Protocols for access
Three protocols are available for remote access: RDP, VNC, and SSH.
RDP (Remote Desktop Protocol)
RDP provides graphical remote access to Windows desktops and applications. It can also be used from non-Windows systems such as macOS or Linux, provided a compatible RDP client is installed. Microsoft provides the Windows App for macOS; on Linux, third-party clients such as Remmina or FreeRDP are available. You can configure the following encryption methods:
- Any – Automatically negotiates the highest supported encryption method between client and server. Recommended for maximum compatibility.
- NLA (Network Level Authentication) – Authenticates the user before the RDP session is established, using TLS via CredSSP. Since the system's login screen is never accessible to unauthenticated connections, NLA offers the strongest security and is the recommended option.
- TLS – Encrypts the connection at the transport layer. Authentication occurs after the connection is established, which means the login screen is visible before credentials are verified.
- RDP – Uses the protocol's built-in encryption. Intended for legacy environments where NLA or TLS are not supported.
NLA vs. TLS comparison
| | NLA | TLS |
|---|---|---|
| Focus | Authentication before session | Connection encryption |
| Auth timing | Before RDP session | During/after connection setup |
| Protection against attacks | High (reduces attack surface) | Medium (transport protection only) |
| Uses TLS | Yes (internally via CredSSP) | Yes (directly) |
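
To check which of these methods a server actually selected, the following added example (not part of this documentation or of any product's code) decodes the server's X.224 Connection Confirm using the negotiation field layout from Microsoft's MS-RDPBCGR specification. The function names, host names and sample bytes are constructed for illustration.

```python
import struct

# selectedProtocol values of the RDP Negotiation Response (MS-RDPBCGR),
# mapped to the option names used on this page.
SELECTED = {0x0: "RDP", 0x1: "TLS", 0x2: "NLA", 0x8: "NLA"}  # 0x8 = CredSSP with early user auth
FAILURES = {0x1: "SSL_REQUIRED_BY_SERVER", 0x2: "SSL_NOT_ALLOWED_BY_SERVER",
            0x3: "SSL_CERT_NOT_ON_SERVER", 0x4: "INCONSISTENT_FLAGS",
            0x5: "HYBRID_REQUIRED_BY_SERVER",
            0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def classify_confirm(pdu: bytes) -> str:
    """Return the security layer a server selected in its X.224 Connection Confirm."""
    if len(pdu) < 11:
        raise ValueError("too short for TPKT + X.224 Connection Confirm")
    version, _reserved, length = struct.unpack(">BBH", pdu[:4])
    if version != 3 or length != len(pdu):
        raise ValueError("bad TPKT header or truncated capture")
    if pdu[5] & 0xF0 != 0xD0 or pdu[4] + 5 != len(pdu):
        raise ValueError("not an X.224 Connection Confirm")
    body = pdu[11:]
    if not body:                      # no negotiation block: legacy RDP security only
        return "RDP"
    if len(body) != 8:
        raise ValueError("unexpected negotiation block size")
    kind, _flags, blen, value = struct.unpack("<BBHI", body)
    if blen != 8:
        raise ValueError("bad negotiation block length")
    if kind == 0x02:                  # TYPE_RDP_NEG_RSP
        return SELECTED.get(value, f"unknown(0x{value:x})")
    if kind == 0x03:                  # TYPE_RDP_NEG_FAILURE
        return "FAILURE:" + FAILURES.get(value, f"0x{value:x}")
    raise ValueError("unknown negotiation block type")

def below_nla(captures: dict) -> list:
    """Names of hosts whose confirm shows a layer weaker than NLA."""
    return sorted(h for h, p in captures.items() if classify_confirm(p) in ("TLS", "RDP"))

# Constructed sample PDUs (hypothetical host names), not captured from real systems.
HEAD = bytes.fromhex("030000130ed00000123400")
SAMPLES = {
    "host-nla": HEAD + bytes.fromhex("0200080002000000"),
    "host-tls": HEAD + bytes.fromhex("0200080001000000"),
    "host-legacy": bytes.fromhex("0300000b06d00000123400"),
    "host-enforcing": HEAD + bytes.fromhex("0300080005000000"),
}

if __name__ == "__main__":
    for host, pdu in SAMPLES.items():
        print(host, classify_confirm(pdu))
    print("below NLA:", below_nla(SAMPLES))
```

A `FAILURE:HYBRID_REQUIRED_BY_SERVER` result means the server refused a client that did not offer NLA, which is the behavior expected from a host where NLA is enforced.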
VNC (Virtual Network Computing)
VNC enables platform-independent graphical remote access by transmitting screen content and input events over the network. It is typically used for non-Windows systems.
SSH (Secure Shell)
SSH provides encrypted, text-based remote access to servers. All communication is encrypted by default, making it the standard protocol for command-line administration.