Security

Internet Engineering Task Force Standards
View Connection Server and security server comply with the following Internet Engineering Task Force (IETF) standards.
- RFC 5746 Transport Layer Security (TLS) – Renegotiation Indication Extension, also known as secure renegotiation, is enabled by default.
NOTE Client-initiated renegotiation is disabled by default on Connection Servers and security servers. To enable it, edit the registry value [HKLM\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm\TunnelService\Params]JvmOptions and remove -Djdk.tls.rejectClientInitiatedRenegotiation=true from the string. Leave it disabled unless a client requires it: a client that can trigger renegotiation at will can make the server repeat the handshake work on every request.
- RFC 6797 HTTP Strict Transport Security (HSTS), also known as transport security, is enabled by default.
- RFC 7034 HTTP Header Field X-Frame-Options, also known as counter clickjacking, is enabled by default. You can disable it by adding the entry x-frame-options=OFF to the file locked.properties. For information on how to add properties to the file locked.properties, see “Configure Acceptance Policies on Individual View Servers,” on page 25.
Older Protocols and Ciphers Disabled in View
Some older protocols and ciphers that are no longer considered secure are disabled in View by default. If
required, you can enable them manually.
DHE Cipher Suites
Cipher suites that are compatible with DSA certificates use Diffie-Hellman ephemeral keys, and these suites are no longer enabled by default, starting with Horizon 6 version 6.2. For more information, see http://kb.vmware.com/kb/2121183.
For Connection Server instances, security servers, and View desktops, you can enable these cipher suites by
editing the View LDAP database, locked.properties file, or registry, as described in this guide. See
“Change the Global Acceptance and Proposal Policies,” on page 25, “Configure Acceptance Policies on
Individual View Servers,” on page 25, and “Configure Proposal Policies on View Desktops,” on page 26.
You can define a list of cipher suites that includes one or more of the following suites, in this order:
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (TLS 1.2 only, not FIPS)
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (TLS 1.2 only, not FIPS)
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (TLS 1.2 only)
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (TLS 1.2 only)
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
For View Composer and View Agent Direct-Connection (VADC) machines, you can enable DHE cipher suites by adding the following to the list of ciphers when you follow the procedure “Disable Weak Ciphers in SSL/TLS for View Composer and View Agent Machines” in the View Installation document.
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
NOTE It is not possible to enable support for ECDSA certificates. These certificates have never been
supported.
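An added check script, not from the VMware guide, that validates a proposed DHE_DSS cipher list against the constraints listed above (the guide's order, TLS 1.2 only, not FIPS) and inspects an HTTP response for the HSTS and X-Frame-Options headers described in the IETF standards section. The protocol names and the sample response are assumptions made for the example.

```python
# Suites from the guide's list, in the guide's order; the flags record the constraints it
# notes beside a suite: "TLS 1.2 only" and "not FIPS".
DHE_DSS_SUITES = [
    ("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", True, True),
    ("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", True, True),
    ("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", True, False),
    ("TLS_DHE_DSS_WITH_AES_128_CBC_SHA", False, False),
    ("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", True, False),
    ("TLS_DHE_DSS_WITH_AES_256_CBC_SHA", False, False),
]
ORDER = {name: i for i, (name, _, _) in enumerate(DHE_DSS_SUITES)}
FLAGS = {name: (tls12, nofips) for name, tls12, nofips in DHE_DSS_SUITES}

def check_dhe_list(proposed, protocols, fips_mode):
    """Return the problems with a proposed DHE_DSS cipher list; an empty list means usable.
    protocols: set of enabled protocol names such as {"TLSv1.1", "TLSv1.2"} (naming assumed).
    fips_mode: True when the server runs in FIPS mode, where "not FIPS" suites cannot be used."""
    problems, last = [], -1
    for suite in proposed:
        if suite not in ORDER:
            problems.append(f"{suite}: not one of the DHE_DSS suites the guide permits")
            continue
        if ORDER[suite] < last:  # the list must keep the guide's order
            problems.append(f"{suite}: out of the order the guide requires")
        last = max(last, ORDER[suite])
        tls12_only, not_fips = FLAGS[suite]
        if tls12_only and "TLSv1.2" not in protocols:
            problems.append(f"{suite}: TLS 1.2 only, but TLS 1.2 is not enabled")
        if not_fips and fips_mode:
            problems.append(f"{suite}: not permitted in FIPS mode")
    return problems

def check_headers(raw_response):
    """Report whether a raw HTTP response carries HSTS (RFC 6797) and a valid
    X-Frame-Options (RFC 7034), the defaults the guide describes."""
    headers = {}
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    xfo = headers.get("x-frame-options", "").upper()
    return {"hsts": "strict-transport-security" in headers,
            "x_frame_options": xfo.startswith(("DENY", "SAMEORIGIN", "ALLOW-FROM"))}

# Constructed sample response, not captured from a real server.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
                   "X-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n<html></html>")
```

Run check_headers against the response of a real Connection Server to confirm both headers survive your locked.properties changes, and check_dhe_list against the cipher list you intend to configure before you edit the LDAP database or registry.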
Chapter 4 Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
VMware, Inc. 27