6.2
Table Of Contents
- View Security
- Contents
- View Security
- View Security Reference
- View Accounts
- View Security Settings
- View Resources
- View Log Files
- View TCP and UDP Ports
- Services on a View Connection Server Host
- Services on a Security Server
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Default Global Policies for Security Protocols and Cipher Suites
- Configuring Global Acceptance and Proposal Policies
- Configure Acceptance Policies on Individual View Servers
- Configure Proposal Policies on View Desktops
- Internet Engineering Task Force Standards
- Older Protocols and Ciphers Disabled in View
- Reducing MIME Type Security Risks
- Mitigating Cross-Site Scripting Attacks
- Content Type Checking
- Origin Checking
- Deploying USB Devices in a Secure View Environment
- Index
For example:
acceptContentType.1=x-www-form-urlencoded
To accept another content type, add the entry acceptContentType.2=content-type, and so on
Origin Checking
By default, protection against cross-site request forging is disabled.
You can enable this protection by adding the following entry to the file locked.properties:
checkOrigin=true
If multiple Connection Servers or security servers are load balanced, you must specify the load balancer
address by adding the following entry to the file locked.properties. Port 443 is assumed for this address.
balancedHost=load-balancer-name
When this option is enabled, connections to View can be made only to the address given in the external
URL, to the balancedHost address, or to localhost.
Deploying USB Devices in a Secure View Environment
USB devices can be vulnerable to a security threat called BadUSB, in which the firmware on some USB
devices can be hijacked and replaced with malware. For example, a device can be made to redirect network
traffic or to emulate a keyboard and capture keystrokes. You can configure the USB redirection feature to
protect your View deployment against this security vulnerability.
By disabling USB redirection, you can prevent any USB devices from being redirected to your users' View
desktops and applications. Alternatively, you can disable redirection of specific USB devices, allowing users
to have access only to specific devices on their desktops and applications.
The decision whether to take these steps depends on the security requirements in your organization. These
steps are not mandatory. You can install USB redirection and leave the feature enabled for all USB devices in
your View deployment. At a minimum, consider seriously the extent to which your organization should try
to limit its exposure to this security vulnerability.
Disabling USB Redirection for All Types of Devices
Some highly secure environments require you to prevent all USB devices that users might have connected to
their client devices from being redirected to their remote desktops and applications. You can disable USB
redirection for all desktop pools, for specific desktop pools, or for specific users in a desktop pool.
Use any of the following strategies, as appropriate for your situation:
n
When you install View Agent on a desktop image or RDS host, deselect the USB redirection setup
option. (The option is deselected by default.) This approach prevents access to USB devices on all
remote desktops and applications that are deployed from the desktop image or RDS host.
n
In View Administrator, edit the USB access policy for a specific pool to either deny or allow access.
With this approach, you do not have to change the desktop image and can control access to USB devices
in specific desktop and application pools.
Only the global USB access policy is available for RDS desktop and application pools. You cannot set
this policy for individual RDS desktop or application pools.
n
In View Administrator, after you set the policy at the desktop or application pool level, you can
override the policy for a specific user in the pool by selecting the User Overrides setting and selecting a
user.
n
Set the Exclude All Devices policy to true, on the View Agent side or on the client side, as appropriate.
Chapter 1 View Security Reference
VMware, Inc. 29