Q

How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions?

What's the best way to comply with PCI DSS without having to create a secure IPsec tunnel with every connection to critical systems? Security management expert Mike Rothman gives his advice.

How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions to critical systems? I've heard that built-in encryption that uses Microsoft Terminal Services still leaves usernames and passwords in the clear. I don't want to have to build an IPsec tunnel to a server every time I am connecting to it using a terminal service. Any suggestions or comments?

PCI DSS Requirement 2.3 reads:
"Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access."

There are two main ways to address this issue. For non-Windows systems, most people use the Secure Shell (SSH) network protocol to gain access to their critical systems securely. SSH is available for Windows devices as well, so that is certainly an option. Also, the overhead in setting up SSH should present less of an issue than IPsec, given IPsec's complicated configuration and requirement for changes at the network level.

Other companies use VPN technology for almost everything. Enterprises establish a VPN connection with remote sites, so all of their traffic is encrypted; thus it's not an issue whether RDP or terminal services transmit the password and user ID in the clear or without encryption.

Finally, there are other commercial options, like Citrix Systems Inc.'s XenApp (formerly Presentation Server), that can establish a secure connection to a console running in the data center. In fact, any kind of terminal server (including Microsoft Terminal Server 2008 or other thin-client solutions) provides this capability, since the application actually "runs" within the data center and the communications between terminal and host are encrypted. Again, the user ID and password would never leave the facility, and the connection to the server, which sends only the screen images to the device, is secure.

According to Kurt Roemer, Citrix's chief security strategist: "The Citrix ICA protocol encrypts the communication channel between the user and the application, giving encryption (and strong authentication, if required) to any type of application and console access. XenApp (formerly known as Presentation Server) also virtualizes and isolates the application from anything that may be running on the client, allowing even for control over local copy, paste, print, and local drive usage." This clearly meets the spirit of Requirement 2.3.
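An added example, not part of Mike Rothman's answer or of any vendor's code: a small Python audit for the question's concern, checking whether an RDP listener you administer negotiates TLS (or CredSSP/NLA, which also runs over TLS) or falls back to legacy "Standard RDP Security" where credentials are protected only by RDP's own RC4 layer. It sends the X.224 Connection Request with an rdpNegReq (MS-RDPBCGR) and interprets the Connection Confirm; the sample replies are constructed, not captured, and the host name is an assumption you supply.

```python
import socket
import struct

# Protocol flags from the X.224 negotiation (MS-RDPBCGR rdpNegReq / rdpNegRsp).
PROTOCOL_RDP = 0x00000000     # legacy Standard RDP Security: no TLS, no server identity check
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP / Network Level Authentication (over TLS)
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER"}

def build_connection_request(requested=PROTOCOL_RDP | PROTOCOL_SSL | PROTOCOL_HYBRID):
    """X.224 Connection Request inside a TPKT frame, offering the given protocols."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)           # type, flags, length, protocols
    x224 = bytes([6 + len(neg_req), 0xE0, 0, 0, 0, 0, 0]) + neg_req     # LI, CR code, dst-ref, src-ref, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224              # TPKT: version 3, reserved, length

def parse_connection_confirm(data):
    """Return ("selected", proto), ("failure", code) or ("legacy", None) for a Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if data[4] < 14 or len(data) < 19:      # no rdpNegRsp at all: server predates negotiation
        return ("legacy", None)
    typ, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if typ == TYPE_RDP_NEG_RSP:
        return ("selected", value)
    if typ == TYPE_RDP_NEG_FAILURE:
        return ("failure", value)
    raise ValueError("unknown negotiation structure type %d" % typ)

def meets_requirement(result):
    """PCI DSS 2.3 view: only a TLS-based security layer (any non-zero selected protocol) passes."""
    kind, value = result
    return kind == "selected" and value != PROTOCOL_RDP

def probe(host, port=3389, timeout=5):
    """Ask a host you administer which security layer it selects for the offered set."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return parse_connection_confirm(s.recv(1024))

# Constructed sample replies (not captured from any real host) for offline checking.
SAMPLE_TLS_REPLY = bytes.fromhex("030000130ed000001234000200080001000000")
SAMPLE_LEGACY_REPLY = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_OLD_SERVER_REPLY = bytes.fromhex("0300000b06d00000123400")
SAMPLE_FAILURE_REPLY = bytes.fromhex("030000130ed000001234000300080002000000")

if __name__ == "__main__":
    import sys
    res = probe(sys.argv[1])                # hypothetical: your own terminal server
    print(res, "meets 2.3" if meets_requirement(res) else "does NOT meet 2.3")
```

A selected TLS layer only shows that credentials are not sent under legacy RDP security; whether the server certificate is one clients actually trust, and whether NLA is enforced, are separate checks in the server's Remote Desktop configuration.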

This was first published in March 2008