PCI-DSS Compliance for RDP Connections

This is a common problem that you’ll see from PCI-DSS compliance audits for customers which process credit cards on their PC network. In many cases simply disabling external RDP access is the answer, but when external RDP access is required, here is the proper way to address the following two errors:

  • Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness (CVE-2005-1795)
  • Terminal Server Encryption Level is not FIPS-140 compliant

What I have seen other companies do is simply restrict RDP to a specifc set of WAN IP’s, which will appear solve the problem from the PCI audit report because they cannot access the RDP port open due to the firewall rules, however this is still a violation of PCI because the vulnerabilities still exist. The protocol needs to be properly secured, and the process is relatively simple.

1)      Create a self-signed SSL certificate (if one doesn’t already exist; of course a publicly signed SSL is better, but not needed for PCI compliance)

2)      Open Terminal Services Configuration

3)      Edit the properties of the RDP-Tcp  Connection

4)      Start from the bottom and work up

  1. Click Edit and add the self-signed SSL certificate
  2. Set the encryption level to FIPS compliant
  3. Click APPLY
  4. Set the Security layer to SSL (you will not see this as an option if the SSL cert is not configured and you haven’t applied the changes)
  5. Click APPLY again then OK

5)      Close all windows and all active RDP sessions

Simply have the PCI Compliance company run a new audit and you should be all set.

Wyse terminal running VNC

The majority of Wyse Thin Clients run a version of VNC to permit remote administrators to interact with the otherwise Thin operating system. This is important since traditional remote control tools such as RDP or perhaps a remote access too such as Kayesa or N-Able cannot install an agent.

You can perform a “shadow” operation while using the Wyse Device Manager (WDM), however the underlying access is VNC. All you need to know is the IP address and password. The following is the default passwords. Obviously, it should be on your priority list to change this:

1 series terminals (WTOS/Blazer) password or Password
3 Series terminals (Windows CE) password or Password
5 Series terminals (Linux) winterm, password or Password
8 Series terminals (Windows NTe) Administrator
9 Series terminals (Windows XPe) Wyse

RDP Multi-monitor support

dual lcd displaysBasic dual monitor support is available under the Remote Desktop Protocol / Terminal Services. You must be running the RDP Client v6 or higher. You must run the command from either the RUN or CMD line interfaces. For frequent use you could always create a batch script which you can run from the desktop.

command:> Mstsc /span

 

For more information, see: http://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=en

Powered by WordPress.com.

Up ↑