VMware Horizon View - 6.2 Security Guide

View Security
VMware Horizon 6
Version 6.2
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-001910-00
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

View Security
1 View Security Reference
   View Accounts
   View Security Settings
   View Resources
   View Log Files
   View TCP and UDP Ports
   Services on a View Connection Server Host
   Services on a Security Server
   Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
   Deploying USB Devices in a Secure View Environment
Index

View Security

View Security provides a concise reference to the security features of VMware Horizon 6™.
- Required system and database login accounts.
- Configuration options and settings that have security implications.
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation.
- Location of log files and their purpose.
- External interfaces, ports, and services that must be open or enabled for the correct operation of View.

Intended Audience
This information is intended for IT decision makers, architects, administrators, and others who must familiarize themselves with the security components of View.

Chapter 1 View Security Reference

When you are configuring a secure View environment, you can change settings and make adjustments in several areas to protect your systems.
This chapter includes the following topics:
- View Accounts
- View Security Settings
- View Resources
- View Log Files
- View TCP and UDP Ports
- Services on a View Connection Server Host
- Services on a Security Server
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Deploying USB Devices in a Secure View Environment

View Accounts

You must set up system and database accounts to administer View components.
Table 1-1. View System Accounts

View Component: Horizon Client
Required Accounts: Configure user accounts in Active Directory for the users who have access to remote desktops and applications. The user accounts must be members of the Remote Desktop Users group, but the accounts do not require View administrator privileges.

View Component: vCenter Server
Required Accounts: Configure a user account in Active Directory with permission to perform the operations in vCenter Server that are necessary to support View.
For information about the required privileges, see the View Installation document.

View Component: View Composer
Required Accounts: Create a user account in Active Directory to use with View Composer. View Composer requires this account to join linked-clone desktops to your Active Directory domain.
The user account should not be a View administrative account. Give the account the minimum privileges that it requires to create and remove computer objects in a specified Active Directory container. For example, the account does not require domain administrator privileges.
For information about the required privileges, see the View Installation document.

View Component: View Connection Server
Required Accounts: When you install View, you can specify a specific domain user, the local Administrators group, or a specific domain user group as View administrators. We recommend creating a dedicated domain user group of View administrators. The default is the currently logged in domain user.
In View Administrator, you can use View Configuration > Administrators to change the list of View administrators.
See the View Administration document for information about the privileges that are required.

Table 1-2. View Database Accounts

View Component: View Composer database
Required Accounts: An SQL Server or Oracle database stores View Composer data. You create an administrative account for the database that you can associate with the View Composer user account.
For information about setting up a View Composer database, see the View Installation document.

View Component: Event database used by View Connection Server
Required Accounts: An SQL Server or Oracle database stores View event data. You create an administrative account for the database that View Administrator can use to access the event data.
For information about setting up a View Composer database, see the View Installation document.

To reduce the risk of security vulnerabilities, take the following actions:
- Configure View databases on servers that are separate from other database servers that your organization uses.
- Do not allow a single user account to access multiple databases.
- Configure separate accounts for access to the View Composer and event databases.

View Security Settings

View includes several settings that you can use to adjust the security of the configuration. You can access the settings by using View Administrator, by editing group profiles, or by using the ADSI Edit utility, as appropriate.
Security-Related Global Settings in View Administrator
Security-related global settings for client sessions and connections are accessible under View Configuration > Global Settings in View Administrator.
Table 1-3. Security-Related Global Settings

Setting: Change data recovery password
Description: The password is required when you restore the View LDAP configuration from an encrypted backup.
When you install View Connection Server version 5.1 or later, you provide a data recovery password. After installation, you can change this password in View Administrator.
When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup with the vdmimport utility, you must provide the data recovery password. The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.

Setting: Message security mode
Description: Determines the security mechanism used when JMS messages are passed between View components.
- If set to Disabled, message security mode is disabled.
- If set to Enabled, legacy message signing and verification of JMS messages takes place. View components reject unsigned messages. This mode supports a mix of SSL and plain JMS connections.
- If set to Enhanced, SSL is used for all JMS connections, to encrypt all messages. Access control is also enabled to restrict the JMS topics that View components can send messages to and receive messages from.
- If set to Mixed, message security mode is enabled, but not enforced for View components that predate View Manager 3.0.
The default setting is Enhanced for new installations. If you upgrade from a previous version, the setting used in the previous version is retained.
IMPORTANT VMware strongly recommends setting the message security mode to Enhanced after you upgrade all View Connection Server instances, security servers, and View desktops to this release. The Enhanced setting provides many important security improvements and MQ (message queue) updates.

Setting: Enhanced Security Status (Read-only)
Description: Read-only field that appears when Message security mode is changed from Enabled to Enhanced. Because the change is made in phases, this field shows the progress through the phases:
- Waiting for Message Bus restart is the first phase. This state is displayed until you manually restart either all View Connection Server instances in the pod or the VMware Horizon View Message Bus Component service on all View Connection Server hosts in the pod.
- Pending Enhanced is the next state. After all View Message Bus Component services have been restarted, the system begins changing the message security mode to Enhanced for all desktops and security servers.
- Enhanced is the final state, indicating that all components are now using Enhanced message security mode.

Setting: Reauthenticate secure tunnel connections after network interruption
Description: Determines if user credentials must be reauthenticated after a network interruption when Horizon Clients use secure tunnel connections to View desktops and applications.
This setting offers increased security. For example, if a laptop is stolen and moved to a different network, the user cannot automatically gain access to the View desktops and applications because the network connection was temporarily interrupted.
This setting is disabled by default.

Setting: Forcibly disconnect users
Description: Disconnects all desktops and applications after the specified number of minutes has passed since the user logged in to View. All desktops and applications will be disconnected at the same time regardless of when the user opened them.
The default is 600 minutes.

Setting: For clients that support applications. If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials
Description: Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, View disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. Desktop sessions are disconnected. Users must log in again to reconnect to the applications that were disconnected or launch a new desktop or application.
If set to Never, View never disconnects applications or discards SSO credentials due to user inactivity.
The default is Never.

Setting: Other clients. Discard SSO credentials
Description: Discards the SSO credentials after a certain time period. This setting is for clients that do not support application remoting. If set to After ... minutes, users must log in again to connect to a desktop after the specified number of minutes has passed since the user logged in to View, regardless of any user activity on the client device.
The default is After 15 minutes.

Setting: Enable IPSec for Security Server pairing
Description: Determines whether to use Internet Protocol Security (IPSec) for connections between security servers and View Connection Server instances. This setting must be disabled before installing a security server in FIPS mode; otherwise pairing will fail.
By default, IPSec for security server connections is enabled.

Setting: View Administrator session timeout
Description: Determines how long an idle View Administrator session continues before the session times out.
IMPORTANT Setting the View Administrator session timeout to a high number of minutes increases the risk of unauthorized use of View Administrator. Use caution when you allow an idle session to persist a long time.
By default, the View Administrator session timeout is 30 minutes. You can set a session timeout from 1 to 4320 minutes.

For more information about these settings and their security implications, see the View Administration document.
NOTE SSL is required for all Horizon Client connections and View Administrator connections to View. If your View deployment uses load balancers or other client-facing, intermediate servers, you can off-load SSL to them and then configure non-SSL connections on individual View Connection Server instances and security servers. See "Off-load SSL Connections to Intermediate Servers" in the View Administration document.
Security-Related Server Settings in View Administrator
Security-related server settings are accessible under View Configuration > Servers in View Administrator.
Table 1-4. Security-Related Server Settings

Setting: Use PCoIP Secure Gateway for PCoIP connections to machine
Description: Determines whether Horizon Client makes a further secure connection to the View Connection Server or security server host when users connect to View desktops and applications with the PCoIP display protocol.
If this setting is disabled, the desktop or application session is established directly between the client and the View desktop or the Remote Desktop Services (RDS) host, bypassing the View Connection Server or security server host.
This setting is disabled by default.

Setting: Use Secure Tunnel connection to machine
Description: Determines whether Horizon Client makes a further HTTPS connection to the View Connection Server or security server host when users connect to a View desktop or an application.
If this setting is disabled, the desktop or application session is established directly between the client and the View desktop or the Remote Desktop Services (RDS) host, bypassing the View Connection Server or security server host.
This setting is enabled by default.

Setting: Use Blast Secure Gateway for HTML Access to machine
Description: Determines whether clients that use a Web browser to access desktops use Blast Secure Gateway to establish a secure tunnel to View Connection Server.
If not enabled, Web browsers make direct connections to View desktops, bypassing View Connection Server.
This setting is disabled by default.

For more information about these settings and their security implications, see the View Administration document.
Security-Related Settings in the View Agent Configuration Template
Security-related settings are provided in the ADM template file for View Agent (vdm_agent.adm). Unless noted otherwise, the settings include only a Computer Configuration setting.
Security settings are stored in the registry on the guest machine under HKLM\Software\VMware, Inc.\VMware VDM\Agent\Configuration.
Table 1-5. Security-Related Settings in the View Agent Configuration Template

Setting: AllowDirectRDP
Description: Determines whether non-Horizon Clients can connect directly to View desktops with RDP. When this setting is disabled, View Agent permits only View-managed connections through Horizon Client.
By default, while a user is logged in to a View desktop session, you can use RDP to connect to the virtual machine from outside of View. The RDP connection terminates the View desktop session, and the View user's unsaved data and settings might be lost. The View user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, disable the AllowDirectRDP setting.
IMPORTANT For View to operate correctly, the Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.
This setting is enabled by default. The equivalent Windows Registry value is AllowDirectRDP.

Setting: AllowSingleSignon
Description: Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter only their credentials when connecting with Horizon Client. When it is disabled, users must reauthenticate when the remote connection is made.
This setting is enabled by default. The equivalent Windows Registry value is AllowSingleSignon.
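
One way to audit the two View Agent settings above on a desktop, as an added example that is not part of the VMware guide: it reads the registry key named in this section and reports each setting's effective value, falling back to the documented default (enabled) when no value is present. That the data is stored as the strings true and false is an assumption to confirm on your own agents; the function name Get-ViewAgentSettingAudit and the Hardened field are hypothetical.

```powershell
# Added example: audit View Agent security settings from the registry.
# Key path and value names come from the guide; the 'true'/'false' string
# encoding of the data is an ASSUMPTION to confirm on your agent version.
$AgentKey = 'HKLM:\Software\VMware, Inc.\VMware VDM\Agent\Configuration'

# Documented defaults (both enabled) and the value this audit treats as hardened.
# Disabling AllowDirectRDP is what the guide suggests to block non-View RDP.
# AllowSingleSignon is reported only, since disabling it is a site decision.
$Settings = @(
    @{ Name = 'AllowDirectRDP';    Default = $true; Hardened = $false }
    @{ Name = 'AllowSingleSignon'; Default = $true; Hardened = $null  }
)

function Get-ViewAgentSettingAudit {   # hypothetical helper name
    param([string]$KeyPath = $AgentKey)

    # A missing key is normal when no agent policy has been applied.
    $values = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    foreach ($s in $Settings) {
        $raw = if ($values) { $values.($s.Name) } else { $null }

        if ($null -eq $raw) {
            $effective = $s.Default; $source = 'default (value not set)'
        } elseif ("$raw" -match '^(true|1)$') {
            $effective = $true;  $source = 'registry'
        } elseif ("$raw" -match '^(false|0)$') {
            $effective = $false; $source = 'registry'
        } else {
            # Unrecognised data: surface it rather than guess.
            $effective = $null;  $source = "registry (unparsed: '$raw')"
        }

        [pscustomobject]@{
            Setting   = $s.Name
            Effective = $effective
            Source    = $source
            Finding   = if ($null -ne $s.Hardened -and $effective -ne $s.Hardened) {
                            'review'
                        } else { 'ok' }
        }
    }
}

Get-ViewAgentSettingAudit | Format-Table -AutoSize
```

A desktop with no AllowDirectRDP value reports the default (enabled) with a review finding, which is the state in which RDP connections from outside of View are accepted.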