Specifications
You can also use restricted entitlements to control desktop access based on the user-authentication method
that you configure for a particular View Connection Server instance. For example, you can make certain
desktop pools available only to users who have authenticated with a smart card.
The restricted entitlements feature only enforces tag matching. You must design your network topology to
force certain clients to connect through a particular View Connection Server instance.
Using Group Policy Settings to Secure View Desktops
VMware View includes Group Policy administrative (ADM) templates that contain security-related group
policy settings that you can use to secure your View desktops.
For example, you can use group policy settings to perform the following tasks.
n
Specify the View Connection Server instances that can accept user identity and credential information that
is passed when a user selects the Log in as current user check box in View Client.
n
Enable single sign-on for smart card authentication in View Client.
n
Configure server SSL certificate checking in View Client.
n
Prevent users from providing credential information with View Client command line options.
n
Prevent non-View client systems from using RDP to connect to View desktops. You can set this policy so
that connections must be View-managed, which means that users must use View Client to connect to View
desktops.
See the VMware View Administration document for information on using View Client group policy settings.
Implementing Best Practices to Secure Client Systems
You should implement best practices to secure client systems.
n
Make sure that client systems are configured to go to sleep after a period of inactivity and require users
to enter a password before the computer awakens.
n
Require users to enter a username and password when starting client systems. Do not configure client
systems to allow automatic logins.
n
For Mac client systems, consider setting different passwords for the Keychain and the user account. When
the passwords are different, users are prompted before the system enters any passwords on their behalf.
Also consider turning on FileVault protection.
n
Local mode client systems might have more network access when they are running in local mode than
when they are remote and connected to the intranet. Consider enforcing intranet network security policies
for local mode client systems or disable network access for local mode client systems when they are
running in local mode.
Assigning Administrator Roles
A key management task in a VMware View environment is to determine who can use View Administrator and
what tasks those users are authorized to perform.
The authorization to perform tasks in View Administrator is governed by an access control system that consists
of administrator roles and privileges. A role is a collection of privileges. Privileges grant the ability to perform
specific actions, such as entitling a user to a desktop pool or changing a configuration setting. Privileges also
control what an administrator can see in View Administrator.
VMware View Architecture Planning
56 VMware, Inc.