
	Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions?

Ask The Security Expert: Questions & Answers

EMAIL THIS

How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions?

EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 04 March 2008
How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions to critical systems? I've heard that built-in encryption that uses Microsoft Terminal Services still leaves usernames and passwords in the clear. I don't want to have to build an IPsec tunnel to a server every time I am connecting to it using a terminal service. Any suggestions or comments?

PCI DSS Requirement 2.3 reads:
"Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access."

There are two main ways to address this issue. For non-Windows systems, most people use the Secure Shell (SSH) network protocol to gain access to their critical systems securely. SSH is available for Windows devices as well, so that is certainly an option. Also, the overhead in setting up SSH should present less of an issue than IPsec, given IPsec's complicated configuration and requirement for changes at the network level.

Other companies use VPN technology for almost everything. Enterprises establish a VPN connection with remote sites, so all of their traffic is encrypted; thus it's not an issue whether RDP or terminal services transmit the password and user ID in the clear or without encryption.

Finally, there are other commercial options, like Citrix Systems Inc.'s XenApp (formerly Presentation Server) that can establish a secure connection to a console running in the data center. In fact, any kind of terminal server (including Microsoft Terminal Server 2008 or other thin client solutions) provides this capability, since the application actually "runs" within the datacenter and the communications between terminal and host is encrypted. Again, the user ID and password would never leave the facility, and the connection to the server, which sends only the screen images to the device, is secure.

According to Kurt Roemer, Citrix's chief security strategist: "The Citrix ICA protocol encrypts the communication channel between the user and the application, giving encryption (and strong authentication, if required) to any type of application and console access. XenApp (formerly known as Presentation Server) also virtualizes and isolates the application from anything that may be running on the client, allowing even for control over local copy, paste, print, and local drive usage." This clearly meets the spirit of Requirement 2.3.

More information:

Learn about applying ISO 27002 to PCI DSS compliance.
How expensive are IPsec VPNs to set up? Read this security expert response.

BROWSE BY TAG

Expert Archive: Security Management, Security Audit, Compliance and Standards, PCI Data Security Standard, IPsec VPN Security, Secure VPN Setup and Configuration, Enterprise Network Security, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Expert Archive: Security Management
	What is the GISP certification and how does it compare to the CISSP certification?
	Using a QSA to write up a PCI DSS report on compliance (ROC)
	How can gap analysis be applied to the security SDLC?
	Comparing cheap security products and appliances to costly appliances
	What are some tips on protecting my security budget in a poor economy?
	What value do research firms provide to their subscribing enterprises?
	What certificate offers the best ROI for an IT project manager?
	Is insider activity or outsider activity a bigger enterprise threat?
	How does information security prevent fraud in the enterprise?
	Differences between an SAS 70 data center and a Tier III data center

PCI Data Security Standard

Chip and PIN adoption

Chip and PIN adoption serves lesson for U.S. payment industry

Heartland CIO is critical of First Data's credit card tokenization plan

Heartland CIO on end-to-end encryption, credit card tokenization

Heartland CIO on PCI, E3 project

Wireless network guidelines for PCI DSS compliance

Visa probes tokens, encryption for PCI card data protection

Feds push cybersecurity jobs, PCI DSS changes ahead.

Voltage, RSA spar over tokenization, data protection

Experts, vendors search for PCI's holy grail

IPsec VPN Security

Best Remote Access Products

How to set up a split-tunnel VPN in Windows Vista

What is the difference between a VPN and remote control?

A short enterprise VPN deployment guide

From the ground up: Creating secure WLANs

Can S/MIME, XML and IPsec operate in one protocol layer?

How to create a secure network through a shared Internet connection

What firewall controls should be placed on the VPN?

VoIP tools, attacks could increase threat

Best practices for processing financial data through remote servers

IPsec VPN Security Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

PCI DSS (Payment Card Industry Data Security Standard ) (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy