Some users might have to redirect specific locally-connected USB devices so that they can perform tasks on their remote desktops or applications. For example, a doctor might have to use a Dictaphone USB device to record patients' medical information. In these cases, you cannot disable access to all USB devices. You can use group policy settings to enable or disable USB redirection for specific devices.
Before you enable USB redirection for specific devices, make sure that you trust the physical devices that are connected to client machines in your enterprise. Be sure that you can trust your supply chain. If possible, keep track of a chain of custody for the USB devices.
In addition, educate your employees to ensure that they do not connect devices from unknown sources. If possible, restrict the devices in your environment to those that accept only signed firmware updates, are FIPS 140-2 Level 3-certified, and do not support any kind of field-updatable firmware. These types of USB devices are hard to source and, depending on your device requirements, might be impossible to find. These choices might not be practical, but they are worth considering.
Each USB device has its own vendor and product ID that identifies it to the computer. By configuring Horizon Agent Configuration group policy settings, you can set an include policy for known device types. With this approach, you remove the risk of allowing unknown devices to be inserted into your environment.
Option | Description
---|---
ExcludeAllDevices | Excludes all devices from being redirected.
ExcludeDeviceFamily | Prevents specific device families from being redirected. For example, you can block all video, audio, and mass storage devices: `ExcludeDeviceFamily o:video;audio;storage`
ExcludeVidPid | Prevents devices with specified vendor and product IDs from being redirected. The format of the setting is `vid-xxx1_pid-yyy1[;vid-xxx2_pid-yyy2]...`. You must specify the VID and PID as hexadecimal numbers. You can use the wildcard character (`*`) in place of individual digits in an ID. For example:
ExcludeVidPidRel | Prevents devices with specified vendor ID, product ID, and release number from being redirected. The format of the setting is `vid-xxx1_pid-yyy1_rel-zzz1[;vid-xxx2_pid-yyy2_rel-zzz2]...`. You must specify the VID and PID as hexadecimal numbers and the REL as a binary-coded decimal. You can use the wildcard character (`*`) in place of individual digits in an ID. For example:
Option | Description
---|---
IncludeAllDevices | All devices are redirected.
IncludeDeviceFamily | All device families are redirected.
IncludeVidPid | Devices with specified vendor and product IDs are redirected. The format of the setting is `vid-xxx1_pid-yyy1[;vid-xxx2_pid-yyy2]...`. You must specify the VID and PID as hexadecimal numbers. You can use the wildcard character (`*`) in place of individual digits in an ID. For example:
IncludeVidPidRel | Devices with specified vendor ID, product ID, and release number are redirected. The format of the setting is `vid-xxx1_pid-yyy1_rel-zzz1[;vid-xxx2_pid-yyy2_rel-zzz2]...`. You must specify the VID and PID as hexadecimal numbers and the REL as a binary-coded decimal. You can use the wildcard character (`*`) in place of individual digits in an ID. For example:
By default, Horizon blocks certain device families from being redirected to the remote desktop or application. For example, HID (human interface devices) and keyboards are blocked from appearing in the guest. Some released BadUSB code targets USB keyboard devices.
You can prevent USB access to any Horizon connections that originate from outside the company firewall. The USB device can be used internally but not externally.
Be aware that if you block TCP port 32111 to disable external access to USB devices, time zone synchronization will not work because port 32111 is also used for time zone synchronization. For zero clients, the USB traffic is embedded inside a virtual channel on UDP port 4172. Because port 4172 is used for the display protocol as well as for USB redirection, you cannot block port 4172. If required, you can disable USB redirection on zero clients. For details, see the zero client product literature or contact the zero client vendor.
Setting policies to block certain device families or specific devices can help to mitigate the risk of being infected with BadUSB malware. These policies do not mitigate all risk, but they can be an effective part of an overall security strategy.
Device Filtering Examples
- Block a single device:
  `ExcludeVidPidRel o:vid-0781_pid-5591_rel-0100`
  Note: This example configuration provides protection, but a compromised device can report any VID/PID, so an attack could still occur.
- Block all devices with the same vendor and product ID except one with a specific release number:
  `ExcludeVidPid o:vid-0781_pid-5591`
  `IncludeVidPidRel o:vid-0781_pid-5591_rel-0100`
- Include all devices with the same vendor and product ID except one with a specific release number:
  `IncludeVidPid o:vid-0781_pid-5591`
  `ExcludeVidPidRel o:vid-0781_pid-5591_rel-0100`
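The filter-string syntax described in the two option tables and the precedence illustrated by the examples above can be modelled offline, which is useful for auditing a proposed policy before it is pushed by GPO. The following Python is an added example, not VMware code: it parses the `vid-xxxx_pid-yyyy[_rel-zzzz]` terms (including the `*` single-digit wildcard and the `o:` prefix the examples use), and decides whether a given device would be redirected. The rule precedence it applies (a VidPidRel rule overrides a VidPid rule, which overrides a DeviceFamily rule, which overrides the *AllDevices rules, with Exclude winning at equal specificity) is inferred from the examples on this page and is an assumption, as is the `UsbDevice` record and the sample policies, which are constructed here.

```python
"""Offline model of Horizon USB filter strings (added example, not VMware code).

Assumptions: rule precedence is inferred from the page's examples (VidPidRel
overrides VidPid, which overrides DeviceFamily, which overrides *AllDevices);
at equal specificity an Exclude rule wins. Unmatched devices return (None, None)
rather than guessing a default.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    vid: str     # 4 hex digits, e.g. "0781"
    pid: str     # 4 hex digits, e.g. "5591"
    rel: str     # 4 binary-coded-decimal digits, e.g. "0100"
    family: str  # device family name, e.g. "storage", "audio", "hid"


def _strip_modifier(value: str) -> str:
    # The page's examples prefix the filter list with "o:"; drop it so that
    # only the filter terms remain.
    return value[2:] if value.lower().startswith("o:") else value


def _term_regex(term: str) -> re.Pattern:
    # One filter term such as "vid-0781_pid-55*1". "*" stands for exactly one
    # digit of the ID, as the option tables describe.
    escaped = re.escape(term).replace(r"\*", r"[0-9a-fA-F]")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def _matches_any(value: str, needle: str) -> bool:
    # A setting holds one or more ';'-separated terms; any matching term counts.
    terms = [t for t in _strip_modifier(value).split(";") if t]
    return any(_term_regex(t).match(needle) for t in terms)


def _families(value: str) -> set:
    return {t.strip().lower() for t in _strip_modifier(value).split(";") if t.strip()}


def _vidpidrel(dev: UsbDevice) -> str:
    return f"vid-{dev.vid}_pid-{dev.pid}_rel-{dev.rel}"


def _vidpid(dev: UsbDevice) -> str:
    return f"vid-{dev.vid}_pid-{dev.pid}"


# Ordered from most to least specific (assumed precedence, see module docstring).
# Each entry: (setting name, whether a match means "redirected", matcher).
RULES = (
    ("ExcludeVidPidRel", False, lambda v, d: _matches_any(v, _vidpidrel(d))),
    ("IncludeVidPidRel", True, lambda v, d: _matches_any(v, _vidpidrel(d))),
    ("ExcludeVidPid", False, lambda v, d: _matches_any(v, _vidpid(d))),
    ("IncludeVidPid", True, lambda v, d: _matches_any(v, _vidpid(d))),
    ("ExcludeDeviceFamily", False, lambda v, d: d.family.lower() in _families(v)),
    ("IncludeDeviceFamily", True, lambda v, d: d.family.lower() in _families(v)),
    # For the *AllDevices settings any present value counts as "set".
    ("ExcludeAllDevices", False, lambda v, d: True),
    ("IncludeAllDevices", True, lambda v, d: True),
)


def decide(policy: dict, dev: UsbDevice):
    """Return (redirected, rule_name) for the first matching rule, else (None, None)."""
    for name, allows, matcher in RULES:
        value = policy.get(name)
        if value is not None and matcher(value, dev):
            return allows, name
    return None, None


# Constructed policies mirroring the second and third examples on this page.
POLICY_BLOCK_ALL_BUT_ONE_RELEASE = {
    "ExcludeVidPid": "o:vid-0781_pid-5591",
    "IncludeVidPidRel": "o:vid-0781_pid-5591_rel-0100",
}
POLICY_ALLOW_ALL_BUT_ONE_RELEASE = {
    "IncludeVidPid": "o:vid-0781_pid-5591",
    "ExcludeVidPidRel": "o:vid-0781_pid-5591_rel-0100",
}

if __name__ == "__main__":
    for rel in ("0100", "0200"):
        dev = UsbDevice("0781", "5591", rel, "storage")
        print(rel, decide(POLICY_BLOCK_ALL_BUT_ONE_RELEASE, dev),
              decide(POLICY_ALLOW_ALL_BUT_ONE_RELEASE, dev))
```

Run against an inventory of the VID/PID/REL values you actually intend to permit, a `(None, None)` result flags a device no rule covers, which is exactly the case the include-list approach above is meant to eliminate.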
Using Device Filtering Options
- Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Agent\USB`
- Group Policy Object: `Local Computer Policy\Computer Configuration\Administrative Templates\VMware View Agent Configuration\View USB Configuration`