S 2.464 Drawing up a security policy for the use of terminal servers
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
When using terminal server systems, suitable security policies must be drawn up. The rules and objectives documented in writing therein must reflect the individual conditions and requirements of a secure terminal server environment. The general security concept, the security policy, and the security policies derived from it constitute the framework into which the terminal server-specific extensions should integrate consistently. The policies must be checked regularly to ensure they are up to date and must be modified where necessary. The terminal server-specific rules can be added to the existing policies or collected in a separate document.
The policies should contain the following items, amongst other things:
- The minimum requirements the clients must meet in order to be used for accessing the terminal server.
- The environment these clients are allowed to access. In particular, critical access options, e.g. at a telecommuter workplace, from an internet café, or using a notebook in an insecure WLAN (see also S 2.389 Secure use of hotspots), should be addressed.
- Additional devices that may be connected to clients (printers, USB sticks, other terminal devices).
- The internal and/or external networks the terminal server environment may be connected to.
- The information or downstream services that may be accessed using terminal server systems and who is allowed to access these.
- Security safeguards and a default configuration should be defined for all terminal server components.
- When security problems are suspected, the IT Security Officer must be informed so that additional steps can be taken (see also S 1.8 Handling of security incidents).
- Not only administrators but also the users of terminal servers should be informed of and/or trained on the threats entailed by the use of the terminal server architecture and on the security safeguards to follow.
- The correct implementation of the security safeguards described in the security policies should be checked regularly.
User guidelines for terminal server environments
In order to avoid overloading users with too many details, it may make sense to create separate user guidelines for terminal server environments. These user guidelines should briefly describe the particularities of using terminal servers, for example:
- Which internal and/or external networks may be used to access the terminal server system?
- What are the general conditions for the users to be allowed to log in to the environment?
- May third party clients be used and if so, how?
- What steps must be taken if the terminal server or the client has (presumably) been compromised, and who must be informed?
It is also important to clearly describe how to handle security solutions on the clients. This includes, for example, rules stating the following:
- security-relevant configurations must not be changed or passed on to third parties, and
- only expressly approved versions of the terminal software may be used.
When accessing terminal servers using a remote network, it must be ensured that
- an anti-virus scanner is enabled at all times,
- an existing personal firewall may not be disabled (see also S 5.91 Use of personal firewalls for clients), and
- the user must agree to verification of the client's authenticity by a security gateway, since otherwise only limited access, or no access at all, will be granted.
Terminal server sessions can be disconnected during use, either deliberately or because the connection is interrupted. Applications that have already been started normally continue to run, and the session can be resumed at a later point in time. So that maintenance work on the servers is not impaired and data is not lost due to regular restart cycles, the user guidelines must therefore define secure behaviour for handling sessions:
- Sessions interrupted due to disrupted connections should be continued as soon as possible.
- Users should be made aware of the maximum duration of their terminal server session.
- At the end of the period of use at the latest, the user must close the remotely executed programs and log out of the terminal server session properly.
Furthermore, the guidelines should specify which data may be used via terminal server systems and which data is permitted to be transmitted to the client, especially with regard to classified information such as classified materials. Users' awareness of terminal server threats and of the contents and consequences of the terminal server policy should be raised.
Guidelines for administrators
In addition, terminal server-specific guidelines for administrators should be drawn up which can be used as the basis for administrator training. These guidelines should specify who is responsible for administering the different terminal server components, which interfaces exist between the responsible administrators, and when which information must be exchanged between the persons in charge. It is quite common for one organisational unit to be responsible for operating the terminal server farm while a different organisational unit is responsible for supporting the clients, for identity and authorisation management, or for perimeter protection.
The terminal server guidelines for administrators should also contain the essential core aspects of the operation of a terminal server infrastructure, for example:
- specification of a secure terminal server configuration and definition of secure default configurations for client systems
- configuration of any present administration servers for terminal servers
- procedures for the administrative implementation of individual user authorisations for accessing files and applications
- procedures for the administrative implementation of individual user authorisations for accessing downstream services (backends) and networks
- selection and configuration of encryption procedures when establishing terminal server sessions using insecure networks
- handling of session interruptions
- rules for restart cycles to prevent memory leaks and processor problems and to carry out maintenance windows
- regular evaluation of log files
- performing tests and monitoring network and system utilisation
- initial operation of replacement systems
- safeguards for compromised terminal servers
When terminal servers are used, administrators are often provided with the option of mirroring sessions (shadowing). Data protection requirements must be taken into account in this case. Monitoring sessions without the user's express consent, for example, violates the personal rights of the user. The use of this function must therefore be regulated in the administrator guidelines.
All terminal server users, whether general users or administrators, should confirm with their signature that they have read the content of the security policy and will follow the instructions defined in it. No one should be allowed to use these systems without this written confirmation. The signed declarations should be kept in a suitable location, for example in the personnel file.
Review questions:
- Have security policies been drawn up for the terminal server administrators and users?
- Are the policies governing the use of terminal servers checked for up-to-dateness and adapted regularly, if required?
- Are all users and administrators required to confirm that they have read the terminal server security policy and will follow the instructions defined in it?