View Security
VMware Horizon 6 Version 6.2.1

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents
View Security 5
1 View Accounts, Resources, and Log Files 7
  View Accounts 7
  View Resources 8
  View Log Files 8
2 View Security Settings 11
  Security-Related Global Settings in View Administrator 12
  Security-Related Server Settings in View Administrator 14
  Security-Related Settings in View LDAP 15
3 Ports and Services 17
  View TCP and UDP Ports 17
  Services on a View Connection Server Host 21
  Services on a Security Server 22
4 Configuring Security Protocols and Cipher Suites on a View Connection
View Security
View Security provides a concise reference to the security features of VMware Horizon 6™:
- Required system and database login accounts.
- Configuration options and settings that have security implications.
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation.
- Location of log files and their purpose.
1 View Accounts, Resources, and Log Files
Having different accounts for specific components protects against giving individuals more access and permissions than they need. Knowing the locations of configuration files and other files with sensitive data aids in setting up security for various host systems.
Table 1‑2. View Database Accounts
View Component | Required Accounts
View Composer database | An SQL Server or Oracle database stores View Composer data. You create an administrative account for the database that you can associate with the View Composer user account. For information about setting up a View Composer database, see the View Installation document.
Event database used by View Connection Server | An SQL Server or Oracle database stores View event data.
Table 1‑4. View Log Files
View Component | File Path and Other Information
All components (installation logs) | %TEMP%\vminst.log_date_timestamp
View Agent | :\ProgramData\VMware\VDM\logs
To access View log files that are stored in :\ProgramData\VMware\VDM\logs, you must open the logs from a program with elevated administrator privileges. Right-click the program file and select Run as administrator.
2 View Security Settings
View includes several settings that you can use to adjust the security of the configuration. You can access the settings by using View Administrator or by using the ADSI Edit utility, as appropriate.
NOTE For information about security settings for Horizon Client and View Agent, see the Horizon Client and View Agent Security document.
Security-Related Global Settings in View Administrator
Security-related global settings for client sessions and connections are accessible under View Configuration > Global Settings in View Administrator.
Table 2‑1. Security-Related Global Settings
Setting | Description
Change data recovery password | The password is required when you restore the View LDAP configuration from an encrypted backup. When you install View Connection Server version 5.
Table 2‑1. Security-Related Global Settings (Continued)
Setting | Description
For clients that support applications. If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials | Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, View disconnects all applications and discards SSO credentials after the specified number of minutes without user activity.
Security-Related Server Settings in View Administrator
Security-related server settings are accessible under View Configuration > Servers in View Administrator.
Table 2‑2. Security-Related Server Settings
Setting | Description
Use PCoIP Secure Gateway for PCoIP connections to machine | Determines whether Horizon Client makes a further secure connection to the View Connection Server or security server host when users connect to View desktops and applications with the PCoIP display protocol.
Security-Related Settings in View LDAP
Security-related settings are provided in View LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. You can use the ADSI Edit utility to change the value of these settings on a View Connection Server instance. The change propagates automatically to all other View Connection Server instances in a group.
Table 2‑3.
3 Ports and Services
Certain UDP and TCP ports must be open so that View components can communicate with each other. Knowing which Windows services run on each type of View server helps identify services that do not belong on the server.
Table 3‑1. TCP and UDP Ports Used by View (Continued)
Source | Port | Target | Port | Protocol | Description
Security server | * | View Connection Server | * | ESP | AJP13-forwarded Web traffic, when using IPsec without NAT.
Security server | 4500 | View Connection Server | 4500 | UDP | AJP13-forwarded Web traffic, when using IPsec through a NAT device.
Security server | * | View desktop | 3389 | TCP | Microsoft RDP traffic to View desktops.
Horizon Client | * | View Connection Server | 443 | TCP | HTTPS access. Port 443 is enabled by default for client connections. Port 443 can be changed. Client connection attempts to port 80 are redirected to port 443 by default, but port 80 can service client connections if SSL is off-loaded to an intermediate device.
View Connection Server | 55000 | View Agent | 4172 | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway via the View Connection Server is used.
View Connection Server | 4172 | Horizon Client | Varies | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway via the View Connection Server is used. NOTE Because the target port varies, see “Notes and Caveats for TCP and UDP Ports Used by View,” on page 21.
View desktop | * | View Connection Server instances | 4002 | TCP | JMS SSL traffic.
View Composer service | * | ESXi host | 902 | TCP | Used when View Composer customizes linked-clone disks, including View Composer internal disks and, if they are specified, persistent disks and system disposable disks.
Table 3‑2. View Connection Server Host Services (Continued)
Service Name | Startup Type | Description
VMware Horizon 6 Framework Component | Manual | Provides event logging, security, and COM+ framework services. This service must always be running.
VMware Horizon 6 Message Bus Component | Manual | Provides messaging services between the View components. This service must always be running.
VMware Horizon 6 PCoIP Secure Gateway | Manual | Provides PCoIP Secure Gateway services.
4 Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
You can configure the security protocols and cipher suites that are accepted by View Connection Server. You can define a global acceptance policy that applies to all View Connection Server instances in a replicated group, or you can define an acceptance policy for individual View Connection Server instances and security servers.
Default Global Policies for Security Protocols and Cipher Suites
Global acceptance and proposal policies enable certain security protocols and cipher suites by default.
Table 4‑1. Default Global Policies
Default Security Protocols
- TLS 1.2
- TLS 1.1
- TLS 1.
Change the Global Acceptance and Proposal Policies
To change the global acceptance and proposal policies for security protocols and cipher suites, you use the ADSI Edit utility to edit View LDAP attributes.
Prerequisites
- Familiarize yourself with the View LDAP attributes that define the acceptance and proposal policies.
2 Add secureProtocols.n and enabledCipherSuite.n entries, including the associated security protocols and cipher suites.
3 Save the locked.properties file.
4 Restart the VMware Horizon View Connection Server service or VMware Horizon View Security Server service to make your changes take effect.
Example: Default Acceptance Policies on an Individual Server
The following example shows the entries in the locked.
Internet Engineering Task Force Standards
View Connection Server and security server comply with certain Internet Engineering Task Force (IETF) Standards.
- RFC 5746 Transport Layer Security (TLS) – Renegotiation Indication Extension, also known as secure renegotiation, is enabled by default.
SSLv3
For more information, see http://tools.ietf.org/html/rfc7568. For Connection Server instances, security servers, and View desktops, you can enable SSLv3 by removing SSLv3 from the jdk.tls.disabledAlgorithms property in the C:\Program Files\VMware\VMware View\Server\jre\lib\security\java.security file on each View Connection Server instance and security server.
For example: acceptContentType.1=x-www-form-urlencoded
To accept another content type, add the entry acceptContentType.2=content-type, and so on.
Origin Checking
By default, protection against cross-site request forgery is disabled. You can enable this protection by adding the following entry to the file locked.
5 Configuring Security Protocols and Cipher Suites for Blast Secure Gateway
The security settings for View Connection Server do not apply to Blast Secure Gateway (BSG). You must configure security for BSG separately.
Configure Security Protocols and Cipher Suites for Blast Secure Gateway (BSG)
You can configure the security protocols and cipher suites that BSG's client-side listener accepts by editing the file absg.properties. The protocols that are allowed are, from low to high, tls1.0, tls1.
3 Edit the localHttpsCipherSpec property to specify a list of cipher suites. For example, localHttpsCipherSpec=ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL
4 Restart the Windows service VMware Horizon View Blast Secure Gateway.
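As an added example (not VMware's code), covering both the secureProtocols.n / enabledCipherSuite.n entries of locked.properties in Chapter 4 and the localHttpsCipherSpec entry of absg.properties above: a small Python auditor that parses both files and reports accepted protocols or cipher suites that should not be enabled, plus required exclusions missing from the BSG cipher spec. The key names are the ones the document names; the sample file contents and the value formats (JSSE suite names, OpenSSL cipher-spec tokens) are constructed assumptions.

```python
# Added example (not VMware code): audit View locked.properties and BSG absg.properties for
# weak TLS settings. Key names are the ones the document names; value formats are assumed.
import re

WEAK_PROTOCOLS = {"SSLv3", "TLSv1"}  # SSLv3 per RFC 7568; treating TLS 1.0 as weak is a local policy assumption
WEAK_SUITE_MARKERS = ("RC4", "3DES", "MD5", "NULL", "EXPORT", "anon", "DES_")  # weak JSSE suite-name fragments
REQUIRED_BSG_EXCLUSIONS = ("!RC4", "!MD5", "!3DES", "!EXPORT", "!aNULL", "!eNULL")  # from the page's BSG example

def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):              # value continues on the next line
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def numbered(props, prefix):
    """Values of prefix.1, prefix.2, ... in numeric order (gaps in numbering are tolerated)."""
    pat = re.compile(re.escape(prefix) + r"\.(\d+)$")
    found = [(int(m.group(1)), v) for k, v in props.items() for m in [pat.match(k)] if m]
    return [v for _, v in sorted(found)]

def audit_locked_properties(text):
    """Findings for a Connection Server or security server locked.properties."""
    props = parse_properties(text)
    bad_p = [p for p in numbered(props, "secureProtocols") if p in WEAK_PROTOCOLS]
    bad_c = [c for c in numbered(props, "enabledCipherSuite") if any(m in c for m in WEAK_SUITE_MARKERS)]
    return [f"weak protocol accepted: {p}" for p in bad_p] + [f"weak cipher suite accepted: {c}" for c in bad_c]

def audit_bsg_properties(text):
    """Findings for absg.properties: required exclusions missing from localHttpsCipherSpec."""
    tokens = parse_properties(text).get("localHttpsCipherSpec", "").split(":")
    return [f"localHttpsCipherSpec lacks {x}" for x in REQUIRED_BSG_EXCLUSIONS if x not in tokens]

# Constructed sample inputs, not real deployment files.
SAMPLE_LOCKED = """\
secureProtocols.1=TLSv1.2
secureProtocols.2=SSLv3
enabledCipherSuite.1=TLS_RSA_WITH_RC4_128_SHA
"""
SAMPLE_BSG = ("localHttpsCipherSpec=ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:\\\n"
              "  !3DES:!EDH:!EXPORT:!MD5:!PSK:!SRP:!aNULL:!eNULL\n")
```

Run `audit_locked_properties(open("locked.properties").read())` against a real file to list what the server accepts beyond the policy; an empty list means nothing flagged.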
6 Deploying USB Devices in a Secure View Environment
USB devices can be vulnerable to a security threat called BadUSB, in which the firmware on some USB devices can be hijacked and replaced with malware. For example, a device can be made to redirect network traffic or to emulate a keyboard and capture keystrokes. You can configure the USB redirection feature to protect your View deployment against this security vulnerability.
If you set the Exclude All Devices policy to true, Horizon Client prevents all USB devices from being redirected. You can use other policy settings to allow specific devices or families of devices to be redirected. If you set the policy to false, Horizon Client allows all USB devices to be redirected except those that are blocked by other policy settings. You can set the policy on both View Agent and Horizon Client.
By default, View blocks certain device families from being redirected to the remote desktop or application. For example, HID (human interface devices) and keyboards are blocked from appearing in the guest. Some released BadUSB code targets USB keyboard devices. You can prevent specific device families from being redirected to the remote desktop or application.