Security

For example, you can prevent all devices except a known device vendor and product ID,
vid/pid=0123/abcd, from being redirected to the remote desktop or application:
ExcludeAllDevices Enabled
IncludeVidPid o:vid-0123_pid-abcd
N This example conguration provides protection, but a compromised device can report any vid/pid,
so a possible aack could still occur.
By default, Horizon 7 blocks certain device families from being redirected to the remote desktop or
application. For example, HID (human interface devices) and keyboards are blocked from appearing in the
guest. Some released BadUSB code targets USB keyboard devices.
You can prevent specic device families from being redirected to the remote desktop or application. For
example, you can block all video, audio, and mass storage devices:
ExcludeDeviceFamily o:video;audio;storage
Conversely, you can create a whitelist by preventing all devices from being redirected but allowing a specific
device family to be used. For example, you can block all devices except storage devices:
ExcludeAllDevices Enabled
IncludeDeviceFamily o:storage
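The three policy examples above, worked through as an added example that is not from the VMware documentation: a small evaluator that applies ExcludeAllDevices, IncludeVidPid, ExcludeDeviceFamily and IncludeDeviceFamily to constructed sample devices, so the difference between a blocklist ("block these families") and a whitelist ("block everything, then allow one family or one vid/pid") can be checked. Assumptions, not taken from the page: the modifier prefix before the colon ("o:") is stripped and otherwise ignored, an excluded family always wins over an include rule, HID and keyboard devices are modelled as blocked by default under the family names "hid" and "keyboard", and the family name "printer" is invented for the sample data.

```python
"""Evaluator for Horizon 7 style USB redirection filter settings.

Added example, not VMware code. Models the four settings shown on the page as
a rule evaluator; the precedence and the default-blocked family names are
assumptions made for this example.
"""
from dataclasses import dataclass

# The page states that HID devices and keyboards are blocked by default.
# These two family spellings are assumptions.
DEFAULT_BLOCKED_FAMILIES = {"hid", "keyboard"}


@dataclass(frozen=True)
class UsbDevice:
    vid: str       # vendor ID as 4 hex digits, e.g. "0123"
    pid: str       # product ID as 4 hex digits, e.g. "abcd"
    family: str    # device family as reported by the device, e.g. "storage"


def _strip_modifier(value: str) -> str:
    """'o:vid-0123_pid-abcd' -> 'vid-0123_pid-abcd' (the prefix is ignored here)."""
    return value.split(":", 1)[1] if ":" in value else value


def _parse_families(value: str) -> set[str]:
    """'o:video;audio;storage' -> {'video', 'audio', 'storage'}."""
    return {f.strip().lower() for f in _strip_modifier(value).split(";") if f.strip()}


def _parse_vidpids(value: str) -> set[tuple[str, str]]:
    """'o:vid-0123_pid-abcd;vid-1111_pid-2222' -> {('0123','abcd'), ('1111','2222')}."""
    pairs = set()
    for item in _strip_modifier(value).split(";"):
        item = item.strip().lower()
        if not item:
            continue
        vid_part, pid_part = item.split("_", 1)
        pairs.add((vid_part.removeprefix("vid-"), pid_part.removeprefix("pid-")))
    return pairs


def is_redirected(device: UsbDevice, policy: dict[str, str]) -> bool:
    """Return True if the device may be redirected to the remote desktop.

    Precedence used here (an assumption, kept deliberately simple):
      1. an excluded or default-blocked family is always denied;
      2. with ExcludeAllDevices enabled, only an included family or an
         included vid/pid is allowed;
      3. otherwise the device is allowed.
    """
    exclude_all = policy.get("ExcludeAllDevices", "Disabled").lower() == "enabled"
    excluded = _parse_families(policy.get("ExcludeDeviceFamily", "")) | DEFAULT_BLOCKED_FAMILIES
    included = _parse_families(policy.get("IncludeDeviceFamily", ""))
    allowed_ids = _parse_vidpids(policy.get("IncludeVidPid", ""))

    family = device.family.lower()
    ids = (device.vid.lower(), device.pid.lower())
    if family in excluded:
        return False
    if exclude_all:
        return family in included or ids in allowed_ids
    return True


def evaluate(devices, policy):
    """Map each device to its redirect decision under one policy."""
    return {d: is_redirected(d, policy) for d in devices}


# Constructed sample devices. The fifth reports the allow-listed vid/pid but
# presents itself as an HID device; the family rule still catches it. A device
# reporting 0123/abcd as "storage" would be indistinguishable from the first.
SAMPLE_DEVICES = [
    UsbDevice("0123", "abcd", "storage"),   # the trusted product
    UsbDevice("1234", "5678", "storage"),   # another storage stick
    UsbDevice("1234", "0001", "video"),     # webcam
    UsbDevice("1234", "0002", "hid"),       # HID device, blocked by default
    UsbDevice("0123", "abcd", "hid"),       # spoofs the trusted vid/pid as HID
    UsbDevice("1234", "0003", "printer"),   # "printer" family name is assumed
]

# Policies transcribed from the three examples in the text.
ALLOW_ONE_VIDPID = {"ExcludeAllDevices": "Enabled", "IncludeVidPid": "o:vid-0123_pid-abcd"}
BLOCK_FAMILIES = {"ExcludeDeviceFamily": "o:video;audio;storage"}
ALLOW_STORAGE_ONLY = {"ExcludeAllDevices": "Enabled", "IncludeDeviceFamily": "o:storage"}

if __name__ == "__main__":
    for name, policy in [("allow one vid/pid", ALLOW_ONE_VIDPID),
                         ("block video/audio/storage", BLOCK_FAMILIES),
                         ("allow storage only", ALLOW_STORAGE_ONLY)]:
        print(f"--- {name}")
        for dev, ok in evaluate(SAMPLE_DEVICES, policy).items():
            print(f"{dev.vid}:{dev.pid} {dev.family:8} -> {'redirect' if ok else 'blocked'}")
```

Running the script prints one decision per device and policy. The evaluator decides only on what the device reports, which is exactly the limitation the note above describes: a vid/pid allow-list narrows exposure but cannot tell a trusted product from a device that claims the same identifiers and family.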
Another risk can arise when a remote user logs into a desktop or application and infects it. You can prevent
USB access to any Horizon 7 connections that originate from outside the company firewall. The USB device
can be used internally but not externally.
Be aware that if you block TCP port 32111 to disable external access to USB devices, time zone
synchronization will not work because port 32111 is also used for time zone synchronization. For zero
clients, the USB trac is embedded inside a virtual channel on UDP port 4172. Because port 4172 is used for
the display protocol as well as for USB redirection, you cannot block port 4172. If required, you can disable
USB redirection on zero clients. For details, see the zero client product literature or contact the zero client
vendor.
Seing policies to block certain device families or specic devices can help to mitigate the risk of being
infected with BadUSB malware. These policies do not mitigate all risk, but they can be an eective part of an
overall security strategy.
These policies are included in the Horizon Agent Configuration ADMX template file (vdm_agent.admx). For
more information, see Configuring Remote Desktop Features in Horizon 7.
Chapter 6 Deploying USB Devices in a Secure Horizon 7 Environment
VMware, Inc. 33