by Xisheng Zhang, VMware End-User Computing (EUC) staff engineer
VMware Horizon FLEX allows companies to remotely control and manage virtual machines (VMs). The Horizon FLEX security policies are primarily for managing the virtual ports and controlling the flow of data in and out of the virtual desktop container, for instance blocking copy/paste, drag and drop and USB device sharing. However, you may also want to limit your FLEX virtual machines to specified websites or to a restricted set of firewall rules.
If you’re running Windows inside the virtual machines, you can still use all the finer-grained controls that come with Windows. Below are instructions for some of the network settings you can apply to domain-joined Horizon FLEX virtual machines. These settings are not specific to Horizon FLEX, but we thought our customers would appreciate having them handy.
These instructions work whether the end user is an administrator or standard user on the virtual machine operating system (OS).
Step 1: Create an Organizational Unit (OU).
Create a dedicated OU in Active Directory (AD) for all FLEX-managed computers. We will apply the new policies to this OU.
Step 2: Create an OU policy in the AD Group Policy Management Console.
- Set up the Windows Firewall. With this configuration, no user, including a local administrator, will be able to turn off the Windows Firewall.
- On your AD server, navigate through “Computer Configuration” > “Policies” > “Administrative Templates” > “Network” > “Network Connections” > “Windows Firewall.”
- Enable “Windows Firewall: Protect all network connections” under both “Domain Profile” and “Standard Profile.” (The standard profile is what applies when the VM is off the corporate network, which is exactly when an offline FLEX VM needs it.)
- Force the firewall service to run. With this configuration, no user except a domain administrator can stop the firewall service.
- On your AD server, navigate through “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “System Services.”
- In the services list, find the “Windows Firewall” service (service name MpsSvc). Edit its properties and set the startup mode to “Automatic.”
- Use “Edit Security” on the same dialog to change the permissions so that only Domain Admins have full control; leave everyone else with read (query status) permission only.
Step 3: Delete the Local User.
Typically, when an administrator builds the virtual machine image, he installs the OS and provisions a local user to complete setup. Deleting this account is optional, but once the VM is domain-joined the “dummy” local user is no longer needed, and removing it both avoids end-user confusion and closes a sign-in path that is outside the domain’s control (a leftover local account with a shared image password is a local-logon bypass of every policy below).
- On your AD server, navigate through “Computer Configuration” > “Preferences” > “Control Panel Settings” > “Local Users and Groups.”
- In the right-click menu, select “New” > “Local User.”
- Input the local user name and set “Action” to “Delete.”
Step 4: Limit Connections to an IP Address.
Configure a Windows Firewall policy so that the virtual machine can only reach specified IP addresses. This configuration holds as long as the end user is a standard user (domain or local). To enforce it even when the end user is a local administrator, also follow the instructions in step 5 below.
- On your AD server, navigate through “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Windows Firewall with Advanced Security.”
- Add new rules under “Inbound Rules” and “Outbound Rules.” For example, add an outbound rule that only allows the VM to reach 10.117.160.233 and 10.117.160.234.
- In a Windows Firewall policy, a block rule always takes priority over an allow rule (the only exception is an “allow if secure” rule with the override-block option, which is not used here). So you can create a block rule that excludes every address except the allowed list, for example: block 0.0.0.0 to 10.117.160.232 and 10.117.160.235 to 255.255.255.255.
- Be sure the allowed list also includes your domain controllers (DNS, Kerberos, LDAP and SYSVOL access) and any DHCP server; otherwise the VM can never refresh Group Policy again and you will have locked yourself out of managing it.
For additional firewall rule information, please refer to Microsoft’s Order of Windows Firewall with Advanced Security Rules Evaluation.
Step 5: Enforce Domain Membership.
If the end user can remove the virtual machine from the domain, none of these Group Policy Objects (GPOs) will be enforced any longer. You will want to protect the registry key that the unjoin process writes to, so that the virtual machine cannot leave the domain.
- On your AD server, navigate through “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Registry.”
- Add the key “MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters.”
- Edit its security so that only Domain Admins have full control. Local Administrators and all other users get read permission only.
- Keep in mind that members of the local Administrators group hold the take-ownership privilege by default, so this ACL raises the bar for an administrator-level user rather than making the unjoin impossible; Group Policy reapplies the ACL on each refresh, which is why steps 4 and 5 work best together and why standard-user accounts are preferable for end users.
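The following PowerShell script is an added example, not part of the original post, that automates the portions of steps 1, 2 and 4 that have cmdlet support (the ActiveDirectory, GroupPolicy and NetSecurity modules on a domain controller or an RSAT-equipped admin host). The domain corp.example.com, the OU name FLEX-VMs, the GPO name FLEX-Lockdown and the domain controller address 10.117.160.10 are assumptions; the two allowed hosts are the post’s example addresses. The service permission (step 2), local-user deletion (step 3) and registry ACL (step 5) have no dedicated cmdlets and are still set in the GPMC as described above; the tail of the script shows how to confirm on a VM that they landed.

```powershell
# Added example (not from the VMware post). Run on a DC or RSAT host as a Domain Admin.
# Assumed names: corp.example.com, OU "FLEX-VMs", GPO "FLEX-Lockdown", DC 10.117.160.10.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$Domain   = 'corp.example.com'
$DomainDN = 'DC=corp,DC=example,DC=com'
$OuName   = 'FLEX-VMs'
$GpoName  = 'FLEX-Lockdown'
$Allowed  = @('10.117.160.233', '10.117.160.234')   # addresses from the post
$DcAddr   = '10.117.160.10'                          # assumption: your domain controller

# Step 1: dedicated OU for FLEX-managed computers.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
$OuDN = "OU=$OuName,$DomainDN"

# Step 2: create the GPO and link it to the OU.
New-GPO -Name $GpoName -Comment 'Horizon FLEX network lockdown' | Out-Null
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null

# "Windows Firewall: Protect all network connections" for the Domain and Standard profiles.
# This is the registry-backed setting behind the Administrative Template the post describes.
foreach ($FwProfile in 'DomainProfile', 'StandardProfile') {
    Set-GPRegistryValue -Name $GpoName -Type DWord -Value 1 -ValueName 'EnableFirewall' `
        -Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\$FwProfile" | Out-Null
}

# Step 4: write firewall rules into the GPO's policy store ("domain\GPO name"),
# not the local store, so they travel with the OU membership.
$Store = "$Domain\$GpoName"

# Keep the firewall on in every profile and ignore rules created locally on the VM,
# so a local allow rule cannot be merged in to widen the allow list.
Set-NetFirewallProfile -PolicyStore $Store -Profile Domain, Private, Public -Enabled True `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False

# Allow list: the application servers from the post plus the DC. Without the DC rule the
# VM can never refresh Group Policy again (DNS, Kerberos, LDAP, SYSVOL all go there).
New-NetFirewallRule -PolicyStore $Store -DisplayName 'FLEX allow application servers' `
    -Direction Outbound -Action Allow -RemoteAddress $Allowed | Out-Null
New-NetFirewallRule -PolicyStore $Store -DisplayName 'FLEX allow domain controller' `
    -Direction Outbound -Action Allow -RemoteAddress $DcAddr | Out-Null

# Block everything else, using the same range trick as the post. Block beats Allow,
# so the allowed hosts must sit in the gaps between the two ranges.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'FLEX block all other outbound' `
    -Direction Outbound -Action Block `
    -RemoteAddress '0.0.0.0-10.117.160.9', '10.117.160.11-10.117.160.232', '10.117.160.235-255.255.255.255' | Out-Null

# Review what the GPO now carries.
Get-NetFirewallRule -PolicyStore $Store | Select-Object DisplayName, Direction, Action

# ---- Verification on a FLEX VM after `gpupdate /force` (run there, not on the DC) ----
# Get-NetFirewallProfile | Select-Object Name, Enabled, AllowLocalFirewallRules
# Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'FLEX*' | Select-Object DisplayName, Action
# (Get-Service MpsSvc).StartType                       # expect Automatic (step 2)
# Get-LocalUser                                        # the image's dummy account should be gone (step 3)
# (Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Access |
#     Select-Object IdentityReference, RegistryRights  # Domain Admins full, others read (step 5)
```

A simpler equivalent of the block-range rule is to set the profile’s default outbound action to Block (`Set-NetFirewallProfile -PolicyStore $Store -DefaultOutboundAction Block`) and keep only allow rules; the range form is shown here because it matches the post, and because it still works on profiles where you do not want to change the default action. Either way, test the policy against a VM that is off the corporate network (the Standard/Public profile) before rolling it out, since that is the profile an offline FLEX desktop will be using.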
We hope these instructions give you some ideas for how you can control a Horizon FLEX virtual machine using the standard Windows controls you already use for physical systems. There are other registry keys an administrator can set for additional security, of course. We hope you will use Horizon FLEX to give your users maximum online/offline flexibility while still meeting your company’s security goals.