Chapter 1: Terminal Server and Enterprise Security

Chapter Overview:
This chapter begins with a high level overview of Terminal Server, Terminal Server security considerations, and an introduction to Enterprise Architecture. It continues with a brief introduction to the written policies in this book and concludes with a high level overview of the Control Frameworks and Management Standards that are referenced throughout this book. The goal of this chapter is to introduce Terminal Server in the context of an Enterprise Architecture and introduce Control Frameworks and Management Standards.

Terminal Server is the de facto Server Based Computing solution for Microsoft environments; it offers organizations a cost-effective way to centrally host, manage, and secure Windows desktops, Windows applications, and data. Terminal Server reduces complexity, enhances security, and simplifies regulatory compliance by moving applications and data from PCs to a centrally managed Terminal Server environment. Application access, application updates, operating system service packs, and security hotfixes are centrally managed on the Terminal Servers rather than on each individual PC. This centralization of computing resources is called the Server Based Computing model.
 
Access to a Terminal Server environment is enabled by using a small piece of client software commonly referred to as the remote desktop client (RDC) or remote desktop protocol client (RDP). Terminal Server offers organizations a way to reduce the amount of client software supported on each PC from an entire desktop application portfolio to a single piece of client software, the RDC client. RDC is pre-installed on Microsoft operating systems and is widely available on non-Windows operating systems, such as Apple, Linux, and UNIX.
 
Server Based Computing offers inherent security advantages over other computing models by providing centralized control of the entire desktop environment (i.e., centralization of the Windows desktop environment, Windows applications, data and information, and network traffic). Server Based Computing, in conjunction with Enterprise Security Architecture design principles, offers considerable flexibility in implementing the appropriate security controls to protect internal or confidential applications and data. For example, one Terminal Server silo (a group of Terminal Servers) can be used to access internal office productivity applications and data, while another Terminal Server silo can be used to access confidential financial or human resource applications and data. This flexibility allows organizations to implement security controls appropriate to the criticality or sensitivity of an application or its data. Access to applications and data from Terminal Servers can be logged and filtered via group membership, with timestamps, in order to provide non-repudiation. These capabilities provide a cost-effective solution that allows organizations to secure their applications and data and to meet business objectives and regulatory mandates.
 
Terminal Services provide the flexibility for organizations to host a single application or an entire desktop application portfolio on one or many Terminal Servers. Desktop applications are installed, managed, and executed on Terminal Servers that sit as close as possible to the data, thereby shortening the distance data travels over the network and effectively centralizing network traffic and data management. Client sessions use the highly efficient RDP protocol to communicate to a Terminal Server, which in turn communicates directly to supporting information systems located on the same or adjacent network.
 
Server Based Computing has demonstrable security and performance advantages over other computing models because of the centralization of applications and network traffic. When a client-server application, such as a mail client, runs on a PC, it communicates directly with a mail server. This communication traverses the entire network from the PC all the way to the mail server. Client-server traffic characteristically uses substantially more bandwidth than RDP and requires a wide variety of open communication ports between workstations and servers, which increases the attack surface between networks.
 
Terminal Server users interact with applications and data from a virtualized Terminal Server desktop that is presented to end users via an RDP client. Terminal Server desktops are identical to PC desktops in appearance and functionality and can be displayed in full screen, predefined sizes, or a percentage of the local monitor. This shifts the security focus from PC desktops to the Terminal Server environment and supporting backend information systems.
 
Securing a Terminal Server environment presents challenges due in part to the characteristics of Server Based Computing, because user sessions move from PCs to Terminal Servers. Terminal Servers are characteristically placed as close as possible to the data, in many cases on the same network as the data. This model moves the security controls from the PCs and their network to the Terminal Server desktop environment and the data center network. Because Terminal Servers might be located on the same network as supporting information systems, a compromised Terminal Server could be used as a hacking vector to other systems. This emphasizes the need to employ layered security controls throughout the Enterprise to effectively secure the Terminal Servers and supporting back-end systems. Security controls are employed using industry standard frameworks and standards to develop an Enterprise Architecture (EA). An Enterprise Architecture enables organizations to create an organization-wide blueprint that can be used to achieve business objectives while maximizing the business value of information technology.
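The two points above, that Terminal Server access can be logged and filtered via group membership with timestamps to provide non-repudiation, and that a Terminal Server sitting next to the data needs layered controls and monitoring, can be shown together in a small audit routine. The following is an added example, not code from the book; the silo names, group names, accounts and log format are constructed for illustration. The one real detail it relies on is that Windows records a Terminal Services/RDP logon as logon type 10 (RemoteInteractive); the routine keeps only those logons, checks each account's group membership against the groups permitted on that silo, and tags every record with its timestamp, account, server and source address so that unexpected access to the confidential silo is flagged for review.

```python
import re
from datetime import datetime

# Constructed silo access map (hypothetical names): which groups may log on
# to which Terminal Server silo.
SILO_ALLOWED_GROUPS = {
    "TS-OFFICE": {"Office-Users", "Finance-Users"},   # productivity silo
    "TS-FINANCE": {"Finance-Users"},                  # confidential silo
}

# Constructed directory snapshot (hypothetical): account -> group memberships.
USER_GROUPS = {
    "alice": {"Office-Users"},
    "bob": {"Finance-Users", "Office-Users"},
    "mallory": set(),
}

# Constructed log lines in a simplified key=value form. A real Windows logon
# audit record carries the same fields (server, account, logon type, source);
# logon type 10 is RemoteInteractive, i.e. a Terminal Services/RDP session.
SAMPLE_LOG = """\
2006-03-01T08:01:12Z TS-OFFICE LOGON user=alice type=10 src=10.1.5.20
2006-03-01T08:02:45Z TS-FINANCE LOGON user=alice type=10 src=10.1.5.20
2006-03-01T08:03:10Z TS-FINANCE LOGON user=bob type=10 src=10.1.5.31
2006-03-01T08:04:00Z TS-OFFICE LOGON user=mallory type=10 src=192.0.2.9
2006-03-01T08:05:00Z TS-OFFICE LOGON user=svc-backup type=3 src=10.1.9.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<server>\S+) LOGON user=(?P<user>\S+) "
    r"type=(?P<type>\d+) src=(?P<src>\S+)$"
)


def parse_logon(line):
    """Parse one constructed log line; return a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["type"] = int(rec["type"])
    return rec


def is_authorized(user, server):
    """Group-membership filter: the account is allowed on the silo if any of
    its groups is in the silo's allowed set. Unknown silo or account -> False."""
    allowed = SILO_ALLOWED_GROUPS.get(server, set())
    groups = USER_GROUPS.get(user, set())
    return bool(allowed & groups)


def audit_rdp_logons(log_text):
    """Keep only RDP (logon type 10) logons and tag each with a decision.
    Each record keeps timestamp, account, server and source address so the
    trail ties an action to a person and a time (non-repudiation)."""
    trail = []
    for line in log_text.splitlines():
        rec = parse_logon(line)
        if rec is None or rec["type"] != 10:
            continue  # skip malformed lines and non-RDP logons
        ok = is_authorized(rec["user"], rec["server"])
        rec["decision"] = "allowed" if ok else "review"
        trail.append(rec)
    return trail


def flagged(log_text):
    """Return (timestamp, account, server, source) for logons needing review."""
    return [(r["ts"].isoformat(), r["user"], r["server"], r["src"])
            for r in audit_rdp_logons(log_text) if r["decision"] == "review"]


if __name__ == "__main__":
    for r in audit_rdp_logons(SAMPLE_LOG):
        print(r["ts"].isoformat(), r["server"], r["user"], r["src"], r["decision"])
```

Run against the constructed log, the routine drops the type 3 (network) logon, accepts alice on the office silo and bob on the finance silo, and flags alice's logon to the finance silo and mallory's logon from an outside address for review. In a real environment the group map would come from the directory and the records from the servers' security event logs, but the check itself is the same.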
 
Organizations turn to Enterprise Architecture to understand how a Terminal Server solution fits with their entire information system. An Enterprise Architecture is a “blueprint” that describes an organization’s strategic direction, business requirements, information technology portfolio, processes, and security measures used to implement and support technologies. An Enterprise Architecture is articulated in diagrams and written policies that define organizational standards and best practices to plan, build, run, and monitor technologies.
 
Enterprise Architecture has well defined principles and processes and an approach that generates a comprehensive, layered policy infrastructure used to communicate management’s goals, principles, instructions, appropriate procedures, and response to laws and regulatory mandates. A policy infrastructure consists of written tier 1, tier 2, and tier 3 policies that encompass people, systems, data, and information. Policies are broken down into high level policies and lower level standards, procedures, baselines, and guidelines.
 
Written policies are either tier 1, tier 2, or tier 3. Tier 1 policies sit at the top of the policy infrastructure, addressing broad organization-wide issues, vision, and direction. Most organizations develop and support about a dozen tier 1 policies. Tier 2 policies are typically vendor agnostic and describe high level business and technical requirements. Tier 3 policies are vendor, technology, and procedure specific.
 
Terminal Server policies typically fall within the layered policy infrastructure of the platform architecture domain, which is reviewed in Chapter 4. Platform architecture policies are the foundation used to manage the entire lifecycle of a Terminal Server environment.
 
Table 1.1 lists the security policies and chapters that are reviewed in this book.
 
Table 1.1

Policy | Explanation | Chapter
Platform Architecture Policy | A Platform Architecture Policy is a tier 2 policy that defines high level computing platform requirements. | Chapter 4
Network Architecture Policy | A Network Architecture Policy is a tier 2 policy that defines network architecture requirements and describes how information processing resources are interconnected. | Chapter 4
Data/Information Classification and Categorization Standard | A Data/Information Classification and Categorization Standard is a tier 2 policy that defines classifications and security levels for all forms of data/information and information systems across the Enterprise. | Chapter 4
Terminal Server Application Software Policy | A Terminal Server Application Software Policy is a tier 3 policy that defines the application software life cycle for a Terminal Server environment. | Chapter 4
Terminal Server Anti-Virus Software Guidelines | The Terminal Server Anti-Virus Software Guidelines are a tier 3 policy that shows how an organization uses a guideline to suggest best practices for acquiring, implementing, and configuring anti-virus software for Terminal Server. | Chapter 4
Change Management Policy | A Change Management Policy is a tier 2 policy that defines the change management procedures for hardware, software, firmware, and documentation. | Chapter 4
Enterprise Security Policy | An Enterprise Security Policy is a tier 2 policy that bridges the gap between technical and administrative security controls and instructs employees and business partners on how to securely access systems and consume data. | Chapter 5
Risk Assessment Policy | A Risk Assessment Policy is a tier 2 policy that defines an organization's security Risk Assessment (RA) strategy. | Chapter 5
IT Server Room Security Policy | An IT Server Room Security Policy is a tier 2 policy that defines the security controls employed to protect a server room against unauthorized access, environmental threats, and manmade disasters. | Chapter 6
Password Policy | A Password Policy is a tier 2 policy that defines a standard for creating strong passwords, the protection of those passwords, and the frequency of password changes. | Chapter 7
Windows Terminal Server Standards | Windows Terminal Server Standards is a tier 3 policy that defines organizational Terminal Server standards and requirements from a plan, build, run, and monitor perspective. | Chapter 8
Windows Server Security Policy | A Windows Server Security Policy is a tier 3 policy that defines an organization's Windows server security and minimum server standards. | Chapter 9
Terminal Server Installation Baseline | A Terminal Server Installation Baseline is a tier 3 policy that provides employees with an approved procedure to install Terminal Server. | Chapter 10
Terminal Server Security Baseline | A Terminal Server Security Baseline is a tier 3 policy that defines the process to implement security controls for a Terminal Server environment. | Chapter 11
Software Restriction Policy Baseline | A Software Restriction Policy Baseline is a tier 3 policy that defines an organization's approved configuration standard for Microsoft Software Restriction Policies. | Chapter 12
Session Directory Configuration Baseline | A Session Directory Configuration Baseline is a tier 3 policy that defines an organization's approved installation and configuration standard for Microsoft Session Directory. | Chapter 13
Terminal Server Session Directory Group Policy Configuration Baseline | A Terminal Server Session Directory Group Policy Configuration Baseline is a tier 3 policy used to define an approved configuration standard for Terminal Servers that participate in a Terminal Server Session Directory environment. | Chapter 13
Terminal Server Network Load-Balancing Configuration Baseline | A Network Load-Balancing Configuration Baseline is a tier 3 policy that defines an approved installation and configuration standard for Microsoft Network Load-Balancing for Terminal Server. | Chapter 14
Log Management Policy | A Log Management Policy is a tier 2 policy that defines log management practices and requirements. | Chapter 16
Incident Response Policy | An Incident Response Policy is a tier 2 policy that defines how an organization responds to security incidents. | Chapter 17
Audit Vulnerability Scan Policy | An Audit Vulnerability Scan Policy is a tier 2 policy that defines the agreement to perform network security scanning. | Chapter 18

This section reviews the Control Frameworks and Management Standards that are referenced throughout this book. I will highlight CobIT, ISO/IEC 17799, National Institute of Standards and Technology (NIST) Computer Security Division Publications, National Security Agency (NSA) Guides, and the Security Technical Implementation Guides (STIGS).
 
Regulatory compliance has managed to accomplish what age-old, common sense arguments based on economics and efficiency could not: it has compelled organizations to consider and fund the development of strategies to manage and secure their information systems. There has always been a solid business case for information technology management based on cost savings and risk reduction. Unfortunately, these arguments often fell on deaf ears until Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and others re-focused attention on this need. Regulatory compliance helps move organizations from their current, typically ad hoc, security state to a recommended compliant state. Organizations turn to Control Frameworks and Management Standards to help develop strategies to reach that recommended compliant state.
 
Figure 1.1 shows the current vs. recommended security state.

[Figure 1.1: current vs. recommended security state (image not reproduced here)]
 
In terms of information security and compliance, there are many widely adopted frameworks, standards, and guidelines that provide recommendations and best practices on information security management, service management, and compliance. Typically, organizations mix and match frameworks and standards to meet their specific business objectives and regulatory needs. This strategy allows an organization to employ proven, widely adopted frameworks and standards in order to develop an Enterprise Architecture to manage and audit the entire life cycle of their technology investments.
 
Many frameworks and standards are developed by committees of volunteers from members of industry, governments, and the public. This methodology allows large groups of industry professionals to collaboratively develop, approve, and publish their work. An excellent example is the International Organization for Standardization (ISO), which has issued over 10,000 international standards. The International Organization for Standardization leverages more than 20,000 experts from all over the world who share in the development of ISO standards.
 
Control Frameworks and Management Standards share a common theme: they provide a comprehensive management layer around the entire life cycle of information technology.
 
CobIT is a mature control framework, first released in 1996 by the Information Systems Audit and Control Association (ISACA). Since its origin, it has evolved with a second edition in 1998, a third in 2000, and a fourth in November 2005. CobIT is maintained by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA). ISACA describes CobIT as a "framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks" (ref: ISACA). CobIT has become the de facto standard for auditors and Sarbanes-Oxley compliance, thereby significantly increasing its visibility and use. CobIT has been widely mapped against the "big three" standards: COSO, ITIL, and ISO 17799.
 
CobIT consists of six documents. List 1.2 shows the six documents.
  • Management Guidelines
  • Implementation ToolSet
  • Executive Summary
  • Framework
  • Control Objectives
  • Audit Guidelines
 
From a structural perspective, CobIT consists of a set of 215 Control Objectives for information technology, intended to enable auditing. The Control Objectives are used for guidance, in that they describe what should be accomplished.
 
CobIT can be downloaded at no cost from http://www.isaca.org/cobit/
 
ISO/IEC 17799 is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO and the IEC are international standards organizations with members that include the standards bodies from many countries. ISO/IEC 17799 provides guidance for security policy, staff security awareness, business continuity planning, and legal requirements.
 
ISO/IEC 17799 was originally published by a government department in the United Kingdom as a Code of Practice (CoP) for Information Security. From there it was re-branded and published in 1995 as BS 7799 by the British Standards Institute (BSI). In December 2000, it was re-published as ISO 17799 by ISO. In December 2005 it was revised and published as ISO/IEC 17799. ISO/IEC 17799 is expected to be renamed ISO/IEC 27002 in the future.
 
BS 7799, ISO 17799, and ISO/IEC 17799 have received broad international acceptance across many industries as a framework for managing information security. ISO/IEC 17799 is complementary to frameworks and standards from other organizations and is often used in conjunction with the National Institute of Standards and Technology (NIST), Special Publication 800-53 and CobIT.
 
From a structural perspective, ISO/IEC 17799 contains 11 security control clauses that contain 39 primary security categories and one introductory clause on risk assessment and treatment.
 
List 1.3 shows the eleven clauses.
  1. Security Policy
  2. Organizing Information Security
  3. Asset Management
  4. Human Resources Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Systems Acquisition, Development, and Maintenance
  9. Information Security Incident Management
  10. Business Continuity Management
  11. Compliance
 
ISO/IEC 17799 is available in PDF format from http://www.iso.org/ for CHF 200.00 (Swiss francs).
 
NIST Computer Security Division Publications
Founded in 1901, NIST is an agency within the U. S. Commerce Department's Technology Administration. The mission of NIST is “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” In terms of information technology security, NIST is responsible for developing standards, guidelines, and minimum information security requirements for information systems used within the U. S. Federal Government. The Computer Security Division (CSD) is the division within NIST that is tasked with developing publications that present the results of NIST studies and research on information technology security. The publications are available publicly at no cost and are issued as Drafts, Special Publications, Federal Information Processing Standards Publications (FIPS PUBS), ITL Bulletins, and Interagency Reports. The publications represent the standards, guidelines, and minimum information security requirements to deploy information systems within the U. S. Federal Government.
 
NIST publications have become widely adopted in the public sector by providing organizations with best practices to secure information and information systems.
 
List 1.4 highlights key NIST Standards and Guidelines.
  • FIPS Publication 199 (Security Categorization)
  • FIPS Publication 200 (Minimum Security Requirements)
  • NIST Special Publication 800-18 (Security Planning)
  • NIST Special Publication 800-30 (Risk Management)
  • NIST Special Publication 800-37 (Certification & Accreditation)
  • NIST Special Publication 800-53 (Recommended Security Controls)
  • NIST Special Publication 800-53A (Security Control Assessment)
  • NIST Special Publication 800-59 (National Security Systems)
  • NIST Special Publication 800-60 (Security Category Mapping)
 
NIST publications provide a wide range of information technology security standards and guidelines that organizations of any size can use in the development and implementation of their information security systems. The NIST publications are available at http://csrc.nist.gov/publications/index.html.
 
The Security Technical Implementation Guides (STIGS) and the NSA Guides are the configuration standards for the U. S. Department of Defense (DoD) Information Assurance (IA) and Information Assurance-enabled devices and systems. The STIGS are developed by the U. S. Defense Information Systems Agency (DISA) for the U. S. Department of Defense.
 
The IA Document Library contains STIGS that cover over 20 topics. Examples of the STIGS topics are: Active Directory, Ports and Protocols, Application Security, Database Guidance, Desktop Application Guidance, VM Guidance, and Windows 2003 Guidance.
 
The NSA Guides are vendor specific security configuration guides covering Applications, Database Servers, Operating Systems, Routers, Supporting Documents, Switches, VoIP and IP Telephony, Vulnerability Technical Reports, Web Servers and Browsers, and Wireless.
 
The STIGS and NSA Guides have become widely adopted in the public sector, providing organizations with best practices to implement and secure technologies.
 
This chapter began with a discussion about Terminal Server, followed by Terminal Server security considerations, and an introduction to Enterprise Architecture and Control Frameworks and Management Standards.
 
Terminal Server
  • Terminal Server is the de facto Server Based Computing solution for Microsoft environments.
  • Server Based Computing allows centralized management of desktops, applications, data, and network traffic.
  • Terminal Server dramatically reduces bandwidth utilization over traditional computing models.
  • Terminal Server reduces the amount of client software on each desktop to a single piece of client software, the RDC client.
  • The RDP client is supported on Windows and Apple, Linux and UNIX.
 
Terminal Server Security
  • Terminal Server centralizes security management of an organization’s entire desktop environment, user data and network traffic.
  • Server Based Computing moves the security controls from the PC desktop to the centrally managed Terminal Server desktop and the data center networks.
  • Enterprise Security Architecture design principles provide a way to leverage Terminal Server to implement granular security controls.
 
Enterprise Architecture
  • An Enterprise Architecture is an organizational wide blueprint used to achieve business objectives while maximizing the business value of information technology.
  • An Enterprise Architecture consists of diagrams and a policy infrastructure.
  • A policy infrastructure consists of tier 1, tier 2 and tier 3 policies.
  • Tier 1 policies address broad organizational wide issues, vision and direction.
  • Tier 2 policies are typically vendor agnostic and describe high level requirements.
  • Tier 3 policies are vendor, technology, and procedure specific.
  • Terminal Server policies are managed in the platform architecture domain.
     
Control Frameworks and Management Standards
  • Organizations turn to Control Frameworks and Management Standards to help develop information technology strategies that comply with regulatory mandates.
  • Frameworks, standards, and guidelines provide recommendations and best practices on information security management, service management, and compliance.
  • CobIT is a "framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks." (ref: ISACA)
  • CobIT has become the de facto standard for auditors and Sarbanes-Oxley compliance and has been widely mapped against the “big three” standards: COSO, ITIL, and ISO 17799.
  • ISO/IEC 17799 is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and provides guidance on security policy, staff security awareness, business continuity planning, and legal requirements.
  • NIST is responsible for developing standards, guidelines, and minimum information security requirements for information systems used within the U. S. federal government.
  • The Computer Security Division (CSD) is the division within NIST that is tasked with developing publications and presenting the results of NIST studies and research on information technology security.
  • NIST publications are available publicly at no cost and are issued as Drafts, Special Publications, Federal Information Processing Standards Publications (FIPS PUBS), ITL Bulletins and Interagency Reports.
  • The Security Technical Implementation Guides (STIGS) and the NSA Guides are the configuration standards for the U. S. Department of Defense (DoD) Information Assurance (IA) and Information Assurance-enabled devices and systems.
  • The IA Document Library contains STIGS that cover over 20 topics.