will connect using Kerberos authentication as long as the client supports it. By default the Microsoft Remote Desktop app will support it, but bear in mind that other third-party RDP clients may not support the use of Kerberos only.

    Another option would be to use the CredSSP protocol, which would allow the delegation of local credentials to a second machine, also called the "2nd Hop". I am adding the following article as a reference for your information:

    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cssp/e36b36f6-edf4-4df1-9905-9e53b7d7c7b7

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–

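To confirm that the three Group Policy settings from the accepted answer actually took effect on a domain controller, here is an added PowerShell check (example code, not from the thread or from Microsoft); it reads the registry values those policies write and assumes the value names, paths and encodings noted in the comments, with the "Want" values mirroring the settings the answer recommends.

```powershell
function Test-NtlmHardening {
    # Each entry maps a policy from the answer to the registry value Group Policy writes
    # (assumed paths/names). 'Want' is the recommended setting; 'Labels' decodes the value.
    $checks = @(
        [pscustomobject]@{
            Policy = 'Network security: LAN Manager authentication level'
            Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            Name   = 'LmCompatibilityLevel'
            Want   = 5      # Send NTLMv2 response only. Refuse LM & NTLM
            Labels = @{ 0 = 'Send LM & NTLM'; 1 = 'LM & NTLM, NTLMv2 session security if negotiated'
                        2 = 'Send NTLM response only'; 3 = 'Send NTLMv2 response only'
                        4 = 'NTLMv2 only, refuse LM'; 5 = 'NTLMv2 only, refuse LM & NTLM' }
        },
        [pscustomobject]@{
            Policy = 'Network security: Restrict NTLM: NTLM authentication in this domain'
            Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
            Name   = 'RestrictNTLMInDomain'
            Want   = 1      # Deny for domain accounts to domain servers
            Labels = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'
                        3 = 'Deny for domain accounts'; 5 = 'Deny for domain servers'; 7 = 'Deny all' }
        },
        [pscustomobject]@{
            Policy = 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic'
            Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
            Name   = 'AuditReceivingNTLMTraffic'
            Want   = 2      # Enable auditing for all accounts
            Labels = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'
                        2 = 'Enable auditing for all accounts' }
        }
    )
    foreach ($c in $checks) {
        # A missing value means the policy is "Not Defined" and the OS default applies,
        # which for LmCompatibilityLevel still accepts NTLM.
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $label = if ($null -eq $current) { 'Not defined (OS default)' }
                 elseif ($c.Labels.ContainsKey([int]$current)) { $c.Labels[[int]$current] }
                 else { "Unknown value ($current)" }
        [pscustomobject]@{
            Policy    = $c.Policy
            Current   = $label
            Compliant = ($current -eq $c.Want)
        }
    }
}

# Run elevated on the domain controller after the GPO has been applied (gpupdate /force).
Test-NtlmHardening | Format-Table -AutoSize
```

Once the audit setting is in place, the NTLM logons that would be blocked are recorded in the Microsoft-Windows-NTLM/Operational event log, which is where to look for RDP clients that still negotiate NTLM before enforcing the deny policy.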