S 2.469 Orderly withdrawal from operation of components in a terminal server environment
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
If terminal servers, clients connected to terminal servers or infrastructure components of a terminal server environment are to be withdrawn from operation, the necessary steps must be planned carefully.
As with safeguard S 2.320 Orderly withdrawal from operation of servers, it must thus be ensured that
- no important data are lost within the terminal server environment,
- no applications, clients or downstream services connected to the application servers are impaired and
- no sensitive data are left behind on the data media of the terminal server and client infrastructure.
It is therefore especially important to gain an overview of which data are stored at which location on the system and from where they are accessed. In the following, the aspects from S 2.320 Orderly withdrawal from operation of servers that are to be taken into account are thus specified in this safeguard in more detail with respect to terminal server environments.
- Scope of the data backup
The following information should be backed up at regular intervals:
  - User profiles,
  - Information stored on the license server,
  - Authentication information,
  - Configuration of the session database (Session Directory), if any,
  - Configuration of the Independent Management Architecture (IMA) data store for Citrix systems,
  - Administration tools used,
  - Any previously defined, tested and properly functioning system states of the terminal server,
  - Any previously defined, tested and properly functioning system states of the client.
- Backup system
For the maintenance and disposal of terminal servers in a terminal server farm, it makes sense to define a standard architecture. This means that only similar server hardware with an identical software version is used within a terminal server farm. IT systems based on a standard architecture have the advantage that commercially available backup systems and replacement parts can be procured or purchased in advance. In the event of a defect, the defective device can be replaced promptly and at a reasonable price.
- Informing the users
The users should be informed on how and when the terminal server is to be withdrawn from operation. If the users still have sessions open on the terminal server, they must be asked to terminate them beforehand.
- Removing references to the system
In order to be able to shut down the terminal server, the users must be prevented in advance from logging on to the system so that no session is terminated abruptly when the system is switched off. If load balancers or other internal load distribution systems are used to distribute the load evenly across different terminal servers, the terminal server to be shut down should be removed from the available load distribution plans in advance.
- Deleting data on the system to be shut down
In order to prevent sensitive information from being readable by unauthorised persons, the following information should be deleted from the terminal server:
  - User profiles,
  - Authentication information,
  - Certificates.
If not only individual terminal servers but the entire terminal server environment is to be removed, the following information must be deleted:
  - Sensitive data in the session database,
  - Independent Management Architecture (IMA) data stores for Citrix systems,
  - Zone Data Collector (ZDC) for Citrix systems,
  - Any temporary files such as bitmaps on the clients and any caches.
- Erasing data backup media
It is recommended to erase all data backup media after the withdrawal from operation. Data backups of terminal servers that are used redundantly or are identical to other terminal servers are an exception. In this case, it might be necessary under certain circumstances to restore the backed-up information on the remaining terminal servers.
- Removal of other information
Before a terminal server is disposed of, components such as USB sticks and memory cards should be removed and information that is not stored on the hard disks should be deleted. This includes, for instance, Preboot eXecution Environment (PXE) information and BIOS settings. Remote maintenance cards and labels should also be removed.
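The steps "Informing the users" and "Removing references to the system" above, carried out on a Windows Remote Desktop Session Host, as an added example that is not part of this safeguard: the host is put into drain mode so that no new logons are accepted, users with open sessions are notified, and the script refuses to declare the host ready for shutdown while sessions remain. It assumes an elevated PowerShell on the host itself and the built-in tools change.exe, query.exe, msg.exe and logoff.exe; the parameter names and the grace period are the example's own choices.

```powershell
# Added example (not part of the BSI safeguard): drain a Windows RD Session Host
# before withdrawal from operation. Run elevated on the host itself.
param(
    [int]$GraceMinutes = 30,   # time users get to save their work and log off
    [switch]$ForceLogoff       # log off sessions that are still open afterwards
)

function Get-UserSessions {
    # Parse the table printed by 'query session' into objects with session ID and
    # state. The listener ("Listen"), the services session and the console are skipped.
    query session 2>$null | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match '^\s*>?(services|console)\s') { return }
        if ($_ -match '\s(\d+)\s+(Active|Disc)\b') {
            [pscustomobject]@{ Id = [int]$matches[1]; State = $matches[2]; Line = $_.Trim() }
        }
    }
}

# 1. Prevent new logons; existing sessions keep running until they end.
#    Drain mode stays in effect until 'change logon /enable' is run or the host reboots.
change logon /drain
if ($LASTEXITCODE -ne 0) { throw "Could not enable drain mode; aborting withdrawal." }

# 2. Inform users who still have sessions open (message stays on screen for 5 minutes).
$sessions = @(Get-UserSessions)
if ($sessions.Count -gt 0) {
    msg * /time:300 "This terminal server is being withdrawn from operation. Please save your work and log off within $GraceMinutes minutes."
}

# 3. Wait for the sessions to end, polling once a minute until the grace period expires.
$deadline = (Get-Date).AddMinutes($GraceMinutes)
while ((Get-Date) -lt $deadline) {
    $sessions = @(Get-UserSessions)
    if ($sessions.Count -eq 0) { break }
    Start-Sleep -Seconds 60
}

# 4. Only report the host as ready when no user session (active or disconnected) remains.
$sessions = @(Get-UserSessions)
if ($sessions.Count -gt 0) {
    $sessions | ForEach-Object { Write-Warning "Session still open: $($_.Line)" }
    if ($ForceLogoff) {
        $sessions | ForEach-Object { logoff $_.Id }
    } else {
        throw "Open sessions remain; rerun with -ForceLogoff or extend the grace period."
    }
}
Write-Host "No user sessions remain; the host can now be removed from load distribution and shut down."
```

Removing the host from the load balancer and deleting profiles, authentication information and certificates remain separate steps to be carried out after this script reports that no sessions remain.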
Review questions:
- Are there rules for the withdrawal from operation of the terminal server?
- Were the users instructed to terminate their sessions prior to the withdrawal from operation of terminal servers?
- If data of the users is on the terminal servers, was it previously backed up?
- Were the terminal servers to be disposed of removed from the load distribution plans?
- Was all confidential data on the data media destroyed prior to any disposal of the terminal servers?