S 4.367 Secure use of client applications for terminal servers
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Terminal server services are often accessed from client systems with a stand-alone operating system (fat clients). In such an environment, users often have options for changing the configuration or the client software. For example, a user may reduce the security of his/her own connection or disclose details about the internal structure of the information system to unauthorised third parties.
To prevent this, all connection parameters, such as the depth of encryption and the encryption procedure, should be specified on the server side by the administrators as far as possible. Information channels such as the integration of local drives, printers, interfaces, or the clipboard should also be controlled in this way. However, within the terminal server solution used, this cannot always be achieved centrally, per user, and for all settings. Furthermore, the requirements of the users may vary strongly.
In terminal server environments with normal protection requirements, the user guidelines must specify that users must under no circumstances pass configuration data, e.g. from .ICA or .RDP files, to unauthorised persons. Moreover, users must not modify specified settings or attempt to access deviating server addresses. More information on the design of appropriate guidelines can be found in safeguard S 2.464 Drawing up a security policy for the use of terminal servers. In information systems with high and very high protection requirements, these organisational specifications alone are insufficient.
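The following check is an added example, not part of the original safeguard: it compares the contents of an .RDP file with an administratively defined baseline for the information channels and server addresses discussed above. The baseline values, the approved host names and the sample file are assumptions constructed for illustration.

```python
# Assumed baseline an administrator might mandate; adjust to local policy.
BASELINE = {
    "redirectclipboard": "0",     # clipboard channel off
    "redirectprinters": "0",      # local printers not mapped
    "redirectcomports": "0",      # serial interfaces not mapped
    "drivestoredirect": "",       # no local drives mapped
    "authentication level": "1",  # do not connect if server authentication fails
}
ALLOWED_SERVERS = {"ts01.example.internal", "ts02.example.internal"}  # hypothetical


def parse_rdp(text):
    """Return {name: value} from 'name:type:value' lines, names lower-cased."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def audit_rdp(text):
    """Return sorted findings; an empty list means the file matches the baseline."""
    settings = parse_rdp(text)
    findings = []
    for name, required in BASELINE.items():
        actual = settings.get(name)
        if actual is None:
            # Missing key: the client falls back to its own default, so flag it.
            findings.append(f"{name}: not set (baseline requires {required!r})")
        elif actual != required:
            findings.append(f"{name}: {actual!r} deviates from baseline {required!r}")
    server = settings.get("full address", "")
    host = server.rsplit(":", 1)[0] if server.count(":") == 1 else server
    if host.lower() not in ALLOWED_SERVERS:
        findings.append(f"full address: {server!r} is not an approved server")
    return sorted(findings)


# Constructed sample file contents, not taken from a real deployment.
SAMPLE = """full address:s:ts01.example.internal:3389
redirectclipboard:i:1
redirectprinters:i:0
drivestoredirect:s:*
authentication level:i:1
"""

if __name__ == "__main__":
    print("\n".join(audit_rdp(SAMPLE)))
```

The functions take already decoded text; .RDP files saved by the Windows client are commonly stored as UTF-16 and must be decoded accordingly before the check.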
Where organisational specifications are insufficient, one possible alternative is the use of non-configurable client programs such as the so-called gray version of the Citrix Program Neighborhood. A prerequisite for this is that the client on which the terminal software is provided is controlled entirely by the IT administration. Moreover, any write access to the files of the client software must be prevented effectively.
However, developer systems on which connection establishment may be monitored or manipulated, e.g. with the help of software analysis tools (debuggers) or network monitors (sniffers), are not suitable for this procedure. With such tools, automatic authentication (pass-through authentication) in particular may be bypassed easily.
If the local installation of the terminal software and its configuration on the users' computers are dispensed with, the security shortcomings mentioned above may be avoided. This can be implemented with the help of portal solutions, such as:
- Microsoft Terminal Server Web-Access
- Citrix Access Gateway
- NX-Builder for X-Window systems
Where users authenticate to a portal solution over an insecure network, two-factor authentication is recommended.
When client software is delivered for terminal servers using web servers, restrictive specifications regarding the configurability of the client are not normally provided by default. Therefore, these must be specified administratively before commissioning the terminal server environment. Moreover, the corresponding safeguards from module S 5.4 Web server must be taken into consideration for the portal.
Review questions:
- Have all connection parameters, such as the depth of encryption and the encryption procedure, been specified administratively for the terminal server?
- Have the users of the terminal servers been informed about their obligations regarding the protection of the confidentiality of the configuration data?
- Has special client software been designed for using the terminal server or are portal solutions used for systems with high or very high protection requirements?