I am trying to convert a Windows jump server to a Linux jump server. There are a few Windows boxes behind this jump server, and I was wondering if I can just enable port forwarding over SSH with a password-based SSH key, and RDP to those servers.

Specifically, I am not sure if this is against PCI DSS? Does anyone know from experience?

Additionally, if I don't enable port forwarding, then is there any other way to access these Windows servers?

Please help me understand. Thanks.

yetdot
  • Can you clarify whether you're concerned with containing PCI scope here? For example, is the "jump server" the dividing line between in-scope (CDE) and out-of-scope systems? If so, the question is not "is this against PCI DSS" but "does this provide sufficient segmentation to control scope spread under PCI DSS". – gowenfawr Aug 09 '16 at 12:25
  • The jump server is in scope of PCI. The users' local workstations are not in scope of PCI. From the segmentation perspective, my understanding is that nothing should change. Earlier the users were running an RDP client with 2-factor authentication. That should continue to be the case here: the users authenticate using a password-based SSH key and an OTP before they can establish the tunnel session. – yetdot Aug 09 '16 at 13:18
  • Also, I was less concerned with the scope factor, but more around whether or not there are any obvious issues with running connectivity ports over an ssh tunnel. – yetdot Aug 09 '16 at 13:23
  • One "obvious issue" is that you'll need to secure the SSH server, including restricting the ports you allow forwarding to *on the server side* - there's a good guide, including discussion of PermitOpen, in [this question](http://askubuntu.com/q/48129). Basically, since it's on the edge of scope, expect the auditor to put it through the wringer looking for holes, and secure it accordingly... See, you may not be concerned about the scope factor, but your auditor is :) :) :) – gowenfawr Aug 09 '16 at 13:43
  • Thanks for that link. It is indeed helpful. You are aptly correct, it is the auditor who can and may raise it as a concern. :). I'll give that link a read and see what is feasible. Thanks! – yetdot Aug 09 '16 at 13:51

1 Answer

It would not violate PCI-DSS if normal rules are taken into consideration. In fact, it's common practice by PCI-DSS recommendations.

The thing is, it would be good to implement two-factor authentication on these with e.g. a token, and also to time out unused connections and use these connections only when needed.

Basically, to see what's going on in the RDP connection when it's being used, and to require the token when establishing a new connection.

Aria
  • The two-factor will be involved; the Windows box has it and so will the Linux one. Reading a bit more, I'll be locking down the port forwarding to certain IP and port combinations as well. – yetdot Aug 08 '16 at 23:47
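The server-side lockdown discussed in the comments (gowenfawr's PermitOpen pointer on the question, yetdot's plan to restrict forwarding to specific IP/port combinations here, and the idle-timeout point in the answer) in concrete form, as an added example that is not part of the original question or answer: a constructed sshd_config fragment for the Linux jump host that keeps forwarding off globally and opens local forwarding only towards the RDP port on named Windows hosts, plus a POSIX sh function that audits a config file for those settings. The host names win-app-01/02.example.internal and the group rdpusers are assumptions; the audit matches directive names literally (sshd itself is case-insensitive) and treats any PermitOpen target that is not an explicit host:3389 as a failure, so it is a sanity check rather than a full sshd_config parser.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# A constructed sshd_config fragment for a Linux jump host plus a small audit
# function. Host names and the "rdpusers" group are assumptions.

# Constructed sample sshd_config: forwarding is off globally and opened only
# for one group, and only towards the RDP port (3389) on named Windows hosts.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
# Global defaults: nothing is forwarded unless a Match block allows it
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
GatewayPorts no
PermitTunnel no
# Drop idle tunnels: 3 missed keepalives at 300 s each (15 minutes)
ClientAliveInterval 300
ClientAliveCountMax 3

Match Group rdpusers
    # Client-side (-L) forwarding only, to these host:port pairs only
    AllowTcpForwarding local
    PermitOpen win-app-01.example.internal:3389 win-app-02.example.internal:3389
    # No shell or pty on the jump host itself
    PermitTTY no
    ForceCommand /bin/false
EOF
)

# audit_sshd_config FILE
# Prints one line per check and returns 0 only if every check passes.
# Directive names are matched literally (sshd treats them case-insensitively).
audit_sshd_config() {
    file="$1"
    fails=0

    # 1. Global forwarding-related defaults must be explicitly off
    for pair in "AllowTcpForwarding no" "AllowAgentForwarding no" \
                "X11Forwarding no" "GatewayPorts no"; do
        if grep -Eq "^[[:space:]]*$pair[[:space:]]*$" "$file"; then
            echo "ok   $pair"
        else
            echo "FAIL $pair is missing"
            fails=$((fails + 1))
        fi
    done

    # 2. Idle sessions must time out: ClientAliveInterval > 0
    interval=$(awk '/^[[:space:]]*ClientAliveInterval[[:space:]]/ { print $2 }' "$file")
    if [ -n "$interval" ] && [ "$interval" -gt 0 ] 2>/dev/null; then
        echo "ok   ClientAliveInterval $interval"
    else
        echo "FAIL ClientAliveInterval is missing or zero"
        fails=$((fails + 1))
    fi

    # 3. PermitOpen must exist, sit inside a Match block, and list only
    #    explicit host:3389 targets (no "any", no wildcards, no other ports)
    bad=$(awk '
        /^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
        /^[[:space:]]*PermitOpen[[:space:]]/ {
            seen = 1
            if (!in_match) print "PermitOpen-outside-Match"
            for (i = 2; i <= NF; i++)
                if ($i !~ /^[A-Za-z0-9.-]+:3389$/) print $i
        }
        END { if (!seen) print "PermitOpen-missing" }
    ' "$file")
    if [ -n "$bad" ]; then
        echo "FAIL PermitOpen: $(echo "$bad" | tr '\n' ' ')"
        fails=$((fails + 1))
    else
        echo "ok   PermitOpen limited to host:3389 targets inside a Match block"
    fi

    [ "$fails" -eq 0 ]
}

# Write a config string to a temp file and audit it; returns the audit's status.
audit_string() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    audit_sshd_config "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Constructed weak config for contrast: unrestricted forwarding, no timeout.
WEAK_SSHD_CONFIG='AllowTcpForwarding yes
PermitOpen any'

echo "== hardened sample =="
audit_string "$SAMPLE_SSHD_CONFIG"
echo "== weak sample =="
audit_string "$WEAK_SSHD_CONFIG" || echo "weak sample rejected, as expected"
```

With that configuration a user in rdpusers opens the tunnel with `ssh -N -L 13389:win-app-01.example.internal:3389 user@jumphost` (the `-N` matters: no session channel is requested, so the forced command never runs and only the forwarding is set up) and points the RDP client at localhost:13389; any other destination is refused by sshd because of PermitOpen. On the real host, run the audit against the output of `sshd -T` rather than the raw file, since that shows the effective configuration after includes and defaults.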