
How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions?

What's the best way to comply with PCI DSS without having to create a secure IPsec tunnel with every connection to critical systems? Security management expert Mike Rothman gives his advice.

How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions to critical systems? I've heard that built-in encryption that uses Microsoft Terminal Services still leaves usernames and passwords in the clear. I don't want to have to build an IPsec tunnel to a server every time I am connecting to it using a terminal service. Any suggestions or comments?

PCI DSS Requirement 2.3 reads:
"Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access."

There are two main ways to address this issue. For non-Windows systems, most people use the Secure Shell (SSH) network protocol to gain access to their critical systems securely. SSH is available for Windows devices as well, so that is certainly an option. Also, the overhead in setting up SSH should present less of an issue than IPsec, given IPsec's complicated configuration and requirement for changes at the network level.

Other companies use VPN technology for almost everything. Enterprises establish a VPN connection with remote sites, so all of their traffic is encrypted; it then makes no difference whether RDP or terminal services would otherwise transmit the user ID and password in the clear, because the VPN protects them on the wire.

Finally, there are other commercial options, like Citrix Systems Inc.'s XenApp (formerly Presentation Server), that can establish a secure connection to a console running in the data center. In fact, any kind of terminal server (including Microsoft Terminal Server 2008 or other thin client solutions) provides this capability, since the application actually "runs" within the datacenter and the communications between terminal and host are encrypted. Again, the user ID and password would never leave the facility, and the connection to the server, which sends only the screen images to the device, is secure.

According to Kurt Roemer, Citrix's chief security strategist: "The Citrix ICA protocol encrypts the communication channel between the user and the application, giving encryption (and strong authentication, if required) to any type of application and console access. XenApp (formerly known as Presentation Server) also virtualizes and isolates the application from anything that may be running on the client, allowing even for control over local copy, paste, print, and local drive usage." This clearly meets the spirit of Requirement 2.3.

This was last published in March 2008
