SYS.1.9 Terminal Server
Description
Introduction
A terminal server is a server on which client applications (applications for short) are executed directly and which only forwards their graphical interface (user interface) to the clients. Terminal server software is used for this purpose. The terminal server is then the underlying IT system on which this software runs. Inputs at the client — for example via keyboard and mouse — are transmitted to the terminal server software, which then passes these inputs on to the application provided on the terminal server. There, the actions triggered by the inputs are executed, and the terminal server determines the new (possibly changed) user interface. This user interface is then transmitted from the terminal server software to the client.
In a terminal server-based environment, clients typically connect to the terminal server software on the terminal server using appropriate terminal client software. Communication takes place via terminal server protocols over which inputs and outputs are transmitted. Examples include the Remote Desktop Protocol (RDP), Independent Computing Architecture (ICA), PC-over-IP (PCoIP), and Virtual Network Computing (VNC).
The type of applications provided in this way is in principle unrestricted and can include, for example, productive applications such as web browsers, office applications, or financial software, but also administration tools such as SSH clients or management tools.
In a typical deployment scenario, a terminal server centrally provides applications to multiple clients that cannot or should not be run locally on those clients for organizational or technical reasons. One example of this is administration tools that should not be run directly on the clients of administrators. Another example is software with special technical requirements regarding the underlying hardware of the clients, such as specific graphics cards that are not present on all clients.
In a terminal server-based environment, clients can be so-called fat clients or thin clients. Fat clients are equipped with a full client operating system. Thin clients, on the other hand, can only be used to connect to and operate the terminal server.
On a terminal server, multiple persons can work simultaneously on the same operating system and use the same or several different applications in parallel.
Objective
The objective of this building block is to protect information that is stored, processed, and transmitted when terminal servers are used. Special requirements are placed on the applications, IT systems, and networks involved.
Scope and Modeling
The building block SYS.1.9 Terminal Server is to be applied both to the terminal server itself and to the accessing fat clients and thin clients with terminal client software. For servers and clients, both software and hardware components must be taken into account.
To create an IT-Grundschutz model for a specific information domain, the totality of all building blocks must generally be considered. As a rule, multiple building blocks must be applied to a given topic or target object.
This building block addresses the following content:
- A terminal server within the meaning of this building block is any IT system on which applications are centrally provided in the manner described above. In this case, the connection must be initiated directly from the client.
- The building block SYS.1.9 Terminal Server is to be applied when a terminal client software exclusively transmits user inputs to the terminal server.
- This building block contains specific requirements for the networks used to secure communication between clients and the terminal server.
The following content is also relevant and is addressed elsewhere:
- For the terminal server and the clients, the building blocks SYS.1.1 General Server and SYS.2.1 General Client respectively, as well as the specific building blocks for the server or client operating systems where applicable, must be applied.
- For the terminal server software, the building block APP.6 General Software and any other relevant building blocks in the APP Applications layer must be applied.
- For the applications provided via the terminal server, the building block APP.6 General Software and the corresponding specific building blocks in the APP Applications layer must additionally be applied.
- The building block NET.1.1 Network Architecture and Design must be applied to secure the networks used for communication between clients and the terminal server.
This building block does not address the following content:
- Remote maintenance tools are not terminal servers within the meaning of this building block. To secure these tools, the building block OPS.1.2.5 Remote Maintenance is to be implemented.
- When an IT system to be administered is accessed via terminal server protocols, this does not constitute use of the terminal server within the meaning of this building block.
- This building block does not address the case where clients directly access other clients via terminal server protocols or collaboration tools.
- If the terminal server service is provided via additional security components such as Application Delivery Controllers (ADC, see Chapter 4 Additional Information), these additional components are to be considered separately.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to describe the threat landscape. The following specific threats and vulnerabilities are of particular significance for building block SYS.1.9 Terminal Server.
Degraded Quality of Application Provisioning
An application provided by the terminal server is used in real time. Since the user interface is prepared on the terminal server and transmitted to the clients, work can only proceed smoothly if the terminal server’s response to an input reaches the clients without noticeable time delay and is clearly visible. If clients receive the terminal server’s responses with a delay, usability may be impaired to such an extent that this amounts to a service outage. Both a consistently high delay and frequent, unpredictable spikes can cause this effect.
An excessively high delay can be caused by excessive latency in transmission paths or network components. If communication is secured via additional security components such as VPN gateways that may be insufficiently dimensioned, the delay can be further increased. This can result in the application being usable only to a limited extent.
If the terminal server is heavily loaded, it can only respond with a delay. For example, if the CPU or working memory is insufficiently dimensioned, the terminal server can quickly become overloaded and ultimately only respond with a delay. A similar situation arises when the terminal server is used by too many persons simultaneously.
If the screen content is not clearly discernible, the terminal server can no longer be used efficiently. For example, text or mouse pointers may be difficult to recognize due to compression artifacts when insufficient line capacity is available.
All of this can result in users being unable to use the terminal server at all or only in a severely restricted manner.
Failure of Application Provisioning
In a terminal server-based environment, applications are executed centrally and their output is transmitted to the corresponding clients. If the terminal server is unavailable, no inputs can be processed and the applications provided by the terminal server immediately fail. If clients obtain their entire user interface from the terminal server, the IT system fails completely from the perspective of users.
If the client fails, it is no longer possible to access the applications provided by the terminal server via that client, even if they are still available on the terminal server. A similar situation arises when the connection between client and terminal server is disrupted.
Outages of the network or terminal server typically affect not just individual clients. In many cases, numerous or even all clients in an institution depend on the terminal server. If the terminal server fails, a large number of clients are affected simultaneously.
Inadequate Network Separation for Terminal Servers
Terminal servers typically provide applications that function as clients. As a result, a terminal server resembles a client rather than a server in terms of trustworthiness.
If this is not adequately taken into account in network separation, unauthorized access to further server applications may be possible via the terminal server — for example via a web browser. This can allow the terminal server to be misused as a starting point for attacks on other IT systems and applications.
Due to the inputs at the client, a high degree of interaction with the terminal server is to be expected. This makes it easier to exploit potential vulnerabilities. This is particularly relevant when a terminal server provides applications to user groups assigned to different network segments. In such a case, unauthorized access to further applications in those network segments could be made from the terminal server.
Inadequate Protection of Sessions on the Terminal Server
Terminal servers can provide dedicated application instances to different clients, all running on the same operating system. These applications share, among other things, common libraries, the kernel, and the required resources of the terminal server (e.g., CPU or RAM).
Due to misconfigurations or software vulnerabilities, individual application instances may be able to communicate with one another in ways not originally intended. For example, if sessions on terminal servers are executed with overly broad permissions, it may be possible to access arbitrary parts of the file system from within an application. This can be exploited, for example, via program dialogs for saving or opening files, through which unintended areas of the hard disk can be written to or read from.
Another example is so-called RDP session hijacking, which is based on the sessions of the terminal server itself. If users remain logged in after their sessions on the terminal server have ended, this can lead to problems. If attackers are equipped with appropriate rights — obtained, for example, through inadequate rights management or by exploiting software vulnerabilities — they may be able to take over an existing session from another session. In this case, attackers can continue the session in the context of the user.
If the operating system is shared by multiple applications or application instances, sessions of other users may potentially be influenced via CPU or RAM. For this purpose, the relevant applications must contain corresponding security vulnerabilities through which the necessary malicious code can be executed. For example, special malicious software can then read passwords from RAM. Even without software vulnerabilities, hardware vulnerabilities (e.g., Meltdown) can allow attackers to read arbitrary sensitive data from other sessions.
Inadequate Protection of the Terminal Server Protocol
Many terminal server protocols offer the possibility of authenticated and encrypted communication. However, this capability is not always sufficient to secure the communication. If the terminal server protocol uses outdated and vulnerable mechanisms, or if important security functions are disabled through misconfigurations, communication between clients and the terminal server can be intercepted. Information transmitted between the terminal server and the clients that may be intercepted or modified includes in particular:
- Authentication information and user inputs sent from clients to the terminal servers,
- Screen information displayed on the clients,
- Clipboard data,
- File transfers between local drives of the client and the server, as well as
- Information from redirected client devices (e.g., audio devices, serial or parallel interfaces, USB devices, and printers).
However, even if the protocol mechanisms generally secure the communication sufficiently, the implementation of the protocol within a terminal server or terminal client software may contain vulnerabilities. This can result in the terminal server being directly attackable without needing to intercept the communication.
Unauthorized Use of Shared Accounts
If multiple persons want to use an application on a terminal server at different times, shared accounts are often set up. However, this may conflict with internal policies or the license conditions of the software provided via the terminal server.
The use of shared accounts also prevents the actions executed on the terminal server from being attributed to specific persons. As a result, it is no longer possible to trace who did what. This can represent a legal risk in particular when there are statutory requirements for traceability — for example, when personal data is processed on the terminal server.
Inappropriate Restriction of User Access Rights
A terminal server can simultaneously function both as a server and, with regard to the applications running on it, also as a client. This can lead to errors in the assignment of access rights.
Secure configurations of IT systems and applications generally provide for access rights that are as restrictive as possible. This applies in particular to terminal servers as well. However, if the permissions for using a terminal server are restricted too severely, users can only use the provided applications in a very limited manner. This can result from either an overly strict policy or a misconfiguration.
If work is made too difficult by such restrictions — for example, by completely prohibiting write access to local drives — this can have undesired consequences. For example, users might resort to unintended workarounds and process data in inappropriate locations, such as exporting data and then processing it via data exchange platforms.
Applications Not Suitable for Use on Terminal Servers
Not all applications can be provided on arbitrary terminal servers. For example, if necessary functions of the Graphics Processing Unit (GPU) are not supported in the emulated graphics unit, 3D applications cannot be used via a terminal server, or can only be used to a limited extent. A similar situation arises when inputs from application-specific or industry-specific peripheral devices are not supported by the terminal server, the terminal client software, or the terminal server protocol.
If individual application functions or the connection of peripheral devices are not tested, or only insufficiently tested, prior to procurement, these limitations may only be identified during ongoing operation. This can significantly impair the availability of the application and the terminal server may not be deployable as intended. In some cases, it may even need to be replaced entirely.
Requirements
The following are the specific requirements of building block SYS.1.9 Terminal Server. The Information Security Officer (ISO) is responsible for ensuring that all requirements are fulfilled and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They should be filled insofar as this is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Planners |
Exactly one role should be Primarily responsible. In addition, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
SYS.1.9.A1 Creation of a Security Policy for the Use of Terminal Servers (B)
A security policy MUST be created for the use of terminal servers. When creating the security policy, at minimum the following points MUST be taken into account:
- Applications that may be provided on terminal servers,
- Applications that may be provided together on terminal servers,
- Security requirements for clients on which the terminal client software runs,
- Physical environment in which the clients may be deployed,
- Networks from which communication connections to the terminal servers may be initiated,
- Networks to which applications on the terminal servers may communicate,
- Communication protocols permitted between clients and terminal servers,
- Encryption mechanisms and authentication methods to be used between clients and terminal servers,
- Ways in which files and application data beyond screen output may be transmitted via the terminal server protocol, as well as
- Peripheral devices that may be connected to the client in addition to input and output devices.
SYS.1.9.A2 Planning the Deployment of Terminal Servers (B)
For the applications to be provided on a terminal server, the functional requirements (requirements profile) MUST be identified. For all required functions, it MUST be ensured that these can in fact also be accessed via the terminal server. In addition, it MUST be tested whether the applications fundamentally meet the requirements when provided via the terminal server.
The total number of users to be set up MUST be estimated. All applications to be provided on the terminal server MUST be counted in this estimate.
The number of users who could potentially use the terminal server simultaneously MUST be estimated. These estimates MUST cover the planned deployment period of the terminal server.
Depending on the estimated number of users and the requirements of the provided applications, the performance requirements (e.g., with regard to CPU and working memory) for the terminal server MUST be determined. The terminal server MUST be dimensioned and equipped based on these performance requirements.
The license scheme of the applications in use MUST be reviewed to determine whether it is suitable for deploying these applications on terminal servers.
SYS.1.9.A3 Definition of Roles and Permissions for the Terminal Server (B)
Shared accounts MUST NOT be used on terminal servers if this violates internal policies or license conditions. When defining roles and permissions for the use of the terminal server, all applications provided on the terminal server MUST be equipped with sufficient permissions to fulfill their requirements.
Roles and permissions MUST be assigned in such a way that communication between terminal server sessions is only possible to the extent required for the functionality of the application. At minimum, permissions MUST be defined for the following activities:
- Executing applications in a foreign context (in particular as “root”),
- Access to operating system-specific functions,
- Access to the file system of the terminal server,
- Access to interfaces and file system of the accessing client,
- Access of applications provided on the terminal server to downstream services,
- File and object transfer between clients and terminal servers (e.g., for printing at the client), as well as
- Connection of peripheral devices at the client.
SYS.1.9.A4 Secure Configuration of the Terminal Server (B)
Depending on the security and functional requirements of the provided applications, specifications for the configuration of terminal servers MUST be created. These specifications MUST be fully implemented and documented.
It MUST be checked whether the company that manufactures the terminal server provides specifications or recommendations for secure configuration or hardening. If this is the case, these MUST be taken into account appropriately when creating the configuration specifications. Both the configuration specifications and their implementation MUST be regularly reviewed and adjusted if necessary.
At minimum, the following points MUST be taken into account for the configuration specifications:
- Roles and permissions
- Scope of encryption of the terminal server protocol
- Required authentication functions of the terminal server protocol
- Possibility of viewing the output of other sessions
- Communication between applications in the terminal server sessions and applications on other servers
- Communication between the terminal server and other servers
SYS.1.9.A5 Planning the Clients and Terminal Client Software Used (B)
It MUST be specified via which terminal client software the terminal server may be accessed. In addition, it MUST be specified on which clients this software may be run to connect to the terminal server. At minimum, the following points MUST be taken into account:
- Use of thin clients or fat clients,
- Hardware configuration of the accessing clients, as well as
- Operating system of the accessing clients.
It MUST be specified which software, in addition to the terminal client software, is permitted on the clients. In addition, it MUST be specified whether a client may simultaneously use applications on different terminal servers.
SYS.1.9.A6 Planning the Networks Used (B) [Planners]
The networks over which clients communicate with terminal servers MUST be planned and adjusted as necessary based on the requirements of the provided applications. At minimum, the following points MUST be taken into account:
- Expected number of simultaneous terminal server sessions,
- Required transmission capacity,
- Maximum acceptable packet loss,
- Maximum acceptable jitter, as well as
- Maximum tolerable network latency.
SYS.1.9.A7 Secure Access to the Terminal Server (B)
It MUST be specified via which networks communication between the accessing client and the terminal server may take place. In addition, it MUST be specified how the communication should be secured. It MUST be specified whether and how encryption should be applied using the terminal server protocol. If the terminal server protocol does not provide sufficient encryption in this case, the communication MUST be additionally secured.
If the clients and the terminal server communicate via insufficiently trustworthy networks, both the users and the terminal server MUST authenticate themselves when establishing the connection.
SYS.1.9.A8 Secure Assignment of the Terminal Server to Network Segments (B)
The terminal server MUST be positioned in dedicated network segments or in client network segments. Within client network segments, terminal servers MUST be identifiable.
An existing network separation MUST NOT be able to be bypassed via a terminal server.
SYS.1.9.A9 Raising User Awareness (B)
All users of terminal servers MUST be made aware of the secure use of terminal servers. Users MUST be informed of at minimum the following content:
- Basic functionality and the effects of latency and available bandwidth on usability
- Permitted and possible storage locations for data
- Permitted means of exchanging information between the client operating system and the terminal server (e.g., clipboard)
- Impact of one’s own resource consumption on the resources available to other users
- Established roles and permissions for terminal server access
- Authentication and authorization used for users with regard to the provided applications
- Maximum session duration and automatic logout processes
Standard Requirements
Together with the basic requirements, the following requirements reflect the state of the art for this building block. They SHOULD generally be fulfilled.
SYS.1.9.A10 Use of a Central Identity and Authorization Management System for Terminal Servers (S)
A central identity and authorization management system SHOULD be used for the use of terminal servers.
SYS.1.9.A11 Secure Configuration of Profiles (S)
Users SHOULD NOT be able to change their specific settings (user profiles) in such a way that information security or the use of the terminal server is impaired. An appropriate maximum size SHOULD be defined for user profiles. When clusters of terminal servers are used, user profiles SHOULD be stored centrally.
SYS.1.9.A12 Automatic Termination of Inactive Sessions (S)
Inactive sessions on terminal servers SHOULD be terminated after a predefined period. The period during which a session may remain active at most SHOULD be defined depending on the respective user group. If a session is automatically terminated, those affected SHOULD be notified of this. When a session is terminated, the user SHOULD also be automatically logged off from the operating system of the terminal server, provided the session is not still required at the operating system level for ongoing applications.
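As an added example (not part of the building block), the following Python script evaluates constructed terminal server session records against group-specific disconnect limits in the sense of SYS.1.9.A12 and flags reconnects that arrive from a client address other than the one that opened the session, one indicator for the session takeover described under Inadequate Protection of Sessions on the Terminal Server. The log format, group names, limits and addresses are assumptions.

```python
"""Added example, not part of the BSI building block: check session records for
disconnected sessions that outlived their group's limit (SYS.1.9.A12) and for
reconnects from a different client address (a session-takeover indicator)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy: how long a disconnected session may stay logged in, per user group.
MAX_DISCONNECTED = {
    "admins": timedelta(minutes=10),
    "staff": timedelta(minutes=60),
}

# Constructed event log: timestamp, event, session id, user, group, client address.
SAMPLE_LOG = """\
2024-05-06T08:00:00 LOGON      s1 alice admins 10.1.1.10
2024-05-06T08:30:00 DISCONNECT s1 alice admins 10.1.1.10
2024-05-06T09:05:00 RECONNECT  s1 alice admins 10.9.9.9
2024-05-06T08:05:00 LOGON      s2 bob   staff  10.1.2.20
2024-05-06T08:50:00 DISCONNECT s2 bob   staff  10.1.2.20
2024-05-06T09:20:00 RECONNECT  s2 bob   staff  10.1.2.20
2024-05-06T09:30:00 LOGOFF     s2 bob   staff  10.1.2.20
2024-05-06T08:10:00 LOGON      s3 carol staff  10.1.3.30
2024-05-06T08:20:00 DISCONNECT s3 carol staff  10.1.3.30
"""

# Constructed evaluation time for the sample above.
NOW = datetime.fromisoformat("2024-05-06T10:00:00")


@dataclass
class Session:
    user: str
    group: str
    client: str                                   # address seen at initial logon
    disconnected_at: Optional[datetime] = None    # set while the session is disconnected
    logged_off: bool = False


def parse_log(text):
    """Yield (timestamp, event, session id, user, group, client) per log line."""
    for line in text.splitlines():
        ts, event, sid, user, group, client = line.split()
        yield datetime.fromisoformat(ts), event, sid, user, group, client


def evaluate(text, now):
    """Return a list of (session id, finding) tuples."""
    sessions = {}
    findings = []
    for ts, event, sid, user, group, client in sorted(parse_log(text)):
        if event == "LOGON":
            sessions[sid] = Session(user, group, client)
            continue
        s = sessions[sid]
        if event == "DISCONNECT":
            s.disconnected_at = ts
        elif event == "RECONNECT":
            limit = MAX_DISCONNECTED[s.group]
            # A12: the session should have been terminated before this reconnect.
            if s.disconnected_at and ts - s.disconnected_at > limit:
                findings.append((sid, "reconnect after disconnect limit exceeded"))
            # Takeover indicator: the session continues from another client address.
            if client != s.client:
                findings.append((sid, f"reconnect from different client {client}"))
            s.disconnected_at = None
        elif event == "LOGOFF":
            s.logged_off = True
    # Sessions still disconnected at 'now' beyond their limit should be terminated.
    for sid, s in sessions.items():
        if s.disconnected_at and not s.logged_off:
            if now - s.disconnected_at > MAX_DISCONNECTED[s.group]:
                findings.append((sid, "disconnected session should be terminated"))
    return findings


def run_sample():
    """Evaluate the constructed log at the constructed evaluation time."""
    return evaluate(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for sid, finding in run_sample():
        print(sid, finding)
```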
SYS.1.9.A13 Logging at Terminal Servers (S)
For terminal servers, a decision SHOULD be made as to which events should be transmitted to a central logging infrastructure (see OPS.1.1.5 Logging). At minimum, the following specific events at terminal servers SHOULD be logged:
- Connection of peripheral devices of accessing clients via the terminal server protocol,
- Actions on the terminal server by accessing clients that require elevated privileges, as well as
- Configuration changes affecting the terminal server service.
SYS.1.9.A14 Monitoring of the Terminal Server (S)
The terminal server SHOULD be centrally monitored. At minimum, the following parameters SHOULD be monitored:
- Resource utilization of the terminal server,
- Network interface utilization of the terminal server,
- Available and used bandwidth of connected clients, as well as
- Latency at connected clients, taking the respective requirements profiles into account.
For monitoring purposes, the respective threshold values SHOULD be determined in advance (baselining). These threshold values SHOULD be regularly reviewed and adjusted as necessary.
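As an added example (not the building block's own material), the following Python code derives threshold values for the parameters named in SYS.1.9.A6 and SYS.1.9.A14 from a baseline measurement period, caps them at the hard limits of a client's requirements profile, and checks a later measurement window against them. The profiles, the sample figures and the "mean plus three standard deviations" rule are constructed assumptions, not BSI specifications.

```python
"""Added example, not part of the BSI building block: baselining of latency,
jitter and packet loss thresholds for terminal server monitoring (SYS.1.9.A14)."""
import statistics

# Constructed requirements profiles: the most the provided application tolerates.
PROFILES = {
    "office": {"latency_ms": 150.0, "jitter_ms": 30.0, "loss_pct": 1.0},
    "cad":    {"latency_ms": 60.0,  "jitter_ms": 10.0, "loss_pct": 0.2},
}


def metrics(samples):
    """Derive latency, jitter and loss from (sequence number, round-trip ms) samples.
    Jitter is the mean absolute change between consecutive round-trip times;
    loss is the share of sequence numbers missing from the observed range."""
    rtts = [rtt for _, rtt in samples]
    seqs = [seq for seq, _ in samples]
    expected = max(seqs) - min(seqs) + 1
    deltas = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {
        "latency_ms": statistics.fmean(rtts),
        "jitter_ms": statistics.fmean(deltas) if deltas else 0.0,
        "loss_pct": 100.0 * (expected - len(seqs)) / expected,
    }


def baseline_thresholds(baseline_windows, profile, k=3.0):
    """Per parameter: mean + k * stdev over the baseline windows, capped at the
    profile's hard limit so an alert never fires later than the application
    can tolerate. A zero-variance baseline (e.g. no loss at all) yields a
    threshold of zero; that is one reason thresholds are reviewed and adjusted."""
    thresholds = {}
    for key in profile:
        values = [m[key] for m in baseline_windows]
        sd = statistics.pstdev(values)
        thresholds[key] = min(statistics.fmean(values) + k * sd, profile[key])
    return thresholds


def check(window, thresholds):
    """Return the parameters of one measurement window that exceed their threshold."""
    m = metrics(window)
    return sorted(key for key, value in m.items() if value > thresholds[key])


# Constructed baseline: three windows of (seq, rtt_ms) for one CAD workstation.
BASELINE = [
    [(1, 30), (2, 34), (3, 28), (4, 33), (5, 30)],
    [(6, 32), (7, 29), (8, 35), (9, 30), (10, 31)],
    [(11, 28), (12, 33), (13, 30), (14, 34), (15, 29)],
]
# Constructed current window: mean latency is unchanged, but seq 18 is missing
# and the round-trip times swing, so jitter and loss exceed the baseline.
CURRENT = [(16, 26), (17, 36), (19, 27), (20, 37), (21, 28)]


def run_sample():
    """Baseline the CAD profile and check the current window against it."""
    thresholds = baseline_thresholds([metrics(w) for w in BASELINE], PROFILES["cad"])
    return thresholds, check(CURRENT, thresholds)


if __name__ == "__main__":
    thresholds, exceeded = run_sample()
    print("thresholds:", thresholds)
    print("exceeded:", exceeded)
```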
SYS.1.9.A15 Hardening of the Terminal Server (S)
Unnecessary applications on the terminal server SHOULD be removed. If this is not possible, their execution SHOULD be prevented.
Access from a session to peripheral devices SHOULD be restricted to the required devices.
SYS.1.9.A16 Optimization of Compression (S)
The degree of compression in the transmission of data to and from the terminal server SHOULD be optimized according to the requirements of the respective application with regard to graphical quality. The requirements of the provided applications with regard to the accuracy of graphical elements, color fidelity, and the frame rate necessary for use SHOULD be taken into account.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the protection level corresponding to the state of the art. The proposals SHOULD be considered in the case of high protection needs. The specific determination is made within the framework of an individual risk analysis.
SYS.1.9.A17 Encryption of Transmission (H)
All communication between client and terminal server SHOULD be appropriately encrypted. Secure protocols in accordance with BSI TR-02102 SHOULD be used.
SYS.1.9.A18 Use of Thin Clients (H)
Physical thin clients SHOULD be used. ONLY thin clients that the company manufacturing the terminal client software has certified as compatible SHOULD be used.
SYS.1.9.A19 Extended Monitoring of the Terminal Server (H)
The terminal server SHOULD be continuously monitored for the occurrence of the events described in SYS.1.9.A13 Logging at Terminal Servers.
If a Security Information and Event Management (SIEM) system is used, the terminal server SHOULD be integrated into it. In the SIEM, the monitored events SHOULD be automatically analyzed for anomalies, including attack patterns.
The terminal server SHOULD be regularly checked for vulnerabilities.
SYS.1.9.A20 Separate Terminal Servers for Different Groups of Users or Business Processes (H)
Users of terminal servers SHOULD be grouped based on similar permissions and required applications. A terminal server SHOULD NOT be made available to multiple groups of users. If this is not possible, dedicated terminal servers per business process SHOULD be used.
SYS.1.9.A21 Use of High-Availability IT Systems (H)
The terminal server SHOULD be operated with high availability. To this end, the terminal server and its network connection SHOULD be designed redundantly. The terminal servers used SHOULD be operated in a cluster. Replacement devices SHOULD be kept available for the accessing clients.
SYS.1.9.A22 Prohibition of Transfer of Application Data Between Client and Terminal Server (H)
The transfer of application data between the client and the terminal server SHOULD be deactivated. The transfer of clipboard contents SHOULD also be deactivated.
Additional Information
Good to Know
The Federal Office for Information Security (BSI) provides guidance on the application of cryptographic procedures in the document “Cryptographic Mechanisms: Recommendations and Key Lengths: BSI TR-02102”.
The Federal Office for Information Security (BSI) provides guidance on the secure use of Application Delivery Controllers in the document “Recommendations for the Secure Use of Application Delivery Controllers (ADC)”.