CSI software and Terminal Services


Important information

This document explains some potential security risks in using CSI with terminal services products. It is not an exhaustive list of all security risks. Please seek advice from a computer security expert before using CSI with your terminal services product.

The Tax Office gives no express or implied warranties (and to the full extent of the law excludes all statutory warranties) in relation to the recommendations in this document (including as to their performance or fitness for a particular purpose), and will not be liable in any way for any loss or damage (including special, indirect or consequential) arising from or in connection with those recommendations or their use or performance.


Using CSI with terminal services

CSI has been designed to operate securely with most popular Internet browsers, and some other applications, when installed and run on a single computer. However, it has not been designed to provide the same levels of security when operating with terminal services products.

Some common terminal services products are Microsoft Terminal Services, Citrix Metaframe, Citrix Presentation Server, Jetro CockpIT, Jetro BoostIT, Tarantella New Moon Canaveral IQ, Virtual Networking Computing (VnC), and DAT Panther server.

Even though CSI may function with a terminal services product, you should carefully consider potential security risks before deciding to use CSI with that product.


Determine if your system is using terminal services

To determine whether your system is using terminal services, download the terminal services tester program. Save the file to your desktop and double click to run.


Potential attacks and recommendations

Honey Pot attacks

Computers running a terminal services product contain the certificate stores for many, perhaps all, of the organisation's users. This creates a 'Honey Pot' where an attacker can gain access to many certificate stores.

The risk is greater if remote connections are enabled, especially if the remote connections use the Internet. In this situation an attacker may be able to access the honey pot from anywhere in the world.


How to reduce Honey Pot attacks
  • immediate installation of operating system and application security patches
  • minimising the number of applications on the computer
  • minimising the number of users who can log into the computer
  • limiting physical access to the computer
  • limiting administrative access to the computer to only trusted personnel
  • automatically recording the computer's activities
  • frequently reviewing recorded activities to check for inappropriate use, and
  • installation and active use of firewall, virus checking and malware scanning software.

If remote connections are required you should consider using a Virtual Private Network (VPN), configured so users are authenticated with cryptographic tokens/keys rather than weaker methods e.g. username and password authentication.


Man in the Middle attacks

Man in the middle attacks involve an attacker gaining access to information sent between two computers using impersonation.

The attacker makes the source computer believe they are the destination computer and vice versa. This allows the attacker to access, and change, all the information sent between the two computers without you knowing.

When you use CSI with terminal services an attacker can potentially access and change information you send. The attacker may also gain access to passwords used to restrict access to certificates held within the certificate store.

This gives them the ability to impersonate you and fraudulently conduct business on your behalf. 


How to reduce Man in the Middle attacks

To reduce the likelihood of your computer (running the terminal services product) being impersonated by an attacker, consider configuring Secure Sockets Layer (SSL) with at least 1024 bit asymmetric keys and 3DES or AES encryption. This allows your computer to be more securely authenticated by other computers.


Snooping

Snooping is similar to man in the middle attacks; however the attacker does not need to use impersonation. If an attacker can gain access to your computer network, either physically or through the use of applications, they may be able to listen to information as it travels through your network.

When you use CSI with terminal services every image displayed on the computer screen and every key typed on the keyboard (including your password) is sent across the computer network to the computer running the terminal services product. In a similar way to man in the middle attacks this may allow the attacker to access your password and the information you send.

This gives them the ability to impersonate you and fraudulently conduct business on your behalf.


How to reduce snooping threats

You should consider configuring Secure Sockets Layer (SSL) with at least 1024 bit asymmetric keys and 3DES or AES encryption. In this situation, configuring SSL allows information sent to and from the computer running the terminal services product to be encrypted, reducing the risk of an attacker being able to read the information that is sent across the computer network.


Shared access attacks

Many terminal services products allow for a configuration where all users access the computer running the terminal services product with the same user profile. This causes all users to have the same settings and home directory.

When you use CSI with terminal services all users will be able to see and access all certificates. This is due to the certificate store being kept in the home directory.


How to reduce shared access attacks

We recommend configuring your terminal services product so each user has their own private home directory and user profile.