Questions about Network Level Authentication and Remote Desktop
    Questions about Network Level Authentication and Remote Desktop

    Hi!

    I have a basic understanding of what Network Level Authentication is, thanks to the internet. We have a LAN setup with some Windows 10 Enterprise systems and want to connect via Remote Desktop to some of these machines (on the same network).

    Network Level Authentication seems like a good idea. It should prevent people on another network from connecting.

    We're connected to AzureAD, but have no on-premises domain controller. Would we need some sort of domain controller to successfully use NLA, or is there some other method to authenticate on the network that I don't know about?

    This is the error message we receive when attempting to connect from one Windows 10 Enterprise machine to another:
    Code:
    The remote computer that you are trying to connect to requires network level 
    authentication (NLA), but your windows domain controller cannot be 
    contacted to perform NLA. If you are an administrator on the remote 
    computer, you can disable NLA by using the options on the remote tab of the 
    System properties dialog box.
    That pretty much says we need to be connecting to a domain, but isn't AzureAD an off-site domain controller? We authenticate against AzureAD. If we change a user password in the Admin portal, our passwords on the client machines are updated.


    So to summarize, we are attempting to use AzureAD to authenticate for RDP sessions. Is that currently possible or no?

    Thanks!
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
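    An added diagnostic, not code from the original post, that a practitioner could run on the target Windows 10 machine to confirm the two settings the error message above depends on: whether NLA is actually enforced on the RDP listener, and how the device is joined (Azure AD versus an on-premises domain) as reported by dsregcmd. It assumes an elevated PowerShell session on Windows 10; it only reads settings and changes nothing.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell
# session on the *target* Windows 10 machine. It reports the settings behind the
# "requires network level authentication (NLA)" error rather than changing anything.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Remote Desktop enabled? (fDenyTSConnections = 0 means connections are allowed)
$denyConn = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
# 2. NLA required on the listener? (UserAuthentication = 1 means CredSSP/NLA is enforced)
$userAuth = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication

# 3. Device join state. dsregcmd /status prints lines such as "AzureAdJoined : YES".
#    NLA makes the target validate the client's credential before the session starts,
#    so the join type decides which identity provider (Azure AD or an on-prem DC)
#    has to be reachable for that validation to succeed.
$status       = dsregcmd /status
$azureJoined  = [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
$domainJoined = [bool]($status | Select-String -Pattern 'DomainJoined\s*:\s*YES' -Quiet)

[pscustomobject]@{
    RemoteDesktopEnabled = ($denyConn -eq 0)
    NlaRequired          = ($userAuth -eq 1)
    AzureAdJoined        = $azureJoined
    OnPremDomainJoined   = $domainJoined
} | Format-List

# 4. Defender sanity check: the RDP listener should only be reachable from the LAN,
#    so list the listening socket and the firewall rules that expose it.
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile, Direction
```

If the target reports AzureAdJoined = YES and NlaRequired = True, Microsoft's documented route is to connect from a client that is itself Azure AD joined (or hybrid joined) and sign in as AzureAD\user@yourtenant (placeholder tenant), which keeps NLA on instead of disabling it as the error text suggests.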

    #2
    Re: Questions about Network Level Authentication and Remote Desktop

    so what's wrong with VNC ??
    why you want a bunch of scumbags in the loop??
    I mean it could be worse, it could be TeamViewer - so called because they have a team viewing what you do!! (read the license!!)

      #3
      Re: Questions about Network Level Authentication and Remote Desktop

      Shouldn't make a difference whether AD is on or off premise or hybrid.

      Have a look here https://www.darkoperator.com/blog/20...n-for-rdp.html

        #4
        Re: Questions about Network Level Authentication and Remote Desktop

        Originally posted by diif:
        Shouldn't make a difference whether AD is on or off premise or hybrid.

        Have a look here https://www.darkoperator.com/blog/20...n-for-rdp.html
        Thank you. We noticed it used to work, then it didn't, and while I couldn't get off the couch, my wife was trying to handle a lot of what my job is. I noticed last night that the MDM had to be changed to Intune (which it should be anyway), and I believe that was the issue. I have to finish setting up the workstation, but I believe it'll work as expected at that time.

        I knew something was wrong when I couldn't see any devices whatsoever in Intune! Then I started reading the messages, and the way we had it set up stopped working on August 30th, 2018, and we had to make the switch. I guess she read the message but didn't understand, so didn't do anything. I'm going to read the rest of them just to see if there might be something else she missed.

        Thanks!
        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

          #5
          Re: Questions about Network Level Authentication and Remote Desktop

          Originally posted by stj:
          so what's wrong with VNC ??
          why you want a bunch of scumbags in the loop??
          I mean it could be worse, it could be TeamViewer - so called because they have a team viewing what you do!! (read the license!!)
          Remote Desktop is built into the Windows OS, and there are no extra fees we need to pay to use it. VNC is yet another piece of software to maintain. We were looking into third-party VNC clients and I couldn't seem to find one that could be used for free in a business environment. They could be used for personal use, but not for corporate use.

          Figured until we get the Linux company owned devices up and running, remote desktop would be best right now. I had attempted to connect to the Windows machines via my personal Linux box, but failed, because of NLA I suspect. Was wondering if there was a way to authenticate against the AzureAD in Linux.

          I see people are making progress with supporting some of the Microsoft business stuff in Linux, like Skype for Business or OneDrive for Business, etc.

          I know with Azure we have options to create various Linux VMs, but I believe that costs money, albeit there's a free trial (30 days, $200 or something). I think you're charged based on use.

          What's a good VNC client / server that you'd recommend that could be used in a business / production environment without having to pay? It'd be nice if we had secure connections from Linux to Windows. We use SSH extensively, but a GUI is sometimes necessary.

          Thanks!
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

            #6
            Re: Questions about Network Level Authentication and Remote Desktop

            a lot of people are looking to get away from azure as fast as possible actually,
            after the GAB incident last week where m$ outright threatened to destroy gab's azure space/data if they didn't delete a bunch of posts and users within 48 hours!!!!

              #7
              Re: Questions about Network Level Authentication and Remote Desktop

              Originally posted by stj:
              a lot of people are looking to get away from azure as fast as possible actually,
              after the GAB incident last week where m$ outright threatened to destroy gab's azure space/data if they didn't delete a bunch of posts and users within 48 hours!!!!
              Yeah, I guess like lots of people, Microsoft takes issue with far right racist views that incite violence which are not protected by the First Amendment.
              I'm pretty sure those sorts aren't appreciated by AWS or Google either.
              http://uk.businessinsider.com/micros...emitism-2018-8

              The continued growth of Azure suggests the leavers are small/insignificant if they are leaving at all.
              Last edited by diif; 09-01-2018, 05:09 PM. Reason: Added a link.

                #8
                Re: Questions about Network Level Authentication and Remote Desktop

                Once again, M$ is a private company, they are allowed to choose what they want to do. Anything posted on their sites is not only a representation of the poster, but the site itself (Anyone remember CNN allowing comments on their site for a few months, and now...where'd it go?)

                If the far right or whoever wants to prevent M$ and other companies from removing their posts, they need to ... oh no ... make a new law, make bigger government - exactly the opposite what they really want!

                ... Else make their own Google, M$, amazon, whatever... They are free and encouraged to do so. It will make an interesting issue with the top level network providers however, but we're not at that point yet, and I don't think we'll ever get to that point.

                  #9
                  Re: Questions about Network Level Authentication and Remote Desktop

                  it's actually the equivalent of the phone company threatening to disconnect you because of who you call or what you say.
                  what people store on azure is none of m$'s concern regardless of ownership.
                  they are providing storage, they are not supposed to be inspecting its content.

                    #10
                    Re: Questions about Network Level Authentication and Remote Desktop

                    However if you use Azure to host racist shit and get a complaint then they as they did will ask you to remove it.
                    The racist threats of violence were public. They didn't need inspecting.

                      #11
                      Re: Questions about Network Level Authentication and Remote Desktop

                      slippery slope.

                      GAB dropped azure over that bs, not the posts btw.

                        #12
                        Re: Questions about Network Level Authentication and Remote Desktop

                        Originally posted by stj:
                        it's actually the equivalent of the phone company threatening to disconnect you because of who you call or what you say.
                        what people store on azure is none of m$'s concern regardless of ownership.
                        they are providing storage, they are not supposed to be inspecting its content.
                        Was the data actually kept private, or was it publicly accessible?

                          #13
                          Re: Questions about Network Level Authentication and Remote Desktop

                          private, it was the database of the GAB instant messenger system. the content is a condensed version of public/private messages.
                          https://gab.ai/

                          it's also worth pointing out that the posts in question are from Patrick Little,
                          who is a 2020 Democratic Presidential Candidate.
                          so it could be seen as interfering with someone's election campaign.
                          Last edited by stj; 09-02-2018, 09:27 AM.

                            #14
                            Re: Questions about Network Level Authentication and Remote Desktop

                            So you're saying it's the data backend for a web service that anyone can read? Sounds publicly readable to me, so it makes sense. If it were an "exclusive members only" deal then it's different.

                              #15
                              Re: Questions about Network Level Authentication and Remote Desktop

                              no, i'm saying it's both.
                              people can message to "public", "group" or individual people.

                                #16
                                Re: Questions about Network Level Authentication and Remote Desktop

                                If the general public can read them, with a free account or not, then it's justified.
                                If the general public cannot read them with an account or not, then they should not have removed it.

                                  #17
                                  Re: Questions about Network Level Authentication and Remote Desktop

                                  Originally posted by diif:
                                  Yeah, I guess like lots of people, Microsoft takes issue with far right racist views that incite violence which are not protected by the First Amendment.
                                  I'm pretty sure those sorts aren't appreciated by AWS or Google either.
                                  http://uk.businessinsider.com/micros...emitism-2018-8

                                  The continued growth of Azure suggests the leavers are small/insignificant if they are leaving at all.
                                  From what we've seen, people that use Microsoft services are moving towards Azure and away from on-premise Microsoft services.

                                  I believe Microsoft will probably stop making on premise software. I've seen Microsoft documents about upgrading to server 2016, and they show upgrade paths, but all end with the CSP, sooner or later. They offer incentives to switch as well, which makes it financially feasible to switch.

                                  We wanted on-premise originally, like Active Directory, Windows Server, Exchange, but it's ridiculously high, whereas with the CSP stuff, we don't pay much at all, but we have to pay monthly. In the long run though, with Microsoft's EOL for the various softwares, the online services seem to be the way to go.

                                  We love Linux, don't get me wrong, but we also need Windows because of certain software. I noticed the Linux community is starting or trying to implement some of the Microsoft business stuff with the various Linux distros, like Onedrive for Business, etc.

                                  Once I can start working full time on this again, I wanted to set up a Samba server and see if I could somehow link that to the Azure Active Directory services, where we'd be using the Samba server for credential verification, etc., and the Samba server would be connecting to the Azure Active Directory occasionally, but I haven't looked into it yet to see if it's doable.
                                  -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                                    #18
                                    Re: Questions about Network Level Authentication and Remote Desktop

                                    Originally posted by stj:
                                    it's actually the equivalent of the phone company threatening to disconnect you because of who you call or what you say.
                                    what people store on azure is none of m$'s concern regardless of ownership.
                                    they are providing storage, they are not supposed to be inspecting its content.
                                    I wouldn't quote me on this, I'd have to go and look at the 15 page contract (or thereabouts) that we signed for the Microsoft CSP services, but if I'm not mistaken, I remember a clause somewhere prohibiting the storage or creation of sites that contain illegally obtained software (pirated), music, videos, racist or violent posts, etc.

                                    I believe all that was outlined in the contract we signed. Is it possible that GAB just signed up for the Azure services without actually reading the contract?

                                    I used to do that, but then I worked for a corporation. The corporation I worked for dealt with social security numbers, credit card numbers, banking info, and people's financial information, including their addresses, where they worked, etc.

                                    Very few people were allowed cameras, papers, or pens in the building. I was one of the few. We had cameras everywhere except in the offices (like mine) and in the server room. We didn't record the keypad code to get into the server room or anything that went on in the server room, for security purposes.

                                    Some employee had managed to sneak in some smiley face add-on for AOL Instant Messenger. We had a Jabber server setup for communications and I had to write up an SOP saying that only the Jabber server was allowed. There was some sort of AIM add-on that we would enable for a supervisor so she could communicate with her husband, who was in the military and deployed. I guess it was hard for him to know when he'd have time to communicate with her, so we made an exception for her.

                                    Anyway, long story short, the smiley face AIM thing's EULA was something like 60 pages!!!! and I read through all of it! And buried deep inside was a clause saying that if you used the program, you gave the company the right to take screenshots of your desktop so they could look at what you were viewing, along with network traffic, etc., to target ads towards you.

                                    That was a huge security breach and we closed that very quick like. But yeah, I read all the fine print now but I think a lot of people just click Accept without reading it or don't fully understand it.
                                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                                      #19
                                      Re: Questions about Network Level Authentication and Remote Desktop

                                      Originally posted by eccerr0r:
                                      So you're saying it's the data backend for a web service that anyone can read? Sounds publicly readable to me, so it makes sense. If it were an "exclusive members only" deal then it's different.
                                      If the Service Level Agreement (SLA) or End User License Agreement (EULA) prohibited that type of information being stored on Microsoft's servers, then it wouldn't matter if it was publicly viewable or not, right?

                                      I just pulled our agreement, and we have an agreement with our distributor, but on the end page, it also says we must agree to Microsoft's SLA. The Service Level Agreement for Microsoft Online Services and the Service Level Agreement for Azure Services.

                                      I downloaded the 68 page consolidated SLA for the Microsoft Services and searched for keywords like racism and racist but didn't return any queries, but my guess is somewhere in one of the agreements, it says you can't use the Microsoft servers for that kind of stuff.

                                      I know the agreements say we are responsible for breach of contract, and let's say someone hacks into our account and uses it to do something illegal... I guess we can get in trouble if we didn't take certain safeguards to protect our info. We also can get in trouble if we know about a breach and don't report it.

                                      I'd imagine anything illegal wouldn't be allowed, regardless of whether it was a publicly available or not, unless there was a legit reason for it (ie, a government agency storing child pornography to try and track it back to the people who took the images, or to use it in court as evidence).
                                      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                                        #20
                                        Re: Questions about Network Level Authentication and Remote Desktop

                                        Originally posted by eccerr0r:
                                        If the general public can read them, with a free account or not, then it's justified.
                                        If the general public cannot read them with an account or not, then they should not have removed it.
                                        Isn't racist stuff illegal? I thought that fit somewhere along the line of hate crimes. I guess that's like what Stj said, a slippery slope. We got the freedom of speech, but I don't think it was necessarily put in place to allow things like racism or hate. Just to allow people to speak up of injustices in the government (corruption, etc, without the fear of being punished by that government).

                                        If I were a big company like Microsoft, I'd probably play it safe and ask someone to remove racist comments... but then we'd have to look at how we defined racist comments. Not always black and white, I guess.

                                        It's like the law about saying you're going to assassinate the President. It's a felony to threaten the United States President under United States Code Title 18, Section 871; however, you can legally say things like "assassinate the President" if you use it in the sentence I used it in.

                                        Racism can be a hate crime but I don't think it always is, something like that.
                                        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
