Security

Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) ensures that compromise of the server's long-term private key, the key
behind the server certificate, does not expose the session keys of SSL/TLS sessions that were recorded
earlier: each session derives its keys from an ephemeral Diffie-Hellman exchange rather than from the
certificate key. It is a property of cipher suites with DHE or ECDHE in their names. Of the five cipher
suites we enable by default, three have this property. The downside of PFS is performance, so a balance
needs to be struck.
View supports DHE-DSS, DHE-RSA, and ECDHE-RSA cipher suites. In these names the second component
(DSS or RSA) is the algorithm of the server certificate's key, and the DHE or ECDHE component describes
only the ephemeral key exchange, so all three families work with a standard DSS or RSA certificate.
ECDHE-RSA has better performance than the finite-field DHE suites and uses an ordinary RSA certificate.
Do not request from a CA an ECC certificate (one whose own key pair is an EC key), because View cannot
use it: such a certificate is only usable with ECDHE-ECDSA suites, which View does not support.
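The following script is an added example, not code from the View product or its documentation. It classifies cipher suites by their key-exchange token in the Java/IANA naming scheme that a JRE-based server such as View Connection Server uses (TLS_<keyexchange>_WITH_<cipher>_<mac>), reports which suites provide forward secrecy, which kind of certificate key each one needs, and which fall into the three PFS families this section says View supports. The suite list at the bottom is constructed sample input, not View's default list.

```python
"""Classify TLS cipher suites by key exchange to see which give forward secrecy.

Added example for this section; not code from the View product or its docs.
Works on Java/IANA suite names (TLS_<keyexchange>_WITH_<cipher>_<mac>) as used
by a JRE-based server. SAMPLE_SUITES is constructed input, not a View default.
"""
import re

# <prefix>_<key exchange>_WITH_<bulk cipher>_<mac>; the key exchange part is
# one token (RSA) or two (ECDHE_RSA, DHE_DSS, DH_anon, ...).
_SUITE = re.compile(r"^(?:TLS|SSL)_(?P<kx>[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*?)_WITH_")

# Ephemeral Diffie-Hellman families: a fresh (EC)DH key per session, so a
# later compromise of the certificate key cannot recover past session keys.
_EPHEMERAL = {"DHE", "ECDHE"}

# The PFS families this section says View supports.
VIEW_PFS_FAMILIES = {"DHE_DSS", "DHE_RSA", "ECDHE_RSA"}


def key_exchange(suite):
    """Return the key-exchange token of a TLS 1.2-or-earlier suite name, e.g. 'ECDHE_RSA'."""
    m = _SUITE.match(suite)
    if not m:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key-exchange token;
        # a JRE 7 server never offers them, so they are out of scope here.
        raise ValueError(f"not a TLS_/SSL_..._WITH_... suite name: {suite}")
    return m.group("kx")


def provides_forward_secrecy(suite):
    """True when the suite negotiates an ephemeral (EC)DH key exchange."""
    return key_exchange(suite).split("_")[0] in _EPHEMERAL


def certificate_key_type(suite):
    """Kind of key the server certificate must contain for this suite.

    Returns 'RSA', 'DSS', 'EC', 'DH', or None for anonymous suites. ECDHE_RSA
    authenticates with an RSA certificate; only ECDHE_ECDSA (and static
    ECDH_*) suites need an EC key in the certificate.
    """
    parts = key_exchange(suite).split("_")
    algo = parts[0]
    auth = parts[1] if len(parts) > 1 else parts[0]
    if auth == "anon":
        return None
    if algo == "ECDH":          # static ECDH: the certificate itself holds the EC key
        return "EC"
    if algo == "DH":            # static DH: the certificate holds a DH key
        return "DH"
    return {"RSA": "RSA", "DSS": "DSS", "ECDSA": "EC"}.get(auth, auth)


def audit(suites):
    """Per-suite report: key exchange, forward secrecy, required certificate key, View PFS family."""
    rows = []
    for suite in suites:
        kx = key_exchange(suite)
        rows.append({
            "suite": suite,
            "key_exchange": kx,
            "forward_secrecy": provides_forward_secrecy(suite),
            "certificate_key": certificate_key_type(suite),
            "view_pfs_family": kx in VIEW_PFS_FAMILIES,
        })
    return rows


def count_forward_secrecy(suites):
    """Number of suites in the list that provide forward secrecy."""
    return sum(1 for s in suites if provides_forward_secrecy(s))


# Constructed sample list (not View's default list) mixing PFS and non-PFS suites.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",    # PFS, RSA certificate
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",         # PFS, RSA certificate
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",         # PFS, DSS certificate
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  # PFS, but needs an EC certificate
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",        # static ECDH: no PFS
    "TLS_RSA_WITH_AES_128_CBC_SHA",             # RSA key transport: no PFS
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",            # RSA key transport: no PFS
]

if __name__ == "__main__":
    for row in audit(SAMPLE_SUITES):
        flag = "PFS" if row["forward_secrecy"] else "no PFS"
        view = "View PFS family" if row["view_pfs_family"] else "-"
        print(f"{row['suite']:42} {row['key_exchange']:12} {flag:7} "
              f"cert={row['certificate_key']!s:4} {view}")
```

Feed it the suite list your server actually negotiates (for example, the output of a TLS scanner against the Connection Server) to see how many of the enabled suites lack forward secrecy and whether any ECDHE-ECDSA suite would go unused for lack of an EC certificate.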
SSLv3 Is Disabled in View
SSLv3 is excluded from the default list of supported security protocols in Horizon 6.0 with View and later
releases. Starting in Horizon 6 version 6.1, the View components use JRE 7u75 or later releases, in which
SSLv3 is disabled in Java itself through the jdk.tls.disabledAlgorithms security property.
VMware strongly recommends that you do not use SSLv3 in your View environment. Security vulnerability
CVE-2014-3566, known as POODLE, affects SSLv3: it is a padding-oracle attack on the protocol's CBC
cipher suites, and the only effective fix is to disable the protocol. For details, see
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
If you absolutely require SSLv3 in your environment, you can reactivate it in Java. You do this by removing
SSLv3 from the jdk.tls.disabledAlgorithms property in the C:\Program Files\VMware\VMware
View\Server\jre\lib\security\java.security file on each View Connection Server instance and security
server. The JRE reads this file at startup, so restart the View services after editing it. Be aware that
reactivating SSLv3 exposes every session that negotiates it to POODLE.
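The script below is an added example, not VMware code. It parses jdk.tls.disabledAlgorithms the way the JRE reads java.security (key=value lines, # comments, backslash line continuation) and reports whether SSLv3 is on the list, so you can verify each Connection Server and security server after an upgrade or an edit; it can also put SSLv3 back. The file contents embedded in it are a constructed excerpt, and the default path is the one this section names.

```python
"""Check whether SSLv3 is disabled in a JRE's java.security file.

Added example; not VMware code. Reads jdk.tls.disabledAlgorithms the way the
JRE does (key=value lines, '#' comments, backslash continuation). The sample
file contents are constructed; the default path is the one this section names.
"""
import sys

VIEW_JAVA_SECURITY = r"C:\Program Files\VMware\VMware View\Server\jre\lib\security\java.security"

# Constructed excerpt in the style of the java.security shipped with JRE 7u75+.
SAMPLE_HARDENED = """\
# java.security excerpt (constructed for this example)
security.provider.1=sun.security.provider.Sun
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

# The same excerpt after someone "reactivated" SSLv3 by deleting it from the list.
SAMPLE_WEAKENED = SAMPLE_HARDENED.replace("SSLv3, ", "")


def parse_java_security(text):
    """Return {property: value} from java.security-style text."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                       # blank or comment line
        if line.endswith("\\"):
            pending += line[:-1]           # value continues on the next line
            continue
        line, pending = pending + line, ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_tls_algorithms(props):
    """The jdk.tls.disabledAlgorithms entries as a list of stripped strings."""
    value = props.get("jdk.tls.disabledAlgorithms", "")
    return [item.strip() for item in value.split(",") if item.strip()]


def sslv3_disabled(text):
    """True when SSLv3 appears in jdk.tls.disabledAlgorithms."""
    return "SSLv3" in disabled_tls_algorithms(parse_java_security(text))


def harden_sslv3(text):
    """Return the text with SSLv3 put back at the head of jdk.tls.disabledAlgorithms."""
    if sslv3_disabled(text):
        return text
    out, found = [], False
    for raw in text.splitlines():
        if raw.strip().startswith("jdk.tls.disabledAlgorithms="):
            key, _, value = raw.partition("=")
            value = value.strip()
            raw = key + "=SSLv3" + (", " + value if value else "")
            found = True
        out.append(raw)
    if not found:                          # property absent: add it
        out.append("jdk.tls.disabledAlgorithms=SSLv3")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else VIEW_JAVA_SECURITY
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; using the constructed sample instead")
        text = SAMPLE_WEAKENED
    print("jdk.tls.disabledAlgorithms =", disabled_tls_algorithms(parse_java_security(text)))
    print("SSLv3 disabled:", sslv3_disabled(text))
```

Run it with the path to the java.security file on each Connection Server and security server; a "SSLv3 disabled: False" result means someone has reactivated the protocol. Remember that an edit only takes effect after the JRE restarts.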
Deploying USB Devices in a Secure View Environment
USB devices can be vulnerable to a security threat called BadUSB, in which the firmware on some USB
devices can be reprogrammed so that the device itself becomes malicious. For example, a device can be
made to redirect network traffic or to emulate a keyboard and inject or capture keystrokes. You can
configure the USB redirection feature to protect your View deployment against this threat.
By disabling USB redirection, you can prevent any USB devices from being redirected to your users' View
desktops and applications. Alternatively, you can disable redirection of specific USB devices, allowing users
to have access only to specific devices on their desktops and applications.
The decision whether to take these steps depends on the security requirements in your organization. These
steps are not mandatory. You can install USB redirection and leave the feature enabled for all USB devices in
your View deployment. At a minimum, consider seriously the extent to which your organization should try
to limit its exposure to this security vulnerability.
Disabling USB Redirection for All Types of Devices
Some highly secure environments require you to prevent all USB devices that users might have connected to
their client devices from being redirected to their remote desktops and applications. You can disable USB
redirection for all desktop pools, for specific desktop pools, or for specific users in a desktop pool.
Use any of the following strategies, as appropriate for your situation:
- When you install View Agent on a desktop image or RDS host, deselect the USB redirection setup
  option. (The option is deselected by default.) This approach prevents access to USB devices on all
  remote desktops and applications that are deployed from the desktop image or RDS host.