2

I use Chrome Remote Desktop pretty much every day. However, the thought that someone might be sitting in front of the client machine watching (or worse, hijacking) what I'm doing is a serious concern. Almost prohibitively so.

I found the solution called "curtain mode." It makes Chrome Remote Desktop more like MS-RDP (which only shows the login screen while you are accessing it). Via Google, there are many step-by-step instructions on how to achieve curtain mode. Indeed, one of them is straight from Google: https://support.google.com/chrome/a/answer/2799701?hl=en.

In particular, I am concerned with step 2 of this process:

Steps for all Windows installations:

  1. Using Regedit, set HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostRequireCurtain to 1.
  2. Enable RDP connections to the machine by unchecking Control Panel\System and Security\System > Remote settings > "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".

The step calls for removing what seems to be a critical security layer around the Microsoft RDP apparatus. I am not entirely sure what it means or the consequences of unchecking the box.

What is "Network Level Authentication"? Does it make the machine more hackable if removed?

1 Answer

0

Just came across this thread and I've had my challenges with NLA, so even though this is an older issue, I thought I'd offer an answer. Per Wikipedia:

Network Level Authentication (NLA) is a feature of Remote Desktop Services (RDP Server) or Remote Desktop Connection (RDP Client) that requires the connecting user to authenticate themselves before a session is established with the server.

Originally, if a user opened an RDP (remote desktop) session to a server it would load the login screen from the server for the user. This would use up resources on the server, and was a potential area for denial of service attacks as well as remote code execution attacks (see BlueKeep).

That explains pretty well what NLA means. Now, in terms of real-world security risks, I'm generally hesitant to disable it on a laptop, where I could potentially be accessing the internet on an open wifi connection. If your PC is behind a firewall, on secured wifi, or on a VPN, a hacker would have to get into that network to be able to even try to access your machine. However, on an open network, it's easy to get on and sniff for IPs to try and exploit. Even then it only gets you as far as the Windows logon screen, so it's still not a free pass, but there are some risks if you happened to encounter someone pretty malicious who knows what they're doing.

One thing worth noting is that NLA is a Windows security construct, so other operating systems or third-party tools for RDP are hit or miss on whether it's supported.

So my general rule of thumb, because I happen to really like Chrome Remote Desktop, is to disable NLA on relatively stationary machines that are on secure networks. As for a laptop I carry around with me, that I'm likely not going to need to remote into anyway, I leave NLA on for that. Hope that helps!
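A read-only audit of the settings discussed in this thread, as an added example that is not part of the question or the answer: it reports the curtain-mode policy, whether RDP is enabled, whether NLA is required, and warns when NLA is off while the machine sits on a network Windows classifies as Public. It assumes the standard Terminal Server registry locations and the `Get-NetConnectionProfile` cmdlet (Windows 8 / Server 2012 or later); the helper name `Get-RegValue` is hypothetical.

```powershell
# Added example: inspects settings only, changes nothing.
$crdPolicy = 'HKLM:\Software\Policies\Google\Chrome'
$ts        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp    = "$ts\WinStations\RDP-Tcp"
# Group Policy location; when set, it overrides the local RDP-Tcp value.
$tsPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$curtain = Get-RegValue $crdPolicy 'RemoteAccessHostRequireCurtain'
$denyRdp = Get-RegValue $ts        'fDenyTSConnections'   # 0 = RDP connections allowed
$nla     = Get-RegValue $tsPolicy  'UserAuthentication'   # 1 = NLA required
if ($null -eq $nla) { $nla = Get-RegValue $rdpTcp 'UserAuthentication' }

$rdpEnabled  = ($denyRdp -eq 0)
$nlaRequired = ($nla -eq 1)
$port        = Get-RegValue $rdpTcp 'PortNumber'          # 3389 unless changed

# Networks the machine is on right now that Windows treats as untrusted.
$publicNets = @(Get-NetConnectionProfile |
                Where-Object { $_.NetworkCategory -eq 'Public' })

[pscustomobject]@{
    CurtainModePolicy = if ($null -eq $curtain) { 'not set' } else { $curtain }
    RdpEnabled        = $rdpEnabled
    NlaRequired       = $nlaRequired
    RdpPort           = $port
    PublicNetworks    = ($publicNets.Name -join ', ')
}

if ($rdpEnabled -and -not $nlaRequired) {
    if ($publicNets.Count -gt 0) {
        Write-Warning ("RDP is enabled without NLA while connected to a Public " +
                       "network: the logon screen is reachable before authentication.")
    } else {
        Write-Output ("NLA is off, but no current network is classified Public. " +
                      "Re-run this check after joining a different network.")
    }
}
```

Run it from an elevated PowerShell prompt on the host machine; the network classification reflects what Windows was told about each network, not an independent measure of how trustworthy it is.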
