AWS workspaces medium security documentation change
Summary
Updated WebAuthn redirection documentation with enhanced features, added process compatibility controls, and revised terminology from 'enable/disable' to 'configure' for multiple settings
Security assessment
The changes introduce Enhanced WebAuthn redirection which eliminates browser extension requirements (reducing attack surface) and adds process compatibility lists to restrict WebAuthn usage to approved applications. Specific security evidence includes the requirement to maintain 'dcvwebauthnnativemsghost.exe' in compatibility lists and guidance to remove browser extensions when upgrading to Enhanced WebAuthn.
Diff
diff --git a/workspaces/latest/adminguide/group_policy.md b/workspaces/latest/adminguide/group_policy.md index 0c5211499..4161551bf 100644 --- a//workspaces/latest/adminguide/group_policy.md +++ b//workspaces/latest/adminguide/group_policy.md @@ -40 +40 @@ Group Policy settings can affect the experience of your WorkSpace users as follo -For more information about enabling or disabling audio-in redirection, see Enable or disable audio-in redirection for PCoIP or Enable or disable audio-in redirection for DCV. +For more information about enabling or disabling audio-in redirection, see Enable or disable audio-in redirection for PCoIP or Configure audio-in redirection for DCV. @@ -254 +254 @@ By default, WorkSpaces supports redirecting data from a local camera. If needed -###### To enable or disable video-in redirection for Windows WorkSpaces +###### To configure video-in redirection for Windows WorkSpaces @@ -275 +275 @@ By default, WorkSpaces supports redirecting data from a local microphone. If nee -###### To enable or disable audio-in redirection for Windows WorkSpaces +###### To configure audio-in redirection for Windows WorkSpaces @@ -296 +296 @@ By default, WorkSpaces redirects data to a local speaker. If needed for Windows -###### To enable or disable audio-out redirection for Windows WorkSpaces +###### To configure audio-out redirection for Windows WorkSpaces @@ -429 +429 @@ To enable the use of smart cards with Windows WorkSpaces, additional steps are r -###### To enable or disable smart card redirection for Windows WorkSpaces +###### To configure smart card redirection for Windows WorkSpaces @@ -444 +444 @@ To enable the use of smart cards with Windows WorkSpaces, additional steps are r -By default, Amazon WorkSpaces enables the use of WebAuthn authenticators for in-session authentication. In-session authentication refers to WebAuthn authentication that's performed after logging in and requested by the web applications running within the session. +By default, Amazon WorkSpaces enables WebAuthn redirection, allowing users to use their local FIDO2-compatible security keys and biometric authenticators with applications running inside their WorkSpace. This feature securely redirects authentication requests from applications in the WorkSpace to the user's local device, providing seamless access to authentication methods including Yubikeys and Windows Hello. @@ -446 +446 @@ By default, Amazon WorkSpaces enables the use of WebAuthn authenticators for in- -#### Requirements +Amazon WorkSpaces supports two versions of WebAuthn redirection: @@ -448 +448 @@ By default, Amazon WorkSpaces enables the use of WebAuthn authenticators for in- -WebAuthn (FIDO2) redirection for DCV requires the following: + * **Standard WebAuthn** \- Requires a browser extension, supported on Windows and Linux WorkSpaces, for browser-based apps @@ -450 +450 @@ WebAuthn (FIDO2) redirection for DCV requires the following: - * DCV host agent version 2.0.0.1425 or higher + * **Enhanced WebAuthn** \- No browser extension required, with additional native application support, supported on Windows WorkSpaces only @@ -452 +451,0 @@ WebAuthn (FIDO2) redirection for DCV requires the following: - * WorkSpaces clients: @@ -454 +452,0 @@ WebAuthn (FIDO2) redirection for DCV requires the following: - * Linux Ubuntu 22.04 2023.3 or higher @@ -456 +453,0 @@ WebAuthn (FIDO2) redirection for DCV requires the following: - * Windows 5.19.0 or higher @@ -458 +455,15 @@ WebAuthn (FIDO2) redirection for DCV requires the following: - * Mac client 5.19.0 or higher +#### Standard WebAuthn redirection + +Standard WebAuthn redirection requires a browser extension to facilitate the redirection of WebAuthn prompts to the client device. + +##### Version requirements + + * **Windows WorkSpaces** : DCV host agent version 2.0.0.1425 or higher + + * **Client versions:** + + * Windows client: 5.19.0 or above + + * Mac client: 5.19.0 or above + + * Linux client: 2024.0 or above @@ -460 +471,4 @@ WebAuthn (FIDO2) redirection for DCV requires the following: - * Web browsers installed on your WorkSpaces running the Amazon DCV WebAuthn Redirection Extension: + + + +##### Supported browsers on WorkSpaces @@ -469 +483,35 @@ WebAuthn (FIDO2) redirection for DCV requires the following: -#### Enabling or disabling WebAuthn (FIDO2) redirection for Windows WorkSpaces +#### Enhanced WebAuthn redirection + +Enhanced WebAuthn redirection eliminates the need for a browser extension and provides support for WebAuthn authentication in native Windows applications that support WebAuthn authentication. + +##### Version requirements + + * **Windows WorkSpaces** : DCV host agent version 2.1.0.2000 or higher + + * **Client versions:** + + * Windows client: 5.29.0 or above + + * Mac client: 5.29.0 or above + + + + +##### Key benefits + + * No browser extension required + + * Improved performance + + * Support for WebAuthn in native Windows applications + + * Seamless authentication experience across browsers and desktop applications + + + + +##### Supported browsers on WorkSpaces + + * Google Chrome 116+ + + * Microsoft Edge 116+ @@ -471 +518,0 @@ WebAuthn (FIDO2) redirection for DCV requires the following: -If needed, you can enable or disable support for in-session authentication with WebAuthn authenticators for Windows WorkSpaces by using Group Policy settings. If you enable or do not configure this setting, WebAuthn redirection will be enabled and users can utilize local authenticators within the remote WorkSpace. @@ -473 +519,0 @@ If needed, you can enable or disable support for in-session authentication with -When feature is enabled, all WebAuthn requests from the browser in the session are redirected to the local client. Users can use Windows Hello or locally attached security devices like YubiKey or other FIDO2 compliant authenticators to complete the authentication process. @@ -475 +521,4 @@ When feature is enabled, all WebAuthn requests from the browser in the session a -###### To enable or disable WebAuthn (FIDO2) redirection for Windows WorkSpaces + +#### Configure WebAuthn redirection + +###### To configure WebAuthn redirection for Windows WorkSpaces @@ -479 +528 @@ When feature is enabled, all WebAuthn requests from the browser in the session a - 2. Open the **Enable/disable WebAuthn redirection** setting. + 2. Open the **Configure WebAuthn redirection** setting. @@ -481 +530 @@ When feature is enabled, all WebAuthn requests from the browser in the session a - 3. In the **Enable/disable WebAuthn redirection** dialog box, choose **Enabled** or **Disabled**. + 3. In the **Configure WebAuthn redirection** dialog box, choose **Enabled** or **Disabled**. @@ -485 +534,47 @@ When feature is enabled, all WebAuthn requests from the browser in the session a - 5. The Group Policy setting change takes effect after the WorkSpace session is restarted. To apply the Group Policy changes, reboot the WorkSpace by going to the Amazon WorkSpaces console and selecting the WorkSpace. Then, choose **Actions** , **Reboot WorkSpaces**). + 5. The Group Policy setting change takes effect after the WorkSpace session is restarted. To apply the Group Policy changes, reboot the WorkSpace by going to the Amazon WorkSpaces console and selecting the WorkSpace. Then, choose **Actions** , **Reboot WorkSpaces**. + + + + +###### Note + +This Group Policy setting enables WebAuthn redirection. The version used (Standard or Enhanced) depends on your host agent version and operating system support. + +#### Configure WebAuthn process compatibility + +When WebAuthn redirection is enabled, you can configure which applications and processes are allowed to use WebAuthn redirection through the **WebAuthn Process Compatibility List**. + +##### Default process compatibility list + +By default, the following processes are enabled for WebAuthn redirection: + + + ['chrome.exe','msedge.exe','island.exe','firefox.exe','dcvwebauthnnativemsghost.exe','msedgewebview2.exe','Microsoft.AAD.BrokerPlugin.exe'] + +##### Required process for Standard WebAuthn + + * `dcvwebauthnnativemsghost.exe` \- This process is **required** for Standard WebAuthn functionality and must remain in the compatibility list when using Standard WebAuthn. + + + + +###### To configure the WebAuthn process compatibility list + + 1. In the Group Policy Management Editor, choose **Computer Configuration** , **Policies** , **Administrative Templates** , **Amazon** , and **DCV**. + + 2. Open the **Configure WebAuthn Redirection** setting. + + 3. Choose **Enabled**. + + 4. In the **WebAuthn process compatibility list** field, specify the list of process names that are compatible with WebAuthn redirection. + + * Use the default list as a starting point + + * Add additional process names as needed for your environment + + 5. Choose **OK**. + + 6. The Group Policy setting change takes effect after the WorkSpace session is restarted. + + + @@ -486,0 +582 @@ When feature is enabled, all WebAuthn requests from the browser in the session a +##### Process compatibility list guidelines @@ -487,0 +584 @@ When feature is enabled, all WebAuthn requests from the browser in the session a + * **For Standard WebAuthn** : Always include `dcvwebauthnnativemsghost.exe` in the list @@ -488,0 +586 @@ When feature is enabled, all WebAuthn requests from the browser in the session a + * **Custom Applications** : Add any additional `.exe` process names that need WebAuthn support in your environment @@ -490 +588 @@ When feature is enabled, all WebAuthn requests from the browser in the session a -#### Installing the Amazon DCV WebAuthn Redirection Extension + * **Format** : Use comma-separated process names enclosed in square brackets, with each process name in single quotes @@ -492 +589,0 @@ When feature is enabled, all WebAuthn requests from the browser in the session a -Users will need install the Amazon DCV WebAuthn Redirection Extension to use WebAuthn after the feature is enabled by doing either of the following: @@ -494 +591,29 @@ Users will need install the Amazon DCV WebAuthn Redirection Extension to use Web - * Your users will be prompted to enable the browser extension in their browser. + + +##### Example custom process list + + + ['chrome.exe','msedge.exe','firefox.exe','dcvwebauthnnativemsghost.exe','msedgewebview2.exe','Microsoft.AAD.BrokerPlugin.exe','myapp.exe','customapplication.exe'] + +#### Transitioning from Standard to Enhanced WebAuthn + +When upgrading from Standard WebAuthn to Enhanced WebAuthn, **users will need to uninstall or disable the Amazon DCV WebAuthn Redirection browser extension** they previously installed for Standard WebAuthn before using Enhanced WebAuthn. + +##### Why this step is important + + * Enhanced WebAuthn handles redirection natively without browser extensions + + * Leaving the extension enabled will default to Standard WebAuthn redirection + + + + +#### Installing the Amazon DCV WebAuthn Redirection Extension (Standard WebAuthn Only) + +###### Note + +This section only applies to Standard WebAuthn. Enhanced WebAuthn does not require browser extensions.