View Security
VMware Horizon 7 7.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2009–2017 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents

View Security 5

1 Horizon 7 Accounts, Resources, and Log Files 7
  Horizon 7 Accounts 7
  Horizon 7 Resources 8
  Horizon 7 Log Files 8

2 View Security Settings 11
  Security-Related Global Settings in View Administrator 12
  Security-Related Server Settings in View Administrator 14
  Security-Related Settings in View LDAP 15

3 Ports and Services 17
  View TCP and UDP Ports 17
  Services on a View Connection Server Host 21
  Services on a Security Server 22

4 Configuring Security Protocols and Cipher Suites
View Security

View Security provides a concise reference to the security features of VMware Horizon 7.

- Required system and database login accounts.
- Configuration options and settings that have security implications.
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation.
- Location of log files and their purpose.
Chapter 1 Horizon 7 Accounts, Resources, and Log Files

Having different accounts for specific components protects against giving individuals more access and permissions than they need. Knowing the locations of configuration files and other files with sensitive data aids in setting up security for various host systems.

Note: Starting with Horizon 7.0, View Agent is renamed Horizon Agent.
Table 1‑2. Horizon Database Accounts

| Horizon Component | Required Accounts |
|---|---|
| View Composer database | An SQL Server or Oracle database stores View Composer data. You create an administrative account for the database that you can associate with the View Composer user account. For information about setting up a View Composer database, see the View Installation document. |
| Event database used by Horizon Connection Server | An SQL Server or Oracle database stores Horizon event data. |
Table 1‑4. Horizon 7 Log Files

| Horizon Component | File Path and Other Information |
|---|---|
| All components (installation logs) | %TEMP%\vminst.log_date_timestamp |
| Horizon Agent | :\ProgramData\VMware\VDM\logs |

To access Horizon 7 log files that are stored in :\ProgramData\VMware\VDM\logs, you must open the logs from a program with elevated administrator privileges. Right-click the program file and select Run as administrator.
Chapter 2 View Security Settings

View includes several settings that you can use to adjust the security of the configuration. You can access the settings by using View Administrator or by using the ADSI Edit utility, as appropriate.

Note: For information about security settings for Horizon Client and Horizon Agent, see the Horizon Client and Agent Security document.
Security-Related Global Settings in View Administrator

Security-related global settings for client sessions and connections are accessible under View Configuration > Global Settings in View Administrator.

Table 2‑1. Security-Related Global Settings

| Setting | Description |
|---|---|
| Change data recovery password | The password is required when you restore the View LDAP configuration from an encrypted backup. When you install View Connection Server version 5. |
Table 2‑1. Security-Related Global Settings (Continued)

| Setting | Description |
|---|---|
| For clients that support applications. If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials | Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, View disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. |
Security-Related Server Settings in View Administrator

Security-related server settings are accessible under View Configuration > Servers in View Administrator.

Table 2‑2. Security-Related Server Settings

| Setting | Description |
|---|---|
| Use PCoIP Secure Gateway for PCoIP connections to machine | Determines whether Horizon Client makes a further secure connection to the View Connection Server or security server host when users connect to View desktops and applications with the PCoIP display protocol. |
Security-Related Settings in View LDAP

Security-related settings are provided in View LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. You can use the ADSI Edit utility to change the value of these settings on a View Connection Server instance. The change propagates automatically to all other View Connection Server instances in a group.

Table 2‑3.
Chapter 3 Ports and Services

Certain UDP and TCP ports must be open so that View components can communicate with each other. Knowing which Windows services run on each type of View server helps identify services that do not belong on the server.
Table 3‑1. TCP and UDP Ports Used by View (Continued)

| Source | Port | Target | Port | Protocol | Description |
|---|---|---|---|---|---|
| Security server | * | View Connection Server | 4002 | TCP | JMS SSL traffic. |
| Security server | * | View Connection Server | 8009 | TCP | AJP13-forwarded Web traffic, if not using IPsec. |
| Security server | * | View Connection Server | * | ESP | AJP13-forwarded Web traffic, when using IPsec without NAT. |
| Horizon Agent | 4172 | Horizon Client | * | UDP | PCoIP, if PCoIP Secure Gateway is not used. Note: Because the target port varies, see the note below this table. |
| Horizon Agent | 4172 | View Connection Server, security server, or Unified Access Gateway appliance | 55000 | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used. |
| Horizon Client | * | View Connection Server, security server, or Unified Access Gateway appliance | 4172 | TCP and UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used. Note: Because the source port varies, see the note below this table. |
| Web Browser | * | Security server or Unified Access Gateway appliance | 8443 | TCP | HTML Access. |
Note: Microsoft Windows Server requires a dynamic range of ports to be open between all Connection Servers in the Horizon 7 environment. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about the dynamic range of ports, see the Microsoft Windows Server documentation.
Table 3‑2. View Connection Server Host Services (Continued)

| Service Name | Startup Type | Description |
|---|---|---|
| VMware Horizon View Script Host | Disabled | Provides support for third-party scripts that run when you delete virtual machines. This service is disabled by default. You should enable this service if you want to run scripts. |
| VMware Horizon View Security Gateway Component | Manual | Provides common gateway services. This service must always be running. |
Chapter 4 Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server

You can configure the security protocols and cipher suites that are accepted by View Connection Server. You can define a global acceptance policy that applies to all View Connection Server instances in a replicated group, or you can define an acceptance policy for individual View Connection Server instances and security servers.
Default Global Policies for Security Protocols and Cipher Suites

Global acceptance and proposal policies enable certain security protocols and cipher suites by default.

Table 4‑1. Default Global Policies

Default Security Protocols:
- TLS 1.2
- TLS 1.1
- TLS 1.
Change the Global Acceptance and Proposal Policies

To change the global acceptance and proposal policies for security protocols and cipher suites, you use the ADSI Edit utility to edit View LDAP attributes.

Prerequisites

- Familiarize yourself with the View LDAP attributes that define the acceptance and proposal policies.
Procedure

1. Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server computer. For example:
   install_directory\VMware\VMware View\Server\sslgateway\conf\
2. Add secureProtocols.n and enabledCipherSuite.n entries, including the associated security protocols and cipher suites.
3. Save the locked.properties file.
4. Set the value to a list of security protocols in the format \LIST:protocol_1,protocol_2,.... List the protocols with the latest protocol first. For example:
   \LIST:TLSv1.2,TLSv1.1,TLSv1
5. Add a new String (REG_SZ) value, ClientSSLCipherSuites.
6. Set the value to a list of cipher suites in the format \LIST:cipher_suite_1,cipher_suite_2,....
For Connection Server instances, security servers, and View desktops, you can enable RC4 on a Connection Server, security server, or a Horizon Agent machine by editing the configuration file C:\Program Files\VMware\VMware View\Server\jre\lib\security\java.security. At the end of the file is a multi-line entry called jdk.tls.legacyAlgorithms.
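The following script is an added example, not VMware code, that audits the two files the procedure above and the RC4 paragraph describe: it reads the secureProtocols.n and enabledCipherSuite.n entries of a locked.properties file and flags legacy protocols or weak suites, and it reads the multi-line jdk.tls.legacyAlgorithms entry of java.security to report whether RC4 has been removed from the disabled list (that is, re-enabled). It assumes only the key names given on this page and the JDK's backslash line-continuation syntax for java.security; the file contents in the script are constructed samples, not copies from a real host.

```python
"""Audit TLS protocol / cipher settings in Horizon-style properties files.

Added example (not VMware's code). Assumptions:
  * locked.properties uses secureProtocols.<n> and enabledCipherSuite.<n>
    keys, as the procedure above describes;
  * java.security uses the JDK's backslash line-continuation syntax for
    its multi-line jdk.tls.legacyAlgorithms entry.
All file contents below are constructed samples.
"""
import re
from typing import Dict, List

# Constructed sample: locked.properties restricted to TLS 1.2/1.1 and
# forward-secret AES-GCM cipher suites.
SAMPLE_LOCKED_PROPERTIES = """\
# locked.properties (constructed sample)
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

# Constructed sample: the tail of java.security *after* an administrator
# re-enabled RC4 by deleting the RC4 entries from jdk.tls.legacyAlgorithms.
SAMPLE_JAVA_SECURITY_RC4_ENABLED = """\
jdk.tls.legacyAlgorithms= \\
        K_NULL, C_NULL, M_NULL, \\
        DH_anon, ECDH_anon, \\
        3DES_EDE_CBC, DES_CBC, DES40_CBC, \\
        RC2_40, MD5, SHA1
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES_", "NULL", "MD5", "EXPORT", "anon")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments,
    and a trailing backslash that joins the next line (java.security style)."""
    props: Dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if logical:                       # still inside a wrapped value
            logical += line
        elif not line or line[0] in "#!":
            continue
        else:
            logical = line
        if logical.endswith("\\"):
            logical = logical[:-1]        # drop the continuation marker
            continue
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props


def numbered_values(props: Dict[str, str], prefix: str) -> List[str]:
    """Collect prefix.1, prefix.2, ... in numeric order."""
    pat = re.compile(re.escape(prefix) + r"\.(\d+)$")
    found = []
    for key, value in props.items():
        m = pat.match(key)
        if m:
            found.append((int(m.group(1)), value))
    return [value for _, value in sorted(found)]


def audit_locked_properties(text: str) -> List[str]:
    """Findings for the TLS acceptance policy; empty when nothing is wrong."""
    props = parse_properties(text)
    findings: List[str] = []
    protocols = numbered_values(props, "secureProtocols")
    for proto in protocols:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol accepted: {proto}")
    # The page says to list the latest protocol first; TLSv1.2 is the
    # latest protocol it names.
    if protocols and protocols[0] != "TLSv1.2":
        findings.append(f"secureProtocols.1 is {protocols[0]}, expected TLSv1.2 first")
    for suite in numbered_values(props, "enabledCipherSuite"):
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite}")
    return findings


def rc4_enabled_in_java_security(text: str) -> bool:
    """True when RC4 is no longer listed in jdk.tls.legacyAlgorithms,
    i.e. someone has re-enabled it."""
    legacy = parse_properties(text).get("jdk.tls.legacyAlgorithms", "")
    names = {name.strip() for name in legacy.split(",")}
    return not ({"RC4_128", "RC4_40"} & names)


if __name__ == "__main__":
    print("locked.properties findings:", audit_locked_properties(SAMPLE_LOCKED_PROPERTIES))
    print("RC4 re-enabled in java.security:",
          rc4_enabled_in_java_security(SAMPLE_JAVA_SECURITY_RC4_ENABLED))
```

Run it against the real files by reading them into the two functions; a non-empty findings list or a True RC4 result is what a configuration review should catch before the server goes into service.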
Chapter 5 Configuring Security Protocols and Cipher Suites for Blast Secure Gateway

The security settings for View Connection Server do not apply to Blast Secure Gateway (BSG). You must configure security for BSG separately.

Configure Security Protocols and Cipher Suites for Blast Secure Gateway (BSG)

You can configure the security protocols and cipher suites that BSG's client-side listener accepts by editing the file absg.properties. The protocols that are allowed are, from low to high, tls1.0, tls1.
3. Edit the localHttpsCipherSpec property to specify a list of cipher suites. For example:
   localHttpsCipherSpec=ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL
4. Restart the Windows service VMware Horizon View Blast Secure Gateway.
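Because localHttpsCipherSpec is an OpenSSL-style cipher list, a typo in one "!" exclusion silently widens what BSG will negotiate. The added example below (not VMware code) checks a spec value in two ways before it is written to absg.properties: a lexical check that the exclusions a hardened list should carry are present, and an expansion through Python's ssl module, which hands the string to the local OpenSSL build and returns the cipher names it actually selects. It assumes only the cipher-list format shown in step 3; the spec constant is the one from that step.

```python
"""Check a Blast Secure Gateway localHttpsCipherSpec value before deploying it.

Added example, not VMware's code. It assumes only that localHttpsCipherSpec
holds an OpenSSL-style cipher list (the format shown in step 3 above); the
expansion uses Python's ssl module, which delegates to the local OpenSSL.
"""
import ssl
from typing import List

# The cipher spec from step 3 above.
BSG_CIPHER_SPEC = (
    "ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT"
    ":!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL"
)

# Exclusions a hardened spec should always carry (choice made for this example).
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!EXPORT", "!MD5", "!RC4", "!3DES")

# Substrings that identify a cipher OpenSSL should never have selected.
WEAK_NAME_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")


def lint_cipher_spec(spec: str) -> List[str]:
    """Lexical check: return the required '!' exclusions the spec lacks."""
    tokens = [t.strip() for t in spec.split(":") if t.strip()]
    return [ex for ex in REQUIRED_EXCLUSIONS if ex not in tokens]


def expand_cipher_spec(spec: str) -> List[str]:
    """Ask OpenSSL which cipher names the spec selects.
    Returns [] when the local OpenSSL rejects the spec outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers_selected(spec: str) -> List[str]:
    """Names in the expanded list that match a weak-cipher marker."""
    return [name for name in expand_cipher_spec(spec)
            if any(marker in name for marker in WEAK_NAME_MARKERS)]


if __name__ == "__main__":
    print("missing exclusions:", lint_cipher_spec(BSG_CIPHER_SPEC))
    print("weak ciphers selected:", weak_ciphers_selected(BSG_CIPHER_SPEC))
    print("selected ciphers:", expand_cipher_spec(BSG_CIPHER_SPEC))
```

The expansion reflects the OpenSSL build on the machine running the script, so run it on a host whose OpenSSL is close to what BSG uses; the lexical lint is independent of the library and is the cheaper check to put in a change-review pipeline.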
Chapter 6 Deploying USB Devices in a Secure Horizon 7 Environment

USB devices can be vulnerable to a security threat called BadUSB, in which the firmware on some USB devices can be hijacked and replaced with malware. For example, a device can be made to redirect network traffic or to emulate a keyboard and capture keystrokes. You can configure the USB redirection feature to protect your Horizon 7 deployment against this security vulnerability.
- Use Smart Policies to create a policy that disables the USB redirection Horizon Policy setting. With this approach, you can disable USB redirection on a specific remote desktop if certain conditions are met. For example, you can configure a policy that disables USB redirection when users connect to a remote desktop from outside your corporate network.

If you set the Exclude All Devices policy to true, Horizon Client prevents all USB devices from being redirected.
For example, you can prevent all devices except a known device vendor and product ID, vid/pid=0123/abcd, from being redirected to the remote desktop or application:

   ExcludeAllDevices   Enabled
   IncludeVidPid       o:vid-0123_pid-abcd

Note: This example configuration provides protection, but a compromised device can report any vid/pid, so a possible attack could still occur.
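The script below is an added example, not VMware code, that models how the allow-list above is evaluated: with ExcludeAllDevices set, a device is redirected only if an IncludeVidPid rule matches its reported vendor and product IDs. It assumes the vid-XXXX_pid-YYYY form shown above, that multiple rules are separated by semicolons, that a leading modifier such as "o:" can be stripped without interpreting it, that "*" may stand for a whole vid or pid, and that an ExcludeVidPid match wins over an include; none of those last four points is stated on this page. The device list is constructed, and its last entry is a device that merely claims the approved vid/pid, which is the case the note above warns about: the filter cannot tell it apart from the genuine device.

```python
"""Evaluate Horizon-style USB filtering rules against a set of devices.

Added example, not VMware's code. Assumptions (not stated on this page):
  * IncludeVidPid / ExcludeVidPid values hold ';'-separated rules;
  * a leading modifier such as "o:" is stripped and not interpreted;
  * "*" may stand in for a whole vid or pid;
  * an ExcludeVidPid match takes precedence over an IncludeVidPid match.
The device list is a constructed sample.
"""
import re
from typing import Dict, List, Sequence, Tuple

RULE_RE = re.compile(r"^(?:[a-z]:)?vid-([0-9a-f*]{1,4})_pid-([0-9a-f*]{1,4})$", re.I)


def parse_vidpid_rules(value: str) -> List[Tuple[str, str]]:
    """Split a rule list into (vid, pid) patterns, lower-cased."""
    rules: List[Tuple[str, str]] = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        m = RULE_RE.match(item)
        if not m:
            raise ValueError(f"bad vid/pid rule: {item!r}")
        rules.append((m.group(1).lower(), m.group(2).lower()))
    return rules


def _matches(pattern: str, actual: str) -> bool:
    return pattern == "*" or pattern == actual.lower()


def _any_rule_matches(rules: Sequence[Tuple[str, str]], vid: str, pid: str) -> bool:
    return any(_matches(v, vid) and _matches(p, pid) for v, p in rules)


def device_is_redirected(vid: str, pid: str, policy: Dict[str, str]) -> bool:
    """Apply exclude-all-then-include semantics to one device."""
    include = parse_vidpid_rules(policy.get("IncludeVidPid", ""))
    exclude = parse_vidpid_rules(policy.get("ExcludeVidPid", ""))
    if _any_rule_matches(exclude, vid, pid):
        return False
    if policy.get("ExcludeAllDevices", "false").lower() == "true":
        return _any_rule_matches(include, vid, pid)
    return True


def evaluate(devices: Sequence[Tuple[str, str, str]], policy: Dict[str, str]) -> Dict[str, bool]:
    """Map each (name, vid, pid) device to its redirection decision."""
    return {name: device_is_redirected(vid, pid, policy) for name, vid, pid in devices}


# The allow-list policy from the text above.
ALLOWLIST_POLICY = {"ExcludeAllDevices": "true", "IncludeVidPid": "o:vid-0123_pid-abcd"}

# Constructed sample devices; the last one only *claims* the approved vid/pid.
SAMPLE_DEVICES = [
    ("approved scanner", "0123", "abcd"),
    ("mass storage stick", "0951", "1666"),
    ("device spoofing the approved vid/pid", "0123", "abcd"),
]

if __name__ == "__main__":
    for name, redirected in evaluate(SAMPLE_DEVICES, ALLOWLIST_POLICY).items():
        print(f"{name:45s} redirected={redirected}")
```

The third result is the point of the note above: vid/pid filtering narrows exposure to the devices you expect, but it is an identity claim by the device, so pair it with the Smart Policies condition from the bullet list (for example, no redirection from outside the corporate network) rather than relying on it alone.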
Chapter 7 HTTP Protection Measures on Connection Servers and Security Servers

Horizon 7 employs certain measures to protect communication that uses the HTTP protocol.
World Wide Web Consortium Standards

Connection Server and security server comply with certain World Wide Web Consortium (W3) standards.

- Cross-Origin Resource Sharing (CORS), which constrains client-side cross-origin requests, is enabled by default. You can disable it by adding the entry enableCORS=false to locked.properties.
- Content Security Policy (CSP), which mitigates a broad class of content injection vulnerabilities, is enabled by default.
Table 7‑1. CORS Properties (Continued)

| Property | Value Type | Master Default | Other Defaults |
|---|---|---|---|
| allowPreflight | true / false | true | n/a |
| maxAge | cache-time | 0 | n/a |
| balancedHost | load-balancer-name | OFF | n/a |
| portalHost... | gateway-name | OFF | n/a |
| chromeExtension... | chrome-extension-hash | OFF | n/a |

Example CORS properties in the locked.
Content Security Policy

The Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), by providing policy directives to compliant browsers. This feature is enabled by default. You can reconfigure the policy directives by adding entries to locked.properties.

Table 7‑2.
Mitigating Cross-Site Scripting Attacks

By default, Horizon 7 employs the XSS (cross-site scripting) Filter feature to mitigate cross-site scripting attacks by sending the header x-xss-protection=1; mode=block in its HTTP responses. You can disable this feature by adding the following entry to the file locked.
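Whether CORS, CSP and the XSS filter are actually in effect is visible in the HTTP response headers a Connection Server or security server returns, so an audit can be done without reading locked.properties. The script below is an added example, not VMware code: it parses a raw HTTP response, reports a missing Content-Security-Policy header, a CSP without a default-src fallback or with 'unsafe-inline' in script-src, an X-XSS-Protection header that is not "1; mode=block", and an Access-Control-Allow-Origin of "*". The two responses it checks are constructed samples, not output captured from a real server, and the checks are generic header checks with no dependence on Horizon internals.

```python
"""Inspect HTTP response headers for the protections described above.

Added example, not VMware's code. Both responses below are constructed
samples; the checks are generic HTTP header checks.
"""
from typing import Dict, List

# Constructed sample of a hardened response.
SAMPLE_RESPONSE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample with the protections switched off and a wildcard CORS origin.
SAMPLE_RESPONSE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the headers keyed by lower-cased name; the status line is dropped."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_response(raw: str) -> List[str]:
    """Findings for one response; empty when every measure looks right."""
    headers = parse_headers(raw)
    findings: List[str] = []

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        directives = parse_csp(csp)
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        if "'unsafe-inline'" in directives.get("script-src", []):
            findings.append("CSP script-src allows 'unsafe-inline'")

    xss = headers.get("x-xss-protection", "")
    if xss.split(";")[0].strip() != "1" or "mode=block" not in xss.replace(" ", ""):
        findings.append("XSS filter header missing or not '1; mode=block'")

    if headers.get("access-control-allow-origin") == "*":
        findings.append("CORS allows any origin (*)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_response(SAMPLE_RESPONSE_HARDENED))
    print("weak:    ", audit_response(SAMPLE_RESPONSE_WEAK))
```

To use it against a live server, capture a response with any HTTP client that preserves raw headers and pass the text to audit_response; running it after each locked.properties change confirms that the entry had the intended effect rather than a typo.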
- Opera
- Safari

Note: Not all of these user agents are supported by Horizon 7. These are examples.

Configure HTTP Protection Measures

To configure HTTP protection measures you must create or edit the locked.properties file in the SSL gateway configuration folder on the Connection Server or security server instance. For example:
   install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties

- Use the following syntax to configure a property in locked.
Index

A
acceptance policies, configuring globally 24
accounts 7
ADM template files, security-related settings 12

B
Blast Secure Gateway
  configure cipher suites 29
  configuring cipher suites 29
  configuring security protocols 29
Blast Secure Gateway service 21, 22

C
cipher suites
  configure for Blast Secure Gateway 29
  configuring for Blast Secure Gateway 29
  configuring for View Connection Server 23
  default global policies 24
  editing in View LD

M
Message Bus Component service 21
MIME type security risks 38

V
VMwareVDMDS service 21

W
web browser security 40
Web Component service 21
World Wide Web Consortium Standards 36