
Category Archives: End-User Computing Overview

How Bad Is BadUSB with USB Redirection in VMware Horizon with View?

By Peter Brown, Senior Research & Development Manager, VMware, London, United Kingdom

BadUSB has been getting a lot of press lately. For those of you who have not heard, this is a new security threat in which the firmware on some USB devices can be hijacked and replaced with malware. For example, a device can be made to redirect network traffic, or emulate a keyboard and capture keystrokes, or worse. A number of Web pages are talking about BadUSB, for example When Good USB Devices Go Bad, The Unpatchable Malware That Infects USBs Is Now on the Loose, and the original Blackhat presentation, BadUSB—On accessories that turn evil.

Scary stuff, and unfortunately we have no magic cure. We have all been using USB devices for years, and we all probably have many such devices at home and in the office. So how can an enterprise using VMware Horizon with View for VDI protect itself, or what can it do to minimize the risk? This blog post aims to answer those questions!

Disabling All USB Devices

For the ultimate protection, all USB devices should be disabled. This is quite hard to do on desktop machines, especially if the enterprise has a desktop machine on every user’s desk. However, when using View, this is relatively easy to achieve in one of three ways.

Do Not Install the USB Component on the View Agent

You can configure the desktop guest image (in the data center) so that the View Agent has the USB component “not installed.” This entirely prevents USB devices from being used in that desktop image. Then refresh all your desktop images so that the USB component is removed.

Disable USB Devices for Specific Desktop Pools

If you do not want to change the desktop image, from the View Administrator UI, navigate to Desktop Pools and select a specific pool. Next, select Policies within that pool. Finally, select Desktop Pool Policies and click Edit Policies, and disable USB redirection for a specific pool or pools.

[Screenshot: VMware Horizon View Administrator, Disable USB Devices]

You can also apply user overrides to enable or disable USB redirection on a per user basis in a specific pool. This is also done by way of the same View Administrator window, with the User Overrides choice (next to Desktop Pool Policies in the window).

Use GPOs to Disable All USB Devices on the View Agent

Alternatively, you can apply the ExcludeAllDevices configuration option on the View Agent by way of GPO configuration to prevent any devices from being forwarded.

Disabling Specific USB Devices

Disabling USB devices entirely is certainly the best way to completely avoid the risk of BadUSB. In some cases, however, disabling USB devices entirely might not be feasible because you may need specific USB devices to function for your use cases; an example might be doctors using Dictaphone-type USB devices to record patients’ records. In this case, it is not possible to entirely block USB devices, and so the following strategies should be employed to help mitigate the risk.

Educate Employees About Types of USB Devices to Connect

It is important that you completely trust any device connected to your enterprise, regardless of settings, and that includes trusting your supply chain and ideally having some sort of chain of custody as well. You should educate your employees to ensure that they do not connect devices from unknown sources. If possible, try to restrict the devices used in the environment to devices that accept only signed firmware updates, are ideally FIPS 140-3 Level 3-certified, and do not support any kind of field-updatable firmware. These types of USB devices are definitely hard to source and, depending on your specific device requirements, may be impossible to find. This may not be a practical solution to the problem, but certainly worth considering.

Exclude Some Devices Through the Group Policy Editor

You can allow only specific USB devices to be used. Each USB device has its own vendor and product ID that uniquely identifies it to the computer. Rather than allowing View to forward any USB device into the guest virtual machine, you set an Include policy for known device types. Then you can remove the risk of unknown devices being inserted, which might compromise the system. Of course, there will be ways around this, but you do reduce that risk.

Here is an example of how you can configure View to block all devices from being forwarded to the View virtual desktop, except for a known device vendor and product ID (vid/pid = 0123/abcd in this case):

ExcludeAllDevices   Enabled
IncludeVidPid       o:vid-0123_pid-abcd

Note: We should point out that while this sample configuration provides some protection, a compromised device can report any vid/pid, and so there is still a possible attack vector here.

You set these Group Policy Object (GPO) values in the View Agent Group Policy editor.

Note: By default, View blocks certain device families from being forwarded to the View desktop, for example, HID (human interface devices) and keyboards. So with the default filter policy enabled in View, such keyboard devices would be automatically blocked from appearing in the guest. Some of the released BadUSB code targets USB keyboard devices, and this default in View already protects these devices from the malware.

Specific device families can instead be blocked if required. For example, the following GPO value would block all video, audio, and mass storage devices:

ExcludeDeviceFamily o:video;audio;storage

Another configuration example is to block all devices, but only allow a specific device family (whitelist). For example, block all devices, but enable storage devices. This could be done as follows:

ExcludeAllDevices       Enabled
IncludeDeviceFamily     o:storage
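To make the effect of the three GPO configurations above concrete, here is an added example (not VMware's code) that evaluates a device's reported vendor/product ID and device family against those settings and says whether View would forward it. The rule precedence (vid/pid match first, then device family, then ExcludeAllDevices, then the built-in keyboard/HID block) and the handling of the o:/m: prefix are assumptions modelled from the page's examples, not the product's documented algorithm.

```python
# Added example (not VMware's code): evaluate the View Agent USB filter
# settings shown on this page against a device's reported identity.
# The rule precedence below (vid/pid, then device family, then
# ExcludeAllDevices, then View's built-in family defaults) is an
# ASSUMPTION modelled from the page's examples, not the product's
# documented algorithm.

# Families the text says View blocks by default (assumed family names).
DEFAULT_BLOCKED_FAMILIES = {"hid", "keyboard"}

def _values(policy, key):
    """Return the set of entries in a policy value, minus the o:/m: prefix.

    The page shows an "o:" prefix but does not define it; this helper
    simply strips it and splits the remaining ';'-separated list.
    """
    raw = policy.get(key, "")
    if raw[:2].lower() in ("o:", "m:"):
        raw = raw[2:]
    return {v.strip().lower() for v in raw.split(";") if v.strip()}

def is_forwarded(policy, vid, pid, family):
    """True if a device reporting (vid, pid, family) would be forwarded."""
    ident = f"vid-{vid}_pid-{pid}".lower()
    family = family.lower()
    if ident in _values(policy, "IncludeVidPid"):
        return True
    if family in _values(policy, "ExcludeDeviceFamily"):
        return False
    if family in _values(policy, "IncludeDeviceFamily"):
        return True
    if policy.get("ExcludeAllDevices", "").lower() == "enabled":
        return False
    return family not in DEFAULT_BLOCKED_FAMILIES

# The page's three configurations, as constructed policy dictionaries.
ALLOW_ONE_DEVICE = {"ExcludeAllDevices": "Enabled",
                    "IncludeVidPid": "o:vid-0123_pid-abcd"}
BLOCK_MEDIA = {"ExcludeDeviceFamily": "o:video;audio;storage"}
STORAGE_ONLY = {"ExcludeAllDevices": "Enabled",
                "IncludeDeviceFamily": "o:storage"}

if __name__ == "__main__":
    print(is_forwarded(ALLOW_ONE_DEVICE, "0123", "abcd", "storage"))  # True
    print(is_forwarded(ALLOW_ONE_DEVICE, "9999", "0001", "storage"))  # False
    # The caveat from the text: the filter sees only what the device
    # reports, so any device claiming the allowed vid/pid gets the same
    # decision as the genuine one.
    print(is_forwarded(ALLOW_ONE_DEVICE, "0123", "abcd", "keyboard"))  # True
```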

Another risk might be someone from outside your office logging in to a desktop and infecting it. Again, this cannot be seen as a complete mitigation, but you can block USB access completely to any View connections that originate from outside the company firewall. The USB device could be used internally, but not externally.

To do this, block TCP port 32111 from the View security server to the View desktops. Zero clients are slightly different, as the USB traffic for those is embedded inside a virtual channel on UDP port 4172. Because port 4172 is not used only for USB (it also carries the display protocol), it is not possible to block that port. You can disable USB on zero clients if required. Look at the zero client product literature or contact the zero client vendor for specific details.

Blocking certain device families or specific devices can help to mitigate the risk of BadUSB malware, but not completely solve it.

If you want to know more about USB redirection in View, check out my white paper USB Device Redirection, Configuration, and Usage in VMware Horizon with View.

Calling All Citrix XenApp Customers! Make the Move to VMware Horizon 6

By Mark Ewert, End-User Computing Solutions Architect, VMware

This summer we released VMware Horizon 6, the latest version of our leading end-user computing platform. Perhaps the most exciting feature of Horizon 6 is its expanded support for Microsoft Remote Desktop Services, including hosted applications. Whether users need virtual desktops, hosted apps, or shared desktop sessions, VMware Horizon is the only platform you need. This means it is now possible to migrate off your Citrix XenApp infrastructure! Summer 2015 marks both the termination of support for Microsoft Windows Server 2003 and the end of life for XenApp 5.0. If you are still running XenApp 5 on Windows 2003, the timing is perfect for a migration to VMware Horizon. And we are working feverishly to release tools, guidance, and services to provide what you need to make your migration a success. Continue reading

Introducing VMware Horizon FLEX

By Gina Daly, Technical Writer for Technical Marketing, End-User Computing, VMware

Do your employees want to use Macs in the workplace? Do you want to say ‘Yes’ to a BYO program? Perhaps you are hiring more temporary and contract staff? However, you struggle with balancing corporate access and corporate compliance…

VMware Horizon FLEX is an exciting new product that addresses these use cases and more! Horizon FLEX was announced at VMworld Europe 2014 and will be generally available soon. The VMware Horizon FLEX Solution Brief discusses the enterprise use cases solved by Horizon FLEX, as well as how it works and a sample of some of the functionality. Continue reading

VMware Horizon Client for Mac Is Ready for OS X 10.10

By Kristina De Nike, Product Line Manager, End-User Computing, VMware

No need to be alarmed. Apple has announced that Mac OS X 10.10 is available. But if you are running the latest Horizon Client for Mac, version 3.1, you do not need to change anything. The current client works beautifully with Yosemite and looks beautiful doing it.

Figure 1: Horizon Client for Mac in Front of Seamless Horizon Hosted Application (Windows Chrome)

For weeks, we have been testing the Horizon Client 3.1 with the OS X Yosemite beta. Now that OS X 10.10 has shipped, we can confirm that the Horizon Client for Mac that we shipped in September is fully compatible.

If you are not running the latest Horizon Client, download the Mac client from the Horizon Client download page.

For more information about the Horizon Client and View virtual desktops, see Horizon with View.

VMware Fast Track 2.0 Program: New Proven Storage Solutions to Accelerate Your Horizon Deployment

By Mason Uyeda, Senior Director, Industry Solutions and Technical Enablement, End-User Computing, VMware

Horizon has long been recognized for its ease of deployment, manageability, and predictability…all critical factors in the world of IT. These attributes have helped make Horizon with View the market-leading VDI product that it is. But the importance of these same factors applies to other infrastructure components, especially storage. Feedback from customers has typically been that storage is one area where they would like to see improvements in ease of deployment, predictable scale and performance, and, of course, lower costs.

To help tackle these challenges, we have created Proven Storage solutions in the VMware Horizon Fast Track 2.0 program. Continue reading

VMware Horizon FLEX Makes VMware the Vendor With the Most Comprehensive Virtual Desktop and App Portfolio

By Sumit Dhawan, SVP and GM, Desktop Products, End-User Computing

Coming off of the tremendous momentum of VMworld U.S., here we are at VMworld Europe 2014! I have been to Barcelona about half a dozen times and it is always great to spend time here – great vibe with interesting architecture, delicious tapas, beautiful flamenco and more. In the midst of all this, I am pleased to share some exciting announcements we made today for End User Computing products and services.


It’s only been 6 weeks since our last VMworld where EUC made several exciting announcements that included the introduction of the brand new VMware Workspace™ Suite, an integrated platform that combines AirWatch mobile and content management with Horizon virtual desktop and applications to deliver a unified end-user experience. Also, we announced our acquisition of CloudVolumes to provide real time application delivery and in conjunction, showcased our next-generation desktop paradigm with Project Meteor to deliver Just-In-Time (JIT) Desktops.

We continue to believe that mobility is driving change from traditional PC-centric architectures to the mobile-cloud architecture. In the new world of mobile-cloud, customers can easily adopt a device agnostic strategy and deliver their corporate apps and data securely from any cloud. We are continuing to push the pace of innovation and keeping our foot on the pedal to deliver the best solutions to our customers for this journey.

Today, we made several announcements, including the introduction of a new product in the VMware Horizon® family, Horizon FLEX™; a new service, VMware Horizon Air™ Desktop DR; integration of VMware App Volumes with Horizon Enterprise; and the further expansion into Europe (France and Germany) of our cloud-hosted end-user computing services.

Continue reading

VMware Horizon Air Adds New Cloud Service for End-Users

By Erik Frieberg, VP of Marketing, End-User Computing, VMware

Hola from Barcelona! It’s about 70 degrees and a bit humid here in the city… and it feels like I haven’t left Palo Alto. Regardless of how similar the weather might be, Barcelona is one of a kind when it comes to its food and hospitality. That’s why this has always been one of my favorite cities to visit every year.

Today at VMworld Europe, we introduced VMware App Volumes and VMware Horizon® FLEX™, and Sumit Dhawan has written a great, high-level wrap-up of these new products. If you want a deeper dive into the new VMware App Volumes product or Horizon FLEX, you can read a blog post by Harry Labana and Kit Colbert.

What I’d like to do is give you more insight into our hosted cloud services and a brand new service, VMware Horizon Air™ Desktop DR.

Continue reading

Real-Time Application Delivery and Lifecycle Management with VMware App Volumes

By Harry Labana, Vice President of Products, End-User Computing, VMware

Tectonic shifts are taking place globally that require businesses to quickly adapt to change and shift cost to activities that increase productivity. Traditional approaches to application delivery and lifecycle management, designed for the distributed computing era, will not scale for modern enterprises.

This is placing new demands on IT, which must provide instant service delivery in a world in which change is constant. This requires reimagining application delivery and lifecycle management for the enterprise.

I’m delighted to share that following the acquisition of CloudVolumes in August 2014, we will be launching a VMware-branded version of CloudVolumes called VMware App Volumes in late Q4 2014, the fastest integration in VMware End-User Computing (EUC) history.

Continue reading

Mirage Large-Scale Reference Architecture Available

By Stephane Asselin, End-User Computing Architect, Technical Enablement, End-User Computing, VMware, and Gary Sloane, Consultant, VMware End-User Computing

The long-awaited VMware Mirage Large-Scale Reference Architecture is now available!

It reflects over five months of testing and includes data that will be useful to anybody planning to migrate large numbers of desktops—think hundreds or thousands—from XP to Windows 7. By “anybody” we mean not only the large customers we originally had in mind but also those who can apply our large-scale techniques and results to medium-sized implementations.

It will also be useful for those who need to migrate from Windows 7 to Windows 8 or perform related tasks, such as backup management and image management.

We should note that large-scale backup and migration require substantial investments in IT, historically requiring separate tools for backup and for PC lifecycle management. This paper demonstrates how Mirage eliminates the need for separate tools, while protecting the customization, applications, and data that personalize each end-user system. Mirage also minimizes end-user downtime and time required from IT resources. Continue reading

VMware Horizon 6 Supports Application Delivery by RDS Hosting

By Cindy Heyer, Technical Writer, Technical Marketing, End-User Computing at VMware

To meet the demand for hosted applications, VMware Horizon 6 supports an app-remoting option based on Microsoft RDS. The Application-Delivery Options in VMware Horizon 6.0 white paper describes this new option, as well as additional application-delivery options available in Horizon 6. You can publish and manage RDS-hosted applications through Horizon with View in the Horizon Advanced Edition and Horizon Enterprise Edition. That includes setting policies and entitlement. You can also integrate VMware Workspace with View, which enables you to present your hosted applications in Workspace, where they are displayed alongside applications from ThinApp repositories, Citrix XenApp farms, and SaaS and Web application providers.


RDS is the Microsoft architecture that supports the use of remote machines and applications through a network connection. The application-hosting option in Horizon 6 provides the essentials for publishing applications based on RDS. You can install one instance of an application on an RDS host instead of on multiple individual desktops, and make that application available to many end users. Continue reading