
PCI-DSS Compliance for RDP Connections


This is a common finding in PCI-DSS compliance scans of networks that process credit cards. In many cases simply disabling external RDP access is the answer, but when external RDP access is required, here is the proper way to address the following two findings:

  • Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness (CVE-2005-1795)
  • Terminal Server Encryption Level is not FIPS-140 compliant

What I have seen other companies do is simply restrict RDP to a specific set of WAN IPs. This appears to solve the problem on the PCI scan report, because the scanner can no longer reach the open RDP port through the firewall, but it is still a PCI violation: the weaknesses in the listener itself remain, and any host that can reach the port (an allowed WAN address, or anything on the inside of the firewall) still gets the downgradable, non-FIPS protocol. The protocol needs to be properly secured, and the process is relatively simple.

1)      Create a self-signed SSL (TLS) certificate if one doesn't already exist. A publicly signed certificate is better but not needed for PCI compliance. Note that a self-signed certificate only defeats the man-in-the-middle weakness if the connecting clients actually trust it, so export it and install it in the trusted store on the clients (or issue one from an internal CA) rather than training users to click through the certificate warning.

2)      Open Terminal Services Configuration

3)      Edit the properties of the RDP-Tcp  Connection

4)      On the General tab, start from the bottom and work up, because the Security layer option depends on the certificate and encryption level already being applied:

  1. Click Edit and select the self-signed SSL certificate
  2. Set the encryption level to FIPS Compliant (older RDP clients that cannot do FIPS-approved algorithms will no longer be able to connect)
  3. Click APPLY
  4. Set the Security layer to SSL (you will not see this as an option if the certificate is not configured and you haven't applied the changes)
  5. Click APPLY again, then OK

5)      Close all windows and disconnect or log off all active RDP sessions. Sessions that were established before the change keep negotiating with the old settings; only new connections pick up the SSL security layer and FIPS encryption level.
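The same five steps can be done without the GUI, which also gives you a repeatable check that the listener really ended up at FIPS + SSL. This is an added example and not part of the original post: it assumes Windows Server 2012 R2 or later (for New-SelfSignedCertificate), a listener named RDP-Tcp, that the certificate subject should be the host's FQDN, and that it is run from an elevated Windows PowerShell prompt. It writes the same values Terminal Services Configuration writes, via the Win32_TSGeneralSetting WMI class.

```powershell
# Added example (not from the original post). Assumptions: Server 2012 R2+,
# listener named 'RDP-Tcp', certificate subject = this host's FQDN, elevated shell.
$listener = 'RDP-Tcp'
$fqdn     = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName   # assumed client-facing name

# Step 1: reuse an existing certificate for this name, otherwise create a self-signed one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My
    # If TLS connections fail afterwards, grant NETWORK SERVICE read access to this
    # certificate's private key (certlm.msc > Manage Private Keys); the RDP service runs as it.
}

# Steps 2-3: open the RDP-Tcp listener settings (what Terminal Services Configuration edits).
$ns = 'root\cimv2\TerminalServices'
$ts = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='$listener'"
if (-not $ts) { throw "Listener $listener not found" }

# Step 4, bottom up. 4.1: bind the certificate by SHA-1 thumbprint (the GUI's Edit/Select button).
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4.2: encryption level. 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
if ($ts.SetEncryptionLevel(4).ReturnValue -ne 0) { throw 'SetEncryptionLevel(4) failed' }

# 4.4: security layer. 0 = RDP Security Layer (the weak one), 1 = Negotiate, 2 = SSL (TLS).
if ($ts.SetSecurityLayer(2).ReturnValue -ne 0)   { throw 'SetSecurityLayer(2) failed' }

# Check: re-read the listener and fail loudly if any of the three settings did not stick.
$ts = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='$listener'"
$ok = ($ts.MinEncryptionLevel -eq 4) -and
      ($ts.SecurityLayer -eq 2) -and
      ($ts.SSLCertificateSHA1Hash -eq $cert.Thumbprint)
if (-not $ok) {
    $state = $ts | Format-List MinEncryptionLevel, SecurityLayer, SSLCertificateSHA1Hash | Out-String
    throw "$listener is not at FIPS + SSL with the expected certificate:`n$state"
}
Write-Host "$listener configured: FIPS encryption level, SSL security layer, cert $($cert.Thumbprint)"

# Step 5: log off every existing RDP session so all connections renegotiate with the new
# settings. This includes the session running this script if it is itself an RDP session.
(query session) | ForEach-Object {
    if ($_ -match '(rdp-tcp#\d+)') { logoff $Matches[1] }
}
```

Before asking for the rescan, confirm the result from outside the box as the scanner will see it; nmap's `rdp-enum-encryption` NSE script (`nmap -p 3389 --script rdp-enum-encryption <host>`) lists the security layers and encryption levels the listener still accepts, and after this change it should no longer offer the plain RDP security layer or the non-FIPS levels.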

Then have the PCI compliance company run a new scan; both findings should be cleared.
