Security

- In View Administrator, edit the USB access policy for a specific pool to either deny or allow access.
  With this approach, you do not have to change the desktop image and can control access to USB devices
  in specific desktop and application pools.

  Only the global USB access policy is available for RDS desktop and application pools. You cannot set
  this policy for individual RDS desktop or application pools.
- In View Administrator, after you set the policy at the desktop or application pool level, you can
  override the policy for a specific user in the pool by selecting the User Overrides setting and selecting a
  user.
- Set the Exclude All Devices policy to true, on the View Agent side or on the client side, as appropriate.

If you set the Exclude All Devices policy to true, Horizon Client prevents all USB devices from being
redirected. You can use other policy settings to allow specific devices or families of devices to be redirected.
If you set the policy to false, Horizon Client allows all USB devices to be redirected except those that are
blocked by other policy settings. You can set the policy on both View Agent and Horizon Client. The
following table shows how the Exclude All Devices policy that you can set for View Agent and
Horizon Client combine to produce an effective policy for the client computer. By default, all USB devices
are allowed to be redirected unless otherwise blocked.

Table 115. Effect of Combining Exclude All Devices Policies

| Exclude All Devices Policy on View Agent | Exclude All Devices Policy on Horizon Client | Combined Effective Exclude All Devices Policy |
|---|---|---|
| false or not defined (include all USB devices) | false or not defined (include all USB devices) | Include all USB devices |
| false (include all USB devices) | true (exclude all USB devices) | Exclude all USB devices |
| true (exclude all USB devices) | Any or not defined | Exclude all USB devices |

If you have set the Disable Remote Configuration Download policy to true, the value of Exclude All Devices
on View Agent is not passed to Horizon Client, but View Agent and Horizon Client enforce the local value
of Exclude All Devices.

These policies are included in the View Agent Configuration ADM template file (vdm_agent.adm). For more
information, see "USB Settings in the View Agent Configuration ADM Template" in the Setting Up Desktop
and Application Pools in View document.

Disabling USB Redirection for Specific Devices

Some users might have to redirect specific locally-connected USB devices so that they can perform tasks on
their remote desktops or applications. For example, a doctor might have to use a Dictaphone USB device to
record patients' medical information. In these cases, you cannot disable access to all USB devices. You can
use group policy settings to enable or disable USB redirection for specific devices.

Before you enable USB redirection for specific devices, make sure that you trust the physical devices that are
connected to client machines in your enterprise. Be sure that you can trust your supply chain. If possible,
keep track of a chain of custody for the USB devices.

In addition, educate your employees to ensure that they do not connect devices from unknown sources. If
possible, restrict the devices in your environment to those that accept only signed firmware updates, are
FIPS 140-2 Level 3-certified, and do not support any kind of field-updatable firmware. These types of USB
devices are hard to source and, depending on your device requirements, might be impossible to find. These
choices might not be practical, but they are worth considering.

Each USB device has its own vendor and product ID that identifies it to the computer. By configuring View
Agent Configuration group policy settings, you can set an include policy for known device types. With this
approach, you remove the risk of allowing unknown devices to be inserted into your environment.
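
The following sketch is an added example, not VMware code: it models how the combined Exclude All Devices value from the table above and an include policy keyed on vendor and product ID decide which devices in an inventory would be redirected. The `VVVV:PPPP` hexadecimal ID notation, the function names, and the sample IDs are assumptions made for the example, and other blocking settings are not modelled.

```python
import re

_ID_RE = re.compile(r"^([0-9a-fA-F]{4}):([0-9a-fA-F]{4})$")

def parse_id(text):
    """Parse 'VVVV:PPPP' (hex, example notation) into a normalized (vid, pid)."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed USB ID: {text!r}")
    return m.group(1).lower(), m.group(2).lower()

def effective_exclude_all(agent, client):
    """Combine the View Agent and Horizon Client values as in the table.
    Each argument is True, False, or None (not defined)."""
    return agent is True or client is True

def redirect_decisions(devices, include_ids, agent=None, client=None):
    """Return {device name: (redirected?, reason)} for an inventory."""
    # A malformed include entry raises, so a typo cannot silently widen
    # or narrow the policy under review.
    allowed = {parse_id(i) for i in include_ids}
    exclude_all = effective_exclude_all(agent, client)
    result = {}
    for name, usb_id in devices:
        if not exclude_all:
            result[name] = (True, "Exclude All Devices not in effect")
            continue
        try:
            known = parse_id(usb_id) in allowed
        except ValueError:
            known = False  # an unreadable ID cannot match a known device type
        reason = "matches include policy" if known else "not in include policy"
        result[name] = (known, reason)
    return result

# Constructed inventory and include list; the IDs are made-up sample values.
INVENTORY = [
    ("dictation recorder", "0ABC:0001"),
    ("unknown flash drive", "1234:5678"),
    ("badly reported device", "12:zz"),
]
INCLUDE = ["0abc:0001"]

if __name__ == "__main__":
    report = redirect_decisions(INVENTORY, INCLUDE, agent=True)
    for name, (ok, why) in report.items():
        print(f"{name:24} {'redirect' if ok else 'block':9} {why}")
```
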
Chapter 1 View Security Reference
VMware, Inc.