3496 vmw view secserhardening

Post on 14-Feb-2018


7/23/2019 3496 VMW View SecSerHardening

VMware View Security Server Hardening Guide

WHITE PAPER


Table of Contents

VMware View Hardening Guide Introduction
  Scope
  Recommendation Level
  VMware View Security Server Overview
About this Guide
  Guideline Organization
  Guideline Templates
    Type A: Parameter Setting
    Type B: Component Configuration
    Type C: Operational Patterns
VMware View Security Server
  View Security Server Host
  VMware View Security Server Deployment
  VMware View Security Server Configuration
Session Summary


VMware View Hardening Guide Introduction

Scope

This document provides guidance on how to securely deploy VMware View in a production environment. The focus is on the initial configuration of VMware View, and the document covers only the VMware View Security Server. The virtual desktop operating system and applications are not covered in this guide and will be addressed in a subsequent document release.

Hardening guidelines for VMware vSphere and VMware vCenter used in VMware View deployments are covered in the separate VMware vSphere 4.0 Hardening Guide.

Recommendation Level

Each guideline carries a recommendation level: a rating that corresponds to the operational environment in which it is to be applied, from the lowest to the highest security level:

Enterprise: This includes most enterprise production environments. The recommendations are meant to protect against most security attacks and to provide protection of confidential information to the level required by most major security and compliance standards.

DMZ: This includes environments that are particularly susceptible to targeted attacks. Examples include Internet-facing hosts, internal systems with highly confidential data, and so on. Note that, despite the name, this level should not be restricted only to DMZ hosts; each organization should make its own determination as to the applicability of this level.

Specialized Security Limited Functionality (SSLF): This represents specialized environments that have some unique aspect that makes them especially vulnerable to sophisticated attacks. Recommendations at this level might result in loss of functionality, and careful consideration must be used to determine the applicability of these recommendations, including the possibility of using alternate compensating controls.

Unless otherwise specified, higher security levels include all recommendations from lower levels. For example, a DMZ environment should implement all Enterprise-level and DMZ-level recommendations, except when otherwise specified (such as a parameter which should be set to one value at the Enterprise level, but a different value at the DMZ level).

VMware View Security Server Overview

VMware View Security Server is recommended for DMZ deployments or environments with distinct networks. It connects to a VMware View Connection Server (VCS) and terminates the secure tunnel from the VMware View Client installed on the endpoint device, communicating with the Connection Server using packet-oriented AJPv13 and JMS. VMware View Security Server ensures that only authenticated users gain access from one network to another.

With the correct firewall rules in place, virtual desktop access is possible only for authenticated users. Only authenticated users on an allowed protocol can access the datacenter. In addition, VMware View Security Server ensures that users can access only those virtual desktop resources for which they are authorized or entitled.

A VMware View Security Server acts as an SSL offload, handling all HTTPS processing and all desktop protocol traffic that would otherwise occur on the VMware View Connection Server.

For large deployment scalability and high availability (HA), refer to the VMware View Architecture and Planning Guide:
http://communities.vmware.com/docs/DOC-12306
http://www.vmware.com/pdf/view45_architecture_planning.pdf

Figure 1: VMware View 4.5 Security Server Connection

With the introduction of VMware View with PCoIP, the VMware View Security Server now forwards the encrypted PCoIP session to the authenticated or entitled desktop.

Figure 2: VMware View Security Server Connection with PCoIP support


About this Guide

Guideline Organization

All recommendations are annotated using a code that consists of three letters followed by a two-digit number (starting with 01). The three-letter codes are as follows:

VSS: VMware View Security Server
VCS: VMware View Connection Server standard and replica instances
VTS: VMware View Transfer Server

Guideline Templates

The following templates are used to define the guidelines. Since a particular security issue might have different recommendations for different operating environments, one guideline might have multiple recommendations. In the original document the templates use shading to indicate which parts are common to all recommendations and which parts are unique.

Type A: Parameter Setting

Use this template type when the recommendation specifies a configuration parameter to set (or not set) in specific products.

Examples:

VMware View Connection Server parameters such as authentication methods.
VMware View Security Server SSL settings.

Parameter elements and their descriptions:

Code: Code string.
Name: Short name of guideline.
Description: Description of the interface or feature that the parameter governs.
Threat: Description of the specific threat exposed by this feature. Include a characterization of the vulnerability.
Recommendation level: Such as Enterprise, DMZ, SSLF.
Parameter setting: Parameter definitions, including recommended and not-recommended values. Indicate if there are preferred ways of setting the value, such as, for a COS parameter, using the API instead of directly editing a configuration file.
Effect on functionality: If this setting is adopted, what possible effects does it have on functionality? Do some features stop working, is there information missing from a UI, or are there other effects?


Example:

Code: VCS01
Name: Configure a Connection Server session timeout.
Description: The Connection Server session timeout controls how long users can keep their session open after logging on to a Connection Server, after which time they need to re-authenticate to the Connection Server. The default is 10 hours and the value is specified in minutes.
Threat: Having a very long session timeout can increase the risk of neglected-session hijacking.
Recommendation level: Enterprise.
Parameter setting: This setting is defined through VMware View Administrator in VMware View Configuration > Global Settings. It applies to all Connection Servers in a replicated group. The default value of 600 minutes is recommended.
Effect on functionality: After the session timeout has expired, a user connected to VMware View Connection Server will be logged off and will be required to log on again.

Type B: Component Configuration

Use this template type when the guideline recommends a certain configuration of components, either to reduce risk or to provide a compensating control. Typically, these involve setting a parameter to a site-specific value or installing components in a manner that satisfies appropriate constraints, so there is no definitive value to be checked against.

Examples:

Configure a time synchronization server.
Protect VMware View Security Servers with an external firewall.

Configuration elements and their descriptions:

Code: Code string.
Name: Short name of guideline.
Description: Description of the interface or feature that the parameter governs.
Risk or control: Description of the risk being mitigated, including a characterization of the vulnerability if applicable.
Recommendation level: Such as Enterprise, DMZ, SSLF.
Parameter or objects configuration: All the parameters or objects involved, and how they should be configured.
Test: If this setting is adopted, what possible effects does it have on functionality? Do some features stop working, is there information missing from a UI, or are there other effects?


Example:

Code: VSS01
Name: Use a time synchronization server for VMware View Security Servers.
Description: Every VMware View Security Server should synchronize its clock from a time synchronization server.
Risk or control: Having an incorrect clock on a Security Server makes SSL server certificate validation periods inaccurate and log analysis difficult.
Recommendation level: Configure all VMware View Security Servers to use the same reliable external time synchronization server.
Parameter or objects configuration: Use the date and time settings of the Windows OS to specify the name of an external time synchronization server.
Test: Verify on each Security Server that the clock is accurate and that it is set to synchronize from an external time source.

Type C: Operational Patterns

This type of template should be used to describe recommendations for how to operate or interact with the system administrative components.

Examples:

Use SSL server certificates signed by a certificate authority.
Use OCSP to manage certificate revocation when using smart card authentication.

Configuration elements and their descriptions:

Code: Code string.
Name: Short name of guideline.
Description: Description of the interface or feature that the parameter governs.
Risk or control: Description of the risk being mitigated, including a characterization of the vulnerability if applicable.
Recommendation level: Such as Enterprise, DMZ, SSLF.
Condition or steps: All the parameters or objects involved, and how they should be configured.
Test: Concise description of the specific conditions to meet or avoid, and/or the steps needed to achieve this.


Example:

Code: VSS02
Name: Do not use the default self-signed server certificates on a VMware View Security Server.
Description: When VMware View Security Server is first installed, the SSL server defaults to self-signed certificates. These should be replaced by SSL server certificates signed by a commercial certificate authority (CA) or an organizational CA.
Risk or control: The use of default certificates leaves the SSL connection more vulnerable to man-in-the-middle attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for this type of attack.
Recommendation level: Enterprise.
Test: Use a Web browser to make an HTTPS connection to the VMware View Security Server, using the capabilities within the browser to view the server SSL certificate. Verify that it is signed by the appropriate CA.


VMware View Security Server

View Security Server Host

View Security Server runs on Windows Server 2003 or Windows Server 2008. It is critical to protect this host against normal operating system vulnerabilities and attacks.

The standard set of recommendations applies: install antivirus agents, spyware filters, intrusion detection systems, and other security measures according to your organization's policies. Make sure to keep all security measures up to date, including the application of operating system patches.

Code: VSS01
Name: Keep the VMware View Security Server system properly patched.
Description: By staying up to date on Windows patches, vulnerabilities in the OS can be mitigated.
Risk or control: If an attacker can obtain access and elevate privileges on the VMware View Security Server system, they can take over the entire vSphere deployment.
Recommendation level: Enterprise.
Condition or steps: Employ a system to keep the VMware View Security Server system up to date with patches, in accordance with industry-standard guidelines, or internal guidelines where appropriate.

Code: VSS02
Name: Provide Windows system protection on the VMware View Security Server host.
Description: By providing OS-level protection, vulnerabilities in the OS can be mitigated. This protection includes antivirus, anti-malware, and other similar measures.
Risk or control: If an attacker can obtain access and elevate privileges on the VMware View Security Server system, they can then take over the entire vSphere deployment.
Recommendation level: Enterprise.
Condition or steps: Provide Windows system protection, such as antivirus, in accordance with industry-standard guidelines, or internal guidelines where appropriate.


Code: VSS03
Name: Restrict administrative Windows login.
Description: The number of administrators with rights to perform an administrative login to a VMware View Security Server should be minimized and carefully controlled.
Risk or control: If an unauthorized administrator gains access to the Security Server, then it is vulnerable to unauthorized modification.
Recommendation level: Enterprise.
Condition or steps: Create specific administrative login accounts for individuals and make those accounts members of the local Administrators group.

Code: VSS04
Name: Implement an administrative password policy.
Description: Set a password policy for all VMware View Security Servers. This should include minimum length, character types, and requirements to periodically change passwords.
Risk or control: If an unauthorized administrator gains access to the Security Server, then it is vulnerable to unauthorized modification.
Recommendation level: Enterprise.
Condition or steps: Set a password policy on each VMware View Security Server.

Code: VSS05
Name: Remove unnecessary network protocols.
Description: View Security Server uses only IPv4 communication. Other protocols, such as File and Printer Sharing for Microsoft Networks and Novell IPX, should be removed.
Risk or control: If unnecessary protocols are enabled, the VMware View Security Server can be more vulnerable to network attack.
Recommendation level: Enterprise.
Condition or steps: In the Control Panel on each VMware View Security Server, look at the properties of each network adapter and remove or uninstall protocols that are not required.


Code: VSS06
Name: Disable unnecessary Windows services.
Description: View Security Server requires only a small number of Windows services to be running. Security is enhanced when unnecessary services are disabled in Windows, which prevents them from starting automatically at boot time.
Risk or control: If unnecessary Windows services are running, the View Security Server can be more vulnerable to network attack.
Recommendation level: Enterprise.
Condition or steps: Ensure that no Server roles are enabled. Disable any Windows services that are not required. The following lists show the Windows services on Server 2008 and Server 2003 that are started by default and are not required. These should be disabled.

Windows Server 2008 R2 Standard:

Application Experience
Application Management
Certificate Propagation
COM+ Event System
DHCP Client
Distributed Link Tracking Client
Distributed Transaction Coordinator
Diagnostic Policy Service
IPsec Policy Agent
Print Spooler
System Event Notification

Windows Server 2003 Standard Edition:

Alerter
Application Management
ClipBook
Computer Browser
DHCP Client
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
File Replication
IPSEC Services
License Logging
Messenger
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Print Spooler
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Registry Service
Smart Card
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Telnet
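As an added example (not part of the VMware guide), the following PowerShell script audits the Windows Server 2008 R2 services listed above against VSS06 and, when run with -Enforce, stops and disables them. It assumes an elevated PowerShell session on the Security Server host and matches services by the display names given in the list.

```powershell
# Added example, not from the VMware guide: audit (default) or enforce (-Enforce)
# the VSS06 service list for Windows Server 2008 R2. Run in an elevated session.
param(
    [switch]$Enforce
)

# Display names as listed in the guide. A trailing wildcard is used when looking
# them up so that suffixes such as "System Event Notification Service" still match.
$unneeded = @(
    'Application Experience',
    'Application Management',
    'Certificate Propagation',
    'COM+ Event System',
    'DHCP Client',
    'Distributed Link Tracking Client',
    'Distributed Transaction Coordinator',
    'Diagnostic Policy Service',
    'IPsec Policy Agent',
    'Print Spooler',
    'System Event Notification'
)

$findings = @()
foreach ($name in $unneeded) {
    $services = @(Get-Service -DisplayName "$name*" -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        $findings += New-Object PSObject -Property @{
            Service = $name; Status = 'not installed'; StartMode = '-'; Action = 'none'
        }
        continue
    }
    foreach ($svc in $services) {
        # Get-Service on PowerShell 2.0 does not expose the start type; read it from WMI.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
        $action = 'compliant'
        if ($Enforce) {
            # -Force also stops dependent services (System Event Notification depends
            # on COM+ Event System, both of which are on the list).
            if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
            # Disabled rather than Manual, so a dependency cannot start it on demand.
            Set-Service -Name $svc.Name -StartupType Disabled
            $action = 'stopped and disabled'
        }
        elseif ($svc.Status -eq 'Running' -or $wmi.StartMode -ne 'Disabled') {
            $action = 'NON-COMPLIANT: should be stopped and disabled'
        }
        $findings += New-Object PSObject -Property @{
            Service   = $svc.DisplayName
            Status    = [string]$svc.Status
            StartMode = $wmi.StartMode
            Action    = $action
        }
    }
}

$findings | Format-Table Service, Status, StartMode, Action -AutoSize

# Non-zero exit code lets a scheduled audit flag drift from the guideline.
if ($findings | Where-Object { $_.Action -like 'NON-COMPLIANT*' }) { exit 1 }
```

Disabling DHCP Client, as the list directs, presumes the host has a static address; confirm any service your own deployment depends on before running with -Enforce.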


VMware View Security Server Deployment

View Security Servers are usually deployed in a DMZ to carefully control access from VMware View clients that reach VMware View over a hostile network such as the Internet. In a DMZ it is important to control network protocol access using a firewall.

Code: VSS07
Name: Use a time synchronization server for VMware View Security Servers.
Description: Every VMware View Security Server should synchronize its clock from a time synchronization server.
Risk or control: An incorrect clock on a Security Server makes SSL server certificate validation periods inaccurate and makes log analysis difficult.
Recommendation level: Configure all VMware View Security Servers to use the same reliable external time synchronization server.
Parameter or objects configuration: Use the date and time settings of the Windows OS to specify the name of an external time synchronization server.
Test: Verify on each Security Server that the clock is accurate and that it is set to synchronize from an external time source.
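As an added example (not the guide's own procedure) for this guideline and for the VSS01 template example earlier in the document, the following PowerShell script configures the Windows Time service on a Security Server against an external source and then carries out the Test step. It assumes an elevated session on Windows Server 2008; the server name time.example.net and the 5-second tolerance are placeholders to replace with your organization's approved source and policy.

```powershell
# Added example, not from the VMware guide: configure and verify external time
# synchronization on a View Security Server (VSS01/VSS07). Run elevated on
# Windows Server 2008; "w32tm /query" is not available on Windows Server 2003.
param(
    [string[]]$TimeServers = @('time.example.net'),   # assumed placeholder
    [int]$MaxOffsetSeconds = 5                       # assumed tolerance
)

# Space-separated peer list; the 0x8 flag makes each entry a client-mode peer.
$peers = ($TimeServers | ForEach-Object { "$_,0x8" }) -join ' '

# Use only the listed peers (not the domain hierarchy), do not advertise this
# host as a reliable source, then restart the service and force a sync.
& w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:no /update | Out-Null
Restart-Service -Name w32time
& w32tm /resync /nowait | Out-Null
Start-Sleep -Seconds 5

# Test step 1: the configured peer is actually the source in use.
$status = & w32tm /query /status
$source = ($status | Where-Object { $_ -match '^Source:' }) -replace '^Source:\s*', ''

# Test step 2: the clock offset against the first peer is within tolerance.
# /stripchart /dataonly prints lines like "12:00:01, +00.0123456s".
$chart = & w32tm /stripchart /computer:$($TimeServers[0]) /samples:3 /dataonly
$offsets = @($chart | ForEach-Object {
    if ($_ -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$matches[1]) }
})
if ($offsets.Count -eq 0) {
    $worst = [double]::PositiveInfinity        # peer unreachable: treat as failure
} else {
    $worst = ($offsets | Measure-Object -Maximum).Maximum
}

"Host              : $env:COMPUTERNAME"
"Configured source : $source"
"Max offset (s)    : $worst"
if ($source -notmatch [regex]::Escape($TimeServers[0]) -or $worst -gt $MaxOffsetSeconds) {
    Write-Warning 'Time synchronization check FAILED'
    exit 1
}
'Time synchronization check passed.'
```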

Code: VSS08
Name: Use an external firewall in the DMZ to control network access.
Description: VMware View Security Servers are normally deployed in a DMZ. It is important to carefully control which protocols and network ports are allowed so that communication with VMware View Security Server is restricted to the minimum required. VMware View Security Server automatically handles TCP forwarding to virtual desktops within a datacenter and ensures that all forwarded traffic is only on behalf of authenticated users.
Risk or control: Allowing unnecessary protocols and ports can result in a greater possibility of attack by a malicious user. This is particularly true of protocols and ports for network communication from the Internet.
Recommendation level: Configure a firewall on either side of a VMware View Security Server to restrict protocols and network ports to the minimum set required between VMware View clients and the VMware View Security Server. Similarly, for communication between the VMware View Security Server and the datacenter, limit the protocols and network ports from the VMware View Security Server.

To limit the scope of frame broadcasts, VMware View Security Servers should be deployed on an isolated network. This topology can help prevent a malicious user on the internal network from monitoring communication between the security servers and VMware View Connection Server instances.

You may want to use advanced security features on your network switch to prevent malicious monitoring of VMware View Security Server communication with VMware View Connection Servers, and to guard against monitoring attacks such as ARP cache poisoning. See the administration documentation for your networking equipment for more information.


Parameter or objects configuration: Refer to the VMware View Administration Guide for a description of the firewall rules that are needed for a VMware View DMZ deployment. It is important that network access from the Internet to a VMware View Security Server is not allowed until the server is hardened.
Test: Use a port scanner or similar tool to verify that the firewalls allow only the minimum communication required.

VMware View Security Server Configuration

Code: VSS09
Name: Do not use the default self-signed server certificates on a VMware View Security Server.
Description: When VMware View Security Server is first installed, the SSL server defaults to self-signed certificates. These should be replaced by SSL server certificates signed by a commercial Certificate Authority (CA) or an organizational CA.
Risk or control: The use of default certificates leaves the SSL connection more vulnerable to man-in-the-middle attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for these attacks.
Recommendation level: Enterprise.
Condition or steps: Information on how to replace VMware View Security Server SSL certificates can be found in the VMware View Administration Guide.
Test: Use a Web browser to make an HTTPS connection to the VMware View Security Server and use the capabilities within the browser to view the server SSL certificate. Verify that it is signed by the appropriate CA.
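As an added example (not part of the guide) of the Test step for this guideline and for the VSS02 template example earlier in the document, the following PowerShell script retrieves the certificate a Security Server presents on its HTTPS port and checks that it is not self-signed, chains to a trusted CA, comes from the expected issuer, is within its validity period and carries the name clients connect to. The host name view-ss.example.com and the issuer pattern are placeholders; run it from any Windows machine that trusts your organization's CA.

```powershell
# Added example, not from the VMware guide: verify the SSL server certificate a
# View Security Server presents (VSS02/VSS09) instead of inspecting it by hand
# in a browser. Host name and expected issuer are assumed placeholders.
param(
    [string]$SecurityServer = 'view-ss.example.com',              # assumed placeholder
    [int]$Port = 443,
    [string]$ExpectedIssuerPattern = 'CN=Example Corp Issuing CA' # assumed placeholder
)

# Open a TLS session and capture the leaf certificate. The callback accepts any
# certificate only so the handshake completes; all validation is done explicitly
# below so that a bad certificate is reported rather than hidden by an exception.
$client = New-Object System.Net.Sockets.TcpClient($SecurityServer, $Port)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($SecurityServer)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} catch {
    Write-Error "TLS handshake with ${SecurityServer}:$Port failed: $_"
    exit 1
} finally {
    $ssl.Dispose()
    $client.Close()
}

$problems = @()

# 1. The install-time default is self-signed: subject and issuer are identical.
if ($cert.Subject -eq $cert.Issuer) { $problems += 'certificate is self-signed' }

# 2. The issuer must be the CA the organization expects, not merely any trusted CA.
if ($cert.Issuer -notmatch $ExpectedIssuerPattern) { $problems += "unexpected issuer: $($cert.Issuer)" }

# 3. The chain must build to a trusted root, with revocation checked online.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $problems += @($chain.ChainStatus | ForEach-Object { "chain: $($_.StatusInformation.Trim())" })
}

# 4. Validity period (meaningless if this machine's clock is wrong; see VSS07).
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'certificate is outside its validity period' }

# 5. The name clients connect to must appear in the certificate (SAN, else subject CN).
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$names = if ($san) { $san.Format($false) } else { $cert.GetNameInfo('SimpleName', $false) }
if ($names -notmatch [regex]::Escape($SecurityServer)) { $problems += "host name $SecurityServer not in certificate names: $names" }

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'Certificate check passed.'
```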


Session Summary

To recap, the most common components in a VMware View architecture are listed below; however, some organizations will also have load balancers, identity management, self-service password systems, GINA chaining components, VPNs, and other components and devices. These components should be hardened according to your organization's best practices.

VMware View Client (Windows Workstation) / Thin Client
VMware View Security Servers
VMware View Connection Servers
VMware vCenter Server and VMware ESX Servers
Windows Guest OS

Figure: VMware View architecture. View Clients send HTTPS traffic through a firewall and a fault-tolerant load balancing mechanism to View Security Servers in the DMZ; a second firewall separates the DMZ from the internal network, where the View Connection Servers, Active Directory, VMware vCenter and VMware ESX Servers reside.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be

VMware View Security Server provides the following benefits for VMware View environments:

A hardened security deployment in the DMZ, including Federal Information Processing Standards (FIPS) and Common Criteria solutions
A single platform for all access methods
A complete range of authentication methods: RSA tokens, certificates, LDAP, etc.
SSO capability
Support for the PCoIP protocol and RDP
A wide range of supported platforms
Endpoint security scanning and validation
Detailed administrative and user logging
Integrated high availability

It can be configured as a standalone secure virtual desktop access point or together with other network load balancers.

VMware Security Servers play a critical role in your DMZ. Improperly configured, they can expose a Windows attack surface to the external world. Make sure all hardening guidelines are strictly followed and that the virtual or physical Windows systems are not in the same domain as the DMZ. All recommendations from this document apply to the VMware View Security Servers. If possible, use additional VMware vSphere infrastructure products, such as VMware vShield, to support your DMZ instead of just creating or virtualizing multiple vSwitches. The reason for this is that, despite the creation of multiple vSwitches in a single host, virtual switching executes in a single kernel process.

There are many global security settings related to the overall VDI solution that you may need to consider, but that are outside the scope of this document, such as:

Authentication method.
Security server or VPN for remote access.
Firewall requirements and rules.
Set up administrative role-based access controls (RBACs).
Limit the root administrator role to a small number of individuals.
Work with more restrictive built-in roles whenever possible.
Use custom roles for specific needs.

In general, you should minimize the allowable ports and services available beyond the ports required for the display protocol (such as PCoIP), and follow the strictest firewall practices to harden your deployment. For large deployments, you should consider organizing resource pools into folders, then delegating administrative roles to the folders by geographic location, business unit, function, compliance, and so on.

IT security and protection evolve rapidly to address constantly changing threats. We recommend that you stay as up to date as possible on best practices to maintain system availability and maximize data protection.

If you have comments and would like to contribute, please send an email to desktop-tm@vmware.com.
