S 4.368 Regular audits of the terminal server environment

Initiation responsibility: Head of IT

Implementation responsibility: Auditor, Administrator

All components of the terminal server infrastructure must be checked regularly to confirm that all specified security safeguards have been implemented and are configured correctly. Along with the terminal servers themselves, this includes administration services such as session databases and license servers, as well as elements of the security infrastructure.

In particular, authentication servers and the security gateways at the transition points between the networks to which the terminal server environment is connected should be audited regularly. This also applies to routers, firewalls, and the switches forming VLANs. Web portals (see S 5.4 Web server) that may deliver applications as intermediate links must also be taken into consideration.

The logged data of the individual components may provide important information about critical incidents. Logging usually generates such a large number of entries that a reasonable evaluation is only possible with a tool.

When checking for possible security events, the entries about login and logout procedures and the periods during which users were active should be analysed. Sessions that have been mirrored (shadowed) without authorisation should also be taken into consideration.
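As an added illustration of the tool-based log evaluation described above (this script is not part of the safeguard text or of any product), the following Python code parses a constructed, hypothetical terminal server log and flags out-of-hours logins, overlong sessions and shadowing by operators outside an assumed allow-list. The log format, hostnames, user names, working hours and thresholds are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical line format (not real product output).
SAMPLE_LOG = """\
2024-03-04T08:02:11 ts01 LOGIN user=alice src=10.0.5.21 session=17
2024-03-04T08:05:40 ts01 LOGIN user=bob src=10.0.5.22 session=18
2024-03-04T12:10:03 ts01 LOGOUT user=alice session=17
2024-03-04T23:41:09 ts01 LOGIN user=carol src=10.0.9.77 session=19
2024-03-04T23:50:00 ts01 SHADOW operator=mallory target_session=18
2024-03-05T00:30:12 ts01 LOGOUT user=carol session=19
2024-03-05T17:05:00 ts01 LOGOUT user=bob session=18
"""

LINE_RE = re.compile(r"(\S+) (\S+) (LOGIN|LOGOUT|SHADOW) (.*)")
AUTHORISED_SHADOW_OPERATORS = {"admin1"}  # assumption: approved support staff only
WORK_HOURS = (7, 19)  # assumption: logins outside 07:00-19:00 are reviewed

def parse(log):
    """Turn each log line into (timestamp, host, event kind, key=value fields)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently trusted
        ts, host, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), host, kind, fields))
    return events

def audit(log, max_session=timedelta(hours=12)):
    """Return a list of human-readable findings for an auditor to follow up."""
    findings, open_sessions = [], {}
    for ts, host, kind, f in parse(log):
        if kind == "LOGIN":
            open_sessions[f["session"]] = (f["user"], ts)
            if not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]:
                findings.append(f"out-of-hours login {f['user']} on {host} at {ts}")
        elif kind == "LOGOUT":
            user, start = open_sessions.pop(f["session"], (f["user"], None))
            if start is not None and ts - start > max_session:
                findings.append(f"overlong session {f['session']} for {user}: {ts - start}")
        elif kind == "SHADOW" and f["operator"] not in AUTHORISED_SHADOW_OPERATORS:
            findings.append(f"unauthorised shadowing of session {f['target_session']} by {f['operator']}")
    for sid, (user, start) in open_sessions.items():
        findings.append(f"session {sid} for {user} opened {start} and never logged out")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```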

The utilisation of resources such as storage, processor, and hard disc space, as well as the bandwidth used in the network and the number of active sessions, are important aspects of the availability of the terminal server environment. In order to assess developments in these areas properly, the corresponding analyses must be performed in advance (see S 2.465 Analysis of the required system resources of terminal servers and S 5.162 Planning the bandwidth when using terminal servers). Only then can reliable conclusions be drawn about bottlenecks in the specific terminal server environment.

Along with the information that can be taken from the logged data, it is essential to check the secure basic configuration of the terminal servers. The safeguards implemented for hardening the terminal server systems, their file systems, and the downstream services should be checked at least on a spot-check basis.

Particular attention should be paid to forgotten temporary files that may be present after automatic installation, since these often contain critical information such as unencrypted login data.

Moreover, the client systems used to access terminal servers must be subject to regular audits. If there are numerous client systems, spot checks should be performed at a minimum. First, the configuration of any locally installed client software must be checked for unauthorised modifications. If specialised printer drivers are used for terminal server operation, these should also be audited. Furthermore, for clients with a stand-alone operating system (fat clients), the version status of the operating system as well as the currency and integrity of the client software and the anti-virus program must be checked.

Along with the technical means of analysing security, interviews with users may reveal reliability problems or security incidents.

If any irregularities or vulnerabilities are found, they must be documented, together with how they are to be handled.

Along with the audits of the individual terminal server components, the policy governing the secure use of terminal servers should be audited regularly as well. It should be assessed whether the safeguards implemented to secure the terminal server environment still correspond to the current state of the art and whether the underlying protection requirements are still valid.

In addition, it should always be examined whether all users have been informed of the security safeguards that are necessary and relevant for terminal server operations, and whether they implement these safeguards.

Moreover, it must be defined who checks logs and audit data. There must be an appropriate separation between the person causing an event and the person auditing it (e.g. administrator and auditor). In particular, the legal requirements regarding data protection must be observed for all collected data.

Review questions: