Security
Table Of Contents
- View Security
- Contents
- View Security
- View Accounts, Resources, and Log Files
- View Security Settings
- Ports and Services
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Default Global Policies for Security Protocols and Cipher Suites
- Configuring Global Acceptance and Proposal Policies
- Configure Acceptance Policies on Individual View Servers
- Configure Proposal Policies on View Desktops
- Internet Engineering Task Force Standards
- Older Protocols and Ciphers Disabled in View
- Reducing MIME Type Security Risks
- Mitigating Cross-Site Scripting Attacks
- Content Type Checking
- Origin Checking
- Configuring Security Protocols and Cipher Suites for Blast Secure Gateway
- Deploying USB Devices in a Secure View Environment
- Index
Deploying USB Devices in a Secure
View Environment 6
USB devices can be vulnerable to a security threat called BadUSB, in which the firmware on some USB
devices can be hijacked and replaced with malware. For example, a device can be made to redirect network
traffic or to emulate a keyboard and capture keystrokes. You can configure the USB redirection feature to
protect your View deployment against this security vulnerability.
By disabling USB redirection, you can prevent any USB devices from being redirected to your users' View
desktops and applications. Alternatively, you can disable redirection of specific USB devices, allowing users
to have access only to specific devices on their desktops and applications.
The decision whether to take these steps depends on the security requirements in your organization. These
steps are not mandatory. You can install USB redirection and leave the feature enabled for all USB devices in
your View deployment. At a minimum, consider seriously the extent to which your organization should try
to limit its exposure to this security vulnerability.
This chapter includes the following topics:
n
“Disabling USB Redirection for All Types of Devices,” on page 33
n
“Disabling USB Redirection for Specific Devices,” on page 34
Disabling USB Redirection for All Types of Devices
Some highly secure environments require you to prevent all USB devices that users might have connected to
their client devices from being redirected to their remote desktops and applications. You can disable USB
redirection for all desktop pools, for specific desktop pools, or for specific users in a desktop pool.
Use any of the following strategies, as appropriate for your situation:
n
When you install View Agent on a desktop image or RDS host, deselect the USB redirection setup
option. (The option is deselected by default.) This approach prevents access to USB devices on all
remote desktops and applications that are deployed from the desktop image or RDS host.
n
In View Administrator, edit the USB access policy for a specific pool to either deny or allow access.
With this approach, you do not have to change the desktop image and can control access to USB devices
in specific desktop and application pools.
Only the global USB access policy is available for RDS desktop and application pools. You cannot set
this policy for individual RDS desktop or application pools.
n
In View Administrator, after you set the policy at the desktop or application pool level, you can
override the policy for a specific user in the pool by selecting the User Overrides setting and selecting a
user.
n
Set the Exclude All Devices policy to true, on the View Agent side or on the client side, as appropriate.
VMware, Inc.
33