
VMware View Security Server Hardening Guide

WHITE PAPER

Table of Contents

VMware View Hardening Guide Introduction
  Scope
  Recommendation Level
  VMware View Security Server Overview
About this Guide
  Guideline Organization
  Guideline Templates
    Type A: Parameter Setting
    Type B: Component Configuration
    Type C: Operational Patterns
VMware View Security Server
  View Security Server Host
  VMware View Security Server Deployment
  VMware View Security Server Configuration
Session Summary


VMware View Hardening Guide Introduction


Scope
This document provides guidance on how to securely deploy VMware View in a production environment. The
focus is on the initial configuration of VMware View and covers only the VMware View Security Server. The
virtual desktop operating system and applications are not covered in this guide; they will be addressed in a
subsequent release of this document.
Hardening guidelines for the VMware vSphere and VMware vCenter components used in VMware View deployments
are covered in the separate VMware vSphere 4.0 Hardening Guide.

Recommendation Level
Each guideline carries a recommendation level that corresponds to the operational environment in which it is
to be applied, from the lowest to the highest security level:
Enterprise: This includes most enterprise production environments. The recommendations are meant to
protect against most security attacks and to protect confidential information to the level required by most
major security and compliance standards.
DMZ: This includes environments that are particularly susceptible to targeted attacks. Examples include
Internet-facing hosts, internal systems with highly confidential data, and so on. Note that, despite the name,
this level should not be restricted to DMZ hosts; each organization should make its own determination as to
the applicability of this level.
Specialized Security Limited Functionality (SSLF): This represents specialized environments that have some
unique aspect that makes them especially vulnerable to sophisticated attacks. Recommendations at this level
might result in loss of functionality, and careful consideration is needed to determine the applicability of
these recommendations, including the possibility of using alternate compensating controls.
Unless otherwise specified, higher security levels include all recommendations from lower levels. For example,
a DMZ environment should implement all Enterprise and DMZ recommendations, except where otherwise
specified (such as a parameter that should be set to one value at the Enterprise level but a different value at
the DMZ level).

VMware View Security Server Overview


VMware View Security Server is recommended for DMZ deployments or environments with distinct networks.
It sits in front of a VMware View Connection Server (VCS) and terminates the secure tunnel from the VMware
View Client installed on the endpoint device; it communicates with the Connection Server using the
packet-oriented AJPv13 protocol and JMS. VMware View Security Server ensures that only authenticated users
gain access from one network to the other.
With the correct firewall rules in place, virtual desktop access is possible only for authenticated users, and
only over the allowed protocols. In addition, VMware View Security Server ensures that users can reach only
those virtual desktop resources for which they are authorized or entitled.
A VMware View Security Server also acts as an SSL offload point, handling all HTTPS processing and all desktop
protocol traffic that would otherwise be handled by the VMware View Connection Server.
For large-deployment scalability and high availability (HA), refer to the VMware View Architecture and
Planning Guide.


Figure 1: VMware View 4.5 Security Server Connection

With the introduction of PCoIP support in VMware View, the VMware View Security Server now also forwards the
encrypted PCoIP session to the desktop to which the authenticated user is entitled.

Figure 2: VMware View Security Server Connection with PCoIP support


About this Guide


Guideline Organization
All recommendations are annotated using a code that consists of three letters followed by a two-digit number
(starting with 01). The three-letter codes are as follows.
VSS: VMware View Security Server
VCS: VMware View Connection Server standard and replica instances
VTS: VMware View Transfer Server

Guideline Templates
The following templates are used to define the guidelines. Since a particular security issue might have
different recommendations for different operating environments, it is possible that one guideline might have
multiple recommendations. The templates below use shading to indicate which parts are common to all
recommendations, and which parts are unique.

Type A: Parameter Setting


Use this template type when the recommendation specifies a configuration parameter to set (or not set) in
specific products.
Examples:
VMware View Connection Server parameters such as authentication methods.
VMware View Security Server SSL settings.

Code: Code string.
Name: Short name of guideline.
Description: Description of the interface or feature that the parameter governs.
Threat: Description of the specific threat exposed by this feature, including a characterization of the
vulnerability.
Recommendation level: Enterprise, DMZ or SSLF.
Parameter setting: Parameter definitions, including recommended and not-recommended values. Indicate
whether there is a preferred way of setting the value (for example, through the product's administrative
interface or API rather than by directly editing a configuration file).
Effect on functionality: If this setting is adopted, what possible effects does it have on functionality? Do
some features stop working, is information missing from a UI, or are there other effects?


Example:

Code: VCS01
Name: Configure a Connection Server session timeout.
Description: The Connection Server session timeout controls how long users can keep a session open after
logging on to a Connection Server before they must re-authenticate to it. The default is 10 hours, and the
value is specified in minutes.
Threat: A very long session timeout increases the risk that an unattended session is hijacked.
Recommendation level: Enterprise.
Parameter setting: This setting is defined through VMware View Administrator, under View Configuration,
Global Settings. It applies to all Connection Servers in a replicated group. The default value of 600 minutes
is recommended.
Effect on functionality: After the session timeout has expired, a user connected to a VMware View Connection
Server is logged off and must log on again.

Type B: Component Configuration

Use this template type when the guideline recommends a certain configuration of components, either to
reduce risk or to provide a compensating control. Typically these involve setting a parameter to a site-specific
value or installing components in a manner that satisfies appropriate constraints, so there is no single
definitive value to check against.
Examples:
Configure a time synchronization server.
Protect VMware View Security Servers with an external firewall.

Code: Code string.
Name: Short name of guideline.
Description: Description of the interface or feature that the configuration governs.
Risk or control: Description of the risk being mitigated, including a characterization of the vulnerability if
applicable.
Recommendation level: Enterprise, DMZ or SSLF.
Parameter or objects configuration: All the parameters or objects involved, and how they should be
configured.
Test: How to verify that the configuration is in place and effective.


Example:

Code: VSS07
Name: Use a time synchronization server for VMware View Security Servers.
Description: Every VMware View Security Server should synchronize its clock from a time synchronization
server.
Risk or control: An incorrect clock on a Security Server makes SSL server certificate validity periods
unreliable and log analysis difficult.
Recommendation level: Enterprise.
Parameter or objects configuration: Configure all VMware View Security Servers to use the same reliable
external time synchronization server. Use the date and time settings of the Windows OS to specify the name
of the external time server.
Test: Verify on each Security Server that the clock is accurate and that it is set to synchronize from the
external time source.

Type C: Operational Patterns

Use this template type to describe recommendations for how to operate or interact with the system's
administrative components.
Examples:
Use SSL server certificates signed by a certificate authority.
Use OCSP to manage certificate revocation when using smart card authentication.

Code: Code string.
Name: Short name of guideline.
Description: Description of the interface or feature that the guideline governs.
Risk or control: Description of the risk being mitigated, including a characterization of the vulnerability if
applicable.
Recommendation level: Enterprise, DMZ or SSLF.
Condition or steps: Concise description of the specific conditions to meet or avoid, and/or the steps needed
to achieve them.
Test: How to verify that the condition has been met.


Example:

Code: VSS09
Name: Do not use the default self-signed server certificate on a VMware View Security Server.
Description: When VMware View Security Server is first installed, the SSL server defaults to a self-signed
certificate. It should be replaced by an SSL server certificate signed by a commercial certificate authority (CA)
or an organizational CA.
Risk or control: Clients have no way to distinguish the default self-signed certificate from one presented by
an attacker, so users learn to accept certificate warnings and the SSL connection is left more vulnerable to
man-in-the-middle attacks. Replacing the default certificate with one signed by a CA that clients trust
mitigates this type of attack.
Recommendation level: Enterprise.
Test: Use a Web browser to make an HTTPS connection to the VMware View Security Server and use the
browser's capabilities to view the server SSL certificate. Verify that it is signed by the appropriate CA.


VMware View Security Server

View Security Server Host

View Security Server runs on Windows Server 2003 or Windows Server 2008. It is critical to protect this host
against ordinary operating system vulnerabilities and attacks.
The standard set of recommendations applies: install antivirus agents, spyware filters, intrusion detection
systems, and other security measures according to your organization's policies. Keep all security measures
up to date, including the application of operating system patches.

Code: VSS01
Name: Keep the VMware View Security Server system properly patched.
Description: By staying up to date on Windows patches, vulnerabilities in the OS can be mitigated.
Risk or control: If an attacker can obtain access and elevate privileges on the VMware View Security Server,
this Internet-facing host becomes a foothold from which to attack the View Connection Servers and the
vSphere infrastructure behind them.
Recommendation level: Enterprise.
Condition or steps: Employ a system to keep the VMware View Security Server up to date with patches, in
accordance with industry-standard guidelines, or internal guidelines where appropriate.

Code: VSS02
Name: Provide Windows system protection on the VMware View Security Server host.
Description: By providing OS-level protection, vulnerabilities in the OS can be mitigated. This protection
includes antivirus, anti-malware, and similar measures.
Risk or control: If an attacker can obtain access and elevate privileges on the VMware View Security Server,
this Internet-facing host becomes a foothold from which to attack the View Connection Servers and the
vSphere infrastructure behind them.
Recommendation level: Enterprise.
Condition or steps: Provide Windows system protection, such as antivirus, in accordance with
industry-standard guidelines, or internal guidelines where appropriate.


Code: VSS03
Name: Restrict administrative Windows login.
Description: The number of administrators with rights to log on administratively to a VMware View Security
Server should be minimized and carefully controlled.
Risk or control: If an unauthorized administrator gains access to the Security Server, it is vulnerable to
unauthorized modification.
Recommendation level: Enterprise.
Condition or steps: Create individual administrative login accounts for each administrator and make those
accounts members of the local Administrators group, rather than sharing the built-in Administrator account.

Code: VSS04
Name: Implement an administrative password policy.
Description: Set a password policy for all VMware View Security Servers. This should include minimum length,
required character types, and a requirement to change passwords periodically.
Risk or control: If an unauthorized administrator gains access to the Security Server, it is vulnerable to
unauthorized modification.
Recommendation level: Enterprise.
Condition or steps: Set a password policy on each VMware View Security Server.
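The following PowerShell script is an added example and is not part of the original guide. It audits VSS03 and VSS04 on a Security Server from an elevated session: it lists the members of the local Administrators group, warns if the built-in Administrator account is still enabled or if a nested group grants administrative rights indirectly, and compares the effective password policy exported by secedit against a set of thresholds. The thresholds (14-character minimum, 90-day maximum age, 24-password history, 5-attempt lockout) and the limit of five administrators are this example's assumptions, not values from the guide; substitute your organization's standard. The script changes nothing.

```powershell
# Added example, not from the VMware guide. Read-only audit for VSS03/VSS04.
# Requires PowerShell 2.0 (built into Windows Server 2008 R2; installable on
# 2003/2008) and an elevated session on the Security Server.

function Get-LocalAdministrators {
    # Enumerate the local Administrators group through the ADSI WinNT provider.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Name  = $path -replace '^WinNT://', ''   # e.g. DOMAIN/jsmith or HOST/Administrator
            Class = $class                           # 'User' or 'Group'
        }
    }
}

function Get-PasswordPolicy {
    # Export the effective local security policy and read the [System Access]
    # keys that define the password/lockout policy (key names as secedit writes them).
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $policy = @{}
    Get-Content $inf | ForEach-Object {
        if ($_ -match '^(MinimumPasswordLength|MaximumPasswordAge|MinimumPasswordAge|PasswordComplexity|PasswordHistorySize|LockoutBadCount)\s*=\s*(-?\d+)') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $policy
}

# Thresholds: this example's assumptions, not values taken from the guide.
$MinLength = 14; $MaxAgeDays = 90; $History = 24; $LockoutAttempts = 5; $MaxAdmins = 5

# --- VSS03: who can log on as an administrator? ---
$admins = @(Get-LocalAdministrators)
"Members of local Administrators on $($env:COMPUTERNAME):"
$admins | Format-Table Name, Class -AutoSize

try {
    $builtin = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
    if (-not ($builtin.UserFlags.Value -band 0x2)) {      # ADS_UF_ACCOUNTDISABLE = 0x2
        Write-Warning 'VSS03: built-in Administrator is enabled; disable it and use named per-person accounts.'
    }
} catch {
    'VSS03: no account named Administrator found (renamed); check the renamed account is disabled.'
}
$admins | Where-Object { $_.Class -eq 'Group' } | ForEach-Object {
    Write-Warning "VSS03: nested group '$($_.Name)' grants admin rights indirectly; review its membership."
}
if ($admins.Count -gt $MaxAdmins) {
    Write-Warning "VSS03: $($admins.Count) accounts hold local admin rights; reduce to the minimum."
}

# --- VSS04: is a password policy actually in force? ---
$p = Get-PasswordPolicy
if ($p.MinimumPasswordLength -lt $MinLength) { Write-Warning "VSS04: MinimumPasswordLength=$($p.MinimumPasswordLength), want >= $MinLength" }
if ($p.PasswordComplexity -ne 1)             { Write-Warning 'VSS04: PasswordComplexity is off' }
if ($p.MaximumPasswordAge -lt 1 -or $p.MaximumPasswordAge -gt $MaxAgeDays) {
    Write-Warning "VSS04: MaximumPasswordAge=$($p.MaximumPasswordAge) (-1 = never expires), want 1..$MaxAgeDays"
}
if ($p.PasswordHistorySize -lt $History)     { Write-Warning "VSS04: PasswordHistorySize=$($p.PasswordHistorySize), want >= $History" }
if ($p.LockoutBadCount -eq 0 -or $p.LockoutBadCount -gt $LockoutAttempts) {
    Write-Warning "VSS04: LockoutBadCount=$($p.LockoutBadCount) (0 = no lockout), want 1..$LockoutAttempts"
}
```

Because a DMZ Security Server is normally not joined to the internal domain, the local policy exported by secedit is the policy that actually applies to its administrative accounts; on a domain-joined host the domain policy would take precedence and the check would have to be run against the domain instead.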

Code: VSS05
Name: Remove unnecessary network protocols.
Description: View Security Server uses only IPv4 communication. Other protocols and services, such as File and
Printer Sharing for Microsoft Networks and Novell IPX, should be removed.
Risk or control: If unnecessary protocols are enabled, the VMware View Security Server can be more vulnerable
to network attack.
Recommendation level: Enterprise.
Condition or steps: In Control Panel on each VMware View Security Server, open the properties of each network
adapter and uninstall or unbind the protocols and services that are not required.


Code: VSS06
Name: Disable unnecessary Windows services.
Description: View Security Server requires only a small number of Windows services to be running. Security is
enhanced when unnecessary services are disabled in Windows, which prevents them from starting automatically
at boot time.
Risk or control: If unnecessary Windows services are running, the View Security Server can be more vulnerable
to network attack.
Recommendation level: Enterprise.
Condition or steps: Ensure that no server roles are enabled. Disable any Windows services that are not
required. The following lists show Windows services that are started by default on a standard installation
and are not required by View Security Server; these should be disabled. Disable DHCP Client only if the server
uses a static IP address, and validate the list on a test system first, since other software installed on the
host may depend on some of these services.

Windows Server 2008 R2 Standard:
Application Experience
Application Management
Certificate Propagation
COM+ Event System
DHCP Client
Distributed Link Tracking Client
Distributed Transaction Coordinator
Diagnostic Policy Service
IPsec Policy Agent
Print Spooler
System Event Notification

Windows Server 2003 Standard Edition:
Alerter
Application Management
ClipBook
Computer Browser
DHCP Client
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
File Replication
IPSEC Services
License Logging
Messenger
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Print Spooler
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Registry Service
Smart Card
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Telnet
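The PowerShell function below is an added example, not part of the original guide. It applies the two VSS06 lists above to the local host, choosing the list that matches the installed Windows version, and is meant to be run first with -ReportOnly, which only shows which listed services exist and whether they are running, and then without the switch to stop and disable them. It refuses to touch DHCP Client while any adapter still obtains its address by DHCP, and it names any running dependent services before stopping a service, since Stop-Service -Force takes those down too. The function name is this example's own.

```powershell
# Added example, not from the VMware guide. Applies the VSS06 service list.
# Run elevated with PowerShell 2.0. -ReportOnly changes nothing.

function Disable-UnneededViewServices {
    param([switch]$ReportOnly)

    # Display names exactly as they appear in the guide's VSS06 lists.
    $list2008 = 'Application Experience', 'Application Management', 'Certificate Propagation',
                'COM+ Event System', 'DHCP Client', 'Distributed Link Tracking Client',
                'Distributed Transaction Coordinator', 'Diagnostic Policy Service',
                'IPsec Policy Agent', 'Print Spooler', 'System Event Notification'
    $list2003 = 'Alerter', 'Application Management', 'ClipBook', 'Computer Browser', 'DHCP Client',
                'Distributed Link Tracking Client', 'Distributed Link Tracking Server',
                'Distributed Transaction Coordinator', 'File Replication', 'IPSEC Services',
                'License Logging', 'Messenger', 'NetMeeting Remote Desktop Sharing', 'Network DDE',
                'Network DDE DSDM', 'Print Spooler', 'Remote Access Auto Connection Manager',
                'Remote Access Connection Manager', 'Remote Registry Service', 'Smart Card',
                'Task Scheduler', 'TCP/IP NetBIOS Helper', 'Telephony', 'Telnet'

    $os = (Get-WmiObject Win32_OperatingSystem).Caption
    $names = if ($os -match '2008') { $list2008 }
             elseif ($os -match '2003') { $list2003 }
             else { throw "Unsupported OS for this list: $os" }

    # Guard rail: DHCP Client may only be disabled once every adapter has a static address.
    $dhcpAdapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE AND DHCPEnabled=TRUE'
    if ($dhcpAdapters) {
        Write-Warning 'An adapter still uses DHCP; leaving "DHCP Client" alone. Assign a static address first.'
        $names = $names | Where-Object { $_ -ne 'DHCP Client' }
    }

    foreach ($displayName in $names) {
        $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
        if (-not $svc) { "{0,-40} not installed" -f $displayName; continue }
        $startMode = (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").StartMode
        if ($ReportOnly) {
            "{0,-40} {1,-8} startup={2}" -f $displayName, $svc.Status, $startMode
            continue
        }
        # Stopping a service also stops whatever depends on it; say so before doing it.
        $running = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
        if ($running.Count -gt 0) {
            Write-Warning "$displayName has running dependents: $(($running | ForEach-Object { $_.DisplayName }) -join ', ')"
        }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force -ErrorAction Stop }
        Set-Service -Name $svc.Name -StartupType Disabled
        "{0,-40} stopped and disabled" -f $displayName
    }
}

Disable-UnneededViewServices -ReportOnly   # review first
# Disable-UnneededViewServices             # then apply
```

Re-run the function with -ReportOnly after a reboot: a service that shows startup=Disabled but Status=Running has been started by something else on the host and is worth investigating.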


VMware View Security Server Deployment


View Security Servers are usually deployed in a DMZ to control access from VMware View clients that connect
over a hostile network such as the Internet. In a DMZ it is essential to control network protocol access with a
firewall.
Code: VSS07
Name: Use a time synchronization server for VMware View Security Servers.
Description: Every VMware View Security Server should synchronize its clock from a time synchronization
server.
Risk or control: An incorrect clock on a Security Server makes SSL server certificate validity periods
unreliable and log analysis difficult.
Recommendation level: Enterprise.
Parameter or objects configuration: Configure all VMware View Security Servers to use the same reliable
external time synchronization server. Use the date and time settings of the Windows OS to specify the name
of the external time server.
Test: Verify on each Security Server that the clock is accurate and that it is set to synchronize from the
external time source.
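As an added example (not from the original guide), the same configuration and test can be done from an elevated PowerShell prompt with the built-in w32tm tool, which is what the Windows date and time dialog drives underneath. The host name ntp.example.com is a placeholder for your organization's time source. The verification step uses w32tm /query, which exists on Windows Server 2008 and later; on Windows Server 2003 use net time /querysntp and w32tm /monitor instead.

```powershell
# Added example, not from the VMware guide. Configures and verifies VSS07.
# 'ntp.example.com' is a placeholder. Run elevated on the Security Server.

$peer = 'ntp.example.com'

# A standalone (non-domain) server starts W32Time manually and lets it stop;
# make it a permanent service before configuring it.
Set-Service -Name w32time -StartupType Automatic

# Point the Windows Time service at the external source. ",0x8" makes W32Time
# poll the peer in client mode; /syncfromflags:manual ignores any domain
# hierarchy (a DMZ Security Server is normally not domain-joined anyway).
w32tm /config /manualpeerlist:"$peer,0x8" /syncfromflags:manual /reliable:NO /update
Restart-Service -Name w32time
w32tm /resync /rediscover | Out-Null

# Measure the offset against the peer directly (3 samples, data only),
# independently of what the local service believes.
w32tm /stripchart /computer:$peer /samples:3 /dataonly

# Verify that the service is actually using the peer rather than its own clock.
$source   = (w32tm /query /source | Out-String).Trim()
$lastSync = (w32tm /query /status | Select-String 'Last Successful Sync Time') -replace '^.*?:\s*', ''
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning "VSS07: not synchronizing from an external source (current source: $source)"
} else {
    "VSS07: time source $source, last successful sync $lastSync"
}
```

The external firewall (VSS08) must allow UDP port 123 from the Security Server to the chosen time source, or the service silently falls back to the local clock; the final check above is what catches that.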

Code: VSS08
Name: Use an external firewall in the DMZ to control network access.
Description: VMware View Security Servers are normally deployed in a DMZ. It is important to carefully control
which protocols and network ports are allowed so that communication with the VMware View Security Server is
restricted to the minimum required. VMware View Security Server automatically handles TCP forwarding to
virtual desktops within the datacenter and ensures that all forwarded traffic is only on behalf of authenticated
users.
Risk or control: Allowing unnecessary protocols and ports increases the opportunity for attack by a malicious
user. This is particularly true of protocols and ports reachable from the Internet.
Recommendation level: Enterprise.
Parameter or objects configuration: Configure a firewall on either side of a VMware View Security Server to
restrict protocols and network ports to the minimum set required between VMware View clients and the
Security Server. Similarly, for communication between the Security Server and the datacenter, limit the
protocols and network ports allowed from the Security Server. Refer to the VMware View Administration Guide
for a description of the firewall rules needed for a VMware View DMZ deployment.
To limit the scope of frame broadcasts, VMware View Security Servers should be deployed on an isolated
network. This topology helps prevent a malicious user on the internal network from monitoring communication
between the Security Servers and the VMware View Connection Server instances.
You may also want to use the security features of your network switches to prevent malicious monitoring of
Security Server communication with the Connection Servers and to guard against monitoring attacks such as
ARP cache poisoning. See the administration documentation for your networking equipment for more
information.
Do not allow network access from the Internet to a VMware View Security Server until the server has been
hardened.
Test: Use a port scanner or similar tool to verify that the firewalls allow only the minimum communication
required.
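The following PowerShell functions are an added example, not part of the original guide, and stand in for the port scanner the test calls for when no dedicated tool is at hand. Run from a host on the Internet side against the Security Server's public name, they attempt a TCP connection to each port in an expectation table and report whether the observed state (open, closed by RST, or filtered by a dropping firewall) matches what the table says it should be. The host name view.example.com and the table itself are this example's assumptions: TCP 443 is the HTTPS tunnel the guide describes, TCP 4172 is the PCoIP Secure Gateway port from the View documentation and applies only when PCoIP is tunnelled through the Security Server, and the remaining ports are Windows services and RDP that should never be reachable from the Internet. The same functions, with the port list from the View Administration Guide, can be run from the Security Server toward the Connection Server to check the inner firewall. TCP only: UDP traffic such as PCoIP still needs a real scanner.

```powershell
# Added example, not from the VMware guide. Connect-level port check for VSS08.
# Host name and expectation table are assumptions; adjust to your deployment.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered'                       # no answer at all: a firewall is dropping
        }
        $client.EndConnect($ar)
        return 'open'                               # TCP handshake completed
    } catch [System.Net.Sockets.SocketException] {
        return 'closed'                             # RST: reachable but nothing listening, or firewall rejects
    } finally {
        $client.Close()
    }
}

function Test-SecurityServerExposure {
    param([string]$ComputerName, [hashtable]$Expected)
    foreach ($port in ($Expected.Keys | Sort-Object)) {
        $state = Test-TcpPort -ComputerName $ComputerName -Port $port
        $want  = $Expected[$port]
        # 'blocked' is satisfied by either 'closed' or 'filtered'; only 'open' is a finding.
        $ok = ($want -eq 'open' -and $state -eq 'open') -or ($want -eq 'blocked' -and $state -ne 'open')
        New-Object PSObject -Property @{
            Port = $port; Expected = $want; Observed = $state
            Result = $(if ($ok) { 'OK' } else { 'MISMATCH' })
        }
    }
}

# Internet-side expectation for a Security Server (this example's assumption).
$expected = @{
    443  = 'open'      # HTTPS tunnel from View Clients
    4172 = 'open'      # PCoIP Secure Gateway (TCP side); 'blocked' if PCoIP is not tunnelled
    80   = 'blocked'   # allow only if you rely on the HTTP-to-HTTPS redirect
    135  = 'blocked'   # RPC endpoint mapper
    139  = 'blocked'   # NetBIOS session
    445  = 'blocked'   # SMB
    3389 = 'blocked'   # RDP to the DMZ host itself
}

Test-SecurityServerExposure -ComputerName 'view.example.com' -Expected $expected |
    Format-Table Port, Expected, Observed, Result -AutoSize
```

A MISMATCH on an 'open' row usually means the firewall rule is missing or the Security Server service is down; a MISMATCH on a 'blocked' row means the firewall is passing traffic the deployment does not need and should be fixed before the server is exposed.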

VMware View Security Server Configuration

Code: VSS09
Name: Do not use the default self-signed server certificate on a VMware View Security Server.
Description: When VMware View Security Server is first installed, the SSL server defaults to a self-signed
certificate. It should be replaced by an SSL server certificate signed by a commercial Certificate Authority (CA)
or an organizational CA.
Risk or control: Clients have no way to distinguish the default self-signed certificate from one presented by
an attacker, so users learn to accept certificate warnings and the SSL connection is left more vulnerable to
man-in-the-middle attacks. Replacing the default certificate with one signed by a CA that clients trust
mitigates these attacks.
Recommendation level: Enterprise.
Condition or steps: Information on how to replace the VMware View Security Server SSL certificate can be
found in the VMware View Administration Guide.
Test: Use a Web browser to make an HTTPS connection to the VMware View Security Server and use the
browser's capabilities to view the server SSL certificate. Verify that it is signed by the appropriate CA.
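The PowerShell script below is an added example, not part of the original guide, and automates the VSS09 test so it can be run against every Security Server after each certificate change. It opens a TLS connection with .NET's SslStream exactly as a client would, captures the certificate the server presents together with the result of the platform's own chain validation, and then flags the properties that make the installation default dangerous: a self-signed certificate (issuer equals subject), a chain that does not end in a CA trusted by the testing machine, a subject name that does not match the name clients connect to, an expired certificate, and a short RSA key. The host name view.example.com and the function names are this example's assumptions; the 2048-bit key threshold is the example's, not the guide's.

```powershell
# Added example, not from the VMware guide. Checks the certificate a View
# Client would see (VSS09). 'view.example.com' is a placeholder.

function Get-ViewServerCertificate {
    param([string]$ComputerName, [int]$Port = 443)
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    # Accept whatever the server presents so we can inspect it, but remember
    # what the platform's own validation concluded about it.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($ComputerName)   # sends SNI/host name so name checks are meaningful
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }
    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        KeyBits      = $cert.PublicKey.Key.KeySize
        SigAlg       = $cert.SignatureAlgorithm.FriendlyName
        Thumbprint   = $cert.Thumbprint
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        PolicyErrors = $script:policyErrors
    }
}

function Test-ViewServerCertificate {
    param([string]$ComputerName, [int]$Port = 443, [int]$MinKeyBits = 2048)
    $c = Get-ViewServerCertificate -ComputerName $ComputerName -Port $Port
    $c | Format-List Subject, Issuer, NotAfter, KeyBits, SigAlg, Thumbprint
    $findings = @()
    if ($c.SelfSigned) { $findings += 'self-signed (issuer equals subject): this is the installation default' }
    if ($c.PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
        $findings += 'chain does not end in a CA this machine trusts'
    }
    if ($c.PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
        $findings += "subject name does not match the name clients use ($ComputerName)"
    }
    if ($c.NotAfter -lt (Get-Date))   { $findings += "expired on $($c.NotAfter)" }
    if ($c.KeyBits -lt $MinKeyBits)   { $findings += "RSA key is only $($c.KeyBits) bits" }
    if ($findings.Count -eq 0) {
        "VSS09: OK, certificate is CA-signed, trusted, matches the host name and is current"
    } else {
        $findings | ForEach-Object { Write-Warning "VSS09: $_" }
    }
    return ($findings.Count -eq 0)
}

Test-ViewServerCertificate -ComputerName 'view.example.com'
```

Run the check from a machine whose trusted root store matches what your View Clients have: a certificate from an organizational CA passes only where that CA's root is distributed, which is precisely what a client behind a man-in-the-middle would also be missing.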


Session Summary
To recap, the most common components in a VMware View architecture are listed below. Some organizations
will also have load balancers, identity management, self-service password systems, GINA-chaining
components, VPNs, and other components and devices; these should be hardened according to your
organization's best practices.
VMware View Client (Windows workstation) / thin client
VMware View Security Servers
VMware View Connection Servers
VMware vCenter Server and VMware ESX servers
Windows guest OS

Figure (deployment topology): View Clients send HTTPS traffic through the external firewall and a
fault-tolerant load-balancing mechanism to View Security Servers in the DMZ; a second firewall separates the
DMZ from the internal network, where the View Connection Servers, VMware vCenter, Active Directory and the
VMware ESX Servers reside.


VMware View Security Server provides the following benefits for VMware View environments:
A hardened deployment in the DMZ, including Federal Information Processing Standards (FIPS) and Common
Criteria solutions
A single platform for all access methods
A complete range of authentication methods: RSA tokens, certificates, LDAP, and so on
SSO capability
Support for the PCoIP and RDP protocols
A wide range of supported platforms
Endpoint security scanning and validation
Detailed administrative and user logging
Integrated high availability
It can be configured as a standalone secure virtual desktop access point or together with network load
balancers.
VMware View Security Servers play a critical role in your DMZ. Improperly configured, they expose a Windows
attack surface to the outside world. Make sure all hardening guidelines are strictly followed and that the
Windows systems in the DMZ, virtual or physical, are not joined to your internal Active Directory domain. All
recommendations in this document apply to VMware View Security Servers. If possible, use additional VMware
vSphere infrastructure products, such as VMware vShield, to protect your DMZ rather than relying on the
separation of multiple vSwitches alone: even when multiple vSwitches are created on a single host, virtual
switching executes in a single kernel process.
There are many global security settings related to the overall VDI solution that you may need to consider but
that are outside the scope of this document, such as:
Authentication method.
Security Server or VPN for remote access.
Firewall requirements and rules.
Administrative role-based access controls (RBAC):
  Limit the root administrator role to a small number of individuals.
  Work with the more restrictive built-in roles whenever possible.
  Use custom roles for specific needs.
In general, you should allow only the ports and services required for the display protocol (such as PCoIP)
and follow the strictest firewall practices to harden your deployment. For large deployments, consider
organizing resource pools into folders, then delegating administrative roles to the folders by geographic
location, business unit, function, compliance requirement, and so on.
IT security and protection evolve rapidly to address constantly changing threats. We recommend that you stay
as up to date as possible on best practices to maintain system availability and maximize data protection.
If you have comments and would like to contribute, please send an email to desktop-tm@vmware.com.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be
trademarks of their respective companies. Item No: VMW_11Q1_View_SecSerHardening_EN_P15
