Security
Table Of Contents
- View Security
- Contents
- View Security
- Horizon 7 Accounts, Resources, and Log Files
- View Security Settings
- Ports and Services
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Configuring Security Protocols and Cipher Suites for Blast Secure Gateway
- Deploying USB Devices in a Secure Horizon 7 Environment
- HTTP Protection Measures on Connection Servers and Security Servers
- Index
Deploying USB Devices in a Secure
Horizon 7 Environment 6
USB devices can be vulnerable to a security threat called BadUSB, in which the rmware on some USB
devices can be hijacked and replaced with malware. For example, a device can be made to redirect network
trac or to emulate a keyboard and capture keystrokes. You can congure the USB redirection feature to
protect your Horizon 7 deployment against this security vulnerability.
By disabling USB redirection, you can prevent any USB devices from being redirected to your users'
Horizon 7 desktops and applications. Alternatively, you can disable redirection of specic USB devices,
allowing users to have access only to specic devices on their desktops and applications.
The decision whether to take these steps depends on the security requirements in your organization. These
steps are not mandatory. You can install USB redirection and leave the feature enabled for all USB devices in
your Horizon 7 deployment. At a minimum, consider seriously the extent to which your organization
should try to limit its exposure to this security vulnerability.
This chapter includes the following topics:
n
“Disabling USB Redirection for All Types of Devices,” on page 31
n
“Disabling USB Redirection for Specic Devices,” on page 32
Disabling USB Redirection for All Types of Devices
Some highly secure environments require you to prevent all USB devices that users might have connected to
their client devices from being redirected to their remote desktops and applications. You can disable USB
redirection for all desktop pools, for specic desktop pools, or for specic users in a desktop pool.
Use any of the following strategies, as appropriate for your situation:
n
When you install Horizon Agent on a desktop image or RDS host, deselect the USB redirection setup
option. (The option is deselected by default.) This approach prevents access to USB devices on all
remote desktops and applications that are deployed from the desktop image or RDS host.
n
In Horizon Administrator, edit the USB access policy for a specic pool to either deny or allow access.
With this approach, you do not have to change the desktop image and can control access to USB devices
in specic desktop and application pools.
Only the global USB access policy is available for RDS desktop and application pools. You cannot set
this policy for individual RDS desktop or application pools.
n
In View Administrator, after you set the policy at the desktop or application pool level, you can
override the policy for a specic user in the pool by selecting the User Overrides seing and selecting a
user.
n
Set the Exclude All Devices policy to true, on the Horizon Agent side or on the client side, as
appropriate.
VMware, Inc.
31