7/23/2019 3496 VMW View SecSerHardening
VMware View Security Server Hardening Guide
WHITE PAPER
Table of Contents
VMware View Hardening Guide Introduction
  Scope
  Recommendation Level
  VMware View Security Server Overview
About this Guide
  Guideline Organization
  Guideline Templates
    Type A Parameter Setting
    Type B Component Configuration
    Type C Operational Patterns
VMware View Security Server
  View Security Server Host
  VMware View Security Server Deployment
  VMware View Security Server Configuration
Session Summary
VMware View Hardening Guide Introduction
Scope
This document provides guidance on how to securely deploy VMware View in a production environment. The
focus is on the initial configuration of VMware View and covers only the VMware View Security Server. The
virtual desktop operating system and applications are not covered in this guide and will be covered in the
subsequent document release.
Hardening guidelines for VMware vSphere and VMware vCenter used in VMware View deployments are
covered in a separate VMware vSphere 4.0 Hardening Guide.
Recommendation Level:
Guideline recommendation levels consist of a rating that corresponds to the operational environment in which
it is to be applied, from the lowest to highest security levels:
Enterprise: This includes most enterprise production environments. The recommendations are meant to
protect against most security attacks and provide protection of confidential information to the level required
by most major security and compliance standards.
DMZ: This includes environments that are particularly susceptible to targeted attacks. Examples include:
Internet-facing hosts, internal systems with highly confidential data, and so on. Note that, despite the name,
this level should not be restricted only to DMZ hosts; each organization should make its own determination as
to the applicability of this level.
Specialized Security Limited Functionality (SSLF): This represents specialized environments that have some
unique aspect that makes them especially vulnerable to sophisticated attacks. Recommendations at this level
might result in loss of functionality, and careful consideration must be used to determine the applicability of
these recommendations, including the possibility of using alternate compensating controls.
Unless otherwise specified, higher security levels include all recommendations from lower levels. For example,
a DMZ environment should implement all level Enterprise and DMZ recommendations, except when otherwise
specified (such as a parameter which should be set to one value at the Enterprise level, but a different value at
the DMZ level).
VMware View Security Server Overview
VMware View Security Server is recommended for DMZ deployments or environments with distinct networks.
It helps connect to a VMware View Connection Server (VCS) and handles the secure tunnel termination from
the VMware View Client installed at the endpoint device using packet-oriented AJPv13 and JMS communication
with the VMware Connection Server. VMware View Security Server ensures that only authenticated users gain
access from one network to another.
With the correct firewall rules in place, virtual desktop access is possible only for authenticated users. Only
authenticated users on an allowed protocol can access the datacenter. In addition, VMware View Security
Server ensures that users can access only those virtual desktop resources for which they are authorized or entitled.
A VMware View Security Server acts as an SSL offload, handling all HTTPS processing and all desktop protocol
traffic that would otherwise occur on the VMware View Connection Server.
For large deployment scalability and high availability (HA), you can refer to the
VMware View Architecture and Planning Guide:
http://communities.vmware.com/docs/DOC-12306
http://www.vmware.com/pdf/view45_architecture_planning.pdf
Figure 1: VMware View 4.5 Security Server Connection
With the introduction of VMware View with PCoIP, the VMware View Security Server now forwards the
encrypted PCoIP session to the authenticated or entitled desktop.
Figure 2: VMware View Security Server Connection with PCoIP support
About this Guide
Guideline Organization
All recommendations are annotated using a code that consists of three letters followed by a two-digit number
(starting with 01). The three-letter codes are as follows.
VSS: VMware View Security Server
VCS: VMware View Connection Server standard and replica instances
VTS: VMware View Transfer Server
Guideline Templates
The following templates are used to define the guidelines. Since a particular security issue might have
different recommendations for different operating environments, it is possible that one guideline might have
multiple recommendations. The templates below use shading to indicate which parts are common to all
recommendations, and which parts are unique.
Type A: Parameter Setting
Use this template type when the recommendation specifies a configuration parameter to set (or not set) in
specific products.
Examples:
VMware View Connection Server parameters such as authentication methods.
VMware View Security Server SSL settings.
PARAMETER ELEMENT: DESCRIPTION
Code: Code string.
Name: Short name of guideline.
Description: Description of the interface or feature that the parameter governs.
Threat: Description of the specific threat exposed by this feature. Include characterization of the vulnerability.
Recommendation level: Such as Enterprise, DMZ, SSLF.
Parameter setting: Parameter definitions, including recommended and not-recommended values. Indicate if there are preferred ways of setting the value, such as for a COS parameter, using the API instead of directly editing a configuration file.
Effect on functionality: If this setting is adopted, what possible effects does it have on functionality? Do some features stop working, is there information missing from a UI, or other effects?
Example:
PARAMETER ELEMENT: DESCRIPTION
Code: VCS01
Name: Configure a Connection Server session timeout.
Description: The Connection Server session timeout controls how long users can keep their session open after logging onto a Connection Server after which time they need to re-authenticate to the Connection Server. The default is 10 hours and is specified in minutes.
Threat: Having a very long session timeout can increase the risk of neglected session hijacking.
Recommendation level: Enterprise.
Parameter setting: This setting is defined through VMware View Administrator in VMware View Configuration Global Settings. It applies to all Connection Servers in a replicated group. The default value of 600 minutes is recommended.
Effect on functionality: After the session timeout has expired, a user connected to VMware View Connection Server will be logged off and will be required to log on again.
Type B: Component Configuration
Use this template type when the guideline recommends a certain configuration of components, either to
reduce risk or to provide a compensating control. Typically, these involve setting a parameter to a site-specific
value or installing components in a manner that satisfy appropriate constraints, and so there is no definitive
value to be checked against.
Examples:
Configure a time synchronization server.
Protect VMware View Security Servers with an external firewall.
CONFIGURATION ELEMENT: DESCRIPTION
Code: Code string.
Name: Short name of guideline.
Description: Description of the interface or feature that the parameter governs.
Risk or control: Description of the risk being mitigated, including characterization of the vulnerability if applicable.
Recommendation level: Such as Enterprise, DMZ, SSLF.
Parameter or objects configuration: All the parameters or objects involved, and how they should be configured.
Test: If this setting is adopted, what possible effects does it have on functionality? Do some features stop working, is there information missing from a UI, or other effect?
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS01
Name: Use a time synchronization server for VMware View Security Servers.
Description: Every VMware View Security Server should synchronize its time clock from a time synchronization server.
Risk or control: Having an incorrect time clock on a Security Server makes SSL server certificate validation periods inaccurate and log analysis difficult.
Recommendation level: Configure all VMware View Security Servers to use the same reliable external time synchronization server.
Parameter or objects configuration: Use the date and time setting on the Windows OS to specify the name of an external time synchronization server.
Test: Verify on each Security Server that the clock is accurate and that it is set to synchronize from an external time source.
Type C: Operational Patterns
This type of template should be used to describe recommendations for how to operate or interact with the
system administrative components.
Examples:
Use SSL server certificates signed by a certificate authority.
Use OCSP to manage certificate revocation when using smart card authentication.
CONFIGURATION ELEMENT: DESCRIPTION
Code: Code string.
Name: Short name of guideline.
Description: Description of the interface or feature that the parameter governs.
Risk or control: Description of the risk being mitigated, including characterization of vulnerability if applicable.
Recommendation level: Such as Enterprise, DMZ, SSLF.
Condition or steps: All the parameters or objects involved, and how they should be configured.
Test: Concise description of the specific conditions to meet or avoid, and/or the steps needed to achieve this.
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS02
Name: Do not use the default self-signed server certificates on a VMware View Security Server.
Description: When VMware View Security Server is first installed, the SSL server defaults to self-signed certificates. These should be replaced by SSL server certificates signed by a commercial certificate authority (CA) or an organizational CA.
Risk or control: The use of default certificates leaves the SSL connection more vulnerable to man-in-the-middle attacks. Changing the default certificates to trusted CA signed certificates mitigates the potential for this type of attack.
Recommendation level: Enterprise.
Test: Use a Web browser to make an HTTPS connection to the VMware View Security Server, using the capabilities within the browser to view the server SSL certificate. Verify that it is signed by the appropriate CA.
VMware View Security Server
View Security Server Host
View Security Server runs on Windows Server 2003 or Windows Server 2008. It is critical to protect this host
against normal operating system vulnerabilities and attacks.
The standard set of recommendations applies: install antivirus agents, spyware filters, intrusion detection
systems, and other security measures according to your organization's policies. Make sure to keep all security
measures up to date, including the application of operating system patches.
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS01
Name: Keep VMware View Security Server system properly patched.
Description: By staying up to date on Windows patches, vulnerabilities in the OS can be mitigated.
Risk or control: If an attacker can obtain access and elevate privileges on the VMware View Security Server system, they can take over the entire vSphere deployment.
Recommendation level: Enterprise.
Condition or steps: Employ a system to keep the VMware View Security Server system up to date with patches, in accordance with industry-standard guidelines, or internal guidelines where appropriate.
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS02
Name: Provide Windows system protection on the VMware View Security Server host.
Description: By providing OS-level protection, vulnerabilities in the OS can be mitigated. This protection includes antivirus, anti-malware, and other similar measures.
Risk or control: If an attacker can obtain access and elevate privileges on the VMware View Security Server system, they can then take over the entire vSphere deployment.
Recommendation level: Enterprise.
Condition or steps: Provide Windows system protection, such as antivirus, in accordance with industry-standard guidelines, or internal guidelines where appropriate.
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS03
Name: Restrict administrative Windows login.
Description: The number of administrators with rights to perform administrative login to a VMware View Security Server should be minimized and carefully controlled.
Risk or control: If an unauthorized administrator gains access to the Security Server then it is vulnerable to unauthorized modification.
Recommendation level: Enterprise.
Condition or steps: Create specific administrative login accounts for individuals and make those accounts a member of the local administrators group.
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS04
Name: Implement an administrative password policy.
Description: Set a password policy for all VMware View Security Servers. This should include minimum length, character types, and requirements to periodically change passwords.
Risk or control: If an unauthorized administrator gains access to the Security Server, then it is vulnerable to unauthorized modification.
Recommendation level: Enterprise.
Condition or steps: Set a password policy on each VMware View Security Server.
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS05
Name: Remove unnecessary network protocols.
Description: View Security Server only uses IPv4 communication. Other protocols, such as file and printer sharing for Microsoft Networks and Novell IPX, should be removed.
Risk or control: If unnecessary protocols are enabled, the VMware View Security Server can be more vulnerable to network attack.
Recommendation level: Enterprise.
Condition or steps: In the Control Panel on each VMware View Security Server, look at the properties of each network adapter and remove or uninstall protocols that are not required.
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS06
Name: Disable unnecessary Windows services.
Description: View Security Server only requires a small number of Windows services to be running. Security is enhanced when unnecessary services are disabled in Windows. This prevents them from automatically starting at boot time.
Risk or control: If unnecessary Windows services are running, the View Security Server can be more vulnerable to network attack.
Recommendation level: Enterprise.
Condition or steps: Ensure that no Server roles are enabled. Disable any Windows services that are not required. The following list shows Windows services on Server 2008 that are started by default and are not required. These should be disabled.
Windows Server 2008 R2 Standard:
Application Experience
Application Management
Certificate Propagation
Com+ Event System
DHCP Client
Distributed Link Tracking Client
Distributed Transaction Coordinator
Diagnostic Policy Service
IPsec Policy Agent
Print Spooler
System Event Notification
Windows Server 2003 Standard Edition:
Alerter
Application Management
ClipBook
Computer Browser
DHCP Client
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
File Replication
IPSEC Services
License Logging
Messenger
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Print Spooler
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Registry Service
Smart Card
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Telnet
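An audit of the Windows Server 2008 R2 list above, as an added example that is not part of the VMware guide. The function name and the sample rows are hypothetical; the service display names are copied from the list as printed, so verify them against the display names on your own host (the NoMatch finding flags entries that matched nothing).

```powershell
# Added example (not from the VMware guide): audit for guideline VSS06.
# Display names below are copied from the guide's Windows Server 2008 R2 list.
$NotRequired2008R2 = @(
    'Application Experience', 'Application Management', 'Certificate Propagation',
    'Com+ Event System', 'DHCP Client', 'Distributed Link Tracking Client',
    'Distributed Transaction Coordinator', 'Diagnostic Policy Service',
    'IPsec Policy Agent', 'Print Spooler', 'System Event Notification'
)

function Test-NotRequiredService {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [object[]] $Service,     # needs DisplayName, StartMode, State
        [Parameter(Mandatory = $true)] [string[]] $NotRequired  # display names from the guide
    )
    foreach ($name in $NotRequired) {
        # Case-insensitive prefix match, so a listed name still matches a display
        # name that carries a suffix such as "Service".
        $hits = @($Service | Where-Object {
            $_.DisplayName -and
            $_.DisplayName.StartsWith($name, [System.StringComparison]::OrdinalIgnoreCase)
        })
        if ($hits.Count -eq 0) {
            # Nothing matched: the service is absent, or the name needs checking on this host.
            New-Object PSObject -Property @{
                Listed = $name; DisplayName = $null; StartMode = $null; State = $null
                Finding = 'NoMatch'
            }
            continue
        }
        foreach ($svc in $hits) {
            if ($svc.StartMode -ne 'Disabled') { $finding = 'NotDisabled' }
            elseif ($svc.State -eq 'Running')  { $finding = 'DisabledButRunning' }
            else                               { $finding = 'OK' }
            New-Object PSObject -Property @{
                Listed = $name; DisplayName = $svc.DisplayName
                StartMode = $svc.StartMode; State = $svc.State; Finding = $finding
            }
        }
    }
}

# Constructed sample rows shaped like Win32_Service output (not real host data).
$sample = @(
    New-Object PSObject -Property @{ DisplayName = 'Print Spooler'; StartMode = 'Auto'; State = 'Running' }
    New-Object PSObject -Property @{ DisplayName = 'DHCP Client'; StartMode = 'Disabled'; State = 'Stopped' }
    New-Object PSObject -Property @{ DisplayName = 'System Event Notification Service'; StartMode = 'Disabled'; State = 'Running' }
)

# On a Security Server, replace $sample with: Get-WmiObject -Class Win32_Service
Test-NotRequiredService -Service $sample -NotRequired $NotRequired2008R2 |
    Where-Object { $_.Finding -ne 'OK' } |
    Select-Object Listed, DisplayName, StartMode, State, Finding |
    Format-Table -AutoSize
```

The Windows Server 2003 list can be passed through the same function as a second `-NotRequired` array.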
VMware View Security Server Deployment
View Security Servers are usually deployed in a DMZ to carefully control access from VMware View clients
accessing VMware View over a hostile network such as the Internet. In a DMZ it is important to control network
protocol access using a firewall.
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS07
Name: Use a time synchronization server for VMware Security Servers.
Description: Every VMware View Security Server should synchronize its time clocks from a time synchronization server.
Risk or control: An incorrect time clock on a Security Server makes SSL server certificate validation periods inaccurate and makes log analysis difficult.
Recommendation level: Configure all VMware View Security Servers to use the same reliable external time synchronization server.
Parameter or objects configuration: Use the date and time setting on the Windows OS to specify the name of an external time synchronization server.
Test: Verify on each Security Server that the clock is accurate and that it is set to synchronize from an external time source.
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS08
Name: Use an external firewall in the DMZ to control network access.
Description: VMware View Security Servers are normally deployed in a DMZ. It is important to carefully control which protocols and network ports are allowed so that communication with VMware View Security Server is restricted to the minimum required. VMware View Security Server automatically handles TCP forwarding to virtual desktops within a datacenter and ensures that all forwarded traffic is only on behalf of authenticated users.
Risk or control: Allowing unnecessary protocols and ports can result in a greater possibility of attack by a malicious user. This is particularly true of protocols and ports for network communication from the Internet.
Recommendation level: Configure a firewall on either side of a VMware View Security Server to restrict protocols and network ports to the minimum set required between VMware View clients and the VMware View Security Server. Similarly, for communication between the VMware View Security Server and the datacenter, limit the protocols and network ports from the VMware View Security Server.
  To limit the scope of frame broadcasts, VMware View Security Servers should be deployed on an isolated network. This topology can help prevent a malicious user on the internal network from monitoring communication between the security servers and VMware View Connection Server instances.
  You may want to use advanced security features on your network switch to prevent malicious monitoring of VMware View Security Server communication with VMware View Connection Servers, and to guard against monitoring attacks such as ARP Cache Poisoning. See the administration documentation for your networking equipment for more information.
Parameter or objects configuration: Refer to the VMware View Administration guide for a description of the firewall rules that are needed for a VMware View DMZ deployment.
  It is important that network access from the Internet to a VMware View Security Server is not allowed until the server is hardened.
Test: Use a port scanner or similar to verify that the firewalls allow only the minimum of communication as required.
VMware View Security Server Configuration
CONFIGURATION ELEMENT: DESCRIPTION
Code: VSS09
Name: Do not use the default self-signed server certificates on a VMware View Security Server.
Description: When VMware View Security Server is first installed, the SSL server defaults to self-signed certificates. These should be replaced by SSL server certificates signed by a commercial Certificate Authority (CA) or an organizational CA.
Risk or control: The use of default certificates leaves the SSL connection more vulnerable to man-in-the-middle attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for these attacks.
Recommendation level: Enterprise.
Condition or steps: Information on how to replace VMware View Security Server SSL certificates can be found in the VMware View Administration Guide.
Test: Use a Web browser to make an HTTPS connection to the VMware View Security Server and use the capabilities within the browser to view the server SSL certificate. Verify that it is signed by the appropriate CA.
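A scripted form of the VSS09 test, as an added example that is not part of the VMware guide: it checks whether a server certificate is self-issued, whether it chains to a CA the local machine trusts, and whether the issuer is the one you expect. The function names, host name and issuer name are hypothetical placeholders; the sample certificate is constructed in the script and needs .NET Framework 4.7.2 or later (or PowerShell 7), so run it from an administrative workstation.

```powershell
# Added example (not from the VMware guide): scripted form of the VSS09 test.
function Get-RemoteCertificate {     # hypothetical helper name
    param([Parameter(Mandatory = $true)] [string] $HostName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here so an untrusted one can still be retrieved
        # for inspection; the trust decision is made in Test-ServerCertificate.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-ServerCertificate {    # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $ExpectedIssuer     # issuer DN of the CA you expect; empty skips this check
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation lookups are skipped so the check also works without network access.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Issuer        = $Certificate.Issuer
        # Subject equal to issuer is the mark of a self-signed certificate.
        SelfIssued    = ($Certificate.Subject -eq $Certificate.Issuer)
        ChainTrusted  = $trusted
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        IssuerMatches = (-not $ExpectedIssuer) -or ($Certificate.Issuer -eq $ExpectedIssuer)
        # Depends on an accurate local clock, which is why the guide asks for time sync.
        InValidity    = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
    }
}

# Constructed sample: a throwaway self-signed certificate standing in for an
# installer default, so the check can be tried without contacting a server.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=constructed-default.example', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))

# 'CN=Example Org Issuing CA' is a placeholder for your own CA's issuer DN.
Test-ServerCertificate -Certificate $sample -ExpectedIssuer 'CN=Example Org Issuing CA' |
    Format-List Subject, Issuer, SelfIssued, ChainTrusted, ChainStatus, IssuerMatches, InValidity

# Against a live Security Server (placeholder host name):
# Test-ServerCertificate -Certificate (Get-RemoteCertificate -HostName 'view-ss.example.com') `
#     -ExpectedIssuer 'CN=Example Org Issuing CA'
```

A correctly replaced certificate should report SelfIssued as False and both ChainTrusted and IssuerMatches as True.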
Session Summary
To recap, the most common components in a VMware View architecture are listed below; however, some
organizations will also have load balancers, identity management, self-service password systems, GINA chaining
components, VPN, and other components and devices. These components should be hardened according to your
organization's best practices.
VMware View Client (Windows Workstation) / Thin Client
VMware View Security Servers
VMware View Connection Servers
VMware vCenter Server and VMware ESX Servers
Windows Guest OS
[Figure: deployment diagram with the labels View Client, HTTPS traffic, Firewall, Fault tolerant load balancing mechanism, View Security Server, DMZ, Internal Network, View Connection Server, Active Directory, VMware vCenter, VMware ESX Servers]
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be
VMware View Security Server provides the following benefits for VMware View environments:
A hardened security deployment in the DMZ, including Federal
Information Processing Standards (FIPS) and Common Criteria solutions
A single platform for all access methods
A complete range of authentication methods: RSA tokens, certificates, LDAP, etc.
SSO capability
Support for PCoIP protocol and RDP
Wide range of supported platforms
Endpoint security scanning and validation
Detailed administrative and user logging
Integrated high availability
It can be configured as a standalone security virtual desktop access point or with other network load balancers.
VMware Security Servers play a critical role in your DMZ. Improperly configured, they can expose a Windows attack
surface to the external world. Make sure all hardening guidelines are strictly followed and that the virtual or physical
Windows systems are not in the same domain as the DMZ. All recommendations from this document will apply to
the VMware View Security Servers. If possible, utilize additional VMware vSphere infrastructure products, such as
VMware vShield, to support your DMZ instead of just creating or virtualizing multiple vSwitches. The reason is
that, despite the creation of multiple vSwitches in a single host, virtual switching executes in a single kernel process.
There are many global security settings related to the overall VDI solution that you may need to consider, but that
are outside the scope of this document, such as:
Authentication method.
Security server or VPN for remote access.
Firewall requirements and rules.
Set up administrative role-based access controls (RBACs).
Limit root administrator role to small number of individuals.
Work with more restrictive built-in roles whenever possible.
Use custom roles for specific needs.
In general, you should minimize allowable ports and services available beyond the necessary ports required for
display protocol (such as PCoIP), and follow the strictest firewall practices to harden your deployment. For large
deployments, you should consider organizing resource pools into folders, then delegating administrative roles to
the folders by geographic location, business unit, function, compliance, and so on.
IT security and protection evolves rapidly to address constantly changing threats. We recommend that you stay as
up-to-date as possible in best practices to maintain system availability and maximize data protection.
If you have comments and would like to contribute, please send an email to desktop-tm@vmware.com.