View Security
Modified for Horizon 7 7.3.2
VMware Horizon 7 7.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to docfeedback@vmware.com
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com
Copyright © 2009–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
View Security
1 Horizon 7 Accounts, Resources, and Log Files
  Horizon 7 Accounts
  Horizon 7 Resources
  Horizon 7 Log Files
2 View Security Settings
  Security-Related Global Settings in View Administrator
  Security-Related Server Settings in View Administrator
  Security-Related Settings in View LDAP
3 Ports and Services
  View TCP and UDP Ports
  Services on a View Connection Server Host
  Services on a Security Server
4 Configuring Security Protocols and Cipher
View Security
View Security provides a concise reference to the security features of VMware Horizon 7. It covers:
- Required system and database login accounts.
- Configuration options and settings that have security implications.
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation.
- Location of log files and their purpose.
1 Horizon 7 Accounts, Resources, and Log Files
Having different accounts for specific components protects against giving individuals more access and permissions than they need. Knowing the locations of configuration files and other files with sensitive data aids in setting up security for various host systems.
Note Starting with Horizon 7.0, View Agent is renamed Horizon Agent.
Table 1‑2. Horizon Database Accounts
Horizon Component | Required Accounts
View Composer database | An SQL Server or Oracle database stores View Composer data. You create an administrative account for the database that you can associate with the View Composer user account. For information about setting up a View Composer database, see the View Installation document.
Event database used by Horizon Connection Server | An SQL Server or Oracle database stores Horizon event data.
Table 1‑4. Horizon 7 Log Files
Horizon Component | File Path and Other Information
All components (installation logs) | %TEMP%\vmmsi.log_date_timestamp
Horizon Agent | :\ProgramData\VMware\VDM\logs and %TEMP%\vminst.log_date_timestamp
To access Horizon 7 log files that are stored in :\ProgramData\VMware\VDM\logs, you must open the logs from a program with elevated administrator privileges. Right-click the program file and select Run as administrator.
2 View Security Settings
View includes several settings that you can use to adjust the security of the configuration. You can access the settings by using View Administrator or by using the ADSI Edit utility, as appropriate.
Note For information about security settings for Horizon Client and Horizon Agent, see the Horizon Client and Agent Security document.
Security-Related Global Settings in View Administrator
Security-related global settings for client sessions and connections are accessible under View Configuration > Global Settings in View Administrator.
Table 2‑1. Security-Related Global Settings
Setting | Description
Change data recovery password | The password is required when you restore the View LDAP configuration from an encrypted backup. When you install View Connection Server version 5.1 or later, you provide a data recovery password.
Reauthenticate secure tunnel connections after network interruption | Determines if user credentials must be reauthenticated after a network interruption when Horizon Clients use secure tunnel connections to View desktops and applications. This setting offers increased security.
Security-Related Server Settings in View Administrator
Security-related server settings are accessible under View Configuration > Servers in View Administrator.
Table 2‑2. Security-Related Server Settings
Setting | Description
Use PCoIP Secure Gateway for PCoIP connections to machine | Determines whether Horizon Client makes a further secure connection to the View Connection Server or security server host when users connect to View desktops and applications with the PCoIP display protocol.
Security-Related Settings in View LDAP
Security-related settings are provided in View LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. You can use the ADSI Edit utility to change the value of these settings on a View Connection Server instance. The change propagates automatically to all other View Connection Server instances in a group.
Table 2‑3.
3 Ports and Services
Certain UDP and TCP ports must be open so that View components can communicate with each other. Knowing which Windows services run on each type of View server helps identify services that do not belong on the server.
This section includes the following topics:
- View TCP and UDP Ports
- Services on a View Connection Server Host
- Services on a Security Server
View TCP and UDP Ports
View uses TCP and UDP ports for network access between its components.
Table 3‑1. TCP and UDP Ports Used by View (Continued)
Source | Port | Target | Port | Protocol | Description
Security server | * | View Connection Server | 4001 | TCP | JMS traffic.
Security server | * | View Connection Server | 4002 | TCP | JMS SSL traffic.
Security server | * | View Connection Server | 8009 | TCP | AJP13-forwarded Web traffic, if not using IPsec.
Security server | * | View Connection Server | * | ESP | AJP13-forwarded Web traffic, when using IPsec without NAT.
Security server, View Connection Server, or Unified Access Gateway appliance | * | Horizon Agent | 22443 | TCP | HTML Access if Blast Secure Gateway is used.
Horizon Agent | 4172 | Horizon Client | * | UDP | PCoIP, if PCoIP Secure Gateway is not used. Note Because the target port varies, see the note below this table.
Horizon Client | * | Horizon Agent | 32111 | TCP | USB redirection and time zone synchronization if direct connections are used instead of tunnel connections.
Horizon Client | * | Horizon Agent | 4172 | TCP and UDP | PCoIP if PCoIP Secure Gateway is not used. Note Because the source port varies, see the note below this table.
Unified Access Gateway appliance | * | View Connection Server or load balancer | 443 | TCP | HTTPS access. Unified Access Gateway appliances connect on TCP port 443 to communicate with a View Connection Server instance or load balancer in front of multiple View Connection Server instances.
Services on a View Connection Server Host
The operation of View depends on several services that run on a View Connection Server host.
Table 3‑2. View Connection Server Host Services
Service Name | Startup Type | Description
VMware Horizon View Blast Secure Gateway | Automatic | Provides secure HTML Access and Blast Extreme services. This service must be running if clients connect to View Connection Server through the Blast Secure Gateway.
Table 3‑3. Security Server Services (Continued)
Service Name | Startup Type | Description
VMware Horizon View Framework Component | Manual | Provides event logging, security, and COM+ framework services. This service must always be running.
VMware Horizon View PCoIP Secure Gateway | Manual | Provides PCoIP Secure Gateway services. This service must be running if clients connect to this security server through the PCoIP Secure Gateway.
4 Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
You can configure the security protocols and cipher suites that are accepted by View Connection Server. You can define a global acceptance policy that applies to all View Connection Server instances in a replicated group, or you can define an acceptance policy for individual View Connection Server instances and security servers.
Default Global Policies for Security Protocols and Cipher Suites
Global acceptance and proposal policies enable certain security protocols and cipher suites by default.
Table 4‑1. Default Global Policies
Default Security Protocols:
- TLS 1.2
- TLS 1.
Default Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Global Proposal Policies
The following attribute lists security protocols. You must order the list by placing the latest protocol first:
pae-ClientSSLSecureProtocols = \LIST:TLSv1.2,TLSv1.1,TLSv1
The following attribute lists the cipher suites. This list should be in order of preference. Place the most preferred cipher suite first, the second-most preferred suite next, and so on. This example shows an abbreviated list:
pae-ClientSSLCipherSuites = \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,T
Configure Acceptance Policies on Individual Servers
To specify a local acceptance policy on an individual Connection Server instance or security server, you must add properties to the locked.properties file. If the locked.properties file does not yet exist on the server, you must create it.
You add a secureProtocols.n entry for each security protocol that you want to configure. Use the following syntax: secureProtocols.n=security protocol.
You add an enabledCipherSuite.
preferredSecureProtocol=TLSv1.2
# The order of the following list is unimportant unless honorClientOrder is false:
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
enabledCipherSuite.4=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.5=TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.
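The locked.properties acceptance policy is a set of numbered entries whose order and numbering matter, and a mistake (a skipped index, a preferredSecureProtocol that is not in the secureProtocols list, a legacy suite added back) produces no error on the server. The following Python script is an added example, not VMware's code: it parses a locked.properties fragment built for this example with the property names documented in this chapter (secureProtocols.n, preferredSecureProtocol, honorClientOrder, enabledCipherSuite.n) and reports those three conditions. The legacy check uses the page's own statement that RC4 and DHE suites are disabled by default; the sample values are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed locked.properties fragment. The property names are the ones this
# chapter documents; the values are illustrative and deliberately include one
# DHE suite, which View disables by default.
SAMPLE_LOCKED_PROPERTIES = """\
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1
preferredSecureProtocol=TLSv1.2
honorClientOrder=false
# The order of the following list is unimportant unless honorClientOrder is false:
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
enabledCipherSuite.3=TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.4=TLS_DHE_DSS_WITH_AES_128_CBC_SHA
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines. Blank lines and '#' comments are skipped; keys are
    kept case-sensitive because locked.properties keys are case-sensitive."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def numbered_entries(props: Dict[str, str], prefix: str) -> Tuple[List[str], List[str]]:
    """Collect prefix.1, prefix.2, ... in numeric order and report a finding when
    the numbering is not contiguous from 1 (a skipped index silently drops the
    entries after it from the effective list)."""
    pattern = re.compile(re.escape(prefix) + r"\.(\d+)$")
    indexed: Dict[int, str] = {}
    for key, value in props.items():
        match = pattern.match(key)
        if match:
            indexed[int(match.group(1))] = value
    findings: List[str] = []
    if sorted(indexed) != list(range(1, len(indexed) + 1)):
        findings.append(f"{prefix}: numbering is not contiguous from 1: {sorted(indexed)}")
    return [indexed[i] for i in sorted(indexed)], findings


def is_legacy_suite(suite: str) -> bool:
    """True for the suite families this chapter says View disables by default:
    RC4 suites and (non-EC) Diffie-Hellman ephemeral DHE suites."""
    return "RC4" in suite or "_DHE_" in suite


def audit_acceptance_policy(text: str) -> dict:
    """Return the parsed policy plus the findings a reviewer should look at."""
    props = parse_properties(text)
    protocols, findings = numbered_entries(props, "secureProtocols")
    suites, suite_findings = numbered_entries(props, "enabledCipherSuite")
    findings.extend(suite_findings)

    preferred = props.get("preferredSecureProtocol")
    if preferred is not None and preferred not in protocols:
        findings.append(f"preferredSecureProtocol={preferred} is not in the secureProtocols list")

    for suite in suites:
        if is_legacy_suite(suite):
            findings.append(f"legacy cipher suite re-enabled: {suite}")

    return {
        "protocols": protocols,
        "preferred": preferred,
        "honorClientOrder": props.get("honorClientOrder"),
        "suites": suites,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_acceptance_policy(SAMPLE_LOCKED_PROPERTIES)
    print("protocols:", report["protocols"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against the sample, the script flags only the DHE suite; point it at a real locked.properties by reading the file into a string. The page does not state what honorClientOrder defaults to when the property is absent, so the script reports the raw value rather than assuming one.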
Older Protocols and Ciphers Disabled in View
Some older protocols and ciphers that are no longer considered secure are disabled in View by default. If required, you can enable them manually.
DHE Cipher Suites
For more information, see http://kb.vmware.com/kb/2121183. Cipher suites that are compatible with DSA certificates use Diffie-Hellman ephemeral keys, and these suites are no longer enabled by default, starting with Horizon 6 version 6.2.
For Connection Server instances, security servers, and View desktops, you can enable RC4 on the Connection Server, security server, or Horizon Agent machine by editing the configuration file C:\Program Files\VMware\VMware View\Server\jre\lib\security\java.security. At the end of the file is a multi-line entry called jdk.tls.legacyAlgorithms.
5 Configuring Security Protocols and Cipher Suites for Blast Secure Gateway
The security settings for View Connection Server do not apply to Blast Secure Gateway (BSG). You must configure security for BSG separately.
Configure Security Protocols and Cipher Suites for Blast Secure Gateway (BSG)
You can configure the security protocols and cipher suites that BSG's client-side listener accepts by editing the file absg.properties. The protocols that are allowed are, from low to high, tls1.0, tls1.
2 Edit the properties localHttpsProtocolLow and localHttpsProtocolHigh to specify a range of protocols. For example:
localHttpsProtocolLow=tls1.0
localHttpsProtocolHigh=tls1.2
To enable only one protocol, specify the same protocol for both localHttpsProtocolLow and localHttpsProtocolHigh.
3 Edit the localHttpsCipherSpec property to specify a list of cipher suites.
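Because the BSG listener is configured independently of the Connection Server acceptance policy, the two can drift apart: the Connection Server may accept only TLS 1.2 while absg.properties still starts its range at tls1.0. The following Python script is an added example, not VMware's code. It expands the localHttpsProtocolLow/localHttpsProtocolHigh range over the ordered names this chapter lists (tls1.0, tls1.1, tls1.2), rejects an inverted or unknown range, and compares the result with a Connection Server secureProtocols list written in that file's spelling (TLSv1.2, TLSv1). The absg.properties fragment is constructed for the example.

```python
from typing import Dict, List

# BSG protocol names ordered from low to high, as this chapter lists them.
BSG_PROTOCOL_ORDER: List[str] = ["tls1.0", "tls1.1", "tls1.2"]

# Constructed absg.properties fragment using the two range properties
# documented above. The values are illustrative.
SAMPLE_ABSG_PROPERTIES = """\
localHttpsProtocolLow=tls1.1
localHttpsProtocolHigh=tls1.2
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser; '#' lines and blank lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def bsg_enabled_protocols(props: Dict[str, str]) -> List[str]:
    """Expand localHttpsProtocolLow..localHttpsProtocolHigh into the protocol
    versions BSG's client-side listener accepts. Raises ValueError for a
    missing or unknown property value or an inverted range."""
    try:
        low = props["localHttpsProtocolLow"]
        high = props["localHttpsProtocolHigh"]
    except KeyError as missing:
        raise ValueError(f"absg.properties is missing {missing}") from None
    for name in (low, high):
        if name not in BSG_PROTOCOL_ORDER:
            raise ValueError(f"unknown BSG protocol name: {name}")
    lo, hi = BSG_PROTOCOL_ORDER.index(low), BSG_PROTOCOL_ORDER.index(high)
    if lo > hi:
        raise ValueError(f"localHttpsProtocolLow={low} is above localHttpsProtocolHigh={high}")
    return BSG_PROTOCOL_ORDER[lo:hi + 1]


def range_error(props: Dict[str, str]) -> str:
    """Return the validation error for a BSG range, or '' when the range is valid."""
    try:
        bsg_enabled_protocols(props)
        return ""
    except ValueError as err:
        return str(err)


def normalize_protocol(name: str) -> str:
    """Map Connection Server spelling (TLSv1.2, TLSv1) onto BSG spelling (tls1.2, tls1.0)."""
    n = name.strip().lower().replace("tlsv", "tls")
    return "tls1.0" if n == "tls1" else n


def compare_listeners(connection_server_protocols: List[str], absg_text: str) -> Dict[str, List[str]]:
    """Report which protocol versions only one of the two listeners accepts."""
    cs = {normalize_protocol(p) for p in connection_server_protocols}
    bsg = set(bsg_enabled_protocols(parse_properties(absg_text)))
    return {
        "connection_server": sorted(cs),
        "bsg": sorted(bsg),
        "only_bsg": sorted(bsg - cs),
        "only_connection_server": sorted(cs - bsg),
    }


if __name__ == "__main__":
    print(compare_listeners(["TLSv1.2", "TLSv1.1"], SAMPLE_ABSG_PROPERTIES))
```

A non-empty only_bsg list means BSG accepts a version the Connection Server policy has already dropped, which is the drift the chapter's "configure separately" warning is about.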
6 Deploying USB Devices in a Secure Horizon 7 Environment
USB devices can be vulnerable to a security threat called BadUSB, in which the firmware on some USB devices can be hijacked and replaced with malware. For example, a device can be made to redirect network traffic or to emulate a keyboard and capture keystrokes. You can configure the USB redirection feature to protect your Horizon 7 deployment against this security vulnerability.
- In View Administrator, after you set the policy at the desktop or application pool level, you can override the policy for a specific user in the pool by selecting the User Overrides setting and selecting a user.
- Set the Exclude All Devices policy to true, on the Horizon Agent side or on the client side, as appropriate.
- Use Smart Policies to create a policy that disables the USB redirection Horizon Policy setting.
In addition, educate your employees to ensure that they do not connect devices from unknown sources. If possible, restrict the devices in your environment to those that accept only signed firmware updates, are FIPS 140-2 Level 3-certified, and do not support any kind of field-updatable firmware. These types of USB devices are hard to source and, depending on your device requirements, might be impossible to find. These choices might not be practical, but they are worth considering.
Setting policies to block certain device families or specific devices can help to mitigate the risk of being infected with BadUSB malware. These policies do not mitigate all risk, but they can be an effective part of an overall security strategy. These policies are included in the Horizon Agent Configuration ADMX template file (vdm_agent.admx). For more information, see Configuring Remote Desktop Features in Horizon 7.
7 HTTP Protection Measures on Connection Servers and Security Servers
Horizon 7 employs certain measures to protect communication that uses the HTTP protocol.
This section includes the following topics:
- Internet Engineering Task Force Standards
- World Wide Web Consortium Standards
- Other Protection Measures
- Configure HTTP Protection Measures
Internet Engineering Task Force Standards
Connection Server and security server comply with certain Internet Engineering Task Force (IETF) standards.
- RFC 6454 Origin Checking, which protects against cross-site request forgery, is enabled by default. You can disable it by adding the entry checkOrigin=false to locked.properties. For more information, see Cross-Origin Resource Sharing. Note In earlier releases, this protection was disabled by default.
World Wide Web Consortium Standards
Connection Server and security server comply with certain World Wide Web Consortium (W3) standards.
Table 7‑1. CORS Properties (Continued)
Property | Value Type | Master Default | Other Defaults
checkOrigin | true / false | true | n/a
allowCredentials | true / false | false | admin=true broker=true helpdesk=true misc=true portal=true saml=true tunnel=true view-vlsi=true view-vlsi-rest=true
allowMethod... | http-method-name | GET,HEAD,POST | misc=GET,HEAD saml=GET,HEAD
allowPreflight | true / false | true | n/a
maxAge | cache-time | 0 | n/a
balancedHost | load-balancer-name | OFF | n/a
portalHost...
If clients need to connect through a Unified Access Gateway or another gateway, you must specify all of the gateway addresses by adding portalHost entries to locked.properties. Port 443 is assumed for these addresses too. Do the same if you want to provide access to a Connection Server or security server by a name that is different from the one that is specified in the External URL. Chrome Extension clients set their initial Origin to their own identity.
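The CORS table above gives each property a master default and, for some properties, per-service defaults, and locked.properties can then override either level. Reading off the effective value for one service by hand is error-prone, and the one override that matters most for security (checkOrigin=false, which removes the CSRF protection the IETF section describes) is easy to miss in a long file. The following Python script is an added example, not VMware's code: it encodes the defaults exactly as Table 7‑1 states them, resolves the effective value of a property for a given service, and lists the services for which origin checking ends up disabled. Two things are assumptions rather than page content: the property-service spelling (for example allowCredentials-admin) for a service-specific locked.properties entry, and the precedence that a master entry in locked.properties beats a built-in per-service default. The locked.properties fragment is constructed.

```python
from typing import Dict, List, Optional, Tuple

# Service names and defaults transcribed from Table 7-1 on this page.
SERVICES: List[str] = ["admin", "broker", "helpdesk", "misc", "portal", "saml",
                       "tunnel", "view-vlsi", "view-vlsi-rest"]

MASTER_DEFAULTS: Dict[str, str] = {
    "checkOrigin": "true",
    "allowCredentials": "false",
    "allowMethod": "GET,HEAD,POST",
    "allowPreflight": "true",
    "maxAge": "0",
    "balancedHost": "OFF",
}

SERVICE_DEFAULTS: Dict[str, Dict[str, str]] = {
    "allowCredentials": {service: "true" for service in SERVICES},
    "allowMethod": {"misc": "GET,HEAD", "saml": "GET,HEAD"},
}

# Constructed locked.properties fragment. "checkOrigin = false" is the entry
# this chapter documents. The "property-service" form of the second line is an
# ASSUMPTION about the service-specific syntax, not something this page states.
SAMPLE_LOCKED_PROPERTIES = """\
checkOrigin = false
allowCredentials-admin = false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser; '#' lines and blank lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_service_key(key: str) -> Tuple[str, Optional[str]]:
    """'allowCredentials-admin' -> ('allowCredentials', 'admin');
    'checkOrigin' -> ('checkOrigin', None). ASSUMED syntax; property names
    carry no '-', so the first '-' separates name from service."""
    name, sep, service = key.partition("-")
    return (name, service) if sep else (name, None)


def effective_value(prop: str, service: str, props: Dict[str, str]) -> Optional[str]:
    """Resolve a property for one service. ASSUMED precedence, most specific
    first: service entry in locked.properties, master entry in locked.properties,
    built-in service default, built-in master default."""
    overrides: Dict[str, Dict[Optional[str], str]] = {}
    for key, value in props.items():
        name, svc = split_service_key(key)
        overrides.setdefault(name, {})[svc] = value
    per_prop = overrides.get(prop, {})
    if service in per_prop:
        return per_prop[service]
    if None in per_prop:
        return per_prop[None]
    if service in SERVICE_DEFAULTS.get(prop, {}):
        return SERVICE_DEFAULTS[prop][service]
    return MASTER_DEFAULTS.get(prop)


def origin_check_disabled(props: Dict[str, str]) -> List[str]:
    """Services for which RFC 6454 origin checking resolves to false, i.e. the
    CSRF protection this chapter enables by default has been switched off."""
    return [s for s in SERVICES if effective_value("checkOrigin", s, props) == "false"]


if __name__ == "__main__":
    props = parse_properties(SAMPLE_LOCKED_PROPERTIES)
    for service in SERVICES:
        print(service, "allowCredentials =", effective_value("allowCredentials", service, props))
    print("origin checking disabled for:", origin_check_disabled(props))
```

With an empty locked.properties the resolver reproduces the table (allowCredentials is true for every listed service, allowMethod is GET,HEAD for misc and saml); with the sample fragment, origin checking is reported as disabled for every service, which is what a reviewer should see before that file goes into production.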
Other Protection Measures
Besides the Internet Engineering Task Force and W3 standards, Horizon 7 employs other measures to protect communication that uses the HTTP protocol.
Reducing MIME Type Security Risks
By default, Horizon 7 sends the header x-content-type-options: nosniff in its HTTP responses to help prevent attacks based on MIME-type confusion. You can disable this feature by adding the following entry to the file locked.
To accept requests with any declared content type, specify acceptContentType=*.
Note In releases earlier than Horizon 7 version 7.2, changing this list does not affect connections to Horizon Administrator.
Handshake Monitoring
TLS handshakes on port 443 must complete within a configurable period; otherwise they are forcibly terminated. By default, this period is 10 seconds. If smart card authentication is enabled, TLS handshakes on port 443 can complete within 100 seconds.
A TLS handshake over-run is not the only reason to blacklist a client. Other reasons include a series of abandoned connections, or a series of requests ending in error, such as multiple attempts to access nonexistent URLs. These various triggers have differing minimum blacklist periods. To extend monitoring of these additional triggers to port 80, add the following entry to the locked.
Configure HTTP Protection Measures
To configure HTTP protection measures you must create or edit the locked.properties file in the SSL gateway configuration folder on the Connection Server or security server instance. For example:
install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
- Use the following syntax to configure a property in locked.properties: myProperty = newValue
- The property name is always case-sensitive and the value might be case-sensitive.
- To determine the correct service name to use when making a service-specific configuration, look in the debug logs for lines containing the following sequence:
(ajp:admin:Request21) Request from abc.def.com/10.20.30.40: GET /admin/
In this example, the service name is admin.
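Rather than scanning the debug log by eye for that sequence, a short parser can pull every service name the gateway has actually handled, and the same parsed records give a per-client request count, which is the raw material for the repeated-error and abandoned-connection patterns the Handshake Monitoring section says lead to blacklisting. The following Python script is an added example, not VMware's code. It matches the request-line format shown above; the log excerpt, host names and addresses are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed debug-log excerpt in the format this chapter shows. The first line
# is the page's own example; the other host names and addresses are made up.
SAMPLE_DEBUG_LOG = """\
(ajp:admin:Request21) Request from abc.def.com/10.20.30.40: GET /admin/
(ajp:broker:Request22) Request from client1.example.test/10.20.30.41: POST /broker/xml
(ajp:portal:Request23) Request from client2.example.test/10.20.30.42: GET /portal/
(ajp:admin:Request24) Request from abc.def.com/10.20.30.40: GET /admin/login
some unrelated debug line
"""

# "(ajp:admin:Request21) Request from abc.def.com/10.20.30.40: GET /admin/"
REQUEST_LINE = re.compile(
    r"\((?P<transport>\w+):(?P<service>[\w-]+):Request(?P<num>\d+)\) "
    r"Request from (?P<host>[^/\s]+)/(?P<ip>[0-9a-fA-F.:]+): (?P<method>[A-Z]+) (?P<path>\S+)"
)


def parse_request_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one request line, or None if the line is not one."""
    match = REQUEST_LINE.search(line)
    return match.groupdict() if match else None


def service_names(log_text: str) -> List[str]:
    """Distinct service names seen in the log, sorted. These are the names to
    use when writing a service-specific locked.properties entry."""
    names = set()
    for line in log_text.splitlines():
        record = parse_request_line(line)
        if record:
            names.add(record["service"])
    return sorted(names)


def requests_per_client(log_text: str) -> Dict[str, int]:
    """Count request lines per client IP, a first cut at spotting the repetitive
    access patterns that the gateway's own monitoring reacts to."""
    counter: Counter = Counter()
    for line in log_text.splitlines():
        record = parse_request_line(line)
        if record:
            counter[record["ip"]] += 1
    return dict(counter)


if __name__ == "__main__":
    print("services:", service_names(SAMPLE_DEBUG_LOG))
    print("requests per client:", requests_per_client(SAMPLE_DEBUG_LOG))
```

Feed it a real debug log by reading the file into a string; lines that do not match the request format are ignored rather than mis-parsed.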