Terminal Server Gateways and PCI Compliance

Before starting, every Windows 7/Server 2008 R2 machine that connects to the Gateway will need a specific patch (KB3080079) installed so that it can use TLS 1.1+ and still connect properly after the directions below have been applied.

To begin, download the IISCrypto software from Nartac onto the gateway server.

Upon opening, accept the agreement if it appears.

Click on the Templates section.

Select “PCI 3.1” in the drop down.

Click Apply.

Reboot the server.

It’s possible that at this point you will be unable to connect and will see the following error in the event log.

A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

To fix this error, open the Control Panel, click Administrative Tools, and then open Local Security Policy.

In Local Security Settings, expand Local Policies, and then click Security Options.

Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

You may also need to run gpupdate /force for the policy change to take effect.

XenServer Security: Clearing CIFS/SMB Passwords

XenServer stores the passwords for every CIFS/SMB share you are currently using or have used in the past, even if the share has since been removed. (Tested up to XenServer 7.)

This can be a concern because those credentials might belong to a domain account, a domain administrator account, or an account with privileged access to a specific system. I wrote the following command to go through and clear all of the stored CIFS/SMB secrets.

xe secret-list | grep uuid | cut -c 17- | xargs -I {Var} xe secret-destroy uuid={Var}

This queries all existing stored passwords, strips the unnecessary text around each UUID, and removes each saved password.

Breakdown

xe secret-list

Lists all passwords and UUIDs.

xe secret-list | grep uuid

Lists just the UUID lines of the existing CIFS secrets.

cut -c 17-

Removes the leading column label and padding from each line of the “xe secret-list | grep uuid” output, leaving only the UUID.

xargs -I {Var}

Passes each line of the previous command to the next one as a set variable, in this case “{Var}”.

xe secret-destroy uuid=

Removes the secret with the given UUID from “xe secret-list”.
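The same clean-up written as a small script, added here as an example and not the original post's one-liner. It selects the UUID by field name instead of by character offset (so a change in column padding does not silently produce bad UUIDs) and adds a dry-run mode so the list of secrets can be reviewed before anything is destroyed. It assumes the XenServer xe CLI with its secret-list and secret-destroy commands; the sample xe output embedded in the script is constructed with placeholder values and is only there to exercise the parsing without a real host.

```shell
#!/bin/sh
# Added example (not the original post's command). Finds every stored
# XenServer secret and destroys it, with a dry-run for auditing first.
# Assumes the XenServer `xe` CLI (secret-list / secret-destroy) on the host.

# Constructed sample of `xe secret-list` output with placeholder values;
# not captured from a real host. Used to test the parser offline.
SAMPLE_SECRET_LIST='uuid ( RO)                : 4c9b0a1e-7f2d-4e3b-9a6c-0d1e2f3a4b5c
          value ( RW): placeholder-password-1
uuid ( RO)                : a1b2c3d4-0000-4000-8000-000000000001
          value ( RW): placeholder-password-2'

# Read xe-style parameter output on stdin and print one secret UUID per line.
# Matching on the first field ("uuid") survives changes in column padding that
# would break a fixed `cut -c 17-`; the grep keeps only well-formed UUIDs and
# the trailing `|| true` keeps the function's exit status 0 when none exist.
xe_secret_uuids() {
    awk '$1 == "uuid" { print $NF }' \
        | grep -E '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || true
}

# Read UUIDs on stdin and destroy each secret. With DRY_RUN=1 nothing is
# removed; each UUID is reported so the operator can review the list first.
destroy_secrets() {
    while IFS= read -r uuid; do
        [ -n "$uuid" ] || continue
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'would destroy secret %s\n' "$uuid"
        else
            xe secret-destroy uuid="$uuid"
        fi
    done
}

# The full pipeline against a live host: list, parse, then destroy (or preview).
clear_xe_secrets() {
    xe secret-list | xe_secret_uuids | destroy_secrets
}
```

Source the file on the XenServer host and run DRY_RUN=1 clear_xe_secrets to see which secrets would be removed, then clear_xe_secrets without DRY_RUN to delete them. Because xe_secret_uuids only accepts lines whose first field is "uuid" and whose last field is a complete UUID, a stray match on some other parameter line cannot turn into a malformed secret-destroy call.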