{"stig":{"title":"VMware Horizon 7.13 Agent Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-246860","ruleId":"SV-246860r768540_rule","severity":"medium","ruleTitle":"The Horizon Agent must require TLS connections.","description":"The Horizon Agent has the capability to be backward compatible with legacy clients, circa View 5.2, which do not support newer TLS connections. By default, the agent can fall back to this non-TLS mode when being accessed by a legacy client. The Horizon Agent must be configured not to support these legacy clients and to enforce TLS connections as mandatory.","checkContent":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Security. Double-click the \"Accept SSL encrypted framework channel\" setting.\n\nIf \"Accept SSL encrypted framework channel\" is not \"Enabled\" and set to \"Enforce\", this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Security. Double-click the \"Accept SSL encrypted framework channel\" policy.\n\nMake sure the policy is \"Enabled\". Choose \"Enforce\" from the drop-down. Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246861","ruleId":"SV-246861r768543_rule","severity":"medium","ruleTitle":"The Horizon Agent must only run allowed scripts on user connect.","description":"The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful for setting up a user environment in certain circumstances, running such scripts should be delegated to native Windows capabilities where possible. These settings are powerful and can give a privileged attacker a place to persist. By default, this setting is unconfigured. Should the site require this setting, ensure it is audited and its configuration valid at all times.","checkContent":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the \"CommandsToRunOnConnect\" setting.\n\nIf \"CommandsToRunOnConnect\" is \"Not Configured\" or \"Disabled\", this is not a finding.\n\nClick the \"Show...\" button next to \"Commands\". If any of the listed commands are not expected, approved, and required, this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the \"CommandsToRunOnConnect\" setting.\n\nOption 1:\n\nClick the radio button next to \"Disabled\". Click \"OK\".\n\nOption 2:\n\nMake sure the setting is \"Enabled\".\n\nClick the \"Show...\" button next to \"Commands\". Highlight the unneeded command and press the \"delete\" key. Click \"OK\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246862","ruleId":"SV-246862r768546_rule","severity":"medium","ruleTitle":"The Horizon Agent must only run allowed scripts on user disconnect.","description":"The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful for setting up a user environment in certain circumstances, running such scripts should be delegated to native Windows capabilities where possible. These settings are powerful and can give a privileged attacker a place to persist. By default, this setting is unconfigured. Should a site require this setting, ensure it is audited and its configuration valid at all times.","checkContent":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the \"CommandsToRunOnDisconnect\" setting.\n\nIf \"CommandsToRunOnDisconnect\" is \"Not Configured\" or \"Disabled\", this is not a finding.\n\nClick the \"Show...\" button next to \"Commands\". If any of the listed commands are not expected, approved, and required, this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the \"CommandsToRunOnDisconnect\" setting.\n\nOption 1:\n\nClick the radio button next to \"Disabled\". Click \"OK\".\n\nOption 2:\n\nClick the \"Show...\" button next to \"Commands\". Highlight the unneeded command and press the \"delete\" key. Click \"OK\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246863","ruleId":"SV-246863r768549_rule","severity":"medium","ruleTitle":"The Horizon Agent must only run allowed scripts on user reconnect.","description":"The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful for setting up a user environment in certain circumstances, running such scripts should be delegated to native Windows capabilities where possible. These settings are powerful and can give a privileged attacker a place to persist. By default, this setting is unconfigured. Should a site require this setting, ensure it is audited and the configuration valid at all times.","checkContent":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the \"CommandsToRunOnReconnect\" setting.\n\nIf \"CommandsToRunOnReconnect\" is \"Not Configured\" or \"Disabled\", this is not a finding.\n\nClick the \"Show...\" button next to \"Commands\". If any of the listed commands are not expected, approved, and required, this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the \"CommandsToRunOnReconnect\" setting.\n\nOption 1:\n\nClick the radio button next to \"Disabled\". Click \"OK\".\n\nOption 2:\n\nClick the \"Show...\" button next to \"Commands\". Highlight the unneeded command and press the \"delete\" key. Click \"OK\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246864","ruleId":"SV-246864r768552_rule","severity":"medium","ruleTitle":"The Horizon Agent must check the entire chain when validating certificates.","description":"Any time the Horizon Agent establishes an outgoing TLS connection, it verifies the server certificate revocation status. By default, it verifies all intermediates but not the root. DoD policy requires full path validation, so this default behavior must be changed.","checkContent":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Common Configuration >> Security Configuration. Double-click the \"Type of certificate revocation check\" setting.\n\nIf \"Type of certificate revocation check\" is \"Not Configured\" or \"Disabled\", this is a finding.\n\nIn the drop-down under \"Type of certificate revocation check\", if \"WholeChain\" is not selected, this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Common Configuration >> Security Configuration. Double-click the \"Type of certificate revocation check\" setting.\n\nMake sure the setting is \"Enabled\".\n\nIn the drop-down under \"Type of certificate revocation check\", select \"WholeChain\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246865","ruleId":"SV-246865r768555_rule","severity":"medium","ruleTitle":"The Horizon Agent must set an idle timeout.","description":"Idle sessions are at increased risk of being hijacked. If a user has stepped away from their desk and is no longer in positive control of their session, that session is in danger of being assumed by an attacker. Idle sessions also waste valuable datacenter resources and could potentially lead to a lack of resources for new, active users. As such, an organizationally defined idle timeout must be supplied to override the Horizon default of \"never\".","checkContent":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the \"Idle Time Until Disconnect (VDI)\" setting.\n\nIf \"Idle Time Until Disconnect (VDI)\" is \"Not Configured\" or \"Disabled\", this is a finding.\n\nIn the drop-down next to \"Idle Timeout\", if \"Never\" is selected, this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the \"Idle Time Until Disconnect (VDI)\" setting.\n\nClick the radio button next to \"Enabled\".\n\nIn the drop-down next to \"Idle Timeout\", select an appropriate, site-specific timeout that is not \"Never\". This is typically two hours, but your configuration may vary. Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246866","ruleId":"SV-246866r768558_rule","severity":"medium","ruleTitle":"The Horizon Agent must block server to client clipboard actions for Blast.","description":"Data loss prevention is a primary concern for the DoD: positive control of data must be maintained at all times, and data flows are allowed only over channels that exist for that explicit purpose and are monitored appropriately. By default, the Blast protocol on the Horizon Agent will block clipboard \"copy/paste\" actions from the desktop to the client but allow actions from the client to the desktop. This configuration must be validated and maintained over time.","checkContent":"Ensure the vdm_blast.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the \"Configure clipboard redirection\" setting.\n\nIf \"Configure clipboard redirection\" is \"Not Configured\" or \"Disabled\", this is not a finding.\n\nIn the drop-down under \"Configure clipboard redirection\", if \"Enabled server to client only\" or \"Enabled in both directions\" is selected, this is a finding.","fixText":"Ensure the vdm_blast.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> VMware Blast. Double-click the \"Configure clipboard redirection\" setting.\n\nClick the radio button next to \"Disabled\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246867","ruleId":"SV-246867r768561_rule","severity":"medium","ruleTitle":"The Horizon Agent must block server to client clipboard actions for PCoIP.","description":"Data loss prevention is a primary concern for the DoD: positive control of data must be maintained at all times, and data flows are allowed only over channels that exist for that explicit purpose and are monitored appropriately. By default, the PCoIP protocol on the Horizon Agent will block clipboard \"copy/paste\" actions from the desktop to the client but allow actions from the client to the desktop. This configuration must be validated and maintained over time.","checkContent":"Ensure the pcoip.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Not Overridable Administrator Settings. Double-click the \"Configure clipboard redirection\" setting.\n\nIf \"Configure clipboard redirection\" is \"Not Configured\" or \"Disabled\", this is not a finding.\n\nIn the drop-down under \"Configure clipboard redirection\", if \"Enabled server to client only\" or \"Enabled in both directions\" is selected, this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Not Overridable Administrator Settings. Double-click the \"Configure clipboard redirection\" setting.\n\nClick the radio button next to \"Disabled\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246868","ruleId":"SV-246868r768564_rule","severity":"medium","ruleTitle":"The Horizon Agent must not allow file transfers through HTML Access.","description":"Data loss prevention is a primary concern for the DoD: positive control of data must be maintained at all times, and data flows are allowed only over channels that exist for that explicit purpose and are monitored appropriately. Additionally, data coming into the environment must arrive through allowed channels and be inspected appropriately. By default, the Blast protocol on the Horizon Agent will allow file transfers through HTML Access only from the client to the desktop. This must be configured to be disabled in both directions.","checkContent":"Ensure the vdm_blast.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the \"Configure file transfer\" setting.\n\nIf \"Configure file transfer\" is not \"Enabled\", this is a finding.\n\nIn the drop-down under \"Configure file transfer\", if \"Disabled both upload and download\" is not selected, this is a finding.","fixText":"Ensure the vdm_blast.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the \"Configure file transfer\" setting.\n\nClick the radio button next to \"Enabled\".\n\nIn the drop-down under \"Configure file transfer\", select \"Disabled both upload and download\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246869","ruleId":"SV-246869r768567_rule","severity":"medium","ruleTitle":"The Horizon Agent must not allow drag and drop for Blast.","description":"Data loss prevention is a primary concern for the DoD: positive control of data must be maintained at all times, and data flows are allowed only over channels that exist for that explicit purpose and are monitored appropriately. Additionally, data coming into the environment must arrive through allowed channels and be inspected appropriately. By default, the Blast protocol on the Horizon Agent will allow drag and drop actions from the client to the desktop. This must be configured to be disabled in both directions.","checkContent":"Ensure the vdm_blast.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the \"Configure drag and drop direction\" setting.\n\nIf \"Configure drag and drop direction\" is not \"Enabled\", this is a finding.\n\nIn the drop-down under \"Configure drag and drop\", if \"Disabled in both directions\" is not selected, this is a finding.","fixText":"Ensure the vdm_blast.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the \"Configure drag and drop\" setting.\n\nClick the radio button next to \"Enabled\".\n\nIn the drop-down under \"Configure drag and drop\", select \"Disabled in both directions\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246870","ruleId":"SV-246870r768570_rule","severity":"medium","ruleTitle":"The Horizon Agent must not allow drag and drop for PCoIP.","description":"Data loss prevention is a primary concern for the DoD: positive control of data must be maintained at all times, and data flows are allowed only over channels that exist for that explicit purpose and are monitored appropriately. Additionally, data coming into the environment must arrive through allowed channels and be inspected appropriately. By default, the PCoIP protocol on the Horizon Agent will allow drag and drop actions from the client to the desktop. This must be configured to be disabled in both directions.","checkContent":"Ensure the pcoip.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the \"Configure drag and drop direction\" setting.\n\nIf \"Configure drag and drop direction\" is not \"Enabled\", this is a finding.\n\nIn the drop-down under \"Configure drag and drop direction\", if \"Disabled in both directions\" is not selected, this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the \"Configure drag and drop direction\" setting.\n\nClick the radio button next to \"Enabled\".\n\nIn the drop-down under \"Configure drag and drop\", select \"Disabled in both directions\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246871","ruleId":"SV-246871r768573_rule","severity":"medium","ruleTitle":"The Horizon Agent must audit clipboard actions for Blast.","description":"Data loss prevention is a primary concern for the DoD: positive control of data must be maintained at all times, and data flows are allowed only over channels that exist for that explicit purpose and are monitored appropriately. By default, the Blast protocol on the Horizon Agent will block clipboard \"copy/paste\" actions from the desktop to the client but allow actions from the client to the desktop. All such allowed actions must be audited for potential future forensic purposes.","checkContent":"Ensure the vdm_blast.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the \"Configure clipboard audit\" setting.\n\nIf \"Configure clipboard audit\" is \"Not Configured\" or \"Disabled\", this is a finding.\n\nIn the drop-down under \"Configure clipboard audit\", if \"Enabled in both directions\" is not selected, this is a finding.","fixText":"Ensure the vdm_blast.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> VMware Blast. Double-click the \"Configure clipboard audit\" setting.\n\nClick the radio button next to \"Enabled\".\n\nIn the drop-down under \"Configure clipboard audit\", select \"Enabled in both directions\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246872","ruleId":"SV-246872r768576_rule","severity":"medium","ruleTitle":"The Horizon Agent must audit clipboard actions for PCoIP.","description":"Data loss prevention is a primary concern for the DoD: positive control of data must be maintained at all times, and data flows are allowed only over channels that exist for that explicit purpose and are monitored appropriately. By default, the PCoIP protocol on the Horizon Agent will block clipboard \"copy/paste\" actions from the desktop to the client but allow actions from the client to the desktop. All such allowed actions must be audited for potential future forensic purposes.","checkContent":"Ensure the pcoip.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the \"Configure clipboard audit\" setting.\n\nIf \"Configure clipboard audit\" is \"Not Configured\" or \"Disabled\", this is a finding.\n\nIn the drop-down under \"Configure clipboard audit\", if \"Enabled in both directions\" is not selected, this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the \"Configure clipboard audit\" setting.\n\nClick the radio button next to \"Enabled\".\n\nIn the drop-down under \"Configure clipboard audit\", select \"Enabled in both directions\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246873","ruleId":"SV-246873r768579_rule","severity":"medium","ruleTitle":"The Horizon Agent desktops must not allow client drive redirection.","description":"Data loss prevention is a primary concern for the DoD: positive control of data must be maintained at all times, and data flows are allowed only over channels that exist for that explicit purpose and are monitored appropriately. By default, the Horizon Client, Agent, and guest operating systems will coordinate to allow drives local to the client to be redirected over the Client connection and mounted in the virtual desktop. This configuration must be modified to disallow drive sharing in order to protect sensitive DoD data from being maliciously, accidentally, or casually removed from the controlled environment.","checkContent":"Ensure the vdm_rdsh_server.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the \"Do not allow drive redirection\" setting.\n\nIf \"Do not allow drive redirection\" is not \"Enabled\", this is a finding.","fixText":"Ensure the vdm_rdsh_server.admx template is added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the \"Do not allow drive redirection\" setting.\n\nClick the radio button next to \"Enabled\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246874","ruleId":"SV-246874r768582_rule","severity":"medium","ruleTitle":"The Horizon Agent must block USB mass storage.","description":"The Horizon Agent has the capability to granularly control what, if any, USB devices are allowed to be passed from the local client to the agent on the virtual desktop. By default, Horizon blocks certain device families from being redirected to the remote desktop or application. For example, HID (human interface devices) and keyboards are blocked from appearing in the guest, as released BadUSB code targets USB keyboard devices.\n\nWhile there are legitimate reasons to pass USB devices to the desktop, these must be carefully analyzed for necessity. At a minimum, USB Mass Storage devices must never be passed through, in keeping with long-standing DoD data loss prevention policies. As thumb drives are disallowed for physical PCs, so should they be for virtual desktops. This can be accomplished in many ways, including natively in the Horizon Agent.","checkContent":"Interview the SA. USB mass storage devices can be blocked in a number of ways:\n\n1. The desktop OS\n2. A third-party DLP solution\n3. The \"USB Redirection\" optional agent feature not being installed on any VDI image\n4. On the Connection Server via individual pool policies or global policies\n\nIf any of these methods are already employed, the risk is already addressed and this control is not applicable.\n\nIf USB devices are not otherwise blocked, the Horizon Agent must be configured to block storage devices via allowlist or denylist.\n\nEnsure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> View USB Configuration.\n\n1. Check for denylisting:\n\nDouble-click the \"Exclude Device Family\" setting.\n\nIf \"Exclude Device Family\" is not \"Enabled\", denylisting is Not Configured.\n\nIf \"Exclude Device Family\" does not include at least \"o:storage\", denylisting is Not Configured.\n\nIf denylisting is Not Configured, continue to check for allowlisting. If denylisting is configured, this is not a finding.\n\n2. Check for allowlisting:\n\nDouble-click the \"Exclude All Devices\" setting.\n\nIf \"Exclude All Devices\" is not \"Enabled\", allowlisting is Not Configured.\n\nClick \"Cancel\". Double-click the \"Include Device Family\" setting. If \"Include Device Family\" is \"Enabled\" and includes \"storage\", allowlisting is Not Configured.\n\nIf neither denylisting nor allowlisting is properly configured, this is a finding.","fixText":"Ensure the vdm_agent*.admx templates are added. Open the \"Group Policy Management\" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.\n\nNavigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> View USB Configuration.\n\nOption 1, denylist:\n\nDouble-click the \"Exclude Device Family\" setting.\n\nIf the setting is \"Disabled\" or \"Not Configured\", click the radio button next to \"Enabled\".\n\nIn the field below \"Exclude Device Family\", add the following:\n\no:storage\n\nClick \"OK\".\n\nOption 2, allowlist:\n\nDouble-click the \"Exclude All Devices\" setting.\n\nIf the setting is \"Disabled\" or \"Not Configured\", click the radio button next to \"Enabled\". Click \"OK\".\n\n(Optional)\n\nDouble-click the \"Include Device Family\" setting.\n\nMake sure the setting is \"Enabled\".\n\nIn the field below \"Include Device Family\", add the site-specific allowlisted device family strings, making sure not to include any \"storage\".\n\nClick \"OK\".","ccis":["CCI-000366"]}]}