By default the NetTcpBinding uses Transport security, with the default characteristics you list.
Signing and encryption of messages in this context does not mean the same thing as in Message security. Rather it means that all the packets of data sent over the network transport are signed and encrypted. This does not rely on certificates. It is done by security providers installed in the operating system on the sending and receiving machines, invoked via SSPI (Security Support Provider Interface) - the same mechanism involved, for example, when a domain credential is used to access some resource such as a file on a different machine on the network.
Before any application data is sent on a connection, the binding orchestrates an SSPI handshake between the sender and receiver, specifying the Negotiate security package (this chooses either NTLM or Kerberos as the actual security protocol, depending on the capabilities of the respective host machines). Security tokens are exchanged over the connection as part of this handshake, at the end of which the two sides' security providers will have agreed session keys for use in the signing and encryption of the ensuing application messages.
