Preface
I would like to welcome you to the first edition of Securing Microsoft Terminal Services. This book was developed to provide architects, project managers, consultants, and network and security administrators with guidance on securing Terminal Server environments using widely adopted industry standards. My goal with this book is to share what I have learned firsthand about how organizations successfully secure their Terminal Server environments. Beginning with Chapter 4, I introduce policies that follow established methodologies, standards, and guidelines and that demonstrate how to plan, build, run, and monitor a Terminal Server environment from an information security and regulatory compliance perspective. Where applicable, each chapter addresses regulatory compliance, providing guidance on how to comply with mandates such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLB).
 
Spending the last five years at Citrix Systems as a Senior Enterprise Systems Engineer supporting Enterprise, SME, and SMB customers has given me an amazing opportunity to learn firsthand how organizations successfully secure their Terminal Server environments. After a short time in the field, I realized that there was no single document, whitepaper, or book that presents a holistic approach to securing a Terminal Server environment. I still hear the same question over and over: "Is there a book or whitepaper that explains how to secure my Terminal Server environment?" These inquiries inspired me to write this book.
 
It is often said that information security is a process, not a product. The information security (InfoSec) community agrees that information security must do more than deploy technical controls, such as a firewall or anti-virus software, to protect against threats from system misuse, intruders, bugs, exploits, viruses, and worms. The goal of this book is to demonstrate how Terminal Server fits within an organization's information security program, while identifying where and how to implement administrative and technical security controls. This book follows proven information security methodologies, leveraging widely adopted IT management frameworks, standards, and guidelines that enable organizations of any size to maximize the return on investment (ROI) from IT and to achieve business objectives while significantly reducing risk. Beginning with Chapter 4, I introduce example policies that map directly to security frameworks, standards, and guidelines such as ISO 17799, COBIT, the National Security Agency (NSA) security configuration guides, and the Security Technical Implementation Guides (STIGs). The closing chapters address compliance, monitoring, auditing, and conducting a vulnerability assessment.
 
The term "Enterprise" used throughout this book refers to organizations with multiple internal networks, diverse sets of PCs, numerous information systems and applications, various access requirements, and a diverse user population.