Security

Use Smart Policies to create a policy that disables the USB redirection Horizon Policy setting. With this
approach, you can disable USB redirection on a specific remote desktop if certain conditions are met.
For example, you can configure a policy that disables USB redirection when users connect to a remote
desktop from outside your corporate network.
If you set the Exclude All Devices policy to true, Horizon Client prevents all USB devices from being
redirected. You can use other policy settings to allow specific devices or families of devices to be redirected.
If you set the policy to false, Horizon Client allows all USB devices to be redirected except those that are
blocked by other policy settings. You can set the policy on both Horizon Agent and Horizon Client. The
following table shows how the Exclude All Devices policy that you can set for Horizon Agent and
Horizon Client combine to produce an effective policy for the client computer. By default, all USB devices
are allowed to be redirected unless otherwise blocked.
Table 61. Effect of Combining Exclude All Devices Policies

Exclude All Devices Policy on Horizon Agent    | Exclude All Devices Policy on Horizon Client   | Combined Effective Exclude All Devices Policy
-----------------------------------------------|------------------------------------------------|----------------------------------------------
false or not defined (include all USB devices) | false or not defined (include all USB devices) | Include all USB devices
false (include all USB devices)                | true (exclude all USB devices)                 | Exclude all USB devices
true (exclude all USB devices)                 | Any or not defined                             | Exclude all USB devices

If you have set Disable Remote Configuration Download policy to true, the value of Exclude All Devices on
Horizon Agent is not passed to Horizon Client, but Horizon Agent and Horizon Client enforce the local
value of Exclude All Devices.
These policies are included in the Horizon Agent Configuration ADMX template file (vdm_agent.admx). For
more information, see "USB Settings in the Horizon Agent Configuration ADMX Template" in Configuring
Remote Desktop Features in Horizon 7.
Disabling USB Redirection for Specific Devices
Some users might have to redirect specific locally-connected USB devices so that they can perform tasks on
their remote desktops or applications. For example, a doctor might have to use a Dictaphone USB device to
record patients' medical information. In these cases, you cannot disable access to all USB devices. You can
use group policy settings to enable or disable USB redirection for specific devices.
Before you enable USB redirection for specific devices, make sure that you trust the physical devices that are
connected to client machines in your enterprise. Be sure that you can trust your supply chain. If possible,
keep track of a chain of custody for the USB devices.
In addition, educate your employees to ensure that they do not connect devices from unknown sources. If
possible, restrict the devices in your environment to those that accept only signed firmware updates, are
FIPS 140-2 Level 3-certified, and do not support any kind of field-updatable firmware. These types of USB
devices are hard to source and, depending on your device requirements, might be impossible to find. These
choices might not be practical, but they are worth considering.
Each USB device has its own vendor and product ID that identifies it to the computer. By configuring
Horizon Agent Configuration group policy settings, you can set an include policy for known device types.
With this approach, you remove the risk of allowing unknown devices to be inserted into your environment.
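The following added example (not VMware code and not part of the original guide) is a small audit helper that combines the agent and client Exclude All Devices values as the table above describes and then checks a device inventory against a vendor/product ID include list. The function names, the vid-xxxx_pid-yyyy entry syntax with * as a per-digit wildcard, and the inventory IDs are assumptions made for illustration; other exclude settings are not modelled.

```python
import re

# Assumed entry syntax: vid-xxxx_pid-yyyy, hex digits, '*' as a per-digit wildcard.
ENTRY = re.compile(r"vid-([0-9a-f*]{4})_pid-([0-9a-f*]{4})", re.IGNORECASE)

def parse_include(value):
    """Parse a ';'-separated include list into (vid, pid) patterns; fail on bad entries."""
    patterns = []
    for item in (s.strip() for s in value.split(";")):
        if not item:
            continue
        m = ENTRY.fullmatch(item)
        if m is None:
            raise ValueError(f"malformed include entry: {item!r}")
        patterns.append((m.group(1).lower(), m.group(2).lower()))
    return patterns

def effective_exclude_all(agent, client):
    """Combine the two Exclude All Devices values (None = not defined), per the table."""
    return bool(agent) or bool(client)

def _matches(pattern, value):
    return len(value) == 4 and all(p in ("*", v) for p, v in zip(pattern, value.lower()))

def is_redirectable(vid, pid, exclude_all, include):
    """Exclude-all off: allowed. Exclude-all on: only devices on the include list."""
    if not exclude_all:
        return True
    return any(_matches(pv, vid) and _matches(pp, pid) for pv, pp in include)

def audit(inventory, agent, client, include_value):
    """Split an inventory of (name, vid, pid) into allowed and blocked device names."""
    exclude_all = effective_exclude_all(agent, client)
    include = parse_include(include_value)
    allowed, blocked = [], []
    for name, vid, pid in inventory:
        (allowed if is_redirectable(vid, pid, exclude_all, include) else blocked).append(name)
    return allowed, blocked

# Constructed inventory; the IDs are made-up sample values, not real vendor assignments.
INVENTORY = [
    ("dictation-recorder", "1a2b", "0001"),
    ("badge-reader", "3c4d", "0100"),
    ("badge-reader-v2", "3c4d", "0101"),
    ("unknown-flash-drive", "ffff", "1234"),
]
INCLUDE = "vid-1a2b_pid-0001; vid-3c4d_pid-01**"

if __name__ == "__main__":
    print(audit(INVENTORY, agent=True, client=None, include_value=INCLUDE))
```

Running the audit against a real client inventory before enabling Exclude All Devices shows which devices in use would stop redirecting and which include entries are broader than intended.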
View Security
VMware, Inc.