VMware Horizon View - 6.2 Security Guide

View Security

VMware Horizon 6

Version 6.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-001910-00

View Security

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

View Security 5

View Security Reference 7

View Accounts 7

View Security Settings 8

View Resources 17

View Log Files 17

View TCP and UDP Ports 18

Services on a View Connection Server Host 22

Services on a Security Server 23

Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a

Security Server 23

Deploying USB Devices in a Secure View Environment 29

Index 33

VMware, Inc. 3

View Security

4 VMware, Inc.

View Security

View Security provides a concise reference to the security features of VMware Horizon 6™.

Required system and database login accounts.

Configuration options and settings that have security implications.

Resources that must be protected, such as security-relevant configuration files and passwords, and the

recommended access controls for secure operation.

Location of log files and their purpose.

External interfaces, ports, and services that must be open or enabled for the correct operation of View.

Intended Audience

This information is intended for IT decision makers, architects, administrators, and others who must familiarize themselves with the security components of View.

VMware, Inc.

View Security

6 VMware, Inc.

View Security Reference 1

When you are configuring a secure View environment, you can change settings and make adjustments in several areas to protect your systems.

This chapter includes the following topics:

“View Accounts,” on page 7

“View Security Settings,” on page 8

“View Resources,” on page 17

“View Log Files,” on page 17

“View TCP and UDP Ports,” on page 18

“Services on a View Connection Server Host,” on page 22

“Services on a Security Server,” on page 23

“Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a

Security Server,” on page 23

“Deploying USB Devices in a Secure View Environment,” on page 29

View Accounts

You must set up system and database accounts to administer View components.

Table 1‑1. View System Accounts

View Component Required Accounts

Horizon Client Configure user accounts in Active Directory for the users who have access to remote desktops

and applications. The user accounts must be members of the Remote Desktop Users group, but the accounts do not require View administrator privileges.

vCenter Server Configure a user account in Active Directory with permission to perform the operations in

vCenter Server that are necessary to support View.

For information about the required privileges, see the View Installation document.

VMware, Inc. 7

View Security

Table 1‑1. View System Accounts (Continued)

View Component Required Accounts

View Composer Create a user account in Active Directory to use with View Composer. View Composer requires

this account to join linked-clone desktops to your Active Directory domain.

The user account should not be a View administrative account. Give the account the minimum privileges that it requires to create and remove computer objects in a specified Active Directory container. For example, the account does not require domain administrator privileges.

For information about the required privileges, see the View Installation document.

View Connection Server

When you install View, you can specify a specific domain user, the local Administrators group, or a specific domain user group as View administrators. We recommend creating a dedicated domain user group of View administrators. The default is the currently logged in domain user.

In View Administrator, you can use View Configuration > Administrators to change the list of View administrators.

See the View Administration document for information about the privileges that are required.

Table 1‑2. View Database Accounts

View Component Required Accounts

View Composer database

Event database used by View Connection Server

An SQL Server or Oracle database stores View Composer data. You create an administrative account for the database that you can associate with the View Composer user account.

For information about setting up a View Composer database, see the View Installation document.

An SQL Server or Oracle database stores View event data. You create an administrative account for the database that View Administrator can use to access the event data.

For information about setting up a View Composer database, see the View Installation document.

To reduce the risk of security vulnerabilities, take the following actions:

Configure View databases on servers that are separate from other database servers that your

organization uses.

Do not allow a single user account to access multiple databases.

Configure separate accounts for access to the View Composer and event databases.

View Security Settings

View includes several settings that you can use to adjust the security of the configuration. You can access the settings by using View Administrator, by editing group profiles, or by using the ADSI Edit utility, as appropriate.

Security-Related Global Settings in View Administrator

Security-related global settings for client sessions and connections are accessible under View Configuration > Global Settings in View Administrator.

8 VMware, Inc.

Chapter 1 View Security Reference

Table 1‑3. Security-Related Global Settings

Setting Description

Change data recovery password

Message security mode Determines the security mechanism used when JMS messages are passed between View

Enhanced Security Status

(Read-only)

Reauthenticate secure tunnel connections after network interruption

Forcibly disconnect users Disconnects all desktops and applications after the specified number of minutes has passed

For clients that support applications.

If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials

The password is required when you restore the View LDAP configuration from an encrypted backup.

When you install View Connection Server version 5.1 or later, you provide a data recovery password. After installation, you can change this password in View Administrator.

When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup with the vdmimport utility, you must provide the data recovery password. The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.

components.

If set to Disabled, message security mode is disabled.

If set to Enabled, legacy message signing and verification of JMS messages takes place.

View components reject unsigned messages. This mode supports a mix of SSL and plain JMS connections.

If set to Enhanced, SSL is used for all JMS connections, to encrypt all messages. Access

control is also enabled to restrict the JMS topics that View components can send messages to and receive messages from.

If set to Mixed, message security mode is enabled, but not enforced for View

components that predate View Manager 3.0.

The default setting is Enhanced for new installations. If you upgrade from a previous version, the setting used in the previous version is retained.

IMPORTANT VMware strongly recommends setting the message security mode to Enhanced after you upgrade all View Connection Server instances, security servers, and View desktops to this release. The Enhanced setting provides many important security improvements and MQ (message queue) updates.

Read-only field that appears when Message security mode is changed from Enabled to Enhanced. Because the change is made in phases, this field shows the progress through the phases:

Waiting for Message Bus restart is the first phase. This state is displayed until you

manually restart either all View Connection Server instances in the pod or the VMware Horizon View Message Bus Component service on all View Connection Server hosts in the pod.

Pending Enhanced is the next state. After all View Message Bus Component services

have been restarted, the system begins changing the message security mode to

Enhanced for all desktops and security servers.

Enhanced is the final state, indicating that all components are now using Enhanced

message security mode.

Determines if user credentials must be reauthenticated after a network interruption when Horizon Clients use secure tunnel connections to View desktops and applications.

This setting offers increased security. For example, if a laptop is stolen and moved to a different network, the user cannot automatically gain access to the View desktops and applications because the network connection was temporarily interrupted.

This setting is disabled by default.

since the user logged in to View. All desktops and applications will be disconnected at the same time regardless of when the user opened them.

The default is 600 minutes.

Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, View disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. Desktop sessions are disconnected. Users must log in again to reconnect to the applications that were disconnected or launch a new desktop or application.

If set to Never, View never disconnects applications or discards SSO credentials due to user inactivity.

The default is Never.

VMware, Inc. 9

View Security

Table 1‑3. Security-Related Global Settings (Continued)

Setting Description

Other clients.

Discard SSO credentials

Enable IPSec for Security Server pairing

View Administrator session timeout

Discards the SSO credentials after a certain time period. This setting is for clients that do not support application remoting. If set to After ... minutes, users must log in again to connect to a desktop after the specified number of minutes has passed since the user logged in to View, regardless of any user activity on the client device.

The default is After 15 minutes.

Determines whether to use Internet Protocol Security (IPSec) for connections between security servers and View Connection Server instances. This setting must be disabled before installing a security server in FIPS mode; otherwise pairing will fail.

By default, IPSec for security server connections is enabled.

Determines how long an idle View Administrator session continues before the session times out.

IMPORTANT Setting the View Administrator session timeout to a high number of minutes increases the risk of unauthorized use of View Administrator. Use caution when you allow an idle session to persist a long time.

By default, the View Administrator session timeout is 30 minutes. You can set a session timeout from 1 to 4320 minutes.

For more information about these settings and their security implications, see the View Administration document.

NOTE SSL is required for all Horizon Client connections and View Administrator connections to View. If your View deployment uses load balancers or other client-facing, intermediate servers, you can off-load SSL to them and then configure non-SSL connections on individual View Connection Server instances and security servers. See "Off-load SSL Connections to Intermediate Servers" in the View Administration document.

Security-Related Server Settings in View Administrator

Security-related server settings are accessible under View Configuration > Servers in View Administrator.

10 VMware, Inc.

Table 1‑4. Security-Related Server Settings

Setting Description

Use PCoIP Secure Gateway for PCoIP connections to machine

Use Secure Tunnel connection to machine

Use Blast Secure Gateway for HTML Access to machine

Determines whether Horizon Client makes a further secure connection to the View Connection Server or security server host when users connect to View desktops and applications with the PCoIP display protocol.

If this setting is disabled, the desktop or application session is established directly between the client and the View desktop or the Remote Desktop Services (RDS) host, bypassing the View Connection Server or security server host.

This setting is disabled by default.

Determines whether Horizon Client makes a further HTTPS connection to the View Connection Server or security server host when users connect to a View desktop or an application.

This setting is enabled by default.

Determines whether clients that use a Web browser to access desktops use Blast Secure Gateway to establish a secure tunnel to View Connection Server.

If not enabled, Web browsers make direct connections to View desktops, bypassing View Connection Server.

This setting is disabled by default.

Chapter 1 View Security Reference

For more information about these settings and their security implications, see the View Administration document.

Security-Related Settings in the View Agent Configuration Template

Security-related settings are provided in the ADM template file for View Agent (vdm_agent.adm). Unless noted otherwise, the settings include only a Computer Configuration setting.

Security Settings are stored in the registry on the guest machine under HKLM\Software\VMware, Inc.\VMware

VDM\Agent\Configuration.

Table 1‑5. Security-Related Settings in the View Agent Configuration Template

Setting Description

AllowDirectRDP

AllowSingleSignon

Determines whether non-Horizon Clients can connect directly to View desktops with RDP. When this setting is disabled, View Agent permits only View-managed connections through Horizon Client.

By default, while a user is logged in to a View desktop session, you can use RDP to connect to the virtual machine from outside of View. The RDP connection terminates the View desktop session, and the View user's unsaved data and settings might be lost. The View user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, disable the AllowDirectRDP setting.

IMPORTANT For View to operate correctly, the Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.

This setting is enabled by default. The equivalent Windows Registry value is AllowDirectRDP.

Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter only their credentials when connecting with Horizon Client. When it is disabled, users must reauthenticate when the remote connection is made.

This setting is enabled by default. The equivalent Windows Registry value is AllowSingleSignon.

VMware, Inc. 11

View Security

Table 1‑5. Security-Related Settings in the View Agent Configuration Template (Continued)

Setting Description

CommandsToRunOnConnect

CommandsToRunOnReconnect

CommandsToRunOnDisconnect

ConnectionTicketTimeout

CredentialFilterExceptions

Specifies a list of commands or command scripts to be run when a session is connected for the first time.

No list is specified by default. The equivalent Windows Registry value is CommandsToRunOnConnect.

Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.

No list is specified by default. The equivalent Windows Registry value is CommandsToRunOnReconnect.

Specifies a list of commands or command scripts to be run when a session is disconnected.

No list is specified by default. The equivalent Windows Registry value is CommandsToRunOnDisconnect.

Specifies the amount of time in seconds that the View connection ticket is valid.

If this setting is not configured, the default timeout period is 120 seconds. The equivalent Windows Registry value is VdmConnectionTicketTimeout.

Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames.

No list is specified by default. The equivalent Windows Registry value is CredentialFilterExceptions.

For more information about these settings and their security implications, see the View Administration document.

Security Settings in the Horizon Client Configuration Template

Security-related settings are provided in the ADM template file for Horizon Client (vdm_client.adm). Except where noted, the settings include only a Computer Configuration setting. If a User Configuration setting is available and you define a value for it, it overrides the equivalent Computer Configuration setting.

Security Settings are stored in the registry on the host machine under one of the following paths:

For 32-bit Windows: HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client\Security

For 64-bit Windows: HKLM\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client\Security

Table 1‑6. Horizon Client Configuration Template: Security Settings

Setting Description

Allow command line credentials

(Computer Configuration setting)

Servers Trusted For Delegation

(Computer Configuration setting)

Determines whether user credentials can be provided with Horizon Client command line options. If this setting is disabled, the smartCardPIN and password options are not available when users run Horizon Client from the command line.

This setting is enabled by default. The equivalent Windows Registry value is AllowCmdLineCredentials.

Specifies the View Connection Server instances that accept the user identity and credential information that is passed when a user selects the Log in as current user check box. If you do not specify any View Connection Server instances, all View Connection Server instances accept this information.

To add a View Connection Server instance, use one of the following formats:

domain\system$

system$@domain.com

The Service Principal Name (SPN) of the View Connection Server service.

The equivalent Windows Registry value is BrokersTrustedForDelegation.

12 VMware, Inc.

Table 1‑6. Horizon Client Configuration Template: Security Settings (Continued)

Setting Description

Certificate verification mode

(Computer Configuration setting)

Default value of the 'Log in as current user' checkbox

(Computer and User Configuration setting)

Configures the level of certificate checking that is performed by Horizon Client. You can select one of these modes:

No Security. View does not perform certificate checking.

Warn But Allow. When the following server certificate issues occur, a warning is displayed, but the user can continue to connect to View Connection Server:

A self-signed certificate is provided by View. In this case, it is acceptable

if the certificate name does not match the View Connection Server name provided by the user in Horizon Client.

A verifiable certificate that was configured in your deployment has

expired or is not yet valid.

If any other certificate error condition occurs, View displays an error dialog and prevents the user from connecting to View Connection Server.

Warn But Allow is the default value.

Full Security. If any type of certificate error occurs, the user cannot connect to View Connection Server. View displays certificate errors to the user.

When this group policy setting is configured, users can view the selected certificate verification mode in Horizon Client but cannot configure the setting. The SSL configuration dialog box informs users that the administrator has locked the setting.

When this setting is not configured or disabled, Horizon Client users can select a certificate verification mode.

To allow a View server to perform checking of certificates provided by Horizon Client, the client must make HTTPS connections to the View Connection Server or security server host. Certificate checking is not supported if you off-load SSL to an intermediate device that makes HTTP connections to the View Connection Server or security server host.

For Windows clients, if you do not want to configure this setting as a group policy, you can also enable certificate verification by adding the CertCheckMode value name to one of the following registry keys on the client computer:

For 32-bit Windows: HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client\Security

For 64-bit Windows: HKLM\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client\Security

Use the following values in the registry key:

0 implements No Security.

1 implements Warn But Allow.

2 implements Full Security.

If you configure both the group policy setting and the CertCheckMode setting in the Windows Registry key, the group policy setting takes precedence over the registry key value.

Specifies the default value of the Log in as current user check box on theHorizon Client connection dialog box.

This setting overrides the default value specified during Horizon Client installation.

If a user runs Horizon Client from the command line and specifies the logInAsCurrentUser option, that value overrides this setting.

When the Log in as current user check box is selected, the identity and credential information that the user provided when logging in to the client system is passed to the View Connection Server instance and ultimately to the remote desktop. When the check box is deselected, users must provide identity and credential information multiple times before they can access a remote desktop.

This setting is disabled by default. The equivalent Windows Registry value is LogInAsCurrentUser.

Chapter 1 View Security Reference

VMware, Inc. 13

View Security

Table 1‑6. Horizon Client Configuration Template: Security Settings (Continued)

Setting Description

Display option to Log in as current user

(Computer and User Configuration setting)

Enable jump list integration

(Computer Configuration setting)

Enable SSL encrypted framework channel

(Computer and User Configuration setting)

Configures SSL protocols and cryptographic algorithms

(Computer and User Configuration setting)

Enable Single Sign-On for smart card authentication

(Computer Configuration setting)

Determines whether the Log in as current user check box is visible on the Horizon Client connection dialog box.

When the check box is visible, users can select or deselect it and override its default value. When the check box is hidden, users cannot override its default value from the Horizon Client connection dialog box.

You can specify the default value for the Log in as current user check box by using the policy setting Default value of the 'Log in as current user' checkbox.

This setting is enabled by default. The equivalent Windows Registry value is LogInAsCurrentUser_Display.

Determines whether a jump list appears in the Horizon Client icon on the taskbar of Windows 7 and later systems. The jump list lets users connect to recent View Connection Server instances and remote desktops.

If Horizon Client is shared, you might not want users to see the names of recent desktops. You can disable the jump list by disabling this setting.

This setting is enabled by default. The equivalent Windows Registry value is EnableJumplist.

Determines whether SSL is enabled for View 5.0 and earlier desktops. Before View 5.0, the data sent over port TCP 32111 to the desktop was not encrypted.

Enable: Enables SSL, but allows fallback to the previous unencrypted

connection if the remote desktop does not have SSL support. For example, View 5.0 and earlier desktops do not have SSL support. Enable is the default setting.

Disable: Disables SSL. This setting is not recommended but might be useful

for debugging or if the channel is not being tunneled and could potentially then be optimized by a WAN accelerator product.

Enforce: Enables SSL, and refuses to connect to desktops with no SSL

support .

The equivalent Windows Registry value is EnableTicketSSLAuth.

Configures the cipher list to restrict the use of certain cryptographic algorithms and protocols before establishing an encrypted SSL connection. The cipher list consists of one or more cipher strings separated by colons.

NOTE All cipher strings are case-sensitive.

If this feature is enabled, the default value for Horizon Client 3.5 and later is

TLSv1:TLSv1.1:TLSv1.2:!aNULL:kECDH+AES:ECDH+AES:RSA +AES:@STRENGTH.

The default value for Horizon Client 3.3 and 3.4 is TLSv1:TLSv1.1:AES:!

aNULL:@STRENGTH.

The value for Horizon Client 3.2 and earlier is SSLv3:TLSv1:TLSv1.1:AES:!

aNULL:@STRENGTH.

That means that In Horizon Client 3.5 and later, TLS v1.0, TLS v1.1, and TLS v1.2 are enabled. (SSL v2.0 and v3.0 are disabled.) In Horizon Client 3.3 and 3.4, TLS v1.0 and TLS v1.1 are enabled. (SSL v2.0 and v3.0, and TLS v1.2 are disabled.) In Horizon Client 3.2 and earlier, SSL v3.0 is also enabled. (SSL v2.0 and TLS v1.2 are disabled.)

Cipher suites use 128- or 256-bit AES, remove anonymous DH algorithms, and then sort the current cipher list in order of encryption algorithm key length.

Reference link for the configuration:

http://www.openssl.org/docs/apps/ciphers.html

The equivalent Windows Registry value is SSLCipherList.

Determines whether single sign-on is enabled for smart card authentication. When single sign-on is enabled, Horizon Client stores the encrypted smart card PIN in temporary memory before submitting it to View Connection Server. When single sign-on is disabled, Horizon Client does not display a custom PIN dialog.

The equivalent Windows Registry value is EnableSmartCardSSO.

14 VMware, Inc.

Table 1‑6. Horizon Client Configuration Template: Security Settings (Continued)

Setting Description

Ignore bad SSL certificate date received from the server

(Computer Configuration setting)

Ignore certificate revocation problems

(Computer Configuration setting)

Ignore incorrect SSL certificate common name (host name field)

(Computer Configuration setting)

Ignore incorrect usage problems

(Computer Configuration setting)

Ignore unknown certificate authority problems

(Computer Configuration setting)

(View 4.6 and earlier releases only) Determines whether errors that are associated with invalid server certificate dates are ignored. These errors occur when a server sends a certificate with a date that has passed.

The equivalent Windows Registry value is IgnoreCertDateInvalid.

(View 4.6 and earlier releases only) Determines whether errors that are associated with a revoked server certificate are ignored. These errors occur when the server sends a certificate that has been revoked and when the client cannot verify a certificate's revocation status.

This setting is disabled by default. The equivalent Windows Registry value is IgnoreRevocation.

(View 4.6 and earlier releases only) Determines whether errors that are associated with incorrect server certificate common names are ignored. These errors occur when the common name on the certificate does not match the hostname of the server that sends it.

The equivalent Windows Registry value is IgnoreCertCnInvalid.

(View 4.6 and earlier releases only) Determines whether errors that are associated with incorrect usage of a server certificate are ignored. These errors occur when the server sends a certificate that is intended for a purpose other than verifying the identity of the sender and encrypting server communications.

The equivalent Windows Registry value is IgnoreWrongUsage.

(View 4.6 and earlier releases only) Determines whether errors that are associated with an unknown Certificate Authority (CA) on the server certificate are ignored. These errors occur when the server sends a certificate that is signed by an untrusted third-party CA.

The equivalent Windows Registry value is IgnoreUnknownCa.

Chapter 1 View Security Reference

For more information about these settings and their security implications, see the Using VMware Horizon Client for Windows document.

Security-Related Settings in the Scripting Definitions Section of the Horizon Client Configuration Template

Security-related settings are provided in the Scripting Definitions section of the ADM template file for Horizon Client (vdm_client.adm). Unless noted otherwise, the settings include both a Computer Configuration setting and a User Configuration setting. If you define a User Configuration setting, it overrides the equivalent Computer Configuration setting.

Settings for Scripting Definitions for USB devices are stored in the registry on the host machine under one of the following paths:

For 32-bit Windows: HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client\USB

For 64-bit Windows: HKLM\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client\USB

Settings for Scripting Definitions for the password are stored in the registry on the host machine under

HKEY_CURRENT_USER\Software\VMware, Inc.\VMware VDM\Client\USB.

VMware, Inc. 15

View Security

Table 1‑7. Security-Related Settings in the Scripting Definitions Section

Setting Description

Connect all USB devices to the desktop on launch

Connect all USB devices to the desktop when they are plugged in

Logon Password

Determines whether all of the available USB devices on the client system are connected to the desktop when the desktop is launched.

This setting is disabled by default. The equivalent Windows Registry value is connectUSBOnStartup.

Determines whether USB devices are connected to the desktop when they are plugged in to the client system.

This setting is disabled by default. The equivalent Windows Registry value is connectUSBOnInsert.

Specifies the password that Horizon Client uses during login. The password is stored in plain text by Active Directory.

This setting is undefined by default. The equivalent Windows Registry value is Password.

For more information about these settings and their security implications, see the Using VMware Horizon Client for Windows document.

Security-Related Settings in View LDAP

Security-related settings are provided in View LDAP under the object path

cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. You can use the ADSI Edit utility to change

the value of these settings on a View Connection Server instance. The change propagates automatically to all other View Connection Server instances in a group.

Table 1‑8. Security-Related Settings in View LDAP

Name-value pair Description

cs-allowunencryptedstartsession

The attribute is pae-NameValuePair.

This attribute controls whether a secure channel is required between a View Connection Server instance and a desktop when a remote user session is being started.

When View Agent 5.1 or later is installed on a desktop computer, this attribute has no effect and a secure channel is always required. When a View Agent older than View 5.1 is installed, a secure channel cannot be established if the desktop computer is not a member of a domain with a two-way trust to the domain of the View Connection Server instance. In this case, the attribute is important to determine whether a remote user session can be started without a secure channel.

In all cases, user credentials and authorization tickets are protected by a static key. A secure channel provides further assurance of confidentiality by using dynamic keys.

If set to 0, a remote user session will not start if a secure channel cannot be established. This setting is suitable if all the desktops are in trusted domains or all desktops have View Agent 5.1 or later installed.

If set to 1, a remote user session can be started even if a secure channel cannot be established. This setting is suitable if some desktops have older View Agents installed and are not in trusted domains.

The default setting is 1.

16 VMware, Inc.

View Resources

View includes several configuration files and similar resources that must be protected.

Table 1‑9. View Connection Server and Security Server Resources

Resource Location Protection

LDAP settings Not applicable. LDAP data is protected automatically

LDAP backup files

locked.properties

(Certificate properties file)

Log files See “View Log Files,” on page 17 Protected by access control.

web.xml

(Tomcat configuration file)

<Drive Letter>:\Programdata\VMWare\VDM\backups

(Windows Server 2008)

install_directory\VMware\VMware View\Server\sslgateway\conf

install_directory\VMware View\Server\broker\web apps\ROOT\Web INF

Chapter 1 View Security Reference

as part of role-based access control.

Protected by access control.

Can be protected by access control. Ensure that this file is secured against access by any user other than View administrators.

Protected by access control.

View Log Files

View creates log files that record the installation and operation of its components.

NOTE View log files are intended for use by VMware Support. VMware recommends that you configure and use the event database to monitor View. For more information, see the View Installation and View Integration documents.

Table 1‑10. View Log Files

View Component File Path and Other Information

All components (installation logs)

View Agent

View Applications View Event Database configured on an SQL Server or Oracle database server.

View Composer

%TEMP%\vminst.log_date_timestamp %TEMP%\vmmsi.log_date_timestamp

<Drive Letter>:\ProgramData\VMware\VDM\logs To access View log files that are stored in <Drive

Letter>:\ProgramData\VMware\VDM\logs, you must open the logs from a program with

elevated administrator privileges. Right-click the program file and select Run as administrator.

If a User Data Disk (UDD) is configured, <Drive Letter> might correspond to the UDD. The logs for PCoIP are named pcoip_agent*.log and pcoip_server*.log.

Windows Application Event logs. Disabled by default.

%system_drive%\Windows\Temp\vmware-viewcomposer-ga-new.log on the linked-clone desktop.

The View Composer log contains information about the execution of QuickPrep and Sysprep scripts. The log records the start time and end time of script execution, and any output or error messages.

VMware, Inc. 17

View Security

Table 1‑10. View Log Files (Continued)

View Component File Path and Other Information

View Connection Server or Security Server

View Services View Event Database configured on an SQL Server or Oracle database server.

<Drive Letter>:\ProgramData\VMware\VDM\logs.

The log directory is configurable in the log configuration settings of the View Common Configuration ADM template file (vdm_common.adm).

PCoIP Secure Gateway logs are written to files named SecurityGateway_*.log in the PCoIP Secure Gateway subdirectory of the log directory on a security server.

Windows System Event logs.

View TCP and UDP Ports

View uses TCP and UDP ports for network access between its components.

During installation, View can optionally configure Windows firewall rules to open the ports that are used by default. If you change the default ports after installation, you must manually reconfigure Windows firewall rules to allow access on the updated ports. See "Replacing Default Ports for View Services" in the View Installation document.

Table 1‑11. TCP and UDP Ports Used by View

Source Port Target Port

Security server 55000 View Agent 4172 UDP PCoIP (not SALSA20) if PCoIP Secure Gateway is

Security server 4172 Horizon Client Varies UDP PCoIP (not SALSA20) if PCoIP Secure Gateway is

Security server 500 View

Connection Server

Security server * View

Connection Server

Security server * View

Connection Server

Security server * View

Connection Server

Security server * View

Connection Server

Security server 4500 View

Connection Server

Security server * View desktop 3389 TCP Microsoft RDP traffic to View desktops.

Security server * View desktop 9427 TCP Windows Media MMR redirection and client drive

Security server * View desktop 32111 TCP USB redirection.

Security server * View desktop 4172 TCP PCoIP if PCoIP Secure Gateway is used.

Protoc ol Description

used.

NOTE Because the target port varies, see “Notes

and Caveats for TCP and UDP Ports Used by View,” on page 21.

500 UDP IPsec negotiation traffic.

4001 TCP JMS traffic.

4002 TCP JMS SSL traffic.

8009 TCP AJP13-forwarded Web traffic, if not using IPsec.

* ESP AJP13-forwarded Web traffic, when using IPsec

without NAT.

4500 UDP AJP13-forwarded Web traffic, when using IPsec

through a NAT device.

redirection.

18 VMware, Inc.

Chapter 1 View Security Reference

Table 1‑11. TCP and UDP Ports Used by View (Continued)

Protoc

Source Port Target Port

Security server * View desktop 22443 TCP HTML Access.

View Agent 4172 Horizon Client Varies UDP PCoIP, if PCoIP Secure Gateway is not used.

View Agent 4172 View

55000 UDP PCoIP (not SALSA20) if PCoIP Secure Gateway is Connection Server or security server

View Agent 4172 Access Point

* UDP PCoIP. View desktops and applications send PCoIP appliance

Horizon Client * View

80 TCP SSL (HTTPS access) is enabled by default for client Connection Server or security server or Access Point appliance

Horizon Client * View security

443 TCP HTTPS access. Port 443 is enabled by default for server or Access Point appliance

Horizon Client * View

443 TCP HTTPS access. Port 443 is enabled by default for Connection Server

Horizon Client * View

4172 TCP Connection Server or security server or Access Point appliance

Horizon Client * View desktop 3389 TCP Microsoft RDP traffic to View desktops if direct

Horizon Client * View desktop 9427 TCP Windows Media MMR redirection and client drive

ol Description

NOTE Because the target port varies, see “Notes

and Caveats for TCP and UDP Ports Used by View,” on page 21.

used.

data back to an Access Point appliance from UDP port 4172 .

The destination UDP port will be the source port from the received UDP packets and so as this is reply data, it is normally unnecessary to add an explicit firewall rule for this.

connections, but port 80 (HTTP access) can be used in certain cases. See “Notes and Caveats for TCP

and UDP Ports Used by View,” on page 21.

client connections. Port 443 can be changed on security servers.

Connection attempts over HTTP to port 80 are redirected to port 443 by default, but port 80 can service client connections if SSL is off-loaded to an intermediate device. You can reconfigure the redirection rule if the HTTPS port was changed. See

“Notes and Caveats for TCP and UDP Ports Used by View,” on page 21.

client connections. Port 443 can be changed.

Client connection attempts to port 80 are redirected to port 443 by default, but port 80 can service client connections if SSL is off-loaded to an intermediate device. Connection attempts to port 80 to reach View Administrator are not redirected. You must connect over HTTPS to reach View Administrator.

You can prevent HTTP redirection and force clients to use HTTPS. See “Notes and Caveats for TCP and

UDP Ports Used by View,” on page 21.

PCoIP if PCoIP Secure Gateway is used. and UDP

connections are used instead of tunnel connections.

redirection, if direct connections are used instead of

tunnel connections.

VMware, Inc. 19

View Security

Table 1‑11. TCP and UDP Ports Used by View (Continued)

Protoc

Source Port Target Port

Horizon Client * View desktop 32111 TCP USB redirection if direct connections are used

Horizon Client * View Agent 4172 TCP

Horizon Client Varies View Agent 4172 UDP PCoIP if PCoIP Secure Gateway is not used.

Horizon Client Varies View

4172 UDP PCoIP (not SALSA20) if PCoIP Secure Gateway is Connection Server or security server

Web Browser * Security server

8443 TCP HTML Access. or Access Point appliance

View Connection Server

View

* View

48080 TCP For internal communication between View Connection Server

* vCenter Server

80 TCP SOAP messages if SSL is disabled for access to or View Composer

* vCenter Server

443 TCP SOAP messages if SSL is enabled for access to or View Composer

55000 View Agent 4172 UDP PCoIP (not SALSA20) if PCoIP Secure Gateway via Connection Server

View

4172 Horizon Client Varies UDP PCoIP (not SALSA20) if PCoIP Secure Gateway via Connection Server

View Connection Server

View

* View

4100 TCP JMS inter-router traffic. Connection Server

* View

4101 TCP JMS SSL inter-router traffic. Connection Server

* View desktop 3389 TCP Microsoft RDP traffic to View desktops if tunnel Connection Server

View

* View desktop 4172 TCP PCoIP if PCoIP Secure Gateway via the View Connection Server

View

* View desktop 9427 TCP Windows Media MMR redirection and client drive Connection Server

ol Description

instead of tunnel connections.

PCoIP if PCoIP Secure Gateway is not used. and UDP

NOTE Because the source port varies, see “Notes

and Caveats for TCP and UDP Ports Used by

View,” on page 21.

used.

NOTE Because the source port varies, see “Notes

and Caveats for TCP and UDP Ports Used by

View,” on page 21.

Connection Server components.

vCenter Servers or View Composer.

the View Connection Server is used.

NOTE Because the target port varies, see “Notes

and Caveats for TCP and UDP Ports Used by

View,” on page 21.

connections via the View Connection Server are

used.

Connection Server is used.

redirection, if tunnel connections via the View

Connection Server are used.

20 VMware, Inc.

Table 1‑11. TCP and UDP Ports Used by View (Continued)

Protoc

Source Port Target Port

View Connection Server

Access Point appliance

View desktop * View

View Composer service

* View desktop 32111 TCP USB redirection if tunnel connections via the View

* View

Connection Server

* View

Connection Server

* View

Connection Server

* View

Connection Server or load balancer

* View desktop 3389 TCP Microsoft RDP traffic to View desktops.

* View desktop 9427 TCP Windows Media MMR redirection and client drive

* View desktop

or application

* View desktop 32111 TCP USB redirection if direct connections are used

* View desktop 22443 TCP HTML Access.

Connection Server instances

* ESXi host 902 TCP Used when View Composer customizes linked-

8472 TCP For interpod communication in Cloud Pod

22389 TCP For global LDAP replication in Cloud Pod

22636 TCP For secure global LDAP replication in Cloud Pod

443 TCP HTTPS access. Access Point appliances connect on

4172 TCP

4002 TCP JMS SSL traffic.

ol Description

and UDP

Chapter 1 View Security Reference

Connection Server are used.

Architecture.

TCP port 443 to communicate with a View

Connection Server instance or load balancer in front

of multiple View Connection Server instances.

redirection.

Access Point appliances connect to View desktops

and applications on TCP port 4172 and UDP port

4172 to exchange PCoIP traffic.

instead of tunnel connections.

clone disks, including View Composer internal

disks and, if they are specified, persistent disks and

system disposable disks.

Notes and Caveats for TCP and UDP Ports Used by View

Connection attempts over HTTP are silently redirected to HTTPS, except for connection attempts to View Administrator. HTTP redirection is not needed with more recent View clients because they default to HTTPS, but it is useful when your users connect with a Web browser, for example to download View Client.

The problem with HTTP redirection is that it is a non-secure protocol. If a user does not form the habit of entering https:// in the address bar, an attacker can compromise the Web browser, install malware, or steal credentials, even when the expected page is correctly displayed.

NOTE HTTP redirection for external connections can take place only if you configure your external firewall to allow inbound traffic to TCP port 80.

Connection attempts over HTTP to View Administrator are not redirected. Instead, an error message is returned indicating that you must use HTTPS.

VMware, Inc. 21

View Security

To prevent redirection for all HTTP connection attempts, see "Prevent HTTP Redirection for Client Connections to Connection Server" in the View Installation document.

Connections to port 80 of a View Connection Server instance or security server can also take place if you offload SSL client connections to an intermediate device. See "Off-load SSL Connections to Intermediate Servers" in the View Administration document.

To allow HTTP redirection when the SSL port number was changed, see "Change the Port Number for HTTP Redirection to Connection Server" in the View Installation document.

NOTE The UDP port number that clients use for PCoIP may change. If port 50002 is in use, the client will pick 50003. If port 50003 is in use, the client will pick port 50004, and so on. You must configure firewall with ANY where "Varies" is listed in the table.

Services on a View Connection Server Host

The operation of View depends on several services that run on a View Connection Server host.

Table 1‑12. View Connection Server Host Services

Startup

Service Name

VMware Horizon 6 Blast Secure Gateway

VMware Horizon 6 Connection Server

VMware Horizon 6 Framework Component

VMware Horizon 6 Message Bus Component

VMware Horizon 6 PCoIP Secure Gateway

VMware Horizon 6 Script Host

VMware Horizon 6 Security Gateway Component

VMware Horizon 6 Web Component

VMwareVDMDS Automatic Provides LDAP directory services. This service must always be running. During

Type Description

Automatic Provides secure HTML Access services. This service must be running if clients

connect to View Connection Server through the HTML Access Secure Gateway.

Automatic Provides connection broker services. This service must always be running. If you

start or stop this service, it also starts or stops the Framework, Message Bus, Security Gateway, and Web services. This service does not start or stop the VMwareVDMDS service or the VMware Horizon View Script Host service.

Manual Provides event logging, security, and COM+ framework services. This service must

always be running.

Manual Provides messaging services between the View components. This service must

always be running.

Manual Provides PCoIP Secure Gateway services. This service must be running if clients

connect to View Connection Server through the PCoIP Secure Gateway.

Disabled Provides support for third-party scripts that run when you delete virtual machines.

This service is disabled by default. You should enable this service if you want to run scripts.

Manual Provides common gateway services. This service must always be running.

Manual Provides web services. This service must always be running.

upgrades of View, this service ensures that existing data is migrated correctly.

22 VMware, Inc.

Services on a Security Server

The operation of View depends on several services that run on a security server.

Table 1‑13. Security Server Services

Startup

Service Name

VMware Horizon 6 Blast Secure Gateway

VMware Horizon 6 Security Server

VMware Horizon 6 Framework Component

VMware Horizon 6 PCoIP Secure Gateway

VMware Horizon 6 Security Gateway Component

Type Description

Automatic Provides secure HTML Access services. This service must be running if clients

connect to this security server through the HTML Access Secure Gateway.

Automatic Provides security server services. This service must always be running. If you start

or stop this service, it also starts or stops the Framework and Security Gateway services.

Manual Provides event logging, security, and COM+ framework services. This service must

always be running.

Manual Provides PCoIP Secure Gateway services. This service must be running if clients

connect to this security server through the PCoIP Secure Gateway.

Manual Provides common gateway services. This service must always be running.

Chapter 1 View Security Reference

Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server

You can configure the security protocols and cipher suites that are accepted by View Connection Server instances. You can define a global acceptance policy that applies to all View Connection Server instances in a replicated group, or you can define an acceptance policy for individual View Connection Server instances and security servers

You also can configure the security protocols and cipher suites that View Connection Server instances propose when connecting to vCenter Server and View Composer. You can define a global proposal policy that applies to all View Connection Server instances in a replicated group. You cannot define individual instances to opt out of a global proposal policy.

Oracle's Unlimited Strength Jurisdiction Policy files are included as standard, allowing 256-bit keys by default.

VMware, Inc. 23

View Security

Default Global Policies for Security Protocols and Cipher Suites

Global acceptance and proposal policies enable certain security protocols and cipher suites by default.

Table 1‑14. Default Global Policies

Default Security Protocols Default Cipher Suites

TLS 1.2 TLS 1.1 TLS 1.0

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

If all connecting clients support TLS 1.1 and/or TLS 1.2, you can remove TLS 1.0 from the acceptance policy.

Configuring Global Acceptance and Proposal Policies

Global acceptance and proposal policies are defined in View LDAP attributes. These policies apply to all View Connection Server instances and security servers in a replicated group. To change a global policy, you can edit View LDAP on any View Connection Server instance.

Each policy is a single-valued attribute in the following View LDAP location:

cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int

Global Acceptance and Proposal Policies Defined in View LDAP

You can edit the View LDAP attributes that define global acceptance and proposal policies.

Global Acceptance Polices

The following attribute lists security protocols. You must order the list by placing the latest protocol first:

pae-ServerSSLSecureProtocols = \LIST:TLSv1.2,TLSv1.1,TLSv1

The following attribute lists the cipher suites. The order of the cipher suites is unimportant. This example shows an abbreviated list:

pae-ServerSSLCipherSuites = \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

Global Proposal Policies

The following attribute lists security protocols. You must order the list by placing the latest protocol first:

pae-ClientSSLSecureProtocols = \LIST:TLSv1.2,TLSv1.1,TLSv1

The following attribute lists the cipher suites. This list should be in order of preference. Place the most preferred cipher suite first, the second-most preferred suite next, and so on. This example shows an abbreviated list:

pae-ClientSSLCipherSuites = \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

24 VMware, Inc.

Chapter 1 View Security Reference

Change the Global Acceptance and Proposal Policies

To change the global acceptance and proposal policies for security protocols and cipher suites, you use the ADSI Edit utility to edit View LDAP attributes.

Prerequisites

Familiarize yourself with the View LDAP attributes that define the acceptance and proposal policies.

See “Global Acceptance and Proposal Policies Defined in View LDAP,” on page 24.

See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your

Windows Server operating system version.

Procedure

1 Start the ADSI Edit utility on your View Connection Server computer.

2 In the console tree, select Connect to.

3 In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name

DC=vdi, DC=vmware, DC=int.

4 In the Select or type a domain or server text box, select or type localhost:389 or the fully qualified

domain name (FQDN) of the View Connection Server computer followed by port 389.

For example: localhost:389 or mycomputer.mydomain.com:389

5 Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and select OU=Common in the

right pane.

6 On the object CN=Common, OU=Global, OU=Properties, select each attribute that you want to change

and type the new list of security protocols or cipher suites.

7 Restart the VMware Horizon View Connection Server service.

Configure Acceptance Policies on Individual View Servers

To specify a local acceptance policy on an individual View Connection Server instance or security server, you must add properties to the locked.properties file. If the locked.properties file does not yet exist on the View server, you must create it.

You add a secureProtocols.n entry for each security protocol that you want to configure. Use the following syntax: secureProtocols.n=security protocol.

You add an enabledCipherSuite.n entry for each cipher suite that you want to configure. Use the following syntax: enabledCipherSuite.n=cipher suite.

The variable n is an integer that you add sequentially (1, 2, 3) to each type of entry.

Make sure that the entries in the locked.properties file have the correct syntax and the names of the cipher suites and security protocols are spelled correctly. Any errors in the file can cause the negotiation between the client and server to fail.

Procedure

1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View

Connection Server or security server computer.

For example: install_directory\VMware\VMware View\Server\sslgateway\conf\

2 Add secureProtocols.n and enabledCipherSuite.n entries, including the associated security protocols

and cipher suites.

3 Save the locked.properties file.

VMware, Inc. 25

View Security

4 Restart the VMware Horizon View Connection Server service or VMware Horizon View Security Server

service to make your changes take effect.

Example: Default Acceptance Policies on an Individual Server

The following example shows the entries in the locked.properties file that are needed to specify the default policies:

# The following list should be ordered with the latest protocol first:

secureProtocols.1=TLSv1.2 secureProtocols.2=TLSv1.1 secureProtocols.3=TLSv1

# This setting must be the latest protocol given in the list above:

preferredSecureProtocol=TLSv1.2

# The order of the following list is unimportant:

enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabledCipherSuite.3=TLS_RSA_WITH_AES_128_CBC_SHA256 enabledCipherSuite.4=TLS_RSA_WITH_AES_128_CBC_SHA

Configure Proposal Policies on View Desktops

You can control the security of Message Bus connections to View Connection Server by configuring the proposal policies on View desktops that run Windows.

Make sure that View Connection Server is configured to accept the same policies to avoid a connection failure.

Procedure

1 Start the Windows Registry Editor on the View desktop.

2 Navigate to the HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Agent\Configuration registry

key.

3 Add a new String (REG_SZ) value, ClientSSLSecureProtocols.

4 Set the value to a list of cipher suites in the format \LIST:protocol_1,protocol_2,....

List the protocols with the latest protocol first. For example:

\LIST:TLSv1.2,TLSv1.1,TLSv1

5 Add a new String (REG_SZ) value, ClientSSLCipherSuites.

6 Set the value to a list of cipher suites in the format \LIST:cipher_suite_1,cipher_suite_2,....

The list should be in order of preference, with the most preferred cipher suite first. For example:

\LIST:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

26 VMware, Inc.

Chapter 1 View Security Reference

Internet Engineering Task Force Standards

View Connection Server and security server comply with certain Internet Engineering Task Force (IETF) Standards.

RFC 5746 Transport Layer Security (TLS) – Renegotiation Indication Extension, also known as secure

renegotiation, is enabled by default.

NOTE Client-initiated renegotiation is disabled by default on Connection Servers and security servers. To enable, edit registry value [HKLM\SOFTWARE\VMware, Inc.\VMware

VDM\plugins\wsnm\TunnelService\Params]JvmOptions and remove

-Djdk.tls.rejectClientInitiatedRenegotiation=true from the string.

RFC 6797 HTTP Strict Transport Security (HSTS), also known as transport security, is enabled by

default.

RFC 7034 HTTP Header Field X-Frame-Options, also known as counter clickjacking, is enabled by

default. You can disable it by adding the entry x-frame-options=OFF to the file locked.properties. For information on how to add properties to the file locked.properties, see “Configure Acceptance Policies

on Individual View Servers,” on page 25.

Older Protocols and Ciphers Disabled in View

Some older protocols and ciphers that are no longer considered secure are disabled in View by default. If required, you can enable them manually.

DHE Cipher Suites

For more information, see http://kb.vmware.com/kb/2121183. Cipher suites that are compatible with DSA certificates use Diffie-Hellman ephemeral keys, and these suites are no longer enabled by default, starting with Horizon 6 version 6.2.

For Connection Server instances, security servers, and View desktops, you can enable these cipher suites by editing the View LDAP database, locked.properties file, or registry, as described in this guide. See

“Change the Global Acceptance and Proposal Policies,” on page 25, “Configure Acceptance Policies on Individual View Servers,” on page 25, and “Configure Proposal Policies on View Desktops,” on page 26.

You can define a list of cipher suites that includes one or more of the following suites, in this order:

TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (TLS 1.2 only, not FIPS)

TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (TLS 1.2 only, not FIPS)

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (TLS 1.2 only)

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (TLS 1.2 only)

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

For View Composer and View Agent Direct-Connection (VADC) machines, you can enable DHE cipher suites by adding the following to the list of ciphers when you follow the procedure "Disable Weak Ciphers in SSL/TLS for View Composer and View Agent Machines" in the View Installation document.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

NOTE It is not possible to enable support for ECDSA certificates. These certificates have never been supported.

VMware, Inc. 27

View Security

SSLv3

For more information, see http://tools.ietf.org/html/rfc7568.

For Connection Server instances, security servers, and View desktops, you can enable SSLv3 by removing

SSLv3 from the jdk.tls.disabledAlgorithms property in the C:\Program Files\VMware\VMware View\Server\jre\lib\security\java.security file on each View Connection Server instance and security

server.

For View Composer and View Agent Direct-Connection (VADC) machines, you can enable SSLv3 by adding the following values (REG_DWORD) to the registry key

HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server:

DisabledByDefault=0 Enabled=1

RC4

For more information, see http://tools.ietf.org/html/rfc7465.

For Connection Server instances, security servers, and View desktops, you can enable RC4 on a Connection Server, security server, or a View Agent machine by editing the configuration file C:\Program

Files\VMware\VMware View\Server\jre\lib\security\java.security. At the end of the file is a multi-line

entry called jdk.tls.legacyAlgorithms. Remove RC4_128 and the comma that follows it from this entry and restart the Connection Server, security server, or the View Agent machine, as the case may be.

For View Composer and View Agent Direct-Connection (VADC) machines, you can enable RC4 by adding the following to the list of ciphers when you follow the procedure "Disable Weak Ciphers in SSL/TLS for View Composer and View Agent Machines" in the View Installation document.

TLS_RSA_WITH_RC4_128_SHA

Reducing MIME Type Security Risks

By default, View sends the header x-content-type-options: nosniff in its HTTP responses to help prevent attacks based on MIME-type confusion.

You can disable this feature by adding the following entry to the file locked.properties:

x-content-type-options=OFF

Mitigating Cross-Site Scripting Attacks

By default, View employs the XSS (cross-site scripting) Filter feature to mitigate cross-site scripting attacks by sending the header x-xss-protection=1; mode=block in its HTTP responses.

You can disable this feature by adding the following entry to the file locked.properties:

x-xss-protection=OFF

Content Type Checking

By default, View accepts requests with any declared content type except for connections to View Administrator.

To restrict the content types that View accepts, add the following entry to the file locked.properties:

acceptContentType.1=content-type

28 VMware, Inc.

For example:

acceptContentType.1=x-www-form-urlencoded

To accept another content type, add the entry acceptContentType.2=content-type, and so on

Origin Checking

By default, protection against cross-site request forging is disabled.

You can enable this protection by adding the following entry to the file locked.properties:

checkOrigin=true

If multiple Connection Servers or security servers are load balanced, you must specify the load balancer address by adding the following entry to the file locked.properties. Port 443 is assumed for this address.

balancedHost=load-balancer-name

When this option is enabled, connections to View can be made only to the address given in the external URL, to the balancedHost address, or to localhost.

Deploying USB Devices in a Secure View Environment

USB devices can be vulnerable to a security threat called BadUSB, in which the firmware on some USB devices can be hijacked and replaced with malware. For example, a device can be made to redirect network traffic or to emulate a keyboard and capture keystrokes. You can configure the USB redirection feature to protect your View deployment against this security vulnerability.

Chapter 1 View Security Reference

By disabling USB redirection, you can prevent any USB devices from being redirected to your users' View desktops and applications. Alternatively, you can disable redirection of specific USB devices, allowing users to have access only to specific devices on their desktops and applications.

The decision whether to take these steps depends on the security requirements in your organization. These steps are not mandatory. You can install USB redirection and leave the feature enabled for all USB devices in your View deployment. At a minimum, consider seriously the extent to which your organization should try to limit its exposure to this security vulnerability.

Disabling USB Redirection for All Types of Devices

Some highly secure environments require you to prevent all USB devices that users might have connected to their client devices from being redirected to their remote desktops and applications. You can disable USB redirection for all desktop pools, for specific desktop pools, or for specific users in a desktop pool.

Use any of the following strategies, as appropriate for your situation:

When you install View Agent on a desktop image or RDS host, deselect the USB redirection setup

option. (The option is deselected by default.) This approach prevents access to USB devices on all remote desktops and applications that are deployed from the desktop image or RDS host.

In View Administrator, edit the USB access policy for a specific pool to either deny or allow access.

With this approach, you do not have to change the desktop image and can control access to USB devices in specific desktop and application pools.

Only the global USB access policy is available for RDS desktop and application pools. You cannot set this policy for individual RDS desktop or application pools.

In View Administrator, after you set the policy at the desktop or application pool level, you can

override the policy for a specific user in the pool by selecting the User Overrides setting and selecting a user.

Set the Exclude All Devices policy to true, on the View Agent side or on the client side, as appropriate.

VMware, Inc. 29

View Security

If you set the Exclude All Devices policy to true, Horizon Client prevents all USB devices from being redirected. You can use other policy settings to allow specific devices or families of devices to be redirected. If you set the policy to false, Horizon Client allows all USB devices to be redirected except those that are blocked by other policy settings. You can set the policy on both View Agent and Horizon Client. The following table shows how the Exclude All Devices policy that you can set for View Agent and Horizon Client combine to produce an effective policy for the client computer. By default, all USB devices are allowed to be redirected unless otherwise blocked.

Table 1‑15. Effect of Combining Exclude All Devices Policies

Exclude All Devices Policy on View Agent

false or not defined (include all USB devices)

false (include all USB devices) true (exclude all USB devices)

true (exclude all USB devices)

Exclude All Devices Policy on Horizon Client

false or not defined (include all USB devices)

Any or not defined Exclude all USB devices

Combined Effective Exclude All Devices Policy

Include all USB devices

Exclude all USB devices

If you have set Disable Remote Configuration Download policy to true, the value of Exclude All Devices on View Agent is not passed to Horizon Client, but View Agent and Horizon Client enforce the local value of Exclude All Devices.

These policies are included in the View Agent Configuration ADM template file (vdm_agent.adm). For more information, see "USB Settings in the View Agent Configuration ADM Template" in the Setting Up Desktop and Application Pools in View document.

Disabling USB Redirection for Specific Devices

Some users might have to redirect specific locally-connected USB devices so that they can perform tasks on their remote desktops or applications. For example, a doctor might have to use a Dictaphone USB device to record patients' medical information. In these cases, you cannot disable access to all USB devices. You can use group policy settings to enable or disable USB redirection for specific devices.

Before you enable USB redirection for specific devices, make sure that you trust the physical devices that are connected to client machines in your enterprise. Be sure that you can trust your supply chain. If possible, keep track of a chain of custody for the USB devices.

In addition, educate your employees to ensure that they do not connect devices from unknown sources. If possible, restrict the devices in your environment to those that accept only signed firmware updates, are FIPS 140-2 Level 3-certified, and do not support any kind of field-updatable firmware. These types of USB devices are hard to source and, depending on your device requirements, might be impossible to find. These choices might not be practical, but they are worth considering.

Each USB device has its own vendor and product ID that identifies it to the computer. By configuring View Agent Configuration group policy settings, you can set an include policy for known device types. With this approach, you remove the risk of allowing unknown devices to be inserted into your environment.

For example, you can prevent all devices except a known device vendor and product ID,

vid/pid=0123/abcd, from being redirected to the remote desktop or application:

ExcludeAllDevices Enabled

IncludeVidPid o:vid-0123_pid-abcd

NOTE This example configuration provides protection, but a compromised device can report any vid/pid, so a possible attack could still occur.

30 VMware, Inc.

Chapter 1 View Security Reference

By default, View blocks certain device families from being redirected to the remote desktop or application. For example, HID (human interface devices) and keyboards are blocked from appearing in the guest. Some released BadUSB code targets USB keyboard devices.

You can prevent specific device families from being redirected to the remote desktop or application. For example, you can block all video, audio, and mass storage devices:

ExcludeDeviceFamily o:video;audio;storage

Conversely, you can create a whitelist by preventing all devices from being redirected but allowing a specific device family to be used. For example, you can block all devices except storage devices:

ExcludeAllDevices Enabled

IncludeDeviceFamily o:storage

Another risk can arise when a remote user logs into a desktop or application and infects it. You can prevent USB access to any View connections that originate from outside the company firewall. The USB device can be used internally but not externally.

To disable external access to USB devices, you can block TCP port 32111 from the security server to the remote desktops and applications. For zero clients, the USB traffic is embedded inside a virtual channel on UDP port 4172. Because port 4172 is used for the display protocol as well as for USB redirection, you cannot block port 4172. If required, you can disable USB redirection on zero clients. For details, see the zero client product literature or contact the zero client vendor.

Setting policies to block certain device families or specific devices can help to mitigate the risk of being infected with BadUSB malware. These policies do not mitigate all risk, but they can be an effective part of an overall security strategy.

VMware, Inc. 31

View Security

32 VMware, Inc.

Index

acceptance policies, configuring globally 24 accounts 7 ADM template files, security-related settings 8

Blast Secure Gateway service 22, 23

cipher suites

configuring for View Connection Server 23 default global policies 24

editing in View LDAP 25 Connection Server service 22 content type checking 28 cross-site scripting attacks 28

desktops, configuring proposal policies 26

firewall settings 18 Framework Component service 22, 23

RC4, disabled in View 27 resources 17

Script Host service 22 security protocols

configuring for View Connection Server 23 default policies 24

editing in View LDAP 25 security servers, services 23 security settings, global 8

Security Gateway Component service 22, 23 security overview 5 Security Server service 23 server settings. security related 8 services

security server hosts 23

View Connection Server hosts 22 SSLv3, disabled in View 27

TCP ports, 80 and 443 21

HTTP, redirection 21

Internet Engineering Task Force (IETF)

Standards 27

locked.properties, configuring acceptance

policies 25

log files 17

Message Bus Component service 22 MIME type security risks 28

origin checking 29

proposal policies, configuring globally 24

UDP ports 18 USB redirection

deploying devices securely 29

disabling all devices 29

disabling specific devices 30

View Connection Server, services 22 View LDAP, global acceptance and proposal

policies 24 View security 7 VMwareVDMDS service 22

Web Component service 22

VMware, Inc.

View Security

34 VMware, Inc.

VMware Horizon View - 6.2 Security Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

View Security

View Security Reference 1

View Accounts

View Security Settings

View Resources

View Log Files

View TCP and UDP Ports

Notes and Caveats for TCP and UDP Ports Used by View

Services on a View Connection Server Host

Services on a Security Server

Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server

Default Global Policies for Security Protocols and Cipher Suites

Configuring Global Acceptance and Proposal Policies

Global Acceptance and Proposal Policies Defined in View LDAP

Change the Global Acceptance and Proposal Policies

Configure Acceptance Policies on Individual View Servers

Configure Proposal Policies on View Desktops

Internet Engineering Task Force Standards

Older Protocols and Ciphers Disabled in View

Reducing MIME Type Security Risks

Mitigating Cross-Site Scripting Attacks

Content Type Checking

Origin Checking

Deploying USB Devices in a Secure View Environment

Disabling USB Redirection for All Types of Devices

Disabling USB Redirection for Specific Devices

Index