To achieve greater security, you can ensure that communications that use the SSL/TLS protocol between Horizon Clients and virtual machine-based desktops or RDS hosts do not allow weak ciphers.

About this task

The configuration for disabling weak ciphers is stored in the Windows registry. Changes to these settings must be done on all machines that run View Agent Direct-Connection Plug-In.

Note:

These settings affect all use of SSL/TLS on the operating system.

Both SSL 3.0 and TLS 1.0 (RFC 2246), together with the Internet-Draft "56-bit Export Cipher Suites For TLS" (draft-ietf-tls-56-bit-ciphersuites-00.txt), provide options to use different cipher suites. Each cipher suite determines the key exchange, authentication, encryption, and MAC algorithms used within an SSL/TLS session.

Prerequisites

You need to have experience editing Windows registry keys using the Regedt32.exe registry editor.

Procedure

  1. Start Registry Editor Regedt32.exe, and locate this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  2. Make the following modifications under that key.
    • In subkey \Hashes create a subkey MD5.

    • In subkey \Hashes\MD5 add a DWORD value Enabled with a value of 0x0.
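The same registry change as a script, with a read-back check so you can confirm the value on every machine that runs View Agent Direct-Connection Plug-In. This is an added example, not part of the Horizon documentation; it assumes an elevated PowerShell session, and the function names are chosen here.

```powershell
# Added example (not from the Horizon documentation): applies the
# SCHANNEL\Hashes\MD5 Enabled=0 setting described in the procedure above
# and verifies it. Run in an elevated (administrator) PowerShell session.

$SchannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Md5Path      = Join-Path $SchannelPath 'Hashes\MD5'

function Disable-SchannelMd5 {
    # Create the \Hashes\MD5 subkey if it is missing. New-Item -Force also
    # creates the intermediate \Hashes key and tolerates an existing key.
    if (-not (Test-Path $Md5Path)) {
        New-Item -Path $Md5Path -Force | Out-Null
    }
    # A DWORD value named Enabled set to 0 disables MD5 for SCHANNEL.
    # As the documentation notes, this affects all SSL/TLS use on the OS.
    New-ItemProperty -Path $Md5Path -Name 'Enabled' -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

function Test-SchannelMd5Disabled {
    # Returns $true only when the key exists and Enabled is exactly 0.
    if (-not (Test-Path $Md5Path)) { return $false }
    $props = Get-ItemProperty -Path $Md5Path -Name 'Enabled' `
        -ErrorAction SilentlyContinue
    return ($null -ne $props -and [int]$props.Enabled -eq 0)
}

Disable-SchannelMd5
if (Test-SchannelMd5Disabled) {
    Write-Output "SCHANNEL MD5 is disabled ($Md5Path\Enabled = 0)."
} else {
    Write-Warning "SCHANNEL MD5 is still enabled or the value could not be read."
}
```

Test-SchannelMd5Disabled on its own is useful as a compliance check across a fleet, since it reports $false both when the key is absent and when Enabled holds any value other than 0.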

Results

The registry changes ensure that only the following ciphers are available:

  • TLSv1 256 bits AES256-SHA

  • TLSv1 128 bits AES128-SHA

  • TLSv1 168 bits DES-CBC3-SHA

  • TLSv1 128 bits RC4-SHA

Note:

If Horizon Client is not configured to support any cipher that is supported by the virtual desktop operating system, the TLS/SSL negotiation will fail and the client will be unable to connect.

For information on configuring supported cipher suites in Horizon Clients, refer to Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.