S 3.305 Terminal servers

Description

Terminal servers provide central resources that several clients are able to use. These resources can be parts of the server operating system, standard applications or command lines. In this manner, applications can be provided without having to install them on the clients. Normally, several clients can simultaneously access the applications offered by the terminal server via the network.

Terminal servers are a particularly centralised form of client/server architecture. Applications are installed on high-performance terminal servers and are started, controlled and displayed from the clients. This input and output can be handled by relatively simply equipped workstation computers (fat clients) running the corresponding client software. In addition, there are solutions which use dedicated terminals (thin clients).

This module illustrates a systematic method for creating a concept for the use of terminal servers in an organisation and how its implementation and integration can be ensured. It can be applied to any terminal server of the information system examined.

Scope of the module

This module only covers threats and safeguards specific to terminal servers. Therefore, module S 3.101 General server must also be taken into account. If an independent operating system is run on the terminal server client and if this has not been obtained from the server, module S 3.101 General server must also be taken into consideration. There are terminal server services for a large number of operating systems, for example Unix and/or Linux, Microsoft Windows and z/OS. The implementation in each individual case differs greatly in many aspects, for example in the

For the security of a terminal server, it is therefore absolutely necessary to also use modules describing the specific operating system.

Threat scenario

The following typical threats to the IT-Grundschutz of a network based on a terminal server are assumed to exist:

Force Majeure

T 1.2 Failure of the IT system

Organisational Shortcomings

T 2.7 Unauthorised use of rights
T 2.32 Inadequate line bandwidth
T 2.36 Inappropriate restriction of user environment
T 2.153 Improper protection of the transmission route in a terminal server environment
T 2.154 Improper applications for the use on terminal servers

Human Error

T 3.9 Improper IT system administration
T 3.16 Incorrect administration of site and data access rights
T 3.38 Errors in configuration and operation

Technical Failure

T 4.10 Complexity of access possibilities to networked IT systems
T 4.12 Lack of authentication possibilities between X server and X client
T 4.22 Software vulnerabilities or errors
T 4.33 Poor-quality or missing authentication
T 4.35 Insecure cryptographic algorithms
T 4.81 Extended rights due to program dialogues on terminal servers
T 4.82 Failed or unavailable terminal servers

Deliberate Acts

T 5.19 Abuse of user rights
T 5.23 Malicious software
T 5.112 Manipulation of ARP tables
T 5.161 Falsified responses to XDMCP broadcasts on terminal servers
T 5.162 Redirecting X-Window sessions

Method recommendation

To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.

A series of safeguards must be implemented to set up a terminal server successfully, starting with the design and purchasing and continuing through operation of the server. The steps to be followed in this case as well as the safeguards to be implemented in each phase are listed in the following.

Planning and design

When planning a terminal server, a host of general conditions must be taken into consideration. As a first step, the general security policy should be supplemented by a detailed policy for terminal servers (see S 2.464 Drawing up a security policy for the use of terminal servers). The rules and objectives documented in writing therein must reflect the individual conditions and requirements of a secure terminal server environment. When migrating an existing client/server architecture to a terminal server-supported environment, it must be checked carefully before implementation whether the applications to be migrated are suitable for this at all (S 2.466 Migration to a terminal server architecture).

Within multi-user environments, e.g. terminal server systems, separating the users from each other and from risky system functions is of critical importance. In order to guarantee smooth operations and to protect the confidentiality of the data processed in the individual user sessions, the rights must be granted restrictively (see S 5.163 Restrictive granting of access rights on terminal servers).

Terminal servers can be used to ensure that clients can access contents in insecure networks, for example web sites with active contents. Instead of the client, the terminal server communicates via the insecure network; the client is only sent the contents. A terminal server accessing the insecure network instead of the client is referred to as graphical firewall (see safeguard S 4.365 Use of a terminal server as graphical firewall).

Purchasing

If applications hitherto used in a client/server-based network architecture are to be provided centrally on a terminal server, agreements relevant from a licensing law point of view must be reviewed prior to the migration and, if necessary, new software is to be purchased (see S 2.468 Licensing software in terminal server environments).

Implementation

Some aspects of administering a terminal server infrastructure must be explained to administrators and users who have no previous experience with it. All persons working with a terminal server system should therefore receive corresponding training (see S 3.81 Training on the secure use of terminal servers).

Operation

Users must be prevented from changing the user environment on the terminal servers and must only be able to access those resources which they are allowed to access (see S 4.367 Secure use of client applications for terminal servers). If the connection between the terminal servers and their clients is established via an insecure network, precautions must be taken to ensure that communication cannot be listened in on, modified or impaired (see S 5.164 Secure use of a terminal server from a remote network).
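On a Unix/Linux terminal server whose remote clients reach their X sessions through Secure Shell (S 5.64, S 5.164), the relevant transport protection is largely decided by the SSH server configuration. The following audit script is an added example and is not part of the IT-Grundschutz module or of any vendor's tooling; the checks it applies, the expected values and the two sample configurations are assumptions of this example. It reads an OpenSSH sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored, settings after the first Match block left aside) and reports settings that would expose a forwarded X display outside the tunnel (T 4.12, T 5.162), permit interactive root sessions (T 2.7) or offer obsolete cryptography (T 4.35):

```shell
#!/bin/sh
# Added example (not part of the IT-Grundschutz module): audit an OpenSSH server
# configuration on a Unix/Linux terminal server for settings that weaken an
# SSH-tunnelled X11 session from a remote client. The checks, the expected
# values and the sample configurations are assumptions of this example.

# sshd_value FILE KEYWORD
# Print the value of KEYWORD from FILE, lower-cased (sshd keywords are
# case-insensitive). As in sshd, the first occurrence wins; comments, blank
# lines and everything after the first "Match" block are ignored. Assumes
# the "keyword value" form separated by whitespace.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !found { val = tolower($2); found = 1 }
        END { if (found) print val }
    ' "$1"
}

# audit_sshd_config FILE
# Print one finding per line (nothing for a clean file); always returns 0.
audit_sshd_config() {
    f="$1"
    # X11UseLocalhost defaults to yes. "no" binds the forwarded display to all
    # interfaces, so other hosts can reach the X session outside the tunnel.
    case "$(sshd_value "$f" X11UseLocalhost)" in
        no) echo "X11UseLocalhost no: forwarded X display reachable outside the SSH tunnel (T 4.12, T 5.162)" ;;
    esac
    # Interactive root sessions contradict restrictive rights on a multi-user server.
    case "$(sshd_value "$f" PermitRootLogin)" in
        yes) echo "PermitRootLogin yes: interactive root sessions on the terminal server (T 2.7, S 5.163)" ;;
    esac
    # Legacy option; version 1 of the protocol uses insecure cryptography.
    case "$(sshd_value "$f" Protocol)" in
        *1*) echo "Protocol 1 offered: obsolete SSH protocol version (T 4.35)" ;;
    esac
    # Explicit cipher lists that still include arcfour, 3des or CBC modes.
    case "$(sshd_value "$f" Ciphers)" in
        *arcfour*|*3des*|*-cbc*) echo "Ciphers: weak cipher in the offered list (T 4.35)" ;;
    esac
    return 0
}

# count_findings FILE: number of findings as a plain integer.
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample configurations (not taken from any real system).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_CONF="$WORKDIR/sshd_config.weak"
HARDENED_CONF="$WORKDIR/sshd_config.hardened"

cat > "$WEAK_CONF" <<'EOF'
# terminal server, as found (constructed sample)
Protocol 2,1
PermitRootLogin yes
X11Forwarding yes
X11UseLocalhost no
Ciphers aes128-ctr,arcfour
EOF

cat > "$HARDENED_CONF" <<'EOF'
# terminal server, hardened (constructed sample)
PermitRootLogin no
X11Forwarding yes
X11UseLocalhost yes
Ciphers aes256-gcm@openssh.com,aes128-ctr
Match User audit
    X11Forwarding no
EOF

for c in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "== $c: $(count_findings "$c") finding(s)"
    audit_sshd_config "$c"
done
```

Run against a real server, point `audit_sshd_config` at /etc/ssh/sshd_config; the sample run reports four findings for the weak configuration and none for the hardened one. The script deliberately stops at the first Match block, so settings that apply only to particular users or networks (as in the hardened sample) must still be reviewed by hand or with `sshd -T`, which prints the effective configuration.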

Disposal

If terminal servers, clients connected to terminal servers or infrastructure components of a terminal server environment are to be withdrawn from operation, safeguard S 2.469 Orderly withdrawal from operation of components in a terminal server environment should be taken into consideration.

Contingency Planning

As a large number of users can be affected by the failure of a terminal server environment in most cases, safeguards must be taken so that the damage is reduced in the event of a failure. By means of terminal server systems, high availability requirements can also be met (see S 6.142 Use of redundant terminal servers).

If a terminal server client fails, the applications on the terminal server are no longer available to the user affected. For this reason, replacement devices could be kept available when using terminals without a separate operating system (thin clients) (S 6.143 Provision of terminal server clients from depot maintenance).

If the applications are installed both on the terminal server and on the client PCs as a precaution, emergency operations can be maintained temporarily in the event of a failure (S 6.144 Configuration of terminal server clients for dual use as normal client PCs).

The bundle of safeguards for the "Terminal servers" module is presented in the following.

Planning and design

S 2.464 (A) Drawing up a security policy for the use of terminal servers
S 2.465 (A) Analysis of the required system resources of terminal servers
S 2.466 (A) Migration to a terminal server architecture
S 2.467 (C) Planning regular restart cycles of terminal servers
S 4.250 (Z) Selection of a central, network-based authentication service
S 4.365 (Z) Use of a terminal server as graphical firewall
S 5.64 (Z) Secure Shell
S 5.162 (A) Planning the bandwidth when using terminal servers
S 5.163 (A) Restrictive granting of access rights on terminal servers

Purchasing

S 2.468 (Z) Licensing software in terminal server environments

Implementation

S 3.81 (C) Training on the secure use of terminal servers
S 4.9 (A) Use of the security mechanisms of X Windows
S 4.106 (A) Activation of system logging
S 4.366 (B) Secure configuration of moving user profiles in terminal server environments
S 5.72 (A) Deactivation of unnecessary network services

Operation

S 2.273 (A) Prompt installation of security-relevant patches and updates
S 4.3 (A) Use of virus protection programs
S 4.367 (B) Secure use of client applications for terminal servers
S 4.368 (B) Regular audits of the terminal server environment
S 5.164 (B) Secure use of a terminal server from a remote network

Disposal

S 2.469 (A) Orderly withdrawal from operation of components in a terminal server environment

Contingency Planning

S 6.142 (Z) Use of redundant terminal servers
S 6.143 (C) Provision of terminal server clients from depot maintenance
S 6.144 (Z) Configuration of terminal server clients for dual use as normal client PCs