weemidden
Contributor

Horizon Events Database SQL authentication

I would like to know why it is that the VMware Horizon Events Database can only operate using SQL authentication? It has been like this for years and is a noticeable vulnerability in this product's security armour. I've worked with banks, defence organisations and governments, all of whom lament the fact that the events database can only allow SQL authentication.

After pressing our VMware account manager on it a week or two ago, our organisation was told that VMware are not going to develop Horizon to allow Windows / AD based authentication because "hardly anyone is asking for it". That doesn't mean that organisations don't want it. I've found in the past that there are challenges speaking to the right people at VMware to get this sort of stuff done or getting the message through.

One stand-out question I have is why has it been possible (for years) for VMware to do Windows / AD authentication in the Windows version of vCenter but not for the events database in Horizon? I am a highly experienced IT contractor, having worked with over 70 organisations over the last 24 years. Prior to that I was a professional software developer. I still code now and I know 100% that enabling Windows authentication for the Horizon events database would not be that big of a deal. I also know that many government organisations / agencies and defence companies would celebrate the day when the events database functionality supports Windows authentication, which is markedly more secure. Even NCSC recommend not using SQL authentication if you can use Windows / AD.

Before you ask, piping the logs into a syslogger is a non-starter as we can't run the right sort of analysis on these logs - the events database HAS to be used and therefore, until this functionality is implemented, we're consigned to changing the SQL password every ~30 days, just like every other org that values security. There are regular stories in the computer press regarding exploits against "mature" products; this potential security hole is crying out to be repaired before it too gets exploited. Maybe then, that functionality will be realised.
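The ~30-day rotation the post describes is only enforceable if someone actually checks the login. The T-SQL below is an added audit example, not code from the original post or from VMware: it assumes the events database is hosted on Microsoft SQL Server (the post only says "SQL authentication"), and `horizon_events` is a placeholder login name. It lists every enabled SQL-authenticated login with its password age, flags those past 30 days, and shows how to make SQL Server itself enforce password policy and expiry on the events-database login so the rotation does not depend on a calendar reminder.

```sql
-- Added example (not from the original post): audit SQL-authenticated logins
-- on a SQL Server instance hosting the Horizon Events Database.
-- Assumes SQL Server; 'horizon_events' is a placeholder login name.

-- 1. Every enabled SQL login, with policy/expiry flags and password age.
--    '##%' excludes SQL Server's internal certificate-based logins.
SELECT
    l.name,
    l.is_policy_checked,
    l.is_expiration_checked,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
    DATEDIFF(DAY,
             CONVERT(datetime, LOGINPROPERTY(l.name, 'PasswordLastSetTime')),
             GETDATE()) AS password_age_days
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND l.name NOT LIKE '##%'
ORDER BY password_age_days DESC;

-- 2. Logins overdue against a 30-day rotation (the threshold is the post's
--    own figure; adjust to local policy).
SELECT l.name
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND l.name NOT LIKE '##%'
  AND DATEDIFF(DAY,
               CONVERT(datetime, LOGINPROPERTY(l.name, 'PasswordLastSetTime')),
               GETDATE()) > 30;

-- 3. Have the engine enforce the host's Windows password policy and expiry
--    on the events-database login, so an expired password fails closed
--    rather than quietly living on past the rotation date.
ALTER LOGIN [horizon_events] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Query 1 is the one to schedule and ship to whatever collects the rest of your audit data; query 2 is the alert condition. Statement 3 changes behaviour for the Horizon Connection Server (an expired password will stop event writes until it is rotated), so enable it alongside the rotation process rather than instead of it.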
