Meeting CobIT Control Objectives with Microsoft Terminal Services

Last Update 05-05-2010
Authors: 
Roddy Rodstein, CISSP, CEH, MCSE, CCA
Joe Szelong
roddy.rodstein@itnewscast.com
This article contains information protected by copyright. This article may not be duplicated in any way without the express written consent of the publisher, except in the form of brief excerpts or quotations for the purpose of review. The information contained herein is for the personal use of the reader and may not be incorporated in any commercial programs, other books, databases, or any kind of software without the written consent of the publisher. Making copies of this article or any portion for any purpose other than your own is a violation of United States copyright laws.
Warning and Disclaimer
Every effort has been made to make this article as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this article. The information found in this document was gathered from many different sources in the computing world. It is provided for informational purposes only. Use common sense in applying these concepts and tips. 
 
© 2008 Roddy Rodstein
http://itnewscast.com
All rights reserved.
Trademarks
Trademarked names appear throughout this article.  Rather than listing the names and entities that own the trademarks or include a trademark symbol with each mention of the trademark name, the publisher states that he is using the name for editorial purposes only and to the benefit of the trademark owner, with no intention of infringing upon that trademark.
Table of Contents:
Meeting CobIT 4.1 Control Objectives with Microsoft Terminal Services
Detailed responses to CobIT audit points
Planning and Organization
PO4.6 Roles and Responsibilities
PO4.11 Segregation of Duties
Response to PO4.6 and PO4.11
PO6 Communicate Management Aims and Direction
PO6.2 Enterprise IT Risk and Internal Control Framework
Response to PO6.2
PO7 Manage IT Human Resources
PO7.4 Personnel Training
Response to PO7.4
Acquisition and Implementation
AI1 Identify Automated Solutions
AI1.1 Definition and Maintenance of Business Functional and Technical Requirements
AI1.2 Risk Analysis Report
Response to AI1.1 and AI1.2
AI2 Acquire and Maintain Application Software
AI2.3 Application Control and Auditability
AI2.4 Application Security and Availability
Response to AI2.3 and AI2.4
AI3 Acquire and Maintain Technology Infrastructure
AI3.1 Technological Infrastructure Acquisition Plan
AI3.2 Infrastructure Resource Protection and Availability
AI3.3 Infrastructure Maintenance
AI6.1 Change Standards and Procedures
AI7.3 Implementation Plan
Response to AI3.1, AI3.2, AI3.3, AI6.1, and AI7.3
AI7 Install and Accredit Solutions and Changes
AI7.1 Training
Response to AI7.1
AI7.11 Recording and Tracking of Changes
Response to AI7.11
AI6.5 Change Closure and Documentation
AI7.9 Software Release
AI7.10 System Distribution
Response to AI6.5, AI7.9, and AI7.10
Delivery and Support
DS4 Ensure Continuous Service
DS4.3 Critical IT Resources
DS4.8 IT Services Recovery and Resumption
DS4.9 Offsite Backup Storage
Response to DS4.3, DS4.8, and DS4.9
DS5 Ensure Systems Security
DS5.3 Identity Management
Response to DS5.3
DS5.4 User Account Management
DS5.5 Security Testing, Surveillance and Monitoring
Response to DS5.4 and DS5.5
DS5.9 Malicious Software Prevention, Detection and Correction
Response to DS5.9
DS5.10 Network Security
Response to DS5.10
DS5.11 Exchange of Sensitive Data
Response to DS5.11
DS6 Identify and Allocate Costs
DS6.2 IT Accounting
DS6.3 Cost Modelling and Charging
DS6.4 Cost Model Maintenance
Response to DS6.2, DS6.3 and DS6.4
DS8 Manage Service Desk and Incidents
DS8.1 Service Desk
Response to DS8.1
DS9 Manage the Configuration
DS9.1 Configuration Repository and Baseline
Response DS9.1
DS9.3 Configuration Integrity Review
Response to DS9.3
DS11 Manage Data
DS11.4 Disposal
Response to DS11.4
DS11.2 Storage and Retention Arrangements
DS11.5 Backup and Restoration
Response to DS11.2 and DS11.5
Monitor and Evaluate
ME2.4 Control Self-assessment
Response to ME2.4
 
 
This article introduces how Microsoft Terminal Services can help organizations of any size meet regulatory mandates by following the CobIT methodology. CobIT, which auditors widely use as the control framework for Sarbanes-Oxley compliance work, provides 215 control objectives in four high-level domains. This article highlights how 52 of those control objectives are met by using Microsoft Terminal Services and the server based computing model.
 
CobIT is a mature control framework, first released in 1996 by the Information Systems Audit and Control Association (ISACA). Since then it has evolved through a second edition in 1998, a third in 2000, and a fourth edition in November 2005. CobIT is maintained by the IT Governance Institute (ITGI) and ISACA. ISACA describes CobIT as a "framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks" (ref: ISACA). CobIT has become the de facto standard for auditors and Sarbanes-Oxley compliance, which has significantly increased its visibility and use. CobIT has been widely mapped against the "big three" standards: COSO, ITIL and ISO 17799.
 
CobIT is comprised of six documents. List 1.2 shows the six documents:
 
From a structural perspective CobIT consists of a set of 215 Control Objectives for information technology, intended to enable auditing. The Control Objectives are guidance, in that they describe what should be accomplished.
 
The inherent compliance advantages of Terminal Services stem from the server based computing model, which allows centralized provisioning, operation and management of the entire Windows application and desktop environment from the data center. Access to information systems is provided by a single piece of client software, the Remote Desktop Connection (RDC) client, which is available for a range of client hardware and operating systems. With Terminal Services, all applications and Windows desktops are centrally managed in the data center. This also allows the centralization of security and regulatory compliance policies such as segregation of duties, authentication and access control, patch management, change management, virus scanning, data retention, access and transaction auditing, and business continuity. By leveraging Terminal Services' centralized management capabilities, organizations can simplify access controls and system auditing for employees as well as business partners.
 
Auditing corporate information systems for Sarbanes-Oxley compliance can be an overwhelming task, due in part to the lack of a definitive Sarbanes-Oxley compliance road map. Organizations turn to third-party auditors, who typically uncover deficiencies in the areas of segregation of duties, change control, and strong password policy enforcement.
 
As with information security, compliance is not a one-time event. Ongoing testing of existing controls must occur yearly and modifications will require additional testing and validation. The consensus is that the scope of audits as well as the expectation of controls will continue to increase. 
 
The current emphasis on audits is baseline security as it pertains to access control, identity management, and audit level visibility of user interactions with corporate systems. Subsequent audits will likely explore the need for a stronger identity management supporting non-repudiation of executive signoffs of financial statements and internal approvals of transactions within the scope of Sarbanes-Oxley Act section 302 and 404. 
Detailed responses to CobIT audit points
These next sections will highlight the high-level control objectives that a Terminal Services environment addresses within the 4 high level domains:
Planning and Organization
PO4 Define the IT Processes, Organisation and Relationships
Referenced from CobIT 4.0 Audit Points
 
PO4.6 Roles and Responsibilities
Define and communicate roles and responsibilities for all personnel in the organisation in relation to information systems to allow sufficient authority to exercise the role and responsibility assigned to them. Create role descriptions and update them regularly.
These descriptions delineate both authority and responsibility, include definitions of skills and experience needed in the relevant position, and are suitable for use in performance evaluation. Role descriptions should contain the responsibility for internal control.
PO4.11 Segregation of Duties
Implement a division of roles and responsibilities that reduces the possibility for a single individual to subvert a critical process. Management also makes sure that personnel are performing only authorized duties relevant to their respective jobs and positions.
 
Response to PO4.6 and PO4.11
After roles and responsibilities are defined, the systematic enforcement of segregation of duties as they apply to the access to material applications and information may be implemented with a unified identity management system that is integrated with an automated provisioning system that generates the appropriate entitlements. Metadata representing roles and responsibilities should be incorporated into the identity management system. The provisioning and de-provisioning of user accounts and access to on-line content should be driven by real time events (e.g. employee hire or discharge) that trigger the execution of business rules operating off the metadata. These business rules generate the appropriate accounts and entitlements for each particular user.
 
If entitlements are driven by policies implemented in business rules within the provisioning system, a greater sense of control can be assumed since these rules can be tested with a high level of confidence for compliance to stated policies. A business rules based provisioning system eliminates the possibility for human error in the control of provisioning.
 
Terminal Services provides a single point of access to any Windows application or an entire Windows desktop environment in a secure and controlled manner. Unlike traditional access methods such as VPNs, which provide a layer 3 tunnel to resources, Terminal Services mediates every session at the server: a user's entitlements are determined by the Active Directory account, its group memberships (including membership of the Remote Desktop Users group on each terminal server, which grants the right to log on through Terminal Services) and Group Policy, together with centralized user profiles, regardless of which client device initiated the connection.
 
Each user profile, containing application and desktop parameters, is loaded during logon to a Terminal Services session. When Terminal Services is used as the single entry point to all applications and desktops, a detailed picture of every user's entitlements can be extracted from Active Directory and tested for conflicts related to segregation of duties.
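The entitlement review described above, worked through as an added example (this is not code from the original article): it enumerates the Active Directory groups held by every user who can log on to the Terminal Servers and flags users who hold a "toxic" combination. It assumes that role entitlements are expressed as AD security groups, that a hypothetical domain group named TS-Users is the group placed in each terminal server's local Remote Desktop Users group, and that the group names and conflict pairs are placeholders for the organization's own role matrix. The sample membership data is constructed so the check runs without a domain.

```powershell
# Added example (not from the original article): enumerate the entitlements of every
# user who can log on to the Terminal Servers and flag segregation-of-duties conflicts.
# Assumptions: role entitlements are Active Directory security groups; the hypothetical
# domain group 'TS-Users' is the one placed in each server's local Remote Desktop Users
# group; the group names and "toxic" pairs below are placeholders for the real role matrix.

# Constructed sample data (user -> groups) so the check runs without a domain.
$sampleMembership = @{
    'alice' = @('TS-Users', 'GL-Journal-Entry', 'GL-Journal-Approve')
    'bob'   = @('TS-Users', 'AP-Vendor-Maintain')
    'carol' = @('TS-Users', 'AP-Vendor-Maintain', 'AP-Payment-Release')
    'dave'  = @('TS-Users', 'Developers', 'ERP-Prod-Write')
}

# Hypothetical toxic combinations: one person holding both groups can subvert a control.
$conflictMatrix = @(
    @{ Name = 'Posts and approves own journals';     Groups = @('GL-Journal-Entry', 'GL-Journal-Approve') }
    @{ Name = 'Creates vendor and releases payment'; Groups = @('AP-Vendor-Maintain', 'AP-Payment-Release') }
    @{ Name = 'Developer with production write';     Groups = @('Developers', 'ERP-Prod-Write') }
)

function Get-TSUserMembership {
    # Live variant: build the same user -> groups map from Active Directory.
    # Requires the ActiveDirectory module (RSAT) and read access to group membership.
    param([string]$LogonGroup = 'TS-Users')
    Import-Module ActiveDirectory
    $map = @{}
    $users = Get-ADGroupMember -Identity $LogonGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($u in $users) {
        $map[$u.SamAccountName] = @(
            Get-ADPrincipalGroupMembership -Identity $u.SamAccountName |
                Select-Object -ExpandProperty Name
        )
    }
    return $map
}

function Find-SodConflict {
    param([hashtable]$Membership, [array]$Matrix)
    foreach ($user in ($Membership.Keys | Sort-Object)) {
        $groups = $Membership[$user]
        foreach ($rule in $Matrix) {
            # A conflict exists only when the user holds every group named in the rule.
            $missing = @($rule.Groups | Where-Object { $groups -notcontains $_ })
            if ($missing.Count -eq 0) {
                New-Object PSObject -Property @{
                    User     = $user
                    Conflict = $rule.Name
                    Groups   = ($rule.Groups -join ' + ')
                }
            }
        }
    }
}

# Run against the constructed sample; substitute (Get-TSUserMembership) for a live domain.
Find-SodConflict -Membership $sampleMembership -Matrix $conflictMatrix |
    Format-Table User, Conflict, Groups -AutoSize
```

Because Get-ADGroupMember is called with -Recursive and Get-ADPrincipalGroupMembership returns direct memberships, a user who inherits a role through a nested group is found for logon purposes but may not show that nested role; for a full review, resolve nested groups the same way on the entitlement side.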
 
Other security benefits are outlined under responses to specific control objectives.
 
In summary, Terminal Services allows the consistent enforcement of controls PO4.6 and PO4.11 in the following ways:
·        Provides a single entry point for users of all financially significant systems on the corporate network.
PO6 Communicate Management Aims and Direction
Referenced from CobIT Audit Points
PO6.2 Enterprise IT Risk and Internal Control Framework
Develop and maintain a framework that establishes the enterprise’s overall approach to risks and internal control to deliver value while protecting IT resources and systems. The framework should be integrated with the IT process framework and the quality management system, and comply with overall business objectives. It should be aimed at maximising success of value delivery while minimising risks to information assets through preventive measures, timely identification of irregularities, limitation of losses and timely recovery of business assets.
Response to PO6.2
The use of Terminal Services for access to corporate systems is an approach that can minimize the risks associated with providing users access to financially significant systems. As described in the response to PO4.6 and PO4.11, the Terminal Services approach reduces the number of connection methods to the corporate network and information systems. Utilizing Terminal Services provides the following security benefits while reducing the complexity of the infrastructure and reducing overall user support costs:
·        Audit level visibility and traceability of user behavior;
·        Support for biometric authentication for non-repudiation;
·        Reduced security patch management for desktops and laptops;
·        Centralized deployment of Windows applications and desktops in the data center;
·        Centralized storage of user profiles and data for back up and retention.
 
Inherent in the design of the server based computing model is the simplification of the access infrastructure to support both internal and remote access to corporate resources.
PO7 Manage IT Human Resources 
Referenced from CobIT Audit Points
PO7.4 Personnel Training
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organisational goals.
Response to PO7.4 
Since Terminal Services centrally deploys and manages applications and desktops, the burden placed on the user for security tasks is reduced. Routine security practices such as virus scans, patches and updates can be managed in the data center. Users may be provisioned with thin client devices with a minimum of local functionality (no local drives, no local web browser, no chat applications), thereby reducing the opportunity for users to cause security breaches.
 
Local machines may be "locked down" with respect to saving and printing data locally, for example by disabling drive, printer and clipboard redirection for the Terminal Services session, thereby reducing the probability of intentional or unintentional mishandling of confidential, private or proprietary information. By reducing the inherent risks of client PCs, management can focus user education on fewer issues.
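The lockdown of local drives, printers and clipboard described above, as an added example that is not part of the original article: the script audits, and optionally applies, the Terminal Services device-redirection and connection-security policy on one server by writing the registry values that the corresponding Group Policy settings write. In a domain these settings belong in a GPO (Computer Configuration, Administrative Templates, Windows Components, Terminal Services); the script is for standalone servers and for verifying that policy actually took effect. It assumes Windows Server 2008 or later and an elevated session; the desired values are the editor's choice, not the article's.

```powershell
# Added example (not from the original article): audit and apply the Terminal Services
# lockdown by writing the same registry values the Group Policy settings write.
# Assumption: run elevated on Windows Server 2008 or later.

$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Desired state. Value names are the policy registry values behind the GPO settings;
# 1 on the fDisable* values means the redirection is turned off for every session.
$desired = @{
    fDisableCdm        = 1   # Do not allow drive redirection
    fDisableCpm        = 1   # Do not allow client printer redirection
    fDisableClip       = 1   # Do not allow clipboard redirection
    fDisableCcm        = 1   # Do not allow COM port redirection
    fDisableLPT        = 1   # Do not allow LPT port redirection
    fDisablePNPRedir   = 1   # Do not allow supported Plug and Play device redirection
    fPromptForPassword = 1   # Always prompt for password upon connection
    UserAuthentication = 1   # Require Network Level Authentication for remote connections
    MinEncryptionLevel = 3   # Client connection encryption level: High
}

function Test-TSLockdown {
    # Returns one row per setting with the current value and whether it matches.
    param([string]$Path = $tsPolicy, [hashtable]$Expected = $desired)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $current = $null
        if (Test-Path $Path) {
            $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        }
        New-Object PSObject -Property @{
            Setting   = $name
            Expected  = $Expected[$name]
            Current   = $current
            Compliant = ($current -eq $Expected[$name])
        }
    }
}

function Set-TSLockdown {
    # Applies every non-compliant setting; takes effect for new sessions.
    param([string]$Path = $tsPolicy, [hashtable]$Expected = $desired)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $rows = Test-TSLockdown -Path $Path -Expected $Expected | Where-Object { -not $_.Compliant }
    foreach ($row in $rows) {
        Set-ItemProperty -Path $Path -Name $row.Setting -Value $row.Expected -Type DWord
        "set $($row.Setting) = $($row.Expected)"
    }
}

# Report first; apply only after change approval (uncomment the second line).
Test-TSLockdown | Format-Table Setting, Expected, Current, Compliant -AutoSize
# Set-TSLockdown
```

Run Test-TSLockdown as part of the periodic configuration integrity review: a value that drifts from the expected state on a domain-joined server usually means the GPO is not applying, which is itself a finding.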
Acquisition and Implementation
AI1 Identify Automated Solutions
Referenced from CobIT Audit Points
AI1.1 Definition and Maintenance of Business Functional and Technical Requirements
Identify, prioritise, specify and agree business functional and technical requirements covering the full scope of all initiatives required to achieve the expected outcomes of the IT-enabled investment programme. Define the criteria for acceptance of the requirements.
These initiatives should include any changes required to the nature of the enterprise’s business, business processes, people skills and competencies, organisation structure, and the enabling technology.
 
Requirements take into account the business functional needs, the enterprise’s technological direction, performance, cost, reliability, compatibility, auditability, security, availability and continuity, ergonomics, usability, safety and legislation. Establish processes to ensure and manage the integrity, accuracy and currency of business requirements as a basis for control of ongoing system acquisition and development. The business sponsor should own these requirements.
 
AI1.2 Risk Analysis Report
Identify, document and analyse risks associated with the business processes as part of the organisation’s process for the development of requirements. Risks include threats to data integrity, security, availability, privacy, and compliance with laws and regulations.
Required internal control measures and audit trails should be identified as part of these requirements.
Response to AI1.1 and AI1.2
Terminal Services, by design, simplifies user access to information systems while increasing security. Terminal Services also contributes to reduced security costs by consolidating client applications from edge PCs into the data center. Terminal Services reduces the cost of access, security, and desktop support in the following ways:
·        Terminal Services provides a single application running on the client hardware to access all corporate resources, eliminating the need to provision legacy client applications on the desktop, thereby reducing desktop software management costs.
·        Since client applications are provisioned and run from a datacenter: updates and security patches can be deployed centrally, rather than pushed to PCs, thereby reducing bandwidth costs and desktop management resources.
·        Requirements to upgrade PCs to the newest hardware platform, operating system, or minimum memory to run the latest client or security/access applications can be deferred since these upgrades can be made at the data center. Multiple users can share the resources of a single server running the client application, thereby allowing the deferment of field costs for hardware upgrades, application provisioning and testing, and offering the organization a much better TCO and the ability to control the timing of these costs.
·        Client application and user data is stored in the data center, where backups are more easily executed thereby reducing the cost of backup and recovery and mitigating the risks associated with data loss.
·        Web browser applications and mail clients, which represent the greatest risk of viruses, Trojan horses and spyware, are provisioned in the data center, where security controls such as virus scanners and patching run on a regular schedule, keeping those programs clean and reducing both the risk of infection and the cost of recovering systems and data at client workstations and desktops.
·        New applications or upgrades are provisioned, installed and tested in the data center on known, standardized server configurations, thereby reducing the number of permutations and security liabilities that require testing and verification on client workstations and desktops.
 
AI2 Acquire and Maintain Application Software
Referenced from CobIT Audit Points
AI2.3 Application Control and Auditability
Ensure that business controls are properly translated into application controls such that processing is accurate, complete, timely, authorised and auditable. Issues to consider especially are authorisation mechanisms, information integrity, access control, backup and design of audit trails.
AI2.4 Application Security and Availability
Address application security and availability requirements in response to identified risks, in line with data classification, the organisation’s information security architecture and risk profile. Issues to consider include access rights and privilege management, protection of sensitive information at all stages, authentication and transaction integrity, and automatic recovery.
Response to AI2.3 and AI2.4
Not all applications, especially legacy applications that might be considered financially significant under Sarbanes-Oxley, have the necessary application controls to enforce segregation of duties. By accessing these applications through Terminal Services, user access can be regulated through an authentication and authorization system as described in the response to PO4.6 and PO4.11. Further control over the user's actions with the information presented in the application can be implemented as follows:
AI3 Acquire and Maintain Technology Infrastructure
Referenced from CobIT Audit Points
AI3.1 Technological Infrastructure Acquisition Plan
Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organisation’s technology direction. The plan should consider future flexibility for capacity additions, transition costs, technical risks and the lifetime of the investment for technology upgrades. Assess the complexity costs and the commercial viability of the vendor and product when adding new technical capability.
AI3.2 Infrastructure Resource Protection and Availability
Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
AI3.3 Infrastructure Maintenance
Develop a strategy and plan for infrastructure maintenance and ensure that changes are controlled in line with the organisation’s change management procedure. Include periodic review against business needs, patch management and upgrade strategies, risks, vulnerabilities assessment and security requirements.
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
AI7.3 Implementation Plan
Establish an implementation plan and obtain approval from relevant parties. The plan defines release design, build of release packages, rollout procedures/installation, incident handling, distribution controls (including tools), storage of software, review of the release and documentation of changes. The plan should also include fallback/backout arrangements.
 
Response to AI3.1, AI3.2, AI3.3, AI6.1, and AI7.3
As described in the response to PO4.6 and PO4.11, Terminal Services can simplify the enforcement of segregation of duties across the development lifecycle. The appropriate entitlements for a developer versus a production user are implemented through Active Directory group membership and Group Policy and applied to the user's Terminal Services session at logon. Potential conflicts with roles and responsibilities can be determined by inspection of group memberships and profiles in the Active Directory database. Developers may be provisioned with read-only rather than write access to certain systems. 

Terminal Services also provides the capability (Remote Control, commonly called shadowing) for a developer to view or interact with a production user's session in a support mode, allowing the developer to assist a legitimate user of a material system with debugging or completing a business transaction without the developer holding a production account. The Group Policy setting that governs remote control should be configured to require the user's permission before a session is shadowed, so that the production user remains aware of, and accountable for, what is done in the session.

The logon and logoff of every Terminal Services session is written to the Windows Security log, and access to files and registry keys during the session can be audited when the corresponding audit policy is enabled. The Security log does not capture every keystroke or transaction inside an application; application-level audit trails are still required for that level of detail. 
AI7 Install and Accredit Solutions and Changes
Referenced from CobIT Audit Points
AI7.1 Training
Train the staff of the affected user departments and the operations group of the IT function in accordance with the defined training and implementation plan and associated materials, as part of every information systems development, implementation or modification project.
Response to AI7.1
Terminal Services provides collaboration capabilities for group presentations and labs allowing multiple IT support personnel from remote locations to participate in distance learning activities via Terminal Services session sharing.
 
Referenced from CobIT Audit Points
AI7.11 Recording and Tracking of Changes
Automate the system used to monitor changes to application systems to support the recording and tracking of changes made to applications, procedures, processes, system and service parameters, and the underlying platforms.
Response to AI7.11
The entitlement and shadowing mechanisms described in the response to AI3.1, AI3.2, AI3.3, AI6.1 and AI7.3 apply here as well: developer versus production entitlements live in Active Directory group membership and Group Policy, so conflicts can be found by inspecting Active Directory rather than individual PCs, and developers can assist production users through Terminal Services Remote Control (shadowing) without holding production accounts.

For recording and tracking, the logon, logoff, disconnect and reconnect of every Terminal Services session is written to the Windows event logs and can be tied to the Active Directory account that performed a change. Object access auditing can be enabled on the directories holding application binaries and configuration so that changes to the underlying platform are recorded as well; changes made inside an application still need the application's own audit trail. 
 
Referenced from CobIT Audit Points
AI6.5 Change Closure and Documentation
Whenever system changes are implemented, update the associated system and user documentation and procedures accordingly. Establish a review process to ensure complete implementation of changes.
AI7.9 Software Release
Ensure that the release of software is governed by formal procedures ensuring sign-off, packaging, regression testing, distribution, handover, status tracking, backout procedures and user notification.
AI7.10 System Distribution
Establish control procedures to ensure timely and correct distribution and update of approved configuration items. This involves integrity controls; segregation of duties among those who build, test and operate; and adequate audit trails of all actions.
Response to AI6.5, AI7.9, and AI7.10
Since applications and desktops are centrally managed on Terminal Servers in the data center, update and patch management is greatly simplified in contrast to a distributed computing model, where applications are managed on each PC and PCs may be geographically dispersed. Terminal Services addresses a significant challenge in managing desktop applications where client machines are unmanaged: it removes the risk of updates failing on PCs that are off-line, PCs with faulty software distribution clients, or users who simply refuse to run updates.

Since the desktop applications are deployed in the data center, a complete enterprise application can be refreshed with an update in a matter of hours. An IT organization can verify compliance within a specified timeframe since all desktop applications are within its physical control, and the same central control makes it straightforward to test the update on one server first and back it out if it fails.
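A controlled release to a single Terminal Server, as an added example that is not part of the original article: it drains the server of new sessions, waits for existing sessions to end, switches the server to install mode so that the installer's per-user settings apply to all users, records each step to a log for the release record, and always returns the server to execute mode and re-enables logons, backing out if users are still active. It assumes Windows Server 2008 or later (for change logon /drain), an elevated session on the terminal server itself, and placeholder values for the installer path, arguments and log file.

```powershell
# Added example (not from the original article): controlled release of an application
# update to one Terminal Server with drain, install mode, logging and back-out.
# Assumptions: Windows Server 2008+, run elevated on the server from the console or a
# non-RDP channel (an RDP admin session would itself count as active); $InstallerPath,
# $InstallerArgs and $LogPath are placeholders for the approved release package.

function Invoke-TSRelease {
    param(
        [Parameter(Mandatory = $true)][string]$InstallerPath,
        [string]$InstallerArgs = '/quiet /norestart',
        [string]$LogPath = "$env:SystemRoot\Temp\ts-release.log",
        [int]$DrainTimeoutMinutes = 30
    )
    function Log([string]$msg) { "$(Get-Date -Format s) $env:COMPUTERNAME $msg" | Add-Content -Path $LogPath }
    Log "release start: $InstallerPath $InstallerArgs"

    # 1. Stop accepting new sessions but let existing ones finish their work.
    & change logon /drain | Out-Null
    Log 'logons drained'

    # 2. Wait for active user sessions to end ('query session' lists them); never
    #    install while users are running the application.
    $deadline = (Get-Date).AddMinutes($DrainTimeoutMinutes)
    do {
        $active = @(& query session | Select-String -Pattern '\sActive\s' |
                    Where-Object { $_.Line -notmatch '^\s*>?\s*console\b' })
        if ($active.Count -gt 0) { Start-Sleep -Seconds 60 }
    } while ($active.Count -gt 0 -and (Get-Date) -lt $deadline)

    if ($active.Count -gt 0) {
        # Back out: reopen the server and report, rather than forcing users off.
        & change logon /enable | Out-Null
        Log "release aborted: $($active.Count) session(s) still active after $DrainTimeoutMinutes min"
        throw 'active sessions remain; release aborted'
    }

    # 3. Install mode makes per-user registry/INI writes by the installer apply to all users.
    & change user /install | Out-Null
    Log 'install mode on'
    try {
        $p = Start-Process -FilePath $InstallerPath -ArgumentList $InstallerArgs -Wait -PassThru
        Log "installer exit code $($p.ExitCode)"
        # 0 = success, 3010 = success but reboot required
        if (@(0, 3010) -notcontains $p.ExitCode) { throw "installer failed with exit code $($p.ExitCode)" }
    }
    finally {
        # 4. Always return to execute mode and reopen the server, even when the install failed.
        & change user /execute | Out-Null
        & change logon /enable | Out-Null
        Log 'execute mode on, logons enabled'
    }
}

# Invoke-TSRelease -InstallerPath 'C:\Releases\ERPClient-9.2\setup.exe' -InstallerArgs '/quiet /norestart'
```

Run it on one server of the farm first and have the business owner sign off on the result before repeating it on the rest; the log file, together with the session events from the Security log, is the audit trail that AI7.10 asks for.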
Delivery and Support
DS4 Ensure Continuous Service
Referenced from CobIT Audit Points
DS4.3 Critical IT Resources
Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less critical items and ensure response and recovery in line with prioritised business needs, while ensuring that costs are kept at an acceptable level and complying with regulatory and contractual requirements. Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.
DS4.8 IT Services Recovery and Resumption
Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, resumption procedures, etc. Ensure the business understands IT recovery times and the necessary technology investments to support business recovery and resumption needs.
 
DS4.9 Offsite Backup Storage
Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Content of backup storage needs to be determined in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond to the data classification policy and the enterprise’s media storage practices. IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Ensure compatibility of hardware and software to restore archived data and periodically test and refresh archived data.
 
Response to DS4.3, DS4.8, and DS4.9
Terminal Services enhances disaster recovery by providing services from the backup data center without requiring client reconfiguration, provided the terminal servers, user profiles and data have been replicated to the backup site and the name that clients connect to (for example a DNS record or a TS Session Broker farm name) is repointed during failover. If the primary data center is down, users still have access to all applications remotely. Users can still access their mail, desktop productivity tools and corporate applications remotely (outside of the facility) from any available terminal, securely and with satisfactory performance.

Since desktop applications are installed centrally in a data center (assuming the data center has redundancy as well), all user data is also stored on the data center storage facilities, thereby ensuring that home folders and the like are also backed up and accessible when necessary.

Terminal Services goes beyond data backup of corporate information by providing the business with Terminal Services delivered desktops that are not physically tied to a particular location.
DS5 Ensure Systems Security
Referenced from CobIT Audit Points
DS5.3 Identity Management
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements. User access rights are requested by user management, approved by system owner and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access rights.
Response to DS5.3
Not all N-tier web applications that might be considered material under Sarbanes-Oxley have the necessary application controls. By controlling access to these applications via Terminal Services, user access can be regulated through an authentication and authorization system as described in the responses to PO4.6 and PO4.11 and to DS5.4 and DS5.5. Further control over the user's actions with the information presented in the application can be implemented as follows:
 
Referenced from CobIT Audit Points
DS5.4 User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included. These procedures should apply for all users, including administrators (privileged users), internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
DS5.5 Security Testing, Surveillance and Monitoring
Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed. Access to the logging information is in line with business requirements in terms of access rights and retention requirements.
Response to DS5.4 and DS5.5
After procedures are defined, the systematic provisioning of resources may be implemented with a unified identity management system that is integrated with an automated provisioning system that generates the appropriate accounts. The provisioning and de-provisioning of user accounts and access to on-line content should be driven by real time events (e.g. employee hire or discharge) from the system of record i.e. HR application.
 
Terminal Services provides a single point of access to legacy applications, web-based applications and on-line content in a secure manner. Unlike traditional access methods such as a VPN, which provides a layer 3 tunnel to resources, Terminal Services unifies the access of all entitlements to Windows applications and desktops configured via Active Directory for each user.
 
Each user profile, which contains the listing of application and desktop parameters, is invoked at the time of log-in to the Terminal Services session. If Terminal Services is used as the single entry point for corporate systems, a complete picture of all entitlements may be extracted in the profile to inspect for conflict in duties.
 
In summary, Terminal Services enables the consistent enforcement of controls in the following ways:
 
Since Terminal Services offers a single point of access to the corporate systems, all user actions while on-line can be logged and tied to the Windows credentials for auditing purposes. Applications that require a higher degree of scrutiny can be isolated in their own application silo, and the auditing controls can be turned up to the highest resolution without affecting the performance of the other applications.
 
Referenced from CobIT Audit Points
DS5.9 Malicious Software Prevention, Detection and Correction
Ensure that preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (viruses, worms, spyware, spam, internally developed fraudulent software, etc.).
Response to DS5.9
Terminal Services deploys applications within the data center which makes it simpler and more cost effective to enforce security patches to applications that provide a point of infection such as mail, web browsers, and instant messaging. Terminal Services with Active Directory provides a means to proactively implement preventive measures to applications which are in the physical control of the IT staff. This level of control cannot be duplicated with applications that are run on client machines in remote locations.
 
If a client application is infected in the datacenter with a virus, the affected server can be diagnosed, quarantined, re-imaged, and redeployed in a short timeframe. Users can be directed to a backup server in the meantime.
 
The IT staff can also manage the configuration of client applications centrally. As an example, a web browser deployed in the datacenter can be configured to prohibit access to web sites considered to be at risk for suspect downloads. Downloading and installation of web plug-ins such as toolbars and chat programs, which may incorporate Trojan horses or spyware, can be prevented since administrative rights for the application environment are retained by the IT staff. Web browsers may also be configured in a “Kiosk” mode, which only allows users to view content and hides the toolbar.
 
If the client machine used to access the corporate network is infected with a virus, Trojan horse, or Spyware, the risk to the corporate network is minimized for the following reasons:
 
·        Terminal Services presents applications over RDP rather than through a VPN IPSec tunnel, thereby preventing the bridging of networks and reducing the likelihood that a rogue application can access or replicate itself on the corporate network.
·        The infected applications, i.e. web browser, instant messaging or chat application are not used to connect with the corporate servers. The RDP client, which is on the terminal, communicates with the corporate applications directly, thereby isolating the infected applications from the corporate network.
·        Although keyboard keystrokes on the client machine can be recorded by a Spyware program, the traffic back from the server is bitmapped graphics, which are more difficult to record, store or transmit without detection.
 
Terminal Services provides a degree of isolation between applications since client applications can be deployed in the datacenter on separate servers. If one application is down because of a virus attack such as mail, other applications such as business intelligence can continue to be used.
 
Referenced from CobIT Audit Points
DS5.10 Network Security
Ensure that security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation and intrusion detection) are used to authorise access and control information flows from and to networks.
Response to DS5.10
The applications deployed in a Terminal Services environment minimize the need for open ports in the firewall, thereby eliminating multiple entry points for hacking into the network. Terminal Services uses a single port, 3389, for RDP traffic. Traditional client/server applications require a variety of ports, as listed below. Maintaining a small list of ports for all application access greatly simplifies the management of firewalls.
 
Application                Port Requirements
MS Outlook/Exchange        135 (RPC), 102 (X.400), 110 (POP3), 119 (NNTP), 143 (IMAP4), 389 (LDAP)…
MS NetMeeting              389 (ILS), 522 (ULP), 1503 (T.120), 1720 (H.323)…
Instant Messaging          5050 (outbound TCP), 5101 (inbound TCP)…
SQL Server Applications    1433, 139
Terminal Emulator          23 (Telnet)
Web Apps                   80 (Web), 443 (SSL)
RDP/Terminal Services      3389
 
Referenced from CobIT Audit Points
DS5.11 Exchange of Sensitive Data
Ensure sensitive transaction data are exchanged only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
Response to DS5.11
Terminal Services’ Windows logon process can utilize additional multi-factor authentication platforms such as smart cards and biometric validation to provide for the digital signing and non-repudiation of transactions. Biometric validation can be performed at the time of log-on, or at the time of execution of the transaction. 
 
Microsoft products are currently integrated with third-party offerings that provide non-hardware biometric verification. The combined offering provides the capability to perform strong authentication with keyboard stroke patterns, thereby eliminating the need to acquire, install, and maintain another peripheral device, and allowing strong authentication of an individual for the purposes of transaction non-repudiation from any available client machine.
 
Terminal Services can transmit and receive information over a network between the terminal and the server utilizing 128-bit encryption. Information that is transmitted to the client is in compressed, encrypted bit maps providing an additional level of obfuscation, making it much more difficult to extract data surreptitiously captured during transmission.
 
Additionally, since the client application is executing at the data center, no information is cached at the client machine, thereby reducing the risk of proprietary information residing in a non-secured machine after the end of a user session.
 
Referenced from CobIT Audit Points
DS6 Identify and Allocate Costs
DS6.2 IT Accounting
Capture and allocate actual costs according to the defined cost model. Variances between forecasts and actual costs should be analysed and reported on, in compliance with the enterprise’s financial measurement systems.
DS6.3 Cost Modelling and Charging
Based on the service definition, define a cost model that includes direct, indirect and overhead costs of services and supports the calculation of chargeback rates per service. The cost model should be in line with the enterprise’s cost accounting procedures. The
IT cost model should ensure that the charging for services is identifiable, measurable and predictable by users to encourage proper use of resources. User management should be able to verify actual usage and charging of services.
DS6.4 Cost Model Maintenance
Regularly review and benchmark the appropriateness of the cost/recharge model to maintain its relevance and appropriateness to the evolving business and IT activities.
Response to DS6.2, DS6.3 and DS6.4
Since Terminal Services provides for the centralized hosting and deployment of desktop applications, usage of these applications can be centrally provisioned and monitored on a per-user basis. Terminal Services can log the frequency, duration, and amount of corporate resources utilized by each user.
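The per-user logging described here, and the audit trail tied to Windows credentials described in the response to DS5.4 and DS5.5, can be turned into a session report. The following is an added example, not from the article: it pairs RDP logons with their logoffs by logon ID and totals session count and duration per user. The event records are constructed, modelled on Windows Security events 4624 (logon; type 10 is RemoteInteractive, i.e. RDP) and 4634 (logoff); the field layout is a simplification of the real event data.

```python
"""Per-user Terminal Services session accounting from Windows Security
events. Added example, not from the article. The records below are
constructed, modelled on Security event 4624 (logon, type 10 =
RemoteInteractive/RDP) and 4634 (logoff), correlated by LogonId."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, event_id, user, logon_type, logon_id)
SAMPLE_EVENTS = [
    ("2010-05-03 08:02:11", 4624, "CORP\\alice", 10, "0x1A2B"),
    ("2010-05-03 08:05:40", 4624, "CORP\\bob", 10, "0x1A9F"),
    ("2010-05-03 09:30:00", 4624, "CORP\\svc-backup", 5, "0x1B00"),  # service logon, not RDP
    ("2010-05-03 12:15:11", 4634, "CORP\\alice", 10, "0x1A2B"),
    ("2010-05-03 13:00:00", 4624, "CORP\\alice", 10, "0x1C44"),
    ("2010-05-03 17:30:00", 4634, "CORP\\alice", 10, "0x1C44"),
    ("2010-05-03 17:45:09", 4634, "CORP\\bob", 10, "0x1A9F"),
    ("2010-05-03 22:10:00", 4624, "CORP\\carol", 10, "0x1D01"),  # no matching logoff yet
]

RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_sessions(events):
    """Pair each RDP logon with its logoff by LogonId.
    Returns (closed_sessions, open_logons) so unmatched logons are visible."""
    open_logons = {}
    sessions = []
    for ts, event_id, user, logon_type, logon_id in sorted(events):
        if event_id == 4624 and logon_type == RDP_LOGON_TYPE:
            open_logons[logon_id] = (user, parse_ts(ts))
        elif event_id == 4634 and logon_id in open_logons:
            user, start = open_logons.pop(logon_id)
            sessions.append((user, start, parse_ts(ts)))
    return sessions, open_logons


def usage_report(events):
    """Per-user session count and total minutes, plus the logon IDs that are
    still open (a session without a logoff should be reviewed, not dropped)."""
    sessions, still_open = build_sessions(events)
    report = defaultdict(lambda: {"sessions": 0, "minutes": 0.0})
    for user, start, end in sessions:
        report[user]["sessions"] += 1
        report[user]["minutes"] += (end - start).total_seconds() / 60
    return dict(report), {lid: u for lid, (u, _) in still_open.items()}


if __name__ == "__main__":
    per_user, open_ids = usage_report(SAMPLE_EVENTS)
    print(per_user)
    print("open sessions:", open_ids)
```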
 
Terminal Services allows a company to implement a “utility billing” infrastructure where baseline applications (email, HR internal web site, disk storage) are provided at a fixed monthly cost, with other entitlements (ERP access, analytics and financial applications) available at incremental costs. Other resources such as disk space, printing, external web use, etc. can be billed on a per use basis, thereby encouraging each line of business to conserve and optimize their use of these resources.
 
DS8 Manage Service Desk and Incidents
Referenced from CobIT Audit Points
DS8.1 Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.
Response to DS8.1
Terminal Services provides a collaboration offering allowing help desk individuals to view user desktops remotely and observe the problem directly. Terminal Services can perform remote control of both internal workstations and external workstations without any client/server configuration. The capability to also record a “shadowing” session allows the problem to be documented completely and shared with problem management personnel.
DS9 Manage the Configuration
Referenced from CobIT Audit Points
DS9.1 Configuration Repository and Baseline
Establish a central repository to contain all relevant information on configuration items. This repository includes hardware, application software, middleware, parameters, documentation, procedures and tools for operating, accessing and using the systems and services. Relevant information to consider is naming, version numbers and licensing details. A baseline of configuration items should be kept for every system and service as a checkpoint to which to return after changes.
 
Response to DS9.1
Since Terminal Services provides for the centralized hosting and deployment of desktop applications, these applications can be centrally provisioned and maintained. This includes rollback functionality for recovery after a deployment, and it eases user acceptance testing by allowing the real users of the application to perform tests very easily.
 
For applications that do not have built-in license management, Terminal Services can ensure that the application can only be run equal to the number of licenses the company has obtained.
 
Referenced from CobIT Audit Points
DS9.3 Configuration Integrity Review
Review and verify on a regular basis, using, where necessary, appropriate tools, the status of configuration items to confirm the integrity of the current and historical configuration data and to compare against the actual situation. Review periodically against the policy for software usage the existence of any personal or unlicensed software or any software instances in excess of current license agreements. Errors and deviations should be reported, acted on and corrected.
Response to DS9.3
Since Terminal Services deploys applications and desktops from a data center, user machines can be completely locked down, or configured to prevent unauthorized software from being installed. Newly approved applications can be provisioned within the data center, eliminating the need to install the applications locally. Users never require administrator rights to install or update their local machines, so administrator rights, which could otherwise be used for personal software installation or other unauthorized activities, can be restricted.
 
If a user installs local software which may be a security risk, the impact to the corporate information systems is minimized since the Terminal Services client used to access corporate systems is in effect isolated from these non-compliant applications.
 
DS11 Manage Data
Referenced from CobIT Audit Points
DS11.4 Disposal
Define and implement procedures to prevent access to sensitive data and software from equipment or media when they are disposed of or transferred to another use. Such procedures should ensure that data marked as deleted or to be disposed cannot be retrieved.
Response to DS11.4
Since user data that is usually stored on the local drive of the client machine can now be hosted in the data center, there is less likelihood that proprietary or confidential information would reside on a desktop or laptop.
 
Referenced from CobIT Audit Points
DS11.2 Storage and Retention Arrangements
Define and implement procedures for data storage and archival, so data remain accessible and usable. The procedures should consider retrieval requirements, cost-effectiveness, continued integrity and security requirements. Establish storage and retention arrangements to satisfy legal, regulatory and business requirements for documents, data, archives, programmes, reports and messages (incoming and outgoing) as well as the data (keys, certificates) used for their encryption and authentication.
 
DS11.5 Backup and Restoration
Define and implement procedures for backup and restoration of systems, data and documentation in line with business requirements and the continuity plan. Verify compliance with the backup procedures, and verify the ability to and time required for successful and complete restoration. Test backup media and the restoration process.
Response to DS11.2 and DS11.5
Since user files such as PST files for mail, user documents, etc. are hosted in the data center, it is much easier to execute a backup and retention program. This simplifies the management of security and compliance issues for desktop and laptop users.
Monitor and Evaluate
 
ME2 Monitor and Evaluate Internal Control
ME2.4 Control Self-assessment
Evaluate the completeness and effectiveness of management’s internal controls over IT processes, policies and contracts through a continuing programme of self-assessment.
Response to ME2.4
Terminal Services centralizes the access, maintenance, management and monitoring of applications and desktops within the corporate facilities, as well as on laptops used to connect to corporate applications remotely. User profiles determine which applications are accessed and can be integrated with a unified identity management system. Desktop applications may be deployed, patched and upgraded on centrally located data center servers. Terminal Services with the Windows infrastructure provides a comprehensive monitoring and management interface for the Terminal Services environment, which allows for a snapshot audit of all user entitlements as well as a log of all user actions.
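The snapshot audit of entitlements mentioned here, and the inspection of profiles for conflicts in duties described in the response to DS5.4 and DS5.5, can be carried out over an export of user-to-group membership. The following is an added example, not from the article: it assumes the entitlements have already been exported from Active Directory into a user -> set-of-groups mapping (the snapshot, group names and separation-of-duties rules below are all constructed), flags users holding both halves of a toxic combination, and diffs the snapshot against the previous review.

```python
"""Separation-of-duties and change review over an entitlement snapshot.
Added example, not from the article. The snapshot and rules are
constructed; in practice the snapshot would be exported from the AD groups
that publish applications to Terminal Services users."""

# Constructed snapshot: user -> AD groups granting published applications.
ENTITLEMENT_SNAPSHOT = {
    "CORP\\alice": {"TS-Users", "App-AP-Invoice-Entry", "App-AP-Payment-Approval"},
    "CORP\\bob": {"TS-Users", "App-AP-Invoice-Entry", "App-BI-Reports"},
    "CORP\\carol": {"TS-Users", "App-GL-Journal-Post", "App-GL-Journal-Approve",
                    "App-Vendor-Master"},
    "CORP\\dave": {"TS-Users", "App-BI-Reports"},
}

# Constructed toxic combinations: holding both groups of a pair is a conflict.
SOD_RULES = [
    ("App-AP-Invoice-Entry", "App-AP-Payment-Approval", "enter and approve payments"),
    ("App-GL-Journal-Post", "App-GL-Journal-Approve", "post and approve journals"),
    ("App-Vendor-Master", "App-AP-Payment-Approval", "create vendors and pay them"),
]


def find_sod_conflicts(snapshot, rules):
    """Return {user: [(group_a, group_b, reason), ...]} for every user whose
    entitlements contain both groups of a rule."""
    conflicts = {}
    for user, groups in snapshot.items():
        hits = [(a, b, why) for a, b, why in rules if a in groups and b in groups]
        if hits:
            conflicts[user] = hits
    return conflicts


def entitlement_matrix(snapshot):
    """Flatten the snapshot into sorted (user, group) rows, the form an
    auditor signs off on or compares against the previous review."""
    return sorted((u, g) for u, gs in snapshot.items() for g in sorted(gs))


def diff_snapshots(old, new):
    """Entitlements granted or revoked since the previous snapshot, by user.
    A user absent from one side is treated as having no entitlements there."""
    changes = {}
    for u in set(old) | set(new):
        added = new.get(u, set()) - old.get(u, set())
        removed = old.get(u, set()) - new.get(u, set())
        if added or removed:
            changes[u] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


if __name__ == "__main__":
    for user, hits in find_sod_conflicts(ENTITLEMENT_SNAPSHOT, SOD_RULES).items():
        for a, b, why in hits:
            print(f"SoD conflict: {user} holds {a} and {b} ({why})")
```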