View Security
VMware Horizon 7
Version 7.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2009–2016 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com
Contents

View Security 5
1 View Accounts, Resources, and Log Files 7
  View Accounts 7
  View Resources 8
  View Log Files 8
2 View Security Settings 11
  Security-Related Global Settings in View Administrator 12
  Security-Related Server Settings in View Administrator 14
  Security-Related Settings in View LDAP 15
3 Ports and Services 17
  View TCP and UDP Ports 17
  Services on a View Connection Server Host 21
  Services on a Security Server 22
4 Configuring Security Protocols and Cipher Suites on a View Connection
View Security

View Security provides a concise reference to the security features of VMware Horizon 7.
- Required system and database login accounts.
- Configuration options and settings that have security implications.
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation.
- Location of log files and their purpose.
1 View Accounts, Resources, and Log Files

Having different accounts for specific components protects against giving individuals more access and permissions than they need. Knowing the locations of configuration files and other files with sensitive data aids in setting up security for various host systems.

NOTE Starting with Horizon 7.0, View Agent is renamed Horizon Agent.
Table 1-2. View Database Accounts
View Component | Required Accounts
View Composer database | An SQL Server or Oracle database stores View Composer data. You create an administrative account for the database that you can associate with the View Composer user account. For information about setting up a View Composer database, see the View Installation document.
Event database used by View Connection Server | An SQL Server or Oracle database stores View event data.
Table 1-4. View Log Files
View Component | File Path and Other Information
All components (installation logs) | %TEMP%\vminst.log_date_timestamp
Horizon Agent | :\ProgramData\VMware\VDM\logs. To access View log files that are stored in :\ProgramData\VMware\VDM\logs, you must open the logs from a program with elevated administrator privileges. Right-click the program file and select Run as administrator.
2 View Security Settings

View includes several settings that you can use to adjust the security of the configuration. You can access the settings by using View Administrator or by using the ADSI Edit utility, as appropriate.

NOTE For information about security settings for Horizon Client and Horizon Agent, see the Horizon Client and Agent Security document.
Security-Related Global Settings in View Administrator

Security-related global settings for client sessions and connections are accessible under View Configuration > Global Settings in View Administrator.

Table 2-1. Security-Related Global Settings
Setting | Description
Change data recovery password | The password is required when you restore the View LDAP configuration from an encrypted backup. When you install View Connection Server version 5.
Table 2-1. Security-Related Global Settings (Continued)
Setting | Description
For clients that support applications. If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials | Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, View disconnects all applications and discards SSO credentials after the specified number of minutes without user activity.
Security-Related Server Settings in View Administrator

Security-related server settings are accessible under View Configuration > Servers in View Administrator.

Table 2-2. Security-Related Server Settings
Setting | Description
Use PCoIP Secure Gateway for PCoIP connections to machine | Determines whether Horizon Client makes a further secure connection to the View Connection Server or security server host when users connect to View desktops and applications with the PCoIP display protocol.
Security-Related Settings in View LDAP

Security-related settings are provided in View LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. You can use the ADSI Edit utility to change the value of these settings on a View Connection Server instance. The change propagates automatically to all other View Connection Server instances in a group.

Table 2-3.
3 Ports and Services

Certain UDP and TCP ports must be open so that View components can communicate with each other. Knowing which Windows services run on each type of View server helps identify services that do not belong on the server.
Table 3-1. TCP and UDP Ports Used by View (Continued)
Source | Port | Target | Port | Protocol | Description
Security server | * | View Connection Server | 4002 | TCP | JMS SSL traffic.
Security server | * | View Connection Server | 8009 | TCP | AJP13-forwarded Web traffic, if not using IPsec.
Security server | * | View Connection Server | * | ESP | AJP13-forwarded Web traffic, when using IPsec without NAT.
Table 3-1. TCP and UDP Ports Used by View (Continued)
Source | Port | Target | Port | Protocol | Description
Horizon Agent | 4172 | View Connection Server, security server, or Access Point appliance | 55000 | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used.
Horizon Agent | 4172 | Access Point appliance | * | UDP | PCoIP. View desktops and applications send PCoIP data back to an Access Point appliance from UDP port 4172.
Table 3-1. TCP and UDP Ports Used by View (Continued)
Source | Port | Target | Port | Protocol | Description
View Connection Server | * | View Connection Server | 48080 | TCP | For internal communication between View Connection Server components.
View Connection Server | * | vCenter Server or View Composer | 80 | TCP | SOAP messages if SSL is disabled for access to vCenter Servers or View Composer.
View Connection Server | * | vCenter Server | 443 | TCP | SOAP messages if SSL is enabled for access to vCenter Servers.
HTTP Redirection in View

Connection attempts over HTTP are silently redirected to HTTPS, except for connection attempts to View Administrator. HTTP redirection is not needed with more recent Horizon clients because they default to HTTPS, but it is useful when your users connect with a Web browser, for example to download Horizon Client. The problem with HTTP redirection is that HTTP itself is a non-secure protocol: the initial request is sent in the clear before the redirect to HTTPS takes effect.
Table 3-2. View Connection Server Host Services (Continued)
Service Name | Startup Type | Description
VMware Horizon View Web Component | Manual | Provides web services. This service must always be running.
VMwareVDMDS | Automatic | Provides LDAP directory services. This service must always be running. During upgrades of View, this service ensures that existing data is migrated correctly.
4 Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server

You can configure the security protocols and cipher suites that are accepted by View Connection Server. You can define a global acceptance policy that applies to all View Connection Server instances in a replicated group, or you can define an acceptance policy for individual View Connection Server instances and security servers.
Default Global Policies for Security Protocols and Cipher Suites

Global acceptance and proposal policies enable certain security protocols and cipher suites by default.

Table 4-1. Default Global Policies
Default Security Protocols
- TLS 1.2
- TLS 1.1
- TLS 1.
Change the Global Acceptance and Proposal Policies

To change the global acceptance and proposal policies for security protocols and cipher suites, you use the ADSI Edit utility to edit View LDAP attributes.

Prerequisites
- Familiarize yourself with the View LDAP attributes that define the acceptance and proposal policies.
2 Add secureProtocols.n and enabledCipherSuite.n entries, including the associated security protocols and cipher suites.
3 Save the locked.properties file.
4 Restart the VMware Horizon View Connection Server service or VMware Horizon View Security Server service to make your changes take effect.

Example: Default Acceptance Policies on an Individual Server
The following example shows the entries in the locked.
Older Protocols and Ciphers Disabled in View

Some older protocols and ciphers that are no longer considered secure are disabled in View by default. If required, you can enable them manually.

DHE Cipher Suites
For more information, see http://kb.vmware.com/kb/2121183.
TLS 1.0
In Horizon 7, TLS 1.0 is disabled by default. For more information, see https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf and http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf. For instructions on how to enable TLS 1.0, see the sections "Enable TLSv1 on vCenter Connections from Connection Server" and "Enable TLSv1 on vCenter and ESXi Connections from View Composer" in the View Upgrades document.
5 Configuring Security Protocols and Cipher Suites for Blast Secure Gateway

The security settings for View Connection Server do not apply to Blast Secure Gateway (BSG). You must configure security for BSG separately.

Configure Security Protocols and Cipher Suites for Blast Secure Gateway (BSG)
You can configure the security protocols and cipher suites that BSG's client-side listener accepts by editing the file absg.properties. The protocols that are allowed are, from low to high, tls1.0, tls1.
3 Edit the localHttpsCipherSpec property to specify a list of cipher suites. For example:
localHttpsCipherSpec=ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL
4 Restart the Windows service VMware Horizon View Blast Secure Gateway.
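The two procedures above (the per-server locked.properties acceptance policy in chapter 4 and the absg.properties cipher specification in chapter 5) both come down to key=value entries that are easy to get subtly wrong, and a change that re-enables TLS 1.0 or a DHE suite is invisible until someone scans the listener. The following Python script is an added example for this document, not VMware code: it reads both files, collects the secureProtocols.n and enabledCipherSuite.n entries and the localHttpsCipherSpec string, and reports settings that contradict the defaults the chapters describe. The sample file contents are constructed for the example; the JSSE-style protocol and cipher-suite names in them (TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and so on) are assumed spellings and are not taken from this page, which only shows the entry names.

```python
"""Audit TLS acceptance settings in Horizon locked.properties and absg.properties.

Added example for this document; not VMware code. Sample inputs below are
constructed. Protocol and suite names follow JSSE spelling (an assumption).
"""
import re


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def numbered_values(props: dict, prefix: str) -> list:
    """Return the values of prefix.1, prefix.2, ... in numeric order."""
    items = []
    for key, value in props.items():
        m = re.fullmatch(re.escape(prefix) + r"\.(\d+)", key)
        if m:
            items.append((int(m.group(1)), value))
    return [v for _, v in sorted(items)]


# Chapter 4 says TLS 1.0 and DHE suites are disabled by default; the other
# fragments cover suites no acceptance policy should re-enable either.
WEAK_PROTOCOLS = {"TLSv1", "SSLv3", "SSLv2Hello"}
WEAK_SUITE_FRAGMENTS = ("_DHE_", "_RC4_", "_3DES_", "_NULL_", "_MD5", "_anon_", "_EXPORT")


def audit_locked_properties(text: str) -> list:
    """Findings for a locked.properties acceptance policy (empty list = clean)."""
    props = parse_properties(text)
    findings = []
    for proto in numbered_values(props, "secureProtocols"):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol accepted: {proto}")
    for suite in numbered_values(props, "enabledCipherSuite"):
        if any(frag in suite for frag in WEAK_SUITE_FRAGMENTS):
            findings.append(f"weak cipher suite accepted: {suite}")
    return findings


# Exclusions the chapter 5 example places in localHttpsCipherSpec; dropping one
# silently widens what the BSG listener will negotiate.
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!RC4", "!MD5", "!3DES", "!EXPORT"}


def audit_absg_properties(text: str) -> list:
    """Findings for an absg.properties cipher spec (empty list = clean)."""
    props = parse_properties(text)
    spec = props.get("localHttpsCipherSpec", "")
    if not spec:
        return ["localHttpsCipherSpec not set (BSG uses its built-in default)"]
    tokens = set(spec.split(":"))
    return [f"localHttpsCipherSpec is missing exclusion {excl}"
            for excl in sorted(REQUIRED_EXCLUSIONS - tokens)]


# Constructed samples: one compliant, one that re-enables TLS 1.0 and a DHE suite.
GOOD_LOCKED = """\
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
"""
BAD_LOCKED = """\
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabledCipherSuite.2=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
"""
GOOD_ABSG = ("localHttpsCipherSpec=ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:"
             "!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL\n")
BAD_ABSG = "localHttpsCipherSpec=ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL\n"

if __name__ == "__main__":
    for name, fn, sample in [("locked.properties (ok)", audit_locked_properties, GOOD_LOCKED),
                             ("locked.properties (bad)", audit_locked_properties, BAD_LOCKED),
                             ("absg.properties (ok)", audit_absg_properties, GOOD_ABSG),
                             ("absg.properties (bad)", audit_absg_properties, BAD_ABSG)]:
        print(name, "->", fn(sample) or ["no findings"])
```

Run it against the real files after step 3 of either procedure and before the service restart in step 4; a non-empty finding list means the restart would put a weaker listener into production.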
6 Deploying USB Devices in a Secure View Environment

USB devices can be vulnerable to a security threat called BadUSB, in which the firmware on some USB devices can be hijacked and replaced with malware. For example, a device can be made to redirect network traffic or to emulate a keyboard and capture keystrokes. You can configure the USB redirection feature to protect your View deployment against this security vulnerability.
- Use Smart Policies to create a policy that disables the USB redirection Horizon Policy setting. With this approach, you can disable USB redirection on a specific remote desktop if certain conditions are met. For example, you can configure a policy that disables USB redirection when users connect to a remote desktop from outside your corporate network.

If you set the Exclude All Devices policy to true, Horizon Client prevents all USB devices from being redirected.
For example, you can prevent all devices except a known device vendor and product ID, vid/pid=0123/abcd, from being redirected to the remote desktop or application:
ExcludeAllDevices  Enabled
IncludeVidPid      o:vid-0123_pid-abcd

NOTE This example configuration provides protection, but a compromised device can report any vid/pid, so a possible attack could still occur.
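To make the evaluation order of the two settings concrete, the following Python script is an added model for this document, not Horizon Client code. It applies the example policy above (ExcludeAllDevices enabled, IncludeVidPid o:vid-0123_pid-abcd) to device descriptors and returns whether each device would be redirected. The filter syntax it understands is an assumption limited to what the page shows: the o: prefix is treated as a modifier prefix and stripped, and several entries are assumed to be separated by semicolons. The device descriptors are constructed; the last one is there to show the NOTE's point that the filter keys on values the device itself reports.

```python
"""Model of Exclude All Devices / Include Vid/Pid evaluation (chapter 6).

Added example for this document; not Horizon Client code. The 'o:' prefix
handling and ';' separator are assumptions; device descriptors are constructed.
"""
import re

FILTER_RE = re.compile(r"vid-([0-9a-fA-F]{4})_pid-([0-9a-fA-F]{4})")


def parse_vidpid_filter(value: str) -> set:
    """Turn 'o:vid-0123_pid-abcd;vid-0456_pid-ef01' into {('0123','abcd'), ...}."""
    pairs = set()
    for entry in value.split(";"):
        entry = entry.strip()
        if ":" in entry:                      # drop the modifier prefix (e.g. 'o:')
            entry = entry.split(":", 1)[1]
        m = FILTER_RE.fullmatch(entry)
        if not m:
            raise ValueError(f"unrecognised vid/pid filter entry: {entry!r}")
        pairs.add((m.group(1).lower(), m.group(2).lower()))
    return pairs


def redirect_allowed(policy: dict, vid: str, pid: str) -> bool:
    """Exclude All Devices blocks everything; Include Vid/Pid re-admits listed IDs."""
    exclude_all = policy.get("ExcludeAllDevices", "Disabled").lower() == "enabled"
    include = policy.get("IncludeVidPid", "")
    included = parse_vidpid_filter(include) if include else set()
    if not exclude_all:
        return True                           # nothing is blocked without the exclude rule
    return (vid.lower(), pid.lower()) in included


def evaluate(policy: dict, devices: list) -> dict:
    """Map each (name, vid, pid) descriptor to True (redirected) or False (blocked)."""
    return {name: redirect_allowed(policy, vid, pid) for name, vid, pid in devices}


# The page's example policy.
POLICY = {"ExcludeAllDevices": "Enabled", "IncludeVidPid": "o:vid-0123_pid-abcd"}

# Constructed descriptors as the client would read them from the devices.
DEVICES = [
    ("approved badge reader", "0123", "abcd"),
    ("unlisted storage stick", "4321", "dcba"),
    # A tampered device reporting the approved IDs is indistinguishable from the
    # genuine one, which is the caveat the chapter's NOTE makes about this filter.
    ("tampered device reporting approved IDs", "0123", "ABCD"),
]

if __name__ == "__main__":
    for name, allowed in evaluate(POLICY, DEVICES).items():
        print(f"{name}: {'redirected' if allowed else 'blocked'}")
```

The match is case-insensitive on the hex digits, since descriptors and policy text are often typed with different case; the third device shows why the Smart Policies approach (disabling redirection outright under risky conditions) is the stronger control.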
7 HTTP Protection Measures on Connection Servers and Security Servers

View employs certain measures to protect communication that uses the HTTP protocol.
This chapter includes the following topics:
- "Internet Engineering Task Force Standards," on page 35
- "Other Protection Measures," on page 36

Internet Engineering Task Force Standards
View Connection Server and security server comply with certain Internet Engineering Task Force (IETF) Standards.
If clients will be connecting through Access Point, you must specify the Access Point addresses in the file locked.properties. Port 443 is assumed for these addresses. For example:
portalHost.1=access-point-name-1
portalHost.2=access-point-name-2
Do the same if you want to provide access to a Connection Server or security server by a name that is different from the one that is specified in the External URL.
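The document's index lists origin checking under this section, and the portalHost.n entries above are the additional names a browser may legitimately present. The following Python function is an added model for this document, not Connection Server code: it accepts a request only when its Origin header names the External URL host or one of the portalHost.n addresses over https on port 443 (the port the page says is assumed). The External URL, the portal host names and the sample Origin values are constructed; treating a missing Origin header as a non-browser client and rejecting the literal "null" origin are assumptions of this model.

```python
"""Origin check against External URL and portalHost.n names (chapter 7).

Added example for this document; not Connection Server code. Inputs are
constructed; absent-Origin and "null"-Origin handling are assumptions.
"""
from urllib.parse import urlsplit


def allowed_origin_hosts(external_url: str, portal_hosts: list) -> set:
    """Lower-cased hosts that may appear in Origin; all are assumed on port 443."""
    ext = urlsplit(external_url)
    hosts = {ext.hostname.lower()} if ext.hostname else set()
    hosts.update(h.strip().lower() for h in portal_hosts if h.strip())
    return hosts


def origin_accepted(origin_header, external_url: str, portal_hosts: list) -> bool:
    """True when the Origin header is absent (non-browser client) or names an
    allowed host over https on port 443; anything else is rejected."""
    if origin_header is None:
        return True                       # non-browser clients send no Origin
    if origin_header == "null":
        return False                      # opaque origin (sandboxed page, file://)
    o = urlsplit(origin_header)
    if o.scheme != "https" or not o.hostname:
        return False
    try:
        port = o.port                     # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):           # implicit or explicit 443 only
        return False
    return o.hostname.lower() in allowed_origin_hosts(external_url, portal_hosts)


# Constructed deployment values: External URL of the server plus the two
# portalHost.n names from the locked.properties example above.
EXTERNAL_URL = "https://view.example.test:443"
PORTAL_HOSTS = ["access-point-name-1", "access-point-name-2"]

if __name__ == "__main__":
    for origin in ["https://access-point-name-1", "https://view.example.test:443",
                   "http://access-point-name-1", "https://access-point-name-1:8443",
                   "https://other.example.test", "null", None]:
        print(f"{origin!r:40} -> {'accept' if origin_accepted(origin, EXTERNAL_URL, PORTAL_HOSTS) else 'reject'}")
```

The practical consequence for operators is the one the paragraph states: any name users reach the server by, including Access Point addresses, has to be listed, or browser requests carrying that name in Origin are rejected.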