
VMware® View™ Security Hardening Guide

WHITE PAPER


Table of Contents

• Introduction (page 3)
• Endpoint Hardening Practices (page 3)
- VMware View Client (page 3)
- PCoIP Endpoints (page 4)
• VMware View Connection Server and Security Server Hardening (page 4)
• VMware vCenter Server & VMware ESX Server (page 5)
• Detailed Recommendations for VMware View Security Server Hardening (page 6)
- Parameter Setting (page 6)
- Component Configuration (page 6)
- Operational Patterns (page 7)
- View Security Server Host (page 7)
- VMware View Security Server Deployment (page 8)
- VMware View Security Server Configuration (page 8)
• Guest Operating System Hardening – Windows 7 (page 9)
• PowerShell Execution Policy (page 10)
• Local Mode Hardening (page 11)
• Kiosk Mode Hardening (page 12)
• Infrastructure Hardening (page 12)
• Keystore Hardening (page 13)
• Additional Security Practices (page 13)
- Network Security (page 13)
- Role-Based Access Control (RBAC) (page 14)
• Summary (page 15)
• Contributors (page 15)


Introduction

This document provides general guidelines for security hardening practices across VMware® View™ components, setting role-based administration and user privileges, and deployment scenarios.

Your organization may need to meet specific security standards to satisfy regulatory requirements based on your vertical industry. Since these standards and other compliance and regulatory requirements change frequently, this document does not attempt to address them; however, it is strongly advised that you understand these standards, why they are established, and how to adhere to them.

Endpoint Hardening Practices

VMware® View™ Client

VMware View Client always runs on the existing operating system (for example, Windows, Mac OS, or Linux) at the endpoint device. A good hardening practice is to enable and enforce 128-bit AES encryption at the endpoint. Endpoint devices such as thin clients, zero clients, mobile devices, and tablets are less vulnerable by nature because of their reduced attack surface and locked-down environment; however, it is recommended to keep these devices up to date with the latest firmware and security fixes.

Specific recommendations for devices running soft clients include the following:

• Utilize standard Windows hardening practices
• Create, deploy, and maintain password protection policies
• Keep software and security patching up to date
• Verify firewall requirements
• Install a reliable antivirus solution
• Utilize endpoint intrusion prevention systems such as Cisco Security Agent
• Use Active Directory, RSA SecurID or smart card authentication
• Deploy VMware View ADM templates to enable the list of brokers trusted for delegation, to disable third-party terminal services plugins, and to disable single sign-on (extreme security precaution)


PCoIP Endpoints

The PCoIP Management Console enables administrators to centrally manage PCoIP endpoints equipped with Tera chipsets. It runs as a slim appliance on VMware® Player™ or VMware® vSphere™ infrastructure and can be used to do the following:

• Access and update the configuration of all PCoIP devices
• Apply the same configuration data to groups of devices
• Update device firmware
• Reset devices
• Control the power state of host devices
• View status information
• Manage the monitoring of device event logs

The PCoIP Management Console has a simple and intuitive web interface for device administration. Different profile templates can be created and applied to those management groups.

VMware View Connection Server and Security Server Hardening

In a VMware View architecture, both Connection Server and Security Server services run on Windows Server platforms and are therefore subject to the OS attack surface. The same hardening techniques utilized for your common Windows Server infrastructure should be used here; they include (but are not limited to) the following:

• Utilize standard Windows hardening practices
• Create, deploy, and maintain password protection policies
• Keep software and security patching up to date
• Verify firewall requirements
• Install a reliable antivirus solution
• Disable unneeded ciphers
• Disable unneeded services and network protocols (only IPv4 is needed)

It is very common to see administrators disabling services in the guest OS to optimize the end-user experience as well as to reduce the attack surface. Additional recommended practices include:

• Replace default self-signed certificates with those from a trusted certification authority (either a commercial CA or an organizational CA)
• Make sure all communications between View Clients and Security Servers or Connection Servers use HTTP over SSL3/TLS1

Security Servers are a critical piece of your DMZ and expose the Windows attack surface to the external world. Make sure all hardening guidelines are strictly followed and that neither the virtual nor the physical Windows systems are members of the domain. All items listed above apply to the Security Servers; in addition, if possible, utilize a different vSphere infrastructure to support your DMZ. The reason: despite the creation of multiple vSwitches, in a single host the virtual switching happens in a single process. And of course, make sure your security advisory board is comfortable with the solution.
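The "disable unneeded ciphers" item above is applied to Windows Schannel through the registry. The following script is an added example, not code from the VMware guide: it disables SSL 2.0 and the NULL, DES and RC2/RC4 cipher keys on a Connection Server or Security Server host and then reports which keys are still enabled. The registry paths are the standard Schannel keys; the choice of what to disable is this example's assumption, and it assumes an elevated session on Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the VMware guide): disable SSL 2.0 and weak Schannel cipher keys
# on a Windows host running Connection Server or Security Server, then audit the result.
# Schannel reads these keys at boot, so a reboot is required for them to take effect.

$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher keys to disable: NULL (no encryption), single DES, export-strength RC2/RC4 and RC4.
$WeakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128')
# SSL 2.0 is not one of the transports the guide calls for (SSL3/TLS1), so switch it off.
$DisabledProtocols = @('SSL 2.0')

function Disable-SchannelKey {
    param([Parameter(Mandatory)][string]$RelativePath, [switch]$IsProtocol)
    # The PowerShell registry provider treats "/" as a path separator and would split
    # "RC4 128/128" into two keys, so the .NET registry API is used directly instead.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelRoot, $true)
    try {
        $key = $root.CreateSubKey($RelativePath)      # opens the key if it already exists
        try {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            if ($IsProtocol) {
                $key.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
            }
        } finally { $key.Close() }
    } finally { $root.Close() }
}

function Get-SchannelKeyState {
    # One row per key with its current Enabled value; $null means the key is absent, which
    # Schannel treats as "enabled" for every cipher and protocol it supports.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelRoot)
    try {
        $paths = @($WeakCiphers | ForEach-Object { "Ciphers\$_" }) +
                 @($DisabledProtocols | ForEach-Object { "Protocols\$_\Server" })
        foreach ($p in $paths) {
            $key = $root.OpenSubKey($p)
            $enabled = if ($key) { $key.GetValue('Enabled') } else { $null }
            if ($key) { $key.Close() }
            [pscustomobject]@{ Key = $p; Enabled = $enabled; Hardened = ($enabled -eq 0) }
        }
    } finally { $root.Close() }
}

function Invoke-SchannelHardening {
    foreach ($c in $WeakCiphers) { Disable-SchannelKey -RelativePath "Ciphers\$c" }
    foreach ($p in $DisabledProtocols) {
        Disable-SchannelKey -RelativePath "Protocols\$p\Server" -IsProtocol
    }
    # Anything listed here still needs attention before the reboot.
    Get-SchannelKeyState | Where-Object { -not $_.Hardened }
}

Invoke-SchannelHardening
```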


Additional global security settings related to the overall VMware View solution that you might need to consider include:

• Authentication method
• Using Security Server or VPN for remote access
• Firewall requirements
• Setup of administrative RBACs
• Limiting the Root Administrator role to a small number of individuals
• Working with more restrictive built-in roles whenever possible
• Using custom roles for specific needs

For large deployments, organize resources (pools) into folders and delegate administrative roles to the folders (by geographical location, business unit, function, or compliance):

• User entitlements
• Desktop zoning and user data zoning
• Multi-tenancy

VMware vCenter Server & VMware ESX Server

Because vCenter Server runs on a Windows host, it is especially critical to protect this host against vulnerabilities and attacks. The standard set of recommendations applies: install antivirus agents, spyware filters, password protection, intrusion detection systems, and any other security measures. Verify your firewall requirements, and make sure to keep all security measures up to date, including application of patches. In addition:

• Limit vCenter Server to highly privileged administrators, and then only for the purpose of administering vCenter Server or the host operating system
• Install vCenter Server using a service account instead of a built-in Windows account
• Restrict usage of the vSphere Administrator privilege
• Block access to ports not being used by vCenter
• Replace default self-signed certificates with those from a trusted certification authority (either a commercial CA or an organizational CA)
• Monitor and restrict access to SSL certificates: the directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis; occasionally, the vCenter Server system administrator might need to access them for support purposes
• Disable unneeded services and network protocols

There are a number of hardening recommendations for vCenter Server and ESX Server that are covered in the vSphere 4.0 Security Hardening Guide published by VMware. You can consider running the "vmwarevSphereSecurityHardeningReportCheck" Perl script to retrieve the security check results and email notifications.


Detailed Recommendations for VMware View Security Server Hardening

VMware View Security Server is recommended for DMZ deployments or environments with distinct networks. It helps connect to a VMware View Connection Server (VCS) and handles the secure tunnel termination from the VMware View Client installed at the endpoint device, using packet-oriented AJPv13 and JMS communication with the VMware View Connection Server. VMware View Security Server ensures that only authenticated users gain access from one network to another.

With the correct firewall rules in place, virtual desktop access is possible only for authenticated users. Only authenticated users on an allowed protocol can access the datacenter. In addition, VMware View Security Server ensures that users can access only those virtual desktop resources for which they are authorized or entitled.

A VMware View Security Server acts as an SSL offload, handling all HTTPS processing and all desktop protocol traffic that would otherwise occur on the VMware View Connection Server.

For large deployment scalability and high availability (HA), please refer to the VMware View Architecture and Planning Guide.

Parameter Setting

Specific products allow you to set (or not set) parameters, for example, VMware View Connection Server parameters such as authentication methods, or VMware View Security Server SSL settings. VMware is developing recommendations and best practices for these parameter settings. For example:

• Configuring a Connection Server session timeout: Having a very long session timeout can increase the risk of neglected-session hijacking. The Connection Server session timeout controls how long users can keep their session open after logging onto a Connection Server, after which time they need to re-authenticate to the Connection Server. The default is 10 hours and is specified in minutes. This setting is defined through VMware View Administrator under View Configuration, Global Settings. It applies to all Connection Servers in a replicated group. The default value of 600 minutes is recommended. After the session timeout has expired, a user connected to VMware View Connection Server will be logged off and will be required to log on again.

Component Configuration

These recommendations apply to certain configurations of components, either to reduce risk or to provide a compensating control. Typically, they involve setting a parameter to a site-specific value or installing components in a manner that satisfies appropriate constraints, and so there is no definitive value to be checked against. Examples include configuring a time synchronization server, or protecting VMware View Security Servers with an external firewall. VMware is developing recommendations and best practices for these component configurations. For example:

• Use a time synchronization server for VMware View Security Servers. Every VMware View Security Server should synchronize its time clock from a time synchronization server. Having an incorrect time clock on a Security Server makes SSL server certificate validation periods inaccurate and log analysis difficult. The recommendation: configure all VMware View Security Servers to use the same reliable external time synchronization server. Use the date and time setting on the Windows OS to specify the name of an external time synchronization server. To test, verify on each Security Server that the clock is accurate and that it is set to synchronize from an external time source.


Operational Patterns

These recommendations apply to operating or interacting with the system administrative components, for example, using SSL server certificates signed by a certificate authority, and using OCSP to manage certificate revocation when using smart card authentication. Again, VMware is developing recommendations and best practices for these operational patterns. For example:

• Do not use the default self-signed server certificates on a VMware View Security Server. When VMware View Security Server is first installed, the SSL server defaults to self-signed certificates. These should be replaced by SSL server certificates signed by a commercial certificate authority (CA) or an organizational CA. The use of default certificates leaves the SSL connection more vulnerable to man-in-the-middle attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for this type of attack. To test, use a Web browser to make an HTTPS connection to the VMware View Security Server and use the capabilities within the browser to view the server SSL certificate; verify that it is signed by the appropriate CA.

View Security Server Host

View Security Server runs on Windows Server 2003 or Windows Server 2008. It is critical to protect this host against normal operating system vulnerabilities and attacks. The standard set of recommendations applies: install antivirus agents, spyware filters, intrusion detection systems, and other security measures according to your organization's policies; and make sure to keep all security measures up to date, including the application of operating system patches. The following additional recommendations apply:

• Keep the VMware View Security Server system properly patched. By staying up to date on Windows patches, vulnerabilities in the OS can be mitigated. Employ a system to keep the VMware View Security Server system up to date with patches, in accordance with industry-standard guidelines, or internal guidelines where appropriate.
• Provide Windows system protection on the VMware View Security Server host. Attackers who can obtain access and elevate privileges on the VMware View Security Server system can then take over the entire vSphere deployment. By providing OS-level protection, vulnerabilities in the OS can be mitigated. This protection includes antivirus, anti-malware, and other similar measures. Provide Windows system protection, such as antivirus, in accordance with industry-standard guidelines, or internal guidelines where appropriate.
• Restrict administrative Windows login. The number of administrators with rights to perform administrative login to a VMware View Security Server should be minimized and carefully controlled. Create specific administrative login accounts for individuals and make those accounts members of the local Administrators group.
• Implement an administrative password policy. If an unauthorized administrator gains access to the Security Server, then it is vulnerable to unauthorized modification. Therefore, set a password policy for all VMware View Security Servers. This should include minimum length, character types, and requirements to periodically change passwords. Set a password policy on each VMware View Security Server.
• Remove unnecessary network protocols. If unnecessary protocols are enabled, the VMware View Security Server can be more vulnerable to network attack. View Security Server only uses IPv4 communication; other protocols such as File and Printer Sharing for Microsoft Networks and Novell IPX should be removed. In the Control Panel on each VMware View Security Server, look at the properties of each network adapter and remove or uninstall protocols that are not required.
• Disable unnecessary Windows services. If unnecessary Windows services are running, the View Security Server can be more vulnerable to network attack. View Security Server only requires a small number of Windows services to be running. Security is enhanced when unnecessary services are disabled in Windows. This prevents them from automatically starting at boot time. Ensure that no Server roles are enabled. Disable any Windows services that are not required.


VMware View Security Server Deployment

View Security Servers are usually deployed in a DMZ to carefully control access from VMware View clients accessing VMware View over a hostile network such as the Internet. In a DMZ it is important to control network protocol access using a firewall. In addition, adhere to the following recommendations:

• Use a time synchronization server for VMware Security Servers. An incorrect time clock on a Security Server makes SSL server certificate validation periods inaccurate and makes log analysis difficult. Therefore every VMware View Security Server should synchronize its time clock from a time synchronization server. Configure all VMware View Security Servers to use the same reliable external time synchronization server. Use the date and time setting on the Windows OS to specify the name of an external time synchronization server. To test, verify on each Security Server that the clock is accurate and that it is set to synchronize from an external time source.
• Use an external firewall in the DMZ to control network access. VMware View Security Servers are normally deployed in a DMZ. It is important to carefully control which protocols and network ports are allowed so that communication with VMware View Security Server is restricted to the minimum required. VMware View Security Server automatically handles TCP forwarding to virtual desktops within a datacenter and ensures that all forwarded traffic is only on behalf of authenticated users. Configure a firewall on either side of a VMware View Security Server to restrict protocols and network ports to the minimum set required between VMware View clients and the VMware View Security Server. Similarly, for communication between the VMware View Security Server and the datacenter, limit the protocols and network ports from the VMware View Security Server. To limit the scope of frame broadcasts, VMware View Security Servers should be deployed on an isolated network. This topology can help prevent a malicious user on the internal network from monitoring communication between the security servers and VMware View Connection Server instances. You may want to use advanced security features on your network switch to prevent malicious monitoring of VMware View Security Server communication with VMware View Connection Servers, and to guard against monitoring attacks such as ARP cache poisoning. See the administration documentation for your networking equipment for more information.
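The time synchronization recommendation above (and the identical one under Component Configuration) ends with "verify that the clock is accurate and that it is set to synchronize from an external time source". The following is an added example, not code from the VMware guide, that configures the Windows Time service on a Security Server with w32tm.exe and then performs that verification. The peer name is a placeholder for the organization's approved time source, and the one-second tolerance is this example's assumption; it assumes an elevated session on Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the VMware guide): point a Security Server at an external NTP
# source and verify both the configured source and the measured offset.

$TimePeer = 'ntp.example.com'     # placeholder, replace with the approved external source
$MaxOffsetSeconds = 1.0           # assumption: a larger offset is reported as a failure

function Set-SecurityServerTimeSource {
    param([Parameter(Mandatory)][string]$Peer)
    # A DMZ Security Server is not domain-joined, so the domain time hierarchy is not available;
    # sync from the explicit peer list only (syncfromflags:manual) and apply immediately.
    & w32tm.exe /config /manualpeerlist:"$Peer" /syncfromflags:manual /update | Out-Null
    Restart-Service -Name w32time
    & w32tm.exe /resync /nowait | Out-Null
}

function Test-SecurityServerTimeSync {
    param([Parameter(Mandatory)][string]$Peer, [double]$MaxOffset = 1.0)
    # "w32tm /query /source" prints the active source; "Local CMOS Clock" or
    # "Free-running System Clock" means no external source is in use at all.
    $source = (& w32tm.exe /query /source | Select-Object -First 1).Trim()
    $usingExternal = $source -notin @('Local CMOS Clock', 'Free-running System Clock')

    # "/stripchart /dataonly" prints one "HH:mm:ss, +00.0123456s" row per sample (constructed
    # illustration of the format); the signed offset in seconds is parsed from each row.
    $rows = & w32tm.exe /stripchart /computer:$Peer /samples:3 /dataonly
    $offsets = foreach ($row in $rows) {
        if ($row -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    $worst = if ($offsets) {
        ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    } else { $null }

    [pscustomobject]@{
        Source             = $source
        UsesExternalSource = $usingExternal
        WorstOffsetSeconds = $worst
        Passed             = $usingExternal -and ($worst -ne $null) -and ($worst -le $MaxOffset)
    }
}

Set-SecurityServerTimeSource -Peer $TimePeer
Test-SecurityServerTimeSync -Peer $TimePeer -MaxOffset $MaxOffsetSeconds
```

Run the test function on each Security Server; a result with Passed = False either still uses the local clock or cannot reach the configured peer, both of which the guide's recommendation is meant to rule out.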

VMware View Security Server Configuration

• Do not use the default self-signed server certificates on a VMware View Security Server. When VMware View Security Server is first installed, the SSL server defaults to self-signed certificates. These should be replaced by SSL server certificates signed by a commercial Certificate Authority (CA) or an organizational CA. The use of default certificates leaves the SSL connection more vulnerable to man-in-the-middle attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for these attacks. Information on how to replace VMware View Security Server SSL certificates can be found in the VMware View Administration Guide. To test, use a Web browser to make an HTTPS connection to the VMware View Security Server and use the capabilities within the browser to view the server SSL certificate. Verify that it is signed by the appropriate CA.
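The test described above (and in the Operational Patterns item) is done by hand in a browser. The following added example, not code from the VMware guide, automates it: it connects to the Security Server, retrieves the server certificate, flags the self-signed installation default, checks the issuer against the expected CA, builds the chain with revocation checking, and checks the name and expiry. The host name, issuer name and 30-day expiry warning are placeholders and assumptions; it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the VMware guide): retrieve the TLS certificate a View Security
# Server presents and verify it is not the default self-signed certificate and is signed by
# the expected CA.

function Get-ViewServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented during the handshake; validation is done explicitly
        # below so a bad certificate is reported as a finding instead of an exception.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ViewServerCertificate {
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)][string]$ExpectedIssuer,
          [int]$Port = 443)
    $cert = Get-ViewServerCertificate -HostName $HostName -Port $Port
    $findings = @()

    # A self-signed certificate has identical subject and issuer: the installation default.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'self-signed certificate (installation default still in use)'
    }
    if ($cert.Issuer -notlike "*$ExpectedIssuer*") {
        $findings += "issued by '$($cert.Issuer)', not the expected CA"
    }

    # Build the chain against the local trust store with online revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $findings += ($chain.ChainStatus | ForEach-Object { "chain: $($_.StatusInformation.Trim())" })
    }

    # The primary DNS name must match the name clients connect to (a wildcard entry is
    # reported as a mismatch here and needs a manual look); warn about upcoming expiry.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $HostName) { $findings += "certificate name '$dnsName' does not match '$HostName'" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "expires $($cert.NotAfter)" }

    [pscustomobject]@{
        Host = $HostName; Subject = $cert.Subject; Issuer = $cert.Issuer
        Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
        Passed = ($findings.Count -eq 0); Findings = $findings
    }
}

# Placeholder host and CA name; replace with the Security Server and the organizational CA.
Test-ViewServerCertificate -HostName 'view.example.com' -ExpectedIssuer 'Example Corp Issuing CA'
```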

In summary, VMware Security Servers play a critical role in your DMZ. Make sure all hardening guidelines are strictly followed and that the virtual or physical Windows systems are not in the same domain as the DMZ. All recommendations from this document will apply to the VMware View Security Servers. If possible, utilize additional VMware vSphere infrastructure products, such as VMware vShield, to support your DMZ instead of just creating or virtualizing multiple vSwitches. The reason for this is that, despite the creation of multiple vSwitches in a single host, virtual switching executes in a single kernel process.

In general, you should minimize allowable ports and services available beyond the necessary ports required for the display protocol (such as PCoIP), and follow the strictest firewall practices to harden your deployment. For large deployments, you should consider organizing resource pools into folders, then delegating administrative roles to the folders by geographic location, business unit, function, compliance, and so on.


Guest Operating System Hardening – Windows 7

When deploying Windows 7, Office 2010, and Windows Server 2008 R2 with the Microsoft Deployment Toolkit 2010 Update 1, MDT is the recommended process and toolset for automating desktop and server deployment. For detailed information see:

• Mastering VDI Templates updated for Windows 7 and PCoIP (http://myvirtualcloud.net/?p=929)
• VMware View Optimization Guide for Windows 7 (http://www.vmware.com/resources/techresources/10157)

You will need to select among a large number of features and determine what will or will not be available to your users. In most cases administrators will automate the installation of the VMware View Client. It is important to know the command line parameters and features available to customize the deployment. There is essential information in the Administrator's Guide and VMware View 4.5 Command Line Usage for deploying only the feature set required.

As a guideline, here are the key items to consider when hardening the parent VM:

• Base OS hardening
• Refresh intervals (recompose/refresh)
• Antivirus (http://www.vmware.com/resources/techresources/10089)
• Patch base OS
• View agent
- USB devices and redirection
- Drive redirection
- Clipboard redirection
- Printer redirection
- GINA chaining
- Offline/Local Mode
- Single sign-on
- Display protocols available
- Smartcards

When you are automating the installation of the VMware View Client, it is important to know the command line parameters and features available to customize the deployment. Refer to "VMware View 4.5 Command Line Usage" (http://myvirtualcloud.net/?p=1368P) for a rundown of almost all properties available to deploy and execute View components. Additional considerations include:

• Some settings are managed by View Agent and others are managed by Active Directory GPO. Utilize the Mastering VDI Templates updated for Windows 7 to know what you can manage at each level.
• Guest/host cut & paste and USB access are controlled by the View Manager. Read the community article "Disabling Copy & Paste in PCoIP".
• Define your patch management strategy. Perhaps you will apply patches to the parent VM and recompose all virtual desktops once a month or every week, but what will you do in regards to critical updates? Your patch management strategy may or may not include a combination of recompose and standard patch management tools such as WSUS, SCCM and Altiris.


PowerShell Execution Policy

If you administered Windows XP, Windows PowerShell might not have been on the system, so the possibilities for management were limited. With Windows Vista and Windows Server 2008, Windows PowerShell 1.0 is available in the operating system. With Windows 7 and Windows Server 2008 R2, Windows PowerShell 2.0 is provided by default. Windows PowerShell provides a great deal of flexibility in using the shell for your automations and administrative tasks, but it also means that you need to consider a safe way to prevent users from running untrusted scripts.

The AllSigned execution policy is the setting that most people consider to be the safe option. AllSigned requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.

If you are a system administrator, you might want to set the execution policy to AllSigned for your non-technical users so that they are allowed to run a subset of safe scripts. Non-technical users who are administered by you will then be allowed to execute only the scripts that you have signed for them.

When Windows PowerShell is first installed, it can be used interactively, but it won't run scripts because the execution policy is set to the default of Restricted. You can view the execution policy with the Get-ExecutionPolicy cmdlet. Accounts with administrator privileges can modify the policy with the following command:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

This is a good compromise because it allows local scripts to run, but it blocks scripts from the Internet or UNC-mapped drives unless they are signed with a code-signing certificate that the system can accept.

For more information about PowerShell execution policy settings, you can refer to Microsoft PowerShell 2.0 Best Practices published by Microsoft Press.
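The AllSigned workflow described above has two halves: setting the policy, and signing the scripts that users are still allowed to run. The following is an added example, not code from the VMware guide, that enforces AllSigned for the whole machine, signs an administrative script with a code-signing certificate, and reports whether the signed script would run silently under that policy. The script path and timestamp server are placeholders; it assumes an elevated session on Windows PowerShell 3.0 or later and a code-signing certificate already present in the user's personal store.

```powershell
# Added example (not from the VMware guide): enforce AllSigned machine-wide and sign an
# administrative script so it keeps running under that policy.

$ScriptPath = 'C:\Scripts\view-maintenance.ps1'          # placeholder
$TimestampServer = 'http://timestamp.example.com'        # placeholder TSA, or $null to skip

function Set-SignedScriptPolicy {
    # LocalMachine scope covers every user on the host. The listing shows scope precedence:
    # a MachinePolicy or UserPolicy value set by GPO overrides whatever is set here.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
    Get-ExecutionPolicy -List
}

function Protect-AdminScript {
    param([Parameter(Mandatory)][string]$Path, [string]$Tsa)
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } | Select-Object -First 1
    if (-not $cert) { throw 'No unexpired code-signing certificate in Cert:\CurrentUser\My' }
    $signArgs = @{ FilePath = $Path; Certificate = $cert; HashAlgorithm = 'SHA256' }
    # A timestamp keeps the signature valid after the signing certificate itself expires.
    if ($Tsa) { $signArgs.TimestampServer = $Tsa }
    $sig = Set-AuthenticodeSignature @signArgs
    if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }
    $sig
}

function Test-AdminScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' = hash matches and the signer chains to a trusted root; 'HashMismatch' = the
    # file was edited after signing; 'NotSigned' = AllSigned refuses it. Even when Valid,
    # AllSigned prompts the user unless the signer is in the Trusted Publishers store.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $trustedPublisher = $signer -and (Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint })
    [pscustomobject]@{
        Path = $Path; Status = $sig.Status; Signer = $signer
        RunsSilentlyUnderAllSigned = ($sig.Status -eq 'Valid' -and [bool]$trustedPublisher)
    }
}

Set-SignedScriptPolicy
Protect-AdminScript -Path $ScriptPath -Tsa $TimestampServer | Out-Null
Test-AdminScriptSignature -Path $ScriptPath
```

Editing the signed script afterwards changes its hash, so Test-AdminScriptSignature reports HashMismatch and AllSigned blocks it until it is re-signed.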


Local Mode Hardening

Malware on the host is the most common security concern, and it is a legitimate one. As of today, the best practice advice for a customer with concerns in this area is to pair the use of Local Mode with leading SSL VPN solutions on the host. The diagram below illustrates the Local Mode checkout flow with a Transfer Server (TS) repository.

Figure 1: Local Mode deployment and provisioning

If the remote computer passes a pre-login assessment associated with a particular endpoint profile configured on the security appliance, a scan of the antivirus, anti-spyware, personal firewall, and other optional keylogger, file, registry, and process checks occurs. An advanced endpoint assessment option is available to automate the process of repairing out-of-compliance applications. This scan can be turned on or off by the system administrator.

The administrator will then be able to configure rules that will be enforced on the endpoint machine for remediation purposes. These rules include:

• Antivirus: brand and version, force file system protection (if the program supports this action), force virus definitions update if not updated in the last x days (if the program supports this action)
• Personal Firewall: brand and version, firewall action (none, enable or disable; if the firewall supports that action), rules: allow or disallow applications or ports (if the FW program supports this action)
• Anti-spyware: brand and version, force spyware definitions update if not updated in the last x days (if the AS program supports this action)

In addition, sophisticated role-based posture checks with quarantine and remediation functions could be provided using the mainstream SSL VPN solutions.


To meet the special security requirements of employee departure and information retrieval, Local Mode has three synergistic capabilities:

• AES encryption of the virtual machine
• Max time without server contact policy
• AD-based entitlements

The virtual machines in Local Mode are all encrypted and the end user does not have direct access to the keys to unlock them. The keys are stored in the ADAM database on the server. The user's access is then gated and granted by the View Connection Server. A special keystore that is encrypted with the user's own credentials is stored on disk for offline access.

It is also possible to configure a "max time without server contact" to the longest time you can accept a user retaining access to checked-out data after termination (balancing that against how long certain users need to be off network, on a plane, on business trips, and so on) without server contact.

When an employee or contractor is no longer with a company, their entitlement to the desktop will be revoked in AD and View. At this point, the next time that system comes in contact with the server and the user attempts to log in, their access to the encrypted virtual machine will be revoked and their cached keystore will be removed.

If a user never attempts to log in, or avoids network contact with the datacenter, their access to the virtual machine will be automatically blocked after the "max time without server contact" expires. At this point, the View Client itself will block access to the virtual machine, and the user will find the AES-encrypted virtual machine useless.

For advanced superusers, consider using smart-card/PIN-based authentication rather than username/password. The superuser's attack is based on them knowing the credentials they used to log in before. Without the smart card, all the encrypted data left on the hard drive (or a copy they made) is useless, since the user no longer has a means to decrypt the keystore.

Kiosk Mode Hardening

Kiosk Mode refers to using client IDs or MAC addresses to tie together with the virtual desktop and bypass any manual logon process in View Client. Depending on the use cases, a basic hardening process can be put in place, such as using GPO to disable USB devices not required in the kiosk station, or to disable cut-and-paste features, since the kiosk is standalone without staff attendance.

Infrastructure Hardening

For general security hardening practices, it is always recommended to keep the number of ports open to a minimum in a firewall-protected deployment environment, and to have a policy to manage ports in such environments. In addition, for applications in the base virtual machine, consider the following:

• Remove unneeded default applications
• Restrict access to administrative applications
• Restrict access to deployed applications


Keystore Hardening

Objects needed for SSL communication, including private keys, digital certificates, and trusted CA certificates, are stored in keystores. To meet security requirements, administrators should do the following:

• Manage certificates in a keystore file
• Secure them using file system permissions on the directory install_directory\VMware\VMware View\Server\sslgateway\conf\
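The file system permissions item above is the control that keeps the private key out of reach of ordinary local accounts. The following added example, not code from the VMware guide, locks the sslgateway\conf directory down to SYSTEM and the local Administrators group and then audits the directory and every file beneath it for any other principal that still has access. The install path is a placeholder, and granting only SYSTEM assumes the View services run as LocalSystem (if a service account is used, add it to the allowed list); it assumes an elevated session on Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the VMware guide): restrict the keystore directory to SYSTEM and
# local Administrators, then report anything else that can still reach the files.

$ConfDir = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'   # placeholder
$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')   # assumption

function Protect-KeystoreDirectory {
    param([Parameter(Mandatory)][string]$Path, [string[]]$Allowed)
    # Pass 1: cut inheritance from the parent without copying the inherited entries
    # (the parent typically grants Users read access, which would expose the private key).
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $Path -AclObject $acl

    # Pass 2: re-read, drop every remaining explicit entry, then grant only the allowed
    # identities full control that propagates to the keystore files below.
    $acl = Get-Acl -Path $Path
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($id in $Allowed) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-KeystoreDirectoryAccess {
    param([Parameter(Mandatory)][string]$Path, [string[]]$Allowed)
    # Check the directory and every file under it; a file with its own explicit ACE
    # (for example a keystore copied in by hand) would otherwise slip through.
    $rootPath = (Resolve-Path -Path $Path).Path
    $items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        $extra = @($acl.Access | Where-Object { $Allowed -notcontains $_.IdentityReference.Value })
        $isRoot = ($item.FullName -eq $rootPath)
        [pscustomobject]@{
            Path               = $item.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            UnexpectedAccess   = @($extra | ForEach-Object { "$($_.IdentityReference) : $($_.FileSystemRights)" })
            # Children may inherit from the protected directory; only the root must block inheritance.
            Passed             = ($extra.Count -eq 0) -and (-not $isRoot -or $acl.AreAccessRulesProtected)
        }
    }
}

Protect-KeystoreDirectory -Path $ConfDir -Allowed $AllowedIdentities
Test-KeystoreDirectoryAccess -Path $ConfDir -Allowed $AllowedIdentities | Where-Object { -not $_.Passed }
```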

Additional Security Practices

Network Security

On the network security side, consider using a stateful inspection network firewall or vShield virtual firewall with a default-deny rule set and exceptions. Also, any Internet-facing server, such as Security Server, belongs in a DMZ with strong default-deny rules on the firewall to prevent data exfiltration. You can use a network IDS/IPS to monitor and prevent known attacks. For the SQL server configured for event monitoring or View Composer, put the database on an internal network, not the DMZ. This will also help harden your VMware View installation.

Figure 2: End-to-end security with vShield product family


For vSphere-based environments, vShield solutions provide capabilities to secure the edge of the vDC, protect virtual applications from network-based threats, and streamline antivirus protection for VMware View deployments by offloading AV processing to dedicated security virtual machines.

These new product offerings can start securing infrastructure almost immediately, since all the underlying compute resources are already present in the vSphere environment. The same solutions in the traditional security model would have taken months to authorize and provision in the physical data center.

The diagram below is a sample View multi-tenancy proof of concept with vShield components inserted in the architecture.

[Figure 3 diagram: VMware ESX hosts with per-tenant VLANs; diagram labels include ESX, SS, CB, DHCP, VM, WWW, DC, MPLS, VLAN, VC & SQL and SAN. Legend:]

• vShield Edge: edge network security to route (vShield 2.0) and firewall between different virtual networks
• vShield App: an alternative to VLANs for segmentation and L2 isolation of virtual workloads. Plus, provides firewalling between virtual workloads
• vShield Edge: can provide DHCP services to all workloads within a port group
• vShield Endpoint: AV protection of View workloads

Figure 3: Using vShield product family in View deployment for multi-tenancy

Role-Based Access Control (RBAC)

VMware View 4.5 supports Role-Based Access Control systems based on a user's roles and responsibilities. Users aren't given access to systems; the roles are. In an RBAC, the administrator centrally manages the roles. Roles can effectively be implemented using security groups. Start by creating a security group representing each role. Then, assign permissions and rights to these groups. Depending on their job functions, you can add the users to the applicable security groups.

For more information about the RBAC deployment, refer to Chapter 2, "Configuring Role-Based Delegated Administration" in the VMware View Administrator's Guide.
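The procedure above (one security group per role, permissions granted to the group, users added by job function) can be kept from drifting by declaring the role membership once and reconciling Active Directory against it. The following is an added example, not code from the VMware guide: it creates any missing role group and adds or removes members so each group matches the declared map, which is how the guide's advice to keep the Root Administrator role small stays true over time. It assumes the ActiveDirectory module (RSAT) and rights to manage groups in the OU; the OU, group names and member accounts are constructed placeholders, and the View Administrator permissions themselves are still assigned to these groups in View Administrator.

```powershell
# Added example (not from the VMware guide): reconcile AD security groups that represent
# View administrative roles against a declared role-to-member map.

Import-Module ActiveDirectory

$RoleOU = 'OU=View Roles,OU=Groups,DC=example,DC=com'   # placeholder

# Constructed placeholder map: group name -> sAMAccountNames that should hold the role.
$RoleMembers = @{
    'View-Administrators'     = @('alice')          # full Administrators role: keep this list short
    'View-HelpDesk-Operators' = @('bob', 'carol')   # a more restrictive built-in role
    'View-Folder-EMEA-Admins' = @('dave')           # a custom role delegated on one folder
}

function Sync-ViewRoleGroups {
    param([Parameter(Mandatory)][hashtable]$Roles, [Parameter(Mandatory)][string]$Path)
    foreach ($groupName in $Roles.Keys) {
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $Path
        if (-not $group) {
            $group = New-ADGroup -Name $groupName -GroupCategory Security -GroupScope Global `
                -Path $Path -Description 'VMware View administrative role' -PassThru
        }
        # Compare current membership with the declared list in both directions, so that
        # someone added out of band loses the role instead of silently keeping it.
        $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
        $wanted = @($Roles[$groupName])
        $toAdd = @($wanted | Where-Object { $current -notcontains $_ })
        $toRemove = @($current | Where-Object { $wanted -notcontains $_ })
        if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $toAdd }
        if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
        [pscustomobject]@{ Group = $groupName; Added = $toAdd; Removed = $toRemove }
    }
}

Sync-ViewRoleGroups -Roles $RoleMembers -Path $RoleOU
```

Run it on a schedule and review the Added/Removed columns; a non-empty Removed column on the Administrators group is exactly the kind of change the guide's RBAC recommendations are meant to surface.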


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright © 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW_11Q1_WP_SecHardeningGd_EN_P15

Summary

It is almost impossible to provide a single document with security hardening techniques that will just fit into your datacenter, private cloud, hybrid cloud or public cloud environment. Therefore, it is important that you know and understand the rules and regulations that affect your organization. As the majority of View components are based on Windows systems, the best practices for Windows system administration should be considered for hardening practices. A large portion of security comes down to authentication, authorization, accounting, and access control. In either physical or virtual environments, you want to know who is accessing your environment and what occurred during the access. You must take the necessary precautions and institute the necessary controls to ensure that only individuals who have authorization to have access can access the environment.

Contributors

This document was co-authored by Andre Leibovici, Mark Benson, Gargi Mitra Keeling and Robert Baesman. Key content was contributed and consolidated by Cynthia Hsieh, who is the technical marketing manager primarily responsible for the solution management and security related practices in the End User Computing Group at VMware.