Security
Table Of Contents
- View Security
- Contents
- View Security
- View Accounts, Resources, and Log Files
- View Security Settings
- Ports and Services
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Default Global Policies for Security Protocols and Cipher Suites
- Configuring Global Acceptance and Proposal Policies
- Configure Acceptance Policies on Individual View Servers
- Configure Proposal Policies on View Desktops
- Internet Engineering Task Force Standards
- Older Protocols and Ciphers Disabled in View
- Reducing MIME Type Security Risks
- Mitigating Cross-Site Scripting Attacks
- Content Type Checking
- Origin Checking
- Configuring Security Protocols and Cipher Suites for Blast Secure Gateway
- Deploying USB Devices in a Secure View Environment
- Index
By default, View blocks certain device families from being redirected to the remote desktop or application.
For example, HID (human interface devices) and keyboards are blocked from appearing in the guest. Some
released BadUSB code targets USB keyboard devices.
You can prevent specific device families from being redirected to the remote desktop or application. For
example, you can block all video, audio, and mass storage devices:
ExcludeDeviceFamily o:video;audio;storage
Conversely, you can create a whitelist by preventing all devices from being redirected but allowing a
specific device family to be used. For example, you can block all devices except storage devices:
ExcludeAllDevices Enabled
IncludeDeviceFamily o:storage
Another risk can arise when a remote user logs into a desktop or application and infects it. You can prevent
USB access to any View connections that originate from outside the company firewall. The USB device can
be used internally but not externally.
Be aware that if you block TCP port 32111 to disable external access to USB devices, time zone
synchronization will not work because port 32111 is also used for time zone synchronization. For zero
clients, the USB traffic is embedded inside a virtual channel on UDP port 4172. Because port 4172 is used for
the display protocol as well as for USB redirection, you cannot block port 4172. If required, you can disable
USB redirection on zero clients. For details, see the zero client product literature or contact the zero client
vendor.
Setting policies to block certain device families or specific devices can help to mitigate the risk of being
infected with BadUSB malware. These policies do not mitigate all risk, but they can be an effective part of an
overall security strategy.
These policies are included in the View Agent Configuration ADM template file (vdm_agent.adm). For more
information, see "USB Settings in the View Agent Configuration ADM Template" in the Setting Up Desktop
and Application Pools in View document.
Chapter 6 Deploying USB Devices in a Secure View Environment
VMware, Inc. 35