PCI DSS Requirement 2.3 reads:
"Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access."
There are two main ways to address this requirement. For non-Windows systems, most people use the Secure Shell (SSH) network protocol to gain access to their critical systems securely. SSH is available for Windows devices as well, so that is certainly an option. Also, setting up SSH involves less overhead than IPsec, given IPsec's complicated configuration and the changes it requires at the network level.
Other companies use VPN technology for almost everything. Enterprises establish a VPN connection with remote sites so that all of their traffic is encrypted; it then does not matter whether RDP or Terminal Services themselves transmit the user ID and password in the clear, because the VPN tunnel encrypts them in transit.
Finally, there are other commercial options, like Citrix Systems Inc.'s XenApp (formerly Presentation Server), that can establish a secure connection to a console running in the data center. In fact, any kind of terminal server (including Microsoft Terminal Server 2008 or other thin client solutions) provides this capability, since the application actually "runs" within the data center and the communications between terminal and host are encrypted. Again, the user ID and password never leave the facility, and the connection to the server, which sends only screen images to the device, is secure.
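A practical way to check a host against Requirement 2.3 is to list its listening TCP services and flag any administrative protocol that is reachable over the network without encryption (telnet, the r-services, FTP, plain VNC), while passing SSH and HTTPS and marking anything else for manual review. The script below is an added example, not code from the original article or from any vendor named in it; it parses `ss -tlnp`-style output (the sample is constructed, not captured from a real host), treats loopback-only listeners as console-equivalent rather than network-reachable, and the port classifications and finding texts are this example's own assumptions.

```python
"""Audit listening TCP services for cleartext administrative access (PCI DSS 2.3).

Added illustration; port classifications below are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=901,fd=4))
LISTEN  0       511     [::]:443             [::]:*             users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     127.0.0.1:5900       0.0.0.0:*          users:(("Xvnc",pid=1400,fd=8))
LISTEN  0       128     *:8080               *:*                users:(("java",pid=1500,fd=12))
"""

# Administrative protocols whose sessions (and usually credentials) are unencrypted.
CLEARTEXT_ADMIN_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin",
                         514: "rsh", 5900: "vnc"}
# Administrative channels that provide transport encryption (what 2.3 asks for).
ENCRYPTED_ADMIN_PORTS = {22: "ssh", 443: "https"}
# Addresses that are only reachable from the host itself, i.e. console-equivalent.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass
class Finding:
    port: int
    address: str
    process: str
    verdict: str  # "fail", "pass", "review" or "local"
    note: str


def parse_listeners(ss_output):
    """Return (address, port, process) for every LISTEN line in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        # rsplit copes with IPv4 "0.0.0.0:22", IPv6 "[::]:443" and wildcard "*:8080"
        addr, port = fields[3].rsplit(":", 1)
        match = re.search(r'\(\("([^"]+)"', line)
        listeners.append((addr, int(port), match.group(1) if match else "unknown"))
    return listeners


def classify(addr, port, process):
    """Map one listener to a 2.3 finding."""
    if addr in LOOPBACK:
        return Finding(port, addr, process, "local",
                       "bound to loopback only; not non-console access over the network")
    if port in CLEARTEXT_ADMIN_PORTS:
        return Finding(port, addr, process, "fail",
                       f"{CLEARTEXT_ADMIN_PORTS[port]} session is unencrypted; "
                       "replace with SSH/TLS or carry it inside a VPN tunnel")
    if port in ENCRYPTED_ADMIN_PORTS:
        return Finding(port, addr, process, "pass",
                       f"{ENCRYPTED_ADMIN_PORTS[port]} provides an encrypted channel")
    return Finding(port, addr, process, "review",
                   "unrecognised service; confirm whether it offers administrative "
                   "access (e.g. a web console) and whether it uses TLS")


def audit(ss_output):
    """Classify every network listener found in the given ss output."""
    return [classify(*listener) for listener in parse_listeners(ss_output)]


def failing_ports(ss_output):
    """Ports that violate 2.3 outright, sorted for stable reporting."""
    return sorted(f.port for f in audit(ss_output) if f.verdict == "fail")


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        print(f"{f.verdict.upper():6} {f.address}:{f.port} ({f.process}) - {f.note}")
```

On a real host, feed it the output of `ss -tlnp` (run as root so process names are visible). The "review" bucket is deliberate: a listener on 8080 might be a public web application or an unencrypted management console, and only the latter falls under 2.3, so the script reports it rather than guessing.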
According to Kurt Roemer, Citrix's chief security strategist: "The Citrix ICA protocol encrypts the communication channel between the user and the application, giving encryption (and strong authentication, if required) to any type of application and console access. XenApp (formerly known as Presentation Server) also virtualizes and isolates the application from anything that may be running on the client, allowing even for control over local copy, paste, print, and local drive usage." This clearly meets the spirit of Requirement 2.3.
This was first published in March 2008.