Some users might have to redirect specific locally-connected USB devices so that they can perform tasks on their remote desktops or applications. For example, a doctor might have to use a Dictaphone USB device to record patients' medical information. In these cases, you cannot disable access to all USB devices. You can use group policy settings to enable or disable USB redirection for specific devices.
Before you enable USB redirection for specific devices, make sure that you trust the physical devices that are connected to client machines in your enterprise. Be sure that you can trust your supply chain. If possible, keep track of a chain of custody for the USB devices.
In addition, educate your employees to ensure that they do not connect devices from unknown sources. If possible, restrict the devices in your environment to those that accept only signed firmware updates, are FIPS 140-2 Level 3-certified, and do not support any kind of field-updatable firmware. These types of USB devices are hard to source and, depending on your device requirements, might be impossible to find. These choices might not be practical, but they are worth considering.
Each USB device has its own vendor and product ID that identifies it to the computer. By configuring Horizon Agent Configuration group policy settings, you can set an include policy for known device types. With this approach, you remove the risk of allowing unknown devices to be inserted into your environment.
For example, you can prevent all devices except a known device vendor and product ID, vid/pid=0123/abcd, from being redirected to the remote desktop or application:
ExcludeAllDevices Enabled IncludeVidPid o:vid-0123_pid-abcd
This example configuration provides protection, but a compromised device can report any vid/pid, so a possible attack could still occur.
By default, Horizon 7 blocks certain device families from being redirected to the remote desktop or application. For example, HID (human interface devices) and keyboards are blocked from appearing in the guest. Some released BadUSB code targets USB keyboard devices.
You can prevent specific device families from being redirected to the remote desktop or application. For example, you can block all video, audio, and mass storage devices:
Conversely, you can create a whitelist by preventing all devices from being redirected but allowing a specific device family to be used. For example, you can block all devices except storage devices:
ExcludeAllDevices Enabled IncludeDeviceFamily o:storage
Another risk can arise when a remote user logs into a desktop or application and infects it. You can prevent USB access to any Horizon 7 connections that originate from outside the company firewall. The USB device can be used internally but not externally.
Be aware that if you block TCP port 32111 to disable external access to USB devices, time zone synchronization will not work because port 32111 is also used for time zone synchronization. For zero clients, the USB traffic is embedded inside a virtual channel on UDP port 4172. Because port 4172 is used for the display protocol as well as for USB redirection, you cannot block port 4172. If required, you can disable USB redirection on zero clients. For details, see the zero client product literature or contact the zero client vendor.
Setting policies to block certain device families or specific devices can help to mitigate the risk of being infected with BadUSB malware. These policies do not mitigate all risk, but they can be an effective part of an overall security strategy.
These policies are included in the Horizon Agent Configuration ADMX template file (vdm_agent.admx). For more information, see Configuring Remote Desktop Features in Horizon 7.