Ask the Expert

How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions?

How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions to critical systems? I've heard that built-in encryption that uses Microsoft Terminal Services still leaves usernames and passwords in the clear. I don't want to have to build an IPsec tunnel to a server every time I am connecting to it using a terminal service. Any suggestions or comments?

    Requires Free Membership to View

PCI DSS Requirement 2.3 reads:
"Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access."

There are two main ways to address this issue. For non-Windows systems, most people use the Secure Shell (SSH) network protocol to gain access to their critical systems securely. SSH is available for Windows devices as well, so that is certainly an option. Also, the overhead in setting up SSH should present less of an issue than IPsec, given IPsec's complicated configuration and requirement for changes at the network level.

Other companies use VPN technology for almost everything. Enterprises establish a VPN connection with remote sites, so all of their traffic is encrypted; thus it's not an issue whether RDP or terminal services transmit the password and user ID in the clear or without encryption.

Finally, there are other commercial options, like Citrix Systems Inc.'s XenApp (formerly Presentation Server) that can establish a secure connection to a console running in the data center. In fact, any kind of terminal server (including Microsoft Terminal Server 2008 or other thin client solutions) provides this capability, since the application actually "runs" within the datacenter and the communications between terminal and host is encrypted. Again, the user ID and password would never leave the facility, and the connection to the server, which sends only the screen images to the device, is secure.

According to Kurt Roemer, Citrix's chief security strategist: "The Citrix ICA protocol encrypts the communication channel between the user and the application, giving encryption (and strong authentication, if required) to any type of application and console access. XenApp (formerly known as Presentation Server) also virtualizes and isolates the application from anything that may be running on the client, allowing even for control over local copy, paste, print, and local drive usage." This clearly meets the spirit of Requirement 2.3.

More information:

This was first published in March 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: