6.1
Table Of Contents
- View Security
- Contents
- View Security
- View Security Reference
- View Accounts
- View Security Settings
- View Resources
- View Log Files
- View TCP and UDP Ports
- Services on a View Connection Server Host
- Services on a Security Server
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Default Global Policies for Security Protocols and Cipher Suites
- Updating JCE Policy Files to Support High-Strength Cipher Suites
- Configuring Global Acceptance and Proposal Policies
- Configure Acceptance Policies on Individual View Servers
- Internet Engineering Task Force Standards
- Perfect Forward Secrecy
- SSLv3 Is Disabled in View
- Deploying USB Devices in a Secure View Environment
- Index
For example, you can prevent all devices except a known device vendor and product ID,
vid/pid=0123/abcd, from being redirected to the remote desktop or application:
ExcludeAllDevices Enabled
IncludeVidPid o:vid-0123_pid-abcd
NOTE This example configuration provides some protection, but a malicious device can report any vid/pid it
likes, so an attack using a device that spoofs the permitted vid/pid is still possible.
By default, View blocks certain device families from being redirected to the remote desktop or application.
For example, HID (human interface devices) and keyboards are blocked from appearing in the guest. Some
released BadUSB code targets USB keyboard devices.
You can prevent specific device families from being redirected to the remote desktop or application. For
example, you can block all video, audio, and mass storage devices:
ExcludeDeviceFamily o:video;audio;storage
Conversely, you can create a whitelist by preventing all devices from being redirected but allowing a
specific device family to be used. For example, you can block all devices except storage devices:
ExcludeAllDevices Enabled
IncludeDeviceFamily o:storage
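The following added example is not VMware's code and is not taken from this document; it is a small model of how the three USB policies above (the single-device allowlist, the family blocklist, and the storage-only allowlist) decide whether a device is redirected, and it makes the NOTE concrete by showing a device that spoofs the permitted vid/pid passing the allowlist. The precedence it assumes (vid/pid rules are the most specific and win over device-family rules, which win over ExcludeAllDevices, with the built-in HID/keyboard block applying only where no explicit rule matches) is an assumption to be checked against the ADM template, and the device IDs and families are constructed sample data.

```python
"""Model of the View Agent USB redirection filter policies (illustrative, not VMware's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    vid: str      # vendor ID as the device reports it (4 hex digits)
    pid: str      # product ID as the device reports it (4 hex digits)
    family: str   # e.g. "storage", "keyboard", "video", "audio", "hid"


# Families the page says View blocks by default when no policy says otherwise.
DEFAULT_EXCLUDED_FAMILIES = {"hid", "keyboard"}


def _parse_value(raw):
    """Drop the 'o:' (override) / 'm:' (merge) prefix and split the ';' list."""
    raw = raw.strip()
    if raw[:2] in ("o:", "m:"):
        raw = raw[2:]
    return [v.strip().lower() for v in raw.split(";") if v.strip()]


def _parse_vidpid(token):
    """'vid-0123_pid-abcd' -> ('0123', 'abcd')."""
    vid_part, pid_part = token.split("_")
    return vid_part[len("vid-"):], pid_part[len("pid-"):]


def parse_policy(text):
    """Parse policy lines in the 'Setting value' form used above into a dict of rule sets."""
    policy = {"exclude_all": False, "include_vidpid": set(), "exclude_vidpid": set(),
              "include_family": set(), "exclude_family": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        if name == "ExcludeAllDevices":
            policy["exclude_all"] = value.strip().lower() == "enabled"
        elif name in ("IncludeVidPid", "ExcludeVidPid"):
            key = "include_vidpid" if name.startswith("Include") else "exclude_vidpid"
            policy[key] |= {_parse_vidpid(t) for t in _parse_value(value)}
        elif name in ("IncludeDeviceFamily", "ExcludeDeviceFamily"):
            key = "include_family" if name.startswith("Include") else "exclude_family"
            policy[key] |= set(_parse_value(value))
        else:
            raise ValueError(f"unknown setting: {name}")
    return policy


def is_redirected(policy, dev):
    """True if the device would be forwarded to the remote desktop under this model's precedence."""
    key = (dev.vid.lower(), dev.pid.lower())
    if key in policy["exclude_vidpid"]:        # most specific rule wins (assumption)
        return False
    if key in policy["include_vidpid"]:
        return True
    fam = dev.family.lower()
    if fam in policy["exclude_family"]:
        return False
    if fam in policy["include_family"]:
        return True
    if fam in DEFAULT_EXCLUDED_FAMILIES:       # built-in HID/keyboard block
        return False
    return not policy["exclude_all"]


# The three policies from the page, as policy text.
ALLOW_ONE_DEVICE = "ExcludeAllDevices Enabled\nIncludeVidPid o:vid-0123_pid-abcd\n"
BLOCK_MEDIA = "ExcludeDeviceFamily o:video;audio;storage\n"
STORAGE_ONLY = "ExcludeAllDevices Enabled\nIncludeDeviceFamily o:storage\n"


def demo():
    """Evaluate constructed sample devices against each policy; the dict values are the verdicts."""
    badge = UsbDevice("0123", "abcd", "smartcard")     # the one permitted device
    stick = UsbDevice("1234", "5678", "storage")       # constructed mass-storage device
    keyboard = UsbDevice("1234", "9abc", "keyboard")   # constructed keyboard
    spoofed = UsbDevice("0123", "abcd", "storage")     # BadUSB-style device claiming the allowed vid/pid
    allow_one = parse_policy(ALLOW_ONE_DEVICE)
    return {
        "badge_allowed": is_redirected(allow_one, badge),
        "stick_blocked": not is_redirected(allow_one, stick),
        "spoofed_passes": is_redirected(allow_one, spoofed),   # why vid/pid filtering is a weak control
        "block_media_stick": is_redirected(parse_policy(BLOCK_MEDIA), stick),
        "storage_only_stick": is_redirected(parse_policy(STORAGE_ONLY), stick),
        "storage_only_keyboard": is_redirected(parse_policy(STORAGE_ONLY), keyboard),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `spoofed` device in `demo()` is the case the NOTE warns about: because the allowlist keys only on the reported vid/pid, a device that lies about its identity is redirected exactly as the genuine one is, which is why family-level exclusions and blocking port 32111 for external connections are worth combining with vid/pid rules.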
Another risk arises when a remote user logs in to a desktop or application and infects it through a redirected
USB device. You can prevent USB access for View connections that originate outside the company firewall, so
that USB devices can be used internally but not externally.
To disable external access to USB devices, you can block TCP port 32111 from the security server to the
remote desktops and applications. For zero clients, the USB traffic is embedded inside a virtual channel on
UDP port 4172. Because port 4172 is used for the display protocol as well as for USB redirection, you cannot
block port 4172. If required, you can disable USB redirection on zero clients. For details, see the zero client
product literature or contact the zero client vendor.
Setting policies to block certain device families or specific devices can help to mitigate the risk of being
infected with BadUSB malware. These policies do not mitigate all risk, but they can be an effective part of an
overall security strategy.
These policies are included in the View Agent Configuration ADM template file (vdm_agent.adm). For more
information, see "USB Settings in the View Agent Configuration ADM Template" in the Setting Up Desktop
and Application Pools in View document.