We run a Radius server (Windows Server 2008 R2 running NPS).
CredSSP first establishes an encrypted channel between the client and the target server by using Transport Layer Security (TLS).
Since no packet will reach the RDP service until CredSSP has finished negotiating the connection, it protects the server from DoS and exploits.
NLA is present in the latest versions of Windows. It was first introduced with RDP 6.0 in Windows Vista and later on Windows XP SP3.
In a Windows 2008 environment, we can install the Active Directory Certificate Services role on a server to set up an Enterprise CA, accepting all defaults, so that it can provide computer certificates to the machines in the domain automatically using Group Policy.
In this example I will show how to configure a GPO that issues a certificate to each host in the domain and configures NLA authentication for RDP.
In a production environment you may wish to separate these or keep them in one policy depending on your AD design.