T 2.153 Improper protection of the transmission route in a terminal server environment

Terminal servers allow applications to be executed centrally on an IT system by physically remote clients. Depending on the requirements, the clients may access the terminal server via LAN or even via public networks such as the Internet. If the information required for this is transmitted between the clients and the server without any protection, sensitive information may be tapped or entire sessions on the terminal server may be taken over, particularly when public networks are used. If a session is taken over, an attacker could obtain all rights of that user without having to overcome the security barriers of each individual service.

The following information transmitted between the terminal server and the clients may be tapped or modified:

Furthermore, information is also transmitted to devices of the terminal that are redirected to the server, e.g.

In their default configuration, older terminal server services, e.g. the Microsoft Windows Terminal Server 2000, only use unidirectional, protocol-internal encryption to protect the user input in transit. The terminal server, however, returns this information for display on the terminal in graphical form without any encryption.

In Windows Server 2003 and higher, Microsoft uses bidirectional encryption in the default configuration. For this, an encryption method must be negotiated between the client and the server in advance. When the "client compatible mode" is used, for example, it is the client that determines which method is selected. If an insufficient method is selected, for example one with encryption procedures deemed insecure or with keys that are too short, the communication between the client and the server may likewise be read or modified.
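The following audit script is an added example and not part of the catalogue entry. It reads the RDP listener settings that govern the negotiation described above from the documented RDP-Tcp registry key and flags a configuration in which the client may negotiate a weak or one-way method; the remediation function beside it shows the corrected values. The key path and value meanings are assumed to be those documented for Windows Terminal Services.

```powershell
# Added audit example (not part of the BSI catalogue entry).
# Assumed location of the RDP listener settings: the RDP-Tcp WinStation key.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# MinEncryptionLevel as documented for Terminal Services:
#   1 = Low              (client-to-server data only, i.e. the unidirectional case)
#   2 = Client Compatible (negotiated down to whatever the client supports)
#   3 = High              (128-bit encryption in both directions)
#   4 = FIPS Compliant
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
# SecurityLayer: 0 = RDP security layer only, 1 = negotiate, 2 = TLS required
$SecurityLayers  = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'TLS' }

function Test-RdpTransportHardening {
    param([string]$Path = $Key)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    $findings = @()
    if ($p.MinEncryptionLevel -lt 3) {
        $lvl = $EncryptionLevels[[int]$p.MinEncryptionLevel]
        $findings += "MinEncryptionLevel=$($p.MinEncryptionLevel) ($lvl): client may select a weak or one-way method"
    }
    if ($p.SecurityLayer -lt 2) {
        $sl = $SecurityLayers[[int]$p.SecurityLayer]
        $findings += "SecurityLayer=$($p.SecurityLayer) ($sl): TLS not enforced, server identity not verified by the client"
    }
    if ($p.UserAuthentication -ne 1) {
        $findings += "UserAuthentication=$($p.UserAuthentication): Network Level Authentication disabled"
    }
    [pscustomobject]@{ Path = $Path; Hardened = ($findings.Count -eq 0); Findings = $findings }
}

# Remediation: the corrected settings beside the weak ones they replace.
function Set-RdpTransportHardening {
    param([string]$Path = $Key)
    Set-ItemProperty -Path $Path -Name MinEncryptionLevel -Value 3   # replaces 1 (Low) / 2 (Client Compatible)
    Set-ItemProperty -Path $Path -Name SecurityLayer      -Value 2   # replaces 0 (RDP) / 1 (Negotiate)
    Set-ItemProperty -Path $Path -Name UserAuthentication -Value 1   # require NLA before a session is created
}

Test-RdpTransportHardening | Format-List
```

Run the audit on every terminal server of the estate, not only on the clients, since in the scenario above it is the server that still accepts the weaker method.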

X-Window does not provide for any encryption between the server and the client. Without additional mechanisms such as SSH tunnelling or a VPN, the flow of data may likewise be viewed or manipulated.

Example:

An employee uses the ERP system of the company with the help of a terminal server client at her telecommuter workplace. The system administrator configured this workplace with bidirectional encryption, but the terminal server also permits connections with only unidirectional cryptographic protection. Due to an operating error, the employee deletes the configuration of her client, but is able to restore the connection since she knows the access information. In doing so, due to a lack of technical knowledge, she does not notice the insecure configuration of the return channel. An industrial spy manages to eavesdrop on the session via the Internet and thereby obtains confidential figures from the company's balance sheet.