Tax Software Hosting Risk Guide

The Cybersecurity Risk of Running UltraTax CS on a Local Server

Software: UltraTax CS  |  Vendor: Thomson Reuters

Key takeaway

Because UltraTax CS, FileCabinet CS, and related tools share a common data location on the office network, a compromise of any single workstation or the file server itself can expose the firm's entire CS dataset — returns, documents, and historical client files.

Who this applies to

Tax preparation firms, CPA firms, EAs, bookkeepers, EROs, and accounting offices that run UltraTax CS on local PCs, mapped network drives, peer-to-peer shares, or an in-office file server.

UltraTax CS is commonly used by tax professionals, and many firms run it as a desktop or local-network install because it is familiar, fast, and convenient. The tradeoff is that local convenience can create serious cybersecurity exposure when sensitive taxpayer data lives on office PCs, shared drives, mapped network paths, or an in-office file server.

What UltraTax CS is

UltraTax CS, from Thomson Reuters, is part of the broader CS Professional Suite (Accounting CS, Practice CS, FileCabinet CS, etc.) used by mid-sized and larger CPA firms with complex business and individual return work. Thomson Reuters offers Virtual Office CS and SaaS-hosted options as well, but many firms still run UltraTax CS in a traditional on-premise or local-server configuration. This article focuses on that local deployment.

How local UltraTax CS setups usually work

In a local UltraTax CS deployment, the CS Professional Suite is typically installed against a shared data location on a Windows server or NAS — often referred to internally as the "CS data" path. Workstations connect to that path over the office LAN to open returns, post entries, and update FileCabinet documents. Multiple staff members work concurrently, and remote staff often reach the environment through VPN, RDP, or a third-party remote tool. Backups frequently live on a server or an attached drive in the same physical office.

Quick definitions

  • Mapped drive — a Windows drive letter (like T:\ or Z:\) that points to a shared folder on another computer or server.
  • Local server / file server — a computer in the office that hosts shared files for other workstations.
  • Hosted server — a server in a controlled hosting environment (cloud or properly hardened internal) that users reach through controlled remote sessions.
  • MFA — multi-factor authentication; requires a second factor (app code, hardware key) in addition to a password.
  • WISP — Written Information Security Plan, expected of tax professionals under IRS Publication 4557 and the FTC Safeguards Rule.
  • Ransomware — malware that encrypts files and demands payment for a decryption key.

Why taxpayer data inside UltraTax CS is so valuable

Return data inside professional tax software typically includes:

  • Names, addresses, and dates of birth
  • Social Security numbers and dependent information
  • Employer information and W-2, 1099, and K-1 details
  • Bank account and routing numbers used for refunds and payments
  • Prior-year return data and carryforwards
  • Tax credits, deductions, and filing status
  • Identity verification information
  • E-file submission data

That combination is exactly what attackers need for identity theft, refund fraud, business email compromise, extortion, and ransomware. It is a major reason tax offices are repeatedly targeted, particularly during filing season.

Risk summary

Local setup element  |  Why it creates risk  |  Better hosted-server control
Shared / mapped tax data folder  |  Malware on one workstation may reach all shared files  |  Keep tax data inside a controlled hosted session
Shared Windows credentials  |  Hard to prove individual accountability  |  Require unique user accounts with MFA
Local workstation storage  |  Data may remain on laptops and desktops  |  Centralize data on a secured, segmented server
Local backups  |  Backups may be reachable by ransomware  |  Use protected, segmented, monitored backups
Uncontrolled remote access  |  Attackers may abuse exposed RDP / remote tools  |  Use MFA-protected remote sessions only

The inherent problem with local network sharing

When UltraTax CS data is shared over the office LAN, the security of the tax database effectively depends on the weakest workstation, weakest password, weakest Windows account, weakest remote access tool, weakest backup process, and weakest shared-folder permission in the office. Common risks include:

  • Compromised Windows logins and phishing attacks on staff
  • Malware on a single workstation that reaches all shared data
  • Ransomware encrypting mapped drives and reachable backups
  • Weak, reused, or shared passwords; no individual MFA on app access
  • Local admin rights granted too broadly
  • Exposed RDP or poorly secured third-party remote access tools
  • Unencrypted or co-located backups
  • Old workstations and missing patches during busy season
  • Inconsistent endpoint protection across the office
  • Over-permissive file shares with no centralized audit trail
  • No clear evidence of access controls or written security plan
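
Three of the items above (over-permissive shares, broad write access on the data folder, and co-located backups) can be checked directly on the file server. The script below is an added example, not code from Thomson Reuters or from the original guide; the function name Get-CsDataExposure, the share name CSDATA, and the backup path D:\Backups are assumptions to replace with the firm's own values.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit, run on the file server that hosts the CS data share.
# 'CSDATA' and 'D:\Backups' are placeholders, not names from the article.
# Group names are the English defaults; adjust the pattern on localized Windows.
function Get-CsDataExposure {
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $BackupPath
    )
    $broad = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|.+\\Domain Users)$'
    # WriteData (0x2) plus the raw GENERIC_ALL / GENERIC_WRITE bits some ACEs carry.
    $writeMask = 0x2 -bor 0x10000000 -bor 0x40000000
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # 1. Share permissions: broad groups that may change or fully control files.
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { "$($_.AccessControlType)" -eq 'Allow' -and
                       "$($_.AccessRight)" -in 'Change', 'Full' -and
                       $_.AccountName -match $broad } |
        ForEach-Object { [pscustomobject]@{ Layer = 'Share'; Principal = $_.AccountName
                                            Detail = "$($_.AccessRight)" } }

    # 2. NTFS ACL on the shared folder: write-capable entries for the same groups.
    (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -match $broad -and
                       ([int]$_.FileSystemRights -band $writeMask) -ne 0 } |
        ForEach-Object { [pscustomobject]@{ Layer = 'NTFS'; Principal = $_.IdentityReference.Value
                                            Detail = "$($_.FileSystemRights)" } }

    # 3. Backups: same volume as live data, or published through any SMB share.
    $backup = [System.IO.Path]::GetFullPath($BackupPath).TrimEnd('\') + '\'
    if ([System.IO.Path]::GetPathRoot($backup) -eq [System.IO.Path]::GetPathRoot($share.Path)) {
        [pscustomobject]@{ Layer = 'Backup'; Principal = $BackupPath
                           Detail = 'Same volume as the CS data share' }
    }
    Get-SmbShare -Special $false | Where-Object { $_.Path } | ForEach-Object {
        $root = $_.Path.TrimEnd('\') + '\'
        if ($backup.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{ Layer = 'Backup'; Principal = $BackupPath
                               Detail = "Reachable over SMB via share '$($_.Name)'" }
        }
    }
}

Get-CsDataExposure -ShareName 'CSDATA' -BackupPath 'D:\Backups' | Format-Table -AutoSize
```

Each row returned is a finding; an empty result means none of these three conditions was detected, not that the server is otherwise hardened.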

Realistic attack scenarios

  • A phishing email lands on a workstation with write access to the CS data path; ransomware encrypts both UltraTax data and FileCabinet documents.
  • A weak service-account password on the file server is guessed and used to extract historical returns and PDF documents.
  • A remote partner connects an unmanaged personal laptop through VPN and inadvertently introduces malware into the network.
  • A single shared Windows account is used by multiple admin staff, making it impossible to prove individual accountability for changes.
  • Backups located on the same server are encrypted in the same ransomware event as the live data.

Why "we have antivirus" is not enough

Antivirus, endpoint protection, firewall appliances, spam filtering, and backups are useful, but they are not the same thing as a secure architecture. An UltraTax CS office can still be exposed if a user is phished, a workstation is compromised, a mapped drive is reachable, a backup share lives on the same network, an attacker gains local admin rights, users share credentials, the tax app does not require individual MFA on every access, or the firm cannot prove who accessed which client file and when.

IRS, WISP, and the compliance angle

Tax professionals are expected to protect taxpayer data and to maintain a Written Information Security Plan (WISP). IRS Publication 4557 and the FTC Safeguards Rule frame this expectation in general terms: a firm needs more than good intentions. It needs documented controls, access management, incident response planning, employee training, backup and recovery planning, and security monitoring. This article is not legal advice — it describes architectural patterns that are easier or harder to defend during a review.

Why hackers target tax offices

Small and mid-sized tax firms are attractive targets because they:

  • Hold uniquely valuable identity and financial data
  • Often do not have full-time IT or security staff
  • Frequently rely on older local-network software workflows
  • Use seasonal preparers and rush operations during tax season
  • Sometimes delay patches and upgrades until "after April"
  • Commonly use multiple remote access tools
  • Allow a single compromised workstation to expose all shared tax data

A more defensible architecture: hosted server model

For UltraTax CS, a more defensible architecture isolates the CS data path from ordinary office desktops by running the CS Professional Suite inside a controlled hosted-server environment — either via Thomson Reuters' own hosted offerings, a reputable third-party tax hosting provider, or a properly hardened internal server — with individual MFA-protected accounts, segmented backups, and centralized logging.

In a properly designed hosted-server model:

  • UltraTax CS runs on a controlled server
  • Users access it through secure remote sessions
  • Each user has an individual account
  • MFA is required
  • Local desktops do not directly store or freely browse the tax database
  • Access is logged
  • Backups are centralized and segmented
  • Permissions are enforced
  • Security updates are managed centrally
  • The environment is segmented from the rest of the office network

That is materially easier to document for WISP and compliance purposes than a peer-to-peer or mapped-drive LAN.

Important nuance

A "hosted server" can be either a reputable remote tax software hosting provider or a properly secured local server environment that is designed to behave like a hosted system — users authenticate individually with MFA and access the tax software through controlled sessions, instead of opening raw shared data from ordinary office desktops. The architecture matters more than the address.

Schedule an UltraTax CS security review

If your firm runs UltraTax CS from local desktops, mapped drives, peer-to-peer shares, or an office file server, EasyWISP can help you understand the risk, document your WISP, and plan a safer hosted-server model with individual access controls and MFA.

Frequently asked questions

UltraTax CS can be deployed on an in-office server, but the configuration concentrates significant amounts of taxpayer data and supporting documents in one location reachable by every workstation. Without strict access controls, MFA, segmentation, and protected backups, that creates meaningful exposure.

Yes. In a local CS Professional Suite install, return data, SSNs, depreciation schedules, K-1 details, and historical returns live on the firm's server, often alongside FileCabinet CS PDFs of source documents.

Ransomware running under any account with write access to the CS data path can encrypt UltraTax files, FileCabinet documents, and any reachable backups, often in the same event.

A VPN secures the network tunnel but does not by itself enforce per-user MFA into the application, control which devices can connect, or prevent malware on a remote laptop from reaching the CS data path. A hosted-session model is generally stronger.

For most mid-sized firms, moving UltraTax CS into a properly run hosted environment with individual MFA, centralized backups, and segmentation is materially easier to defend under IRS Publication 4557 and the FTC Safeguards Rule than a traditional on-premise install.

Yes — Thomson Reuters offers hosted / Virtual Office options. The architectural point of this article applies regardless of provider: a controlled hosted environment with MFA and segmentation is more defensible than a local-server LAN deployment.

EasyWISP helps firms document their WISP, evaluate their UltraTax CS environment, and plan a safer hosted-server architecture with proper access controls and incident response planning.

Conclusion

UltraTax CS is not automatically unsafe, and many firms have used it for years. The issue is that the local-network architecture gives attackers too many paths to taxpayer data when a single workstation, password, remote access tool, or mapped drive is compromised. For firms handling sensitive taxpayer information, the more defensible model is to move UltraTax CS access into a controlled hosted-server environment with MFA, centralized backups, logging, segmentation, and documented WISP controls.

Disclaimer: This article is for general cybersecurity and compliance education. It is not legal, tax, or regulatory advice. Firms should consult qualified legal, tax, and cybersecurity professionals for guidance specific to their environment.
