{"stig":{"title":"VMware Horizon 7.13 Connection Server Security Technical Implementation Guide","version":"1","release":"2"},"checks":[{"vulnId":"V-246882","ruleId":"SV-246882r879511_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must limit the number of concurrent client sessions.","description":"The Horizon Connection Server has the ability to limit the number of simultaneous client connections. This capability is helpful in limiting resource exhaustion risks related to denial of service attacks. By default, in code, the Connection Server allows up to 2000 client connections at one time, over all protocol types. For larger deployments, this limit can be increased to a tested and supported maximum of 4000 by making modifications to the \"locked.properties\" file.\n\nEnsure any changes to the number of allowed simultaneous connections are supported by VMware for the choice of protocols and that this value is documented as part of the SSP.\n\nSatisfies: SRG-APP-000001-AS-000001, SRG-APP-000435-AS-000163","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, this is NOT a finding.\n\nOpen \"locked.properties\" in a text editor. Find the \"maxConnections\" setting.\n\nThe \"maxConnections\" setting may be set higher than the default of \"2000\" (up to 4000) in certain, large Horizon deployments.\n\nIf there is no \"maxConnections\" setting, this is NOT a finding.\n\nIf \"maxConnections\" is set to more than \"4000\", this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nOpen \"locked.properties\" in a text editor. Add or change the following line:\n\nmaxConnections=2000\n\nThe default value of \"2000\" may be increased to no more than 4000 if required and properly documented. 
Otherwise, keep the default value of \"2000\".\n\nSave and close the file. Restart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000054"]},{"vulnId":"V-246883","ruleId":"SV-246883r879520_rule","severity":"high","ruleTitle":"The Horizon Connection Server must be configured to only support TLS 1.2 connections.","description":"Preventing the disclosure of transmitted information requires that the application server take measures to employ strong cryptographic mechanisms to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).\n\nTLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems.\n\nAccording to NIST and as of publication, TLS 1.1 must not be used and TLS 1.2 will be configured.\n\nNote: Mandating TLS 1.2 may affect certain client types. Test and implement carefully.\n\nSatisfies: SRG-APP-000015-AS-000010, SRG-APP-000014-AS-000009, SRG-APP-000156-AS-000106, SRG-APP-000172-AS-000120, SRG-APP-000439-AS-000155, SRG-APP-000439-AS-000274 , SRG-APP-000440-AS-000167, SRG-APP-000442-AS-000259","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, confirm with the SA if TLS 1.2 was enforced at a global level via ADSI EDIT. If no such global change was made, this is a finding.\n\nOpen \"locked.properties\" in a text editor. Find the \"secureProtocols.1\" and \"preferredSecureProtocol\" settings. 
Ensure they are set as follows:\n\nsecureProtocols.1=TLSv1.2\npreferredSecureProtocol=TLSv1.2\n\nIf there is a \"secureProtocols.2\" or \"secureProtocols.3\" setting, this is a finding.\n\nIf the \"secureProtocols.1\" and \"preferredSecureProtocol\" are not exactly as above, this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nOpen \"locked.properties\" in a text editor. Remove any \"secureProtocols.2\" or \"secureProtocols.3\" settings. Add or change the following lines:\n\nsecureProtocols.1=TLSv1.2\npreferredSecureProtocol=TLSv1.2\n\nSave and close the file. Restart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-001453"]},{"vulnId":"V-246884","ruleId":"SV-246884r879520_rule","severity":"high","ruleTitle":"The Blast Secure Gateway must be configured to only support TLS 1.2 connections.","description":"Preventing the disclosure of transmitted information requires that the application server take measures to employ strong cryptographic mechanisms to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).\n\nTLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems.\n\nAccording to NIST and as of publication, TLS 1.1 must not be used and TLS 1.2 will be configured.\n\nNote: Mandating TLS 1.2 may affect certain client types. Test and implement carefully.","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\appblastgateway\".\n\nIf a file named \"absg.properties\" does not exist in this path, this is a finding.\n\nOpen \"absg.properties\" in a text editor. 
Find the \"localHttpsProtocolLow\" and \"localHttpsProtocolHigh\" settings.\n\nEnsure they are set as follows:\n\nlocalHttpsProtocolLow=tls1.2\nlocalHttpsProtocolHigh=tls1.2\n\nIf the \"localHttpsProtocolLow\" or \"localHttpsProtocolHigh\" settings do not exist, this is a finding.\n\nIf the \"localHttpsProtocolLow\" and \"localHttpsProtocolHigh\" are not exactly as above, this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\appblastgateway\".\n\nOpen \"absg.properties\" in a text editor. Add or change the following lines:\n\nlocalHttpsProtocolLow=tls1.2\nlocalHttpsProtocolHigh=tls1.2\n\nSave and close the file. Restart the \"VMware Horizon 7 Blast Secure Gateway\" service for changes to take effect.","ccis":["CCI-001453"]},{"vulnId":"V-246885","ruleId":"SV-246885r879520_rule","severity":"high","ruleTitle":"The Horizon Connection Server must force server cipher preference.","description":"By default, during the initial setup of a Transport Layer Security (TLS) connection to the Horizon Connection Server, the client sends a list of supported cipher suites in order of preference. The Connection Server replies with the cipher suite it will use for communication, chosen from the client list. This is not ideal since the untrusted client is setting the boundaries and conditions for the connection to proceed. The client could potentially specify known weak cipher combinations that would make the communication more susceptible to interception. 
By adding the \"honorClientOrder\" setting to the locked.properties file, the Connection Server will reject the client preference and force the client to choose from the server ordered list of preferred ciphers.","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, confirm with the SA if forcing server-side cipher order was enforced at a global level via ADSI EDIT. If no such global change was made, this is a finding.\n\nOpen \"locked.properties\" in a text editor. Find the \"honorClientOrder\" setting. Ensure it is set as follows:\n\nhonorClientOrder=false\n\nIf there is no \"honorClientOrder\" setting, this is a finding.\n\nIf the \"honorClientOrder\" is not set to \"false\", this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nOpen \"locked.properties\" in a text editor. Remove any existing \"honorClientOrder\" settings. Add or change the following line:\n\nhonorClientOrder=false\n\nSave and close the file. Restart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-001453"]},{"vulnId":"V-246886","ruleId":"SV-246886r879521_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must be configured to debug level logging.","description":"To ensure that all security-relevant information and events are logged, the Horizon Connection Server must be configured with the \"debug\" logging level. This is the default value but since it could be changed to \"info\", this configuration must be verified and maintained.","checkContent":"On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to \"HKLM\\Software\\VMware, Inc.\\VMware VDM\". 
Locate the \"DebugEnabled\" key.\n\nIf \"DebugEnabled\" does not exist, this is NOT a finding.\n\nIf \"DebugEnabled\" does not have a value of \"true\", this is a finding.","fixText":"On the Horizon Connection Server, open the Start menu. Find and launch the \"Set Horizon 7 Connection Server Log Levels\" shortcut. The precise location will vary depending on the Windows Server version and Start menu options; type the name to find it.\n\nIn the resulting command window, select option 2, \"View Debug\". Press any key to exit the command prompt window.","ccis":["CCI-000067"]},{"vulnId":"V-246887","ruleId":"SV-246887r879530_rule","severity":"medium","ruleTitle":"The Horizon Connection Server administrators must be limited in terms of quantity, scope, and permissions.","description":"Role based access and least privilege are two fundamental security concepts that must be properly implemented in Horizon View to ensure the right user and groups have the right permissions on the right objects. Horizon View allows for assigning of roles (pre-defined sets of permissions) to specific users and groups and on a specific Access Group (set of objects). Administrators must ensure that minimal permissions are assigned to the right entities, in the right scope, and stay so over time.\n\nSatisfies: SRG-APP-000033-AS-000024, SRG-APP-000118-AS-000078, SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083, SRG-APP-000290-AS-000174, SRG-APP-000315-AS-000094, SRG-APP-000340-AS-000185, SRG-APP-000343-AS-000030","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators. 
From the \"Administrators and Groups\" tab, review each user and group in the left pane and their associated roles in the right pane.\n\nAnyone with any privilege can log on to the Console and view potentially sensitive configurations, system details, and events.\n\nIf there are any users or groups that should not be viewed as trusted \"Administrators\" of the Horizon system, this is a finding.\n\nPermissions must be as restrictive as possible and their scope (Access Group) as limited as possible. Ensure no user or group has unnecessary permissions and that their Access Group is appropriately limited. Pay special attention to the \"Local Administrator\" and \"Administrator\" roles on the root Access Group as those users and groups have total control over the local and global environment, respectively.\n\nIf any user or group has permissions that are greater than the minimum necessary, this is a finding.\n\nIf any user or group has any permissions on an overly broad access group, this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators.\n\nTo remove users or groups:\n\nFrom the \"Administrators and Groups\" tab, select the unnecessary users or groups in the left pane and click the \"Remove User or Group\" button. Click \"OK\" to confirm removal.\n\nTo modify assigned permissions:\n\nFrom the \"Administrators and Groups\" tab, select the appropriate user or group in the left pane. From the right pane, select the role to remove and click \"Remove Permission\". Click \"OK\" to confirm removal.\n\nTo create a new role with more limited permissions:\n\nFrom the \"Role Permissions\" tab, click \"Add Role\". Provide a descriptive name and select the minimum required permissions. Click \"OK\". Highlight the new role. Click \"Add Permission\". Click \"Add\". Find the relevant user(s). Click \"OK\". 
Click \"Finish\".","ccis":["CCI-000213"]},{"vulnId":"V-246888","ruleId":"SV-246888r879554_rule","severity":"high","ruleTitle":"The Horizon Connection Server must require DoD PKI for administrative logins.","description":"The Horizon Connection Server console supports CAC login as required for cryptographic non-repudiation. CAC login can be configured as disabled, optional or required but for maximum assurance it must be set to \"required\". Setting CAC login as \"optional\" may be appropriate at some sites to support a \"break glass\" scenario where PKI is failing but there is an emergency access account configured with username/password.\n\nSatisfies: SRG-APP-000080-AS-000045, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000153-AS-000104, SRG-APP-000177-AS-000126, SRG-APP-000392-AS-000240, SRG-APP-000391-AS-000239, SRG-APP-000403-AS-000248","checkContent":"Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Click the \"Authentication\" tab. Scroll down to \"Horizon Administrator Authentication\". Find the value in the drop down next to \"Smart card authentication for administrators\".\n\nIf \"Smart card authentication for administrators\" is not set to \"Required\", this is a finding.\n\nNOTE: If another form of DoD approved PKI is used, and configured to be required for administrative logins, this is not a finding.","fixText":"Log in to Horizon Connection Server Console and copy all root and intermediate certificates, in base-64 '.cer' format, required for CAC authentication to \"C:\\Certs\". If \"C:\\Certs\" does not exist, create it.\n\nCopy the provided make_keystore.txt to the Horizon Connection Server in \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\". Rename \"make_keystore.txt\" to \"make_keystore.ps1\". 
The \"make_keystore.txt\" content is provided in this STIG package.\n\nLaunch PowerShell as an administrator on the Horizon Connection Server and execute the following commands:\n\ncd \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\"\nSet-ExecutionPolicy unrestricted\n(type 'Y' when prompted)\n.\\make_keystore.ps1 -CertDir C:\\Certs -Password <store password> -KeyStore keystore -LockedProperties locked.properties\n\nCopy the created \"locked.properties\" and \"keystore\" files to any Horizon Connection Server that shares the same trusted issuers. Omit this step if multiple connection servers are not utilized.\n\nLog in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Select the \"Authentication\" tab. Scroll down to \"View Administrator Authentication\". Select \"Required\" for the \"Smart card authentication for administrators\". Click \"OK\". Repeat for all other Horizon Connection Servers.\n\nRestart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000166"]},{"vulnId":"V-246889","ruleId":"SV-246889r879559_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must be configured with an events database.","description":"The Horizon Connection Server stores application level events and actions in a dedicated database versus log files. This makes day-to-day administration easier while offloading these events to a separate system for resiliency.\n\nAn events database is configured after Connection Server deployment. 
It need only be done once, in the case of multiple grouped Connection Servers, as the configuration will be applied to the other servers automatically.\n\nSatisfies: SRG-APP-000089-AS-000050, SRG-APP-000091-AS-000052, SRG-APP-000095-AS-000056, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072, SRG-APP-000266-AS-000168, SRG-APP-000380-AS-000088, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000503-AS-000228, SRG-APP-000504-AS-000229, SRG-APP-000505-AS-000230, SRG-APP-000509-AS-000234","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Monitor >> Events.\n\nIf the right pane is empty or shows \"Events DB is not configured.\", this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Event Configuration. In the right pane, under \"Event Database\", click \"Edit\". Enter the necessary database information in the fields provided. Click \"OK\".\n\nNote: Horizon Connection Server supports MSSQL and Oracle database types. Create a database with an appropriate, descriptive name. Create a user with permission to create tables, views, Oracle triggers and sequences (if Oracle) and permission to read from and write to these objects. Consult VMware documentation for more detailed database setup information and minimum required privileges.","ccis":["CCI-000169"]},{"vulnId":"V-246890","ruleId":"SV-246890r879560_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must limit access to the global configuration privilege.","description":"The Horizon Connection Server comes with pre-defined privileges that can be combined in any combination into a role. That role is then assigned to a user or group. Any role that has the \"Manage Global Configuration and Policies\" privilege has the ability to change the configuration of the Connection Server, including the events database. 
This privilege must be restricted and monitored over time.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators. From the \"Role Privileges\" tab, review each role in the left pane and their associated privileges in the right pane.\n\nNote any role with the \"Manage Global Configuration and Policies\" privilege. Switch to the \"Role Permissions\" tab. For each noted role, if there are any users or groups listed who are not permitted to change the events database configuration, this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators. Select each user or group with inappropriate access to the \"Manage Global Configuration and Policies\" privilege. Remove access or modify permissions as appropriate.\n\nTo remove users or groups:\n\nFrom the \"Administrators and Groups\" tab, select the unnecessary users or groups in the left pane and click the \"Remove User or Group\" button. Click \"OK\" to confirm removal.\n\nTo modify assigned permissions:\n\nFrom the \"Administrators and Groups\" tab, select the appropriate user or group in the left pane. From the right pane, select the role to remove and click the \"Remove Permission\" button. Click \"OK\" to confirm removal.","ccis":["CCI-000171"]},{"vulnId":"V-246891","ruleId":"SV-246891r879612_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates.","description":"The Horizon Connection Server performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. 
If a SAML 2.0 authenticator is configured for use by a Connection Server instance, the Connection Server also performs certificate revocation checking on the SAML 2.0 server certificate. By default, all certificates in the chain are checked except the root certificate. This must be changed so that the full path, including the root, is validated.","checkContent":"On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to \"HKLM\\Software\\VMware, Inc.\\VMware VDM\\Security\". Locate the \"CertificateRevocationCheckType\" key.\n\nIf the \"CertificateRevocationCheckType\" key does not exist, this is a finding.\n\nIf the \"CertificateRevocationCheckType\" key does not have a value of \"3\", this is a finding.","fixText":"On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to \"HKLM\\Software\\VMware, Inc.\\VMware VDM\\Security\". \n\nIf the \"CertificateRevocationCheckType\" key exists:\n\nRight click \"CertificateRevocationCheckType\", select \"Modify...\" and set the value to \"3\" (without quotes). Click \"OK\".\n\nOtherwise:\n\nRight-click on the \"Security\" folder and select New >> DWORD (32 bit) Value. Set the name to \"CertificateRevocationCheckType\" (without quotes). Right-click \"CertificateRevocationCheckType\", select \"Modify...\" and set the value to \"3\" (without quotes). Click \"OK\".\n\nRestart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000185"]},{"vulnId":"V-246892","ruleId":"SV-246892r879612_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must validate client and administrator certificates.","description":"The Horizon Connection Server can be configured to check the revocation status of PKI certificates over both OCSP and CRL. This capability is disabled by default and must be enabled post-deployment. 
There are a number of other configurations that are supported, including OCSP and CRL location override but those will be site and architecture specific. The suggested configuration is OCSP with failover to CRL and override the AIA locations via a local OCSP responder, if present. See below:\n\nenableRevocationChecking=true\nocspCRLFailover=true\nocspSendNonce=true\nenableOCSP=true\nallowCertCRLs=false\ncrlLocation=http://<crl.myagency.mil>\nocspURL=http://<ca.myagency.mil>/ocsp\nocspSigningCert=ca.myagency.mil.cer\n\nSet enableRevocationChecking to true to enable smart card certificate revocation checking.\nSet ocspCRLFailover to true to enable CRL checking if OCSP fails.\nSet ocspSendNonce to true to prevent OCSP repeated responses.\nSet enableOCSP to true to enable OCSP certificate revocation checking.\nSet allowCertCRLs to false to disable pulling the CRL distribution point from the certificate.\nSet crlLocation to the local file or http URL to use for the CRL distribution point.\nSet ocspURL to the URL of the OCSP Responder.\nSet ocspSigningCert to the location of the file that contains the OCSP Responder's signing certificate.","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, this is a finding.\n\nOpen \"locked.properties\" in a text editor. Find the \"enableRevocationChecking\" setting.\n\nIf \"enableRevocationChecking\" does not exist, this is a finding.\n\nIf \"enableRevocationChecking\" is not set to \"true\", this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nOpen \"locked.properties\" in a text editor. Add or change the following line:\n\nenableRevocationChecking=true\n\nSave and close the file. 
Restart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000185"]},{"vulnId":"V-246893","ruleId":"SV-246893r879616_rule","severity":"high","ruleTitle":"The Horizon Connection Server must only use FIPS 140-2 validated cryptographic modules.","description":"Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms or poor implementation.\n\nThe Horizon Connection Server can be configured to exclusively use FIPS 140-2 validated cryptographic modules but only at installation time, not post deployment. Reference VMware documentation for up-to-date requirements for enabling FIPS in Horizon View.\n\nSatisfies: SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000416-AS-000140","checkContent":"On the Horizon Connection Server, launch an elevated command prompt. Run the following commands:\n\n# cd C:\\ProgramData\\VMware\\VDM\n# findstr /C:\"Broker started in FIPS mode\" log-*.txt\n\nIf the \"findstr\" command produces no output, this is a finding.","fixText":"FIPS mode can only be implemented during installation. 
Reinstall the Horizon Connection server and select the option to enable FIPS mode (after the IP configuration).\n\nNote: The Connection Server can only be installed in FIPS mode if Windows Server itself is running in FIPS mode.","ccis":["CCI-000803"]},{"vulnId":"V-246894","ruleId":"SV-246894r879637_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must time out administrative sessions after 15 minutes or less.","description":"If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the system.\n\nHorizon 7 Console sessions can and must be limited in the amount of idle time that will be allowed before automatic logoff. By default, 30 minutes of idle time is allowed but this must be changed to 15 minutes or less for DoD systems. This configuration must be verified and maintained over time.\n\nSatisfies: SRG-APP-000220-AS-000148, SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Find the “Connection Server Session Timeout” value.\n\nIf \"Connection Server Session Timeout\" is set to more than 15 minutes, this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Click \"Edit\". Set \"Connection Server Session Timeout\" to \"15\" minutes (or less). Click \"OK\".","ccis":["CCI-001185"]},{"vulnId":"V-246895","ruleId":"SV-246895r879656_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must protect log files from unauthorized access.","description":"Error logs can contain sensitive information about system errors and system architecture that need to be protected from unauthorized access and modification. 
By default, Horizon Connection Server logs are only accessible by local Windows Administrators. This configuration must be verified and maintained.","checkContent":"On the Horizon Connection Server, navigate to \"C:\\ProgramData\\VMware\\VDM\". Right-click the \"logs\" folder and select \"Properties\". Change to the \"Security\" tab. By default, only built-in system accounts such as \"SYSTEM\" and \"NETWORK SERVICE\" plus the local \"Administrators\" group have access to the \"logs\" folder.\n\nIf any other groups have any permissions on this folder, this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"C:\\ProgramData\\VMware\\VDM\". Right-click the \"logs\" folder and select \"Properties\". Change to the \"Security\" tab. Click \"Edit…\". Highlight any groups or users that are not built-in system administrative accounts or the local \"Administrators\" group. Click \"Remove\". Click \"OK\". Click \"OK\".","ccis":["CCI-001314"]},{"vulnId":"V-246896","ruleId":"SV-246896r879731_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must offload events to a central log server in real time.","description":"Information system logging capability is critical for accurate forensic analysis. Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records.\n\nThe Horizon Connection Server can be configured to send all events to a syslog receiver. Multiple servers can be configured but only the UDP protocol is supported at this time.\n\nSatisfies: SRG-APP-000358-AS-000064, SRG-APP-000515-AS-000203","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Event Configuration. The configured syslog servers are located in the right pane under \"Syslog\".\n\nIf there are no valid syslog servers configured, this is a finding.","fixText":"Log in to the Horizon 7 Console. 
From the left pane, navigate to Settings >> Event Configuration. In the right pane, under \"Syslog\", click \"Add\". Enter the address of your central log server and configure the port if necessary. Click \"OK\". Add other servers as necessary.","ccis":["CCI-001851"]},{"vulnId":"V-246897","ruleId":"SV-246897r879798_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must be configured with a DoD-issued TLS certificate.","description":"The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not DoD-approved, trust of this CA has not been established.\n\nThe Horizon Connection Server supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools, focusing on the certificate with the \"vdm\" friendly name.\n\nSatisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137","checkContent":"On the Horizon Connection Server, open \"certlm.msc or certmgr.msc\" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the \"Friendly Name\" of \"vdm\". For this certificate, locate the issuer in the \"Issued By\" column.\n\nIf the Horizon Connection Server broker certificate is not \"Issued By\" a trusted DoD CA, or other AO-approved certificate, this is a finding.","fixText":"Obtain a web server certificate from a DoD authority, specifying the common name as the \"Horizon Connection server FQDN\", the signing algorithm as \"SHA256\", and the key strength of at least \"1024 bits\".\n\nExport the certificate and private key to a password-protected PFX bundle.\n\nOn the Horizon Connection Server, open \"certlm.msc or certmgr.msc\" (Certificate Management - Local Computer). Select Personal >> Certificates. 
In the right pane, locate the certificate with the \"Friendly Name\" of \"vdm\". Right-click this certificate and select \"Properties\". Change the \"Friendly name\" to \"vdm-original\" or similar. Click \"OK\".\n\nRight click on the Personal >> Certificates folder. Select All Tasks >> Import. Click \"Next\". Click \"Browse...\". Navigate to the .pfx bundle and click \"Open\". Click \"Next\". Supply the password, select \"Mark this key as exportable\" and \"Include all extended properties\". Click \"Next\". Click \"Next\". Click \"Finish\".\n\nSelect the newly imported certificate. Right-click this certificate and select \"Properties\". Change the \"Friendly name\" to \"vdm\". This name must be exact. Click \"OK\".\n\nRestart the Connection Server or the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-002470"]},{"vulnId":"V-246898","ruleId":"SV-246898r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must reauthenticate users after a network interruption.","description":"Given the remote access nature of Horizon Connection Server, the client must be ensured to be under positive control as much as is possible from the server side. As such, whenever a network interruption causes a client disconnect, that session must be reauthenticated upon reconnection. To allow a session resumption would be convenient but would allow for the possibility of the endpoint being taken out of the control of the intended user and reconnected to a different network, in control of a bad actor who could then resume the disconnected session.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"Security Settings\" tab. 
Locate the \"Reauthenticate Secure Tunnel Connections After Network Interruption\" setting.\n\nIf the \"Reauthenticate Secure Tunnel Connections After Network Interruption\" setting is set to \"No\", this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"Security Settings\" tab. Click \"Edit\". Check the box next to \"Reauthenticate secure tunnel connections after network interruption\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246899","ruleId":"SV-246899r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must disconnect users after a maximum of ten hours.","description":"Horizon Connection Server is intended to provide remote desktops and applications, generally during working hours and for no more than an extended workday. Leaving sessions active for more than what is reasonable for a work day leaves open the possibility of a session becoming unoccupied and insecure on the client side. For example, if a client connection is opened at 0900, there are few day-to-day reasons that the connection should still be open after 1900, therefore the connection must be terminated. If the user is still active, they can reauthenticate immediately and get back on for another ten hours.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Locate the \"Forcibly Disconnect Users\" setting.\n\nIf the \"Forcibly Disconnect Users\" setting is set to \"Never\", this is a finding.\n\nIf the \"Forcibly Disconnect Users\" setting is set to greater than \"600\" minutes (ten hours), this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Click \"Edit\". 
Next to \"Forcibly Disconnect Users\", select \"After\" from the dropdown and fill in \"600\" minutes in the text field. Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246900","ruleId":"SV-246900r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must disconnect applications after two hours of idle time.","description":"Horizon View is intended to provide remote desktops and applications for more or less continuous use. If an application is open and goes unused for more than two hours, that application must be closed to eliminate the risk of that idle application being usurped. For desktops, sessions will not be disconnected after two hours but the credentials stored with Horizon will be invalidated. Subsequent desktop connection attempts will require reauthentication.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Locate the \"Disconnect Applications and Discard SSO Credentials for Idle Users\" setting.\n\nIf the \"Disconnect Applications and Discard SSO Credentials for Idle Users\" setting is set to \"Never\", this is a finding.\n\nIf the \"Disconnect Applications and Discard SSO Credentials for Idle Users\" setting is set to greater than \"120\" minutes (two hours), this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Click \"Edit\". Next to \"Disconnect Applications and Discard SSO Credentials for Idle Users\", select \"After\" from the dropdown and fill in \"120\" minutes in the text field. 
Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246901","ruleId":"SV-246901r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must discard SSO credentials after 15 minutes.","description":"Horizon Connection Server caches user credentials temporarily to ensure that the user can connect to their desktop pools without reauthenticating, right after logging in to the broker. However, this grace period must be restricted so that SSO credentials are only retained for 15 minutes before being discarded. Subsequent desktop connection attempts will require reauthentication, even if the user is still connected to the broker.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Locate the \"Discard SSO credentials\" setting.\n\nIf the \"Discard SSO Credentials\" setting is set to \"Never\", this is a finding.\n\nIf the \"Discard SSO Credentials\" setting is set to greater than \"15 minutes\", this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Click \"Edit\". Next to \"Discard SSO Credentials\", select \"After\" from the dropdown and fill in \"15\" minutes in the text field. Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246902","ruleId":"SV-246902r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must not accept pass-through client credentials.","description":"Horizon Connection Server has the ability to allow clients to authenticate using the local session credentials of their local endpoint. While convenient, this must be disabled for DoD deployments as the server cannot ascertain the method of endpoint login, whether that user's client certificate has since been revoked, etc.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. 
In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Click the \"Authentication\" tab. Scroll down to the \"Current User Authentication\" and note the \"Accept logon as current user\" checkbox.\n\nIf the \"Accept logon as current user\" checkbox is checked, this is a finding.\n\nNote: If \"Smart card authentication for users\" is set to \"Required\", this setting is automatically disabled and greyed out. This would be not applicable.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. Select the Connection Servers tab in the right pane. Click \"Edit\". Click the \"Authentication\" tab. Scroll down to the \"Current User Authentication\". Uncheck the checkbox next to \"Accept logon as current user\". Click \"OK\".\n\nNote: When smart card authentication is required, this setting will be unchecked and greyed out automatically.","ccis":["CCI-000366"]},{"vulnId":"V-246903","ruleId":"SV-246903r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must require DoD PKI for client logins.","description":"Before clients can pick a desktop or app to access, they must first authenticate to the broker, the Connection Server itself. If the client is accessing the broker directly, then the allowed authentication methods must be specified. These include RADIUS, SecurID, user/pass and smart card. In the DoD, CAC login must be enforced at all times, for all client connections.\n\nIf the client is connecting through a Security Server or the UAG appliance, this requirement does not apply.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Click the \"Authentication\" tab. 
Under \"Horizon Authentication\", find the value in the dropdown below \"Smart card authentication for users\".\n\nIf \"Smart card authentication for users\" is set to \"Optional\" or \"Not Allowed\", a SAML Authenticator must be configured and that external IdP must be configured to require CAC authentication. If these requirements are not met, this is a finding.\n\nIf \"Smart card authentication for users\" is set to \"Required\" on each of the listed Connection Servers, this is not a finding.\n\nNote: If the Connection Server is paired with a Security Server, this requirement is not applicable on the Connection Server but is applicable on the Security Server.\n\nNOTE: If another form of DoD approved PKI is used, and configured to be required for client logins, this is not a finding.\n\nIf the Connection Server is paired with a Unified Access Gateway (UAG) that is performing authentication, this requirement is not applicable.","fixText":"Option One:\n\nUse Horizon's native CAC authentication.\n\nLog in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Click the \"Authentication\" tab. Under \"Horizon Authentication\", in the dropdown below \"Smart card authentication for users\", select \"Required\". Click \"OK\".\n\nOption Two:\n\nDelegate CAC authentication to an external IdP.\n\nLog in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Click the \"Authentication\" tab. 
Under \"Horizon Authentication\", in the dropdown next to \"Smart card authentication for users\", select \"Optional\" or \"Not Allowed\".\n\nIn the dropdown under \"Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)\", select \"Allowed\" or \"Required\", depending on what you set the native capability to in the previous step. Click \"Manage SAML Authenticators\". Click \"Add\". Complete the necessary fields. Ensure \"Enabled for Connection Server\" is checked. Click \"OK\". Click \"OK\".\n\nClick \"OK\".\n\nRestart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-246904","ruleId":"SV-246904r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must backup its configuration daily.","description":"Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Select the \"Backup\" tab. Validate that \"Automatic backup frequency\" is set to at least \"Every day\".\n\nIf the Connection Server is not set to be backed up daily (or more frequently), this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. 
In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Select the \"Backup\" tab. Set \"Automatic backup frequency:\" to \"Every day\" or more frequently. Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246905","ruleId":"SV-246905r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server Instant Clone domain account must be configured with limited permissions.","description":"Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Instant Clone Domain Accounts. In the right pane, validate that the accounts listed are User accounts in Active Directory and have only the following permissions on the container for the instant-clone computer account:\n\nList Contents\nRead All Properties\nWrite All Properties\nRead Permissions\nReset Password\nCreate Computer Objects\nDelete Computer Objects\n\nEnsure the permissions apply to the correct container and to all child objects of the container.\n\nIf the Instant Clone domain account has more than the minimum required permissions, this is a finding.\n\nNote: If Instant Clones is not used, this is not applicable.","fixText":"Log in to Active Directory Users and Computers. 
Set the permissions for the Instant Clone Domain Account to:\n\nList Contents\nRead All Properties\nWrite All Properties\nRead Permissions\nReset Password\nCreate Computer Objects\nDelete Computer Objects\n\nEnsure the permissions apply to the correct container and to all child objects of the container.","ccis":["CCI-000366"]},{"vulnId":"V-246906","ruleId":"SV-246906r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.","description":"Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.","checkContent":"On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to \"HKLM\\Software\\VMware, Inc.\\VMware VDM\\Plugins\\wsnm\\TunnelService\\Params\". Locate the \"JvmOptions\" key.\n\nIf \"JvmOptions\" does not exist, or the path does not exist, this is NOT a finding.\n\nIf \"JvmOptions\" does not include the \"-Djdk.tls.rejectClientInitiatedRenegotiation=true\" option, this is a finding.","fixText":"On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to \"HKLM\\Software\\VMware, Inc.\\VMware VDM\\Plugins\\wsnm\\TunnelService\\Params\". 
Locate the \"JvmOptions\" key.\n\nIf \"JvmOptions\" exists:\n\nRight-click \"JvmOptions\", select \"Modify...\". Remove the following option, if it exists:\n\n-Djdk.tls.rejectClientInitiatedRenegotiation=false\n\nAdd the following to the end of the string:\n\n-Djdk.tls.rejectClientInitiatedRenegotiation=true\n\nClick \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246907","ruleId":"SV-246907r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must have X-Frame-Options enabled.","description":"RFC 7034 HTTP Header Field X-Frame-Options, also known as counter clickjacking, is enabled by default on the Horizon Connection Server. It can be disabled by adding the entry \"x-frame-options=OFF\" to the\nlocked.properties file, usually for troubleshooting purposes. The default configuration must be verified and maintained.","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, this is NOT a finding.\n\nOpen \"locked.properties\" in a text editor. Find the \"X-Frame-Options\" setting.\n\nIf there is no \"X-Frame-Options\" setting, this is NOT a finding.\n\nIf \"X-Frame-Options\" is set to \"OFF\", this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nOpen \"locked.properties\" in a text editor. Remove the following line:\n\nX-Frame-Options=OFF\n\nSave and close the file. Restart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-246908","ruleId":"SV-246908r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must have Origin Checking enabled.","description":"RFC 6454 Origin Checking, which protects against cross-site request forging, is enabled by default on the Horizon Connection Server. 
When an administrator opens the Horizon 7 Console or a user connects to Blast HTML Access, the server checks that the origin URL for the web request matches the configured secure tunnel URL or \"localhost\".\n\nWhen the Connection Server is load balanced or front-ended by a Unified Access Gateway (UAG) appliance, origin checking will fail. This is commonly resolved by disabling origin checking entirely by specifying \"checkOrigin=false\" in the \"locked.properties\" file. This is not the proper solution. Instead, origin checking must be enabled and the load balancer and UAG appliances must be allowlisted via the \"balancedHost\" and \"portalHost.X\" settings in \"locked.properties\", respectively.\n\nOrigin checking can be disabled by adding the entry \"checkOrigin=false\" to locked.properties, usually for troubleshooting purposes. The default, \"checkOrigin=true\" or unspecified configuration must be verified and maintained.","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, this is NOT a finding.\n\nOpen \"locked.properties\" in a text editor. Find the \"checkOrigin\" setting.\n\nIf there is no \"checkOrigin\" setting, this is NOT a finding.\n\nIf \"checkOrigin\" is set to \"false\", this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nOpen \"locked.properties\" in a text editor. Remove the following line:\n\ncheckOrigin=false\n\nTo allowlist a load balancer in front of the Connection Server, add the following line:\n\nbalancedHost=load-balancer-name-here\n\nTo allowlist Unified Access Gateway (UAG) gateways, add every address using the following format and pattern:\n\nportalHost.1=access-point-name-1\nportalHost.2=access-point-name-2\n...\n\nSave and close the file. 
Restart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-246909","ruleId":"SV-246909r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must enable the Content Security Policy.","description":"The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server defines the policy and the client browser enforces the policy. This feature is enabled by default but must be validated and maintained over time.","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, this is NOT a finding.\n\nOpen \"locked.properties\" in a text editor. Find the \"enableCSP\" setting.\n\nIf there is no \"enableCSP\" setting, this is NOT a finding.\n\nIf \"enableCSP\" is set to \"false\", this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nOpen \"locked.properties\" in a text editor. Remove the following line:\n\nenableCSP=false\n\nSave and close the file. 
Restart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-246910","ruleId":"SV-246910r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must enable the proper Content Security Policy directives.","description":"The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server has default CSP directives that block XSS attacks, enable x-frame restrictions and more. If the default configurations are overridden, the protections may be disabled even though the CSP itself is still enabled. This default policy must be validated and maintained over time.","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, this is NOT a finding.\n\nOpen \"locked.properties\" in a text editor. Find the following settings:\n\ncontent-security-policy\ncontent-security-policy-newadmin\ncontent-security-policy-portal\ncontent-security-policy-rest\n\nIf any of the above settings are present, this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, this is NOT a finding.\n\nOpen \"locked.properties\" in a text editor. Find and remove the following settings:\n\ncontent-security-policy\ncontent-security-policy-newadmin\ncontent-security-policy-portal\ncontent-security-policy-rest\n\nSave and close the file. 
Restart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-246911","ruleId":"SV-246911r879887_rule","severity":"medium","ruleTitle":"The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate.","description":"The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe Blast Secure Gateway supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools. For simplicity, it is recommended to use the same certificate as previously configured for Connection Server itself via the \"vdm\" common name.","checkContent":"On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Teradici\\SecurityGateway\". Locate the \"SSLCertWinCertFriendlyName\" key.\n\nIf \"SSLCertWinCertFriendlyName\" does not exist, this is a finding.\n\nIf \"SSLCertWinCertFriendlyName\" is set to \"vdm\", this is not a finding.\n\nNote the value of \"SSLCertWinCertFriendlyName\". This is the friendly name of the PCoIP Secure Gateway certificate.\n\nOn the Horizon Connection Server, open \"certlm.msc or certmgr.msc\" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the \"Friendly Name\" of the previously noted value of \"SSLCertWinCertFriendlyName\". For this certificate, locate the issuer in the \"Issued By\" column.\n\nIf the PCoIP Secure Gateway certificate is not \"Issued By\" a trusted DoD CA, this is a finding.\n\nNote: If the PCoIP Secure Gateway is not enabled, this is not applicable.","fixText":"On the Horizon Connection Server, launch the Registry Editor. 
Traverse the registry tree to \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Teradici\\SecurityGateway\".\n\nOption One:\n\nUse the same certificate as the Connection Server.\n\nCreate a new String (REG_SZ) key named \"SSLCertWinCertFriendlyName\". Set its value to \"vdm\". Close the Registry Editor. Restart the \"VMware Horizon View PCoIP Secure Gateway\" service for changes to take effect.\n\nOption Two:\n\nUse a different certificate for the PCoIP Secure Gateway.\n\nCreate a new String (REG_SZ) key named \"SSLCertWinCertFriendlyName\". Set its value to \"pcoip\". Close the Registry Editor.\n\nObtain a web server certificate from a DoD authority, specifying the common name as the Horizon Connection server FQDN, the signing algorithm as SHA256 and the key strength of at least 1024 bits.\n\nExport the certificate and private key to a password-protected PFX bundle.\n\nRight-click on the Personal >> Certificates folder. Select All Tasks >> Import. Click \"Next\". Click \"Browse...\". Navigate to the .pfx bundle and click \"Open\". Click \"Next\". Supply the password, select \"Mark this key as exportable\" and \"Include all extended properties\". Click \"Next\". Click \"Next\". Click \"Finish\".\n\nSelect the newly imported certificate. Right-click this certificate and select \"Properties\". Change the \"Friendly name\" to \"pcoip\". This name must be exact. Click \"OK\".\n\nRestart the \"VMware Horizon View PCoIP Secure Gateway\" service for changes to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-246912","ruleId":"SV-246912r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must not allow unauthenticated access.","description":"When the Horizon native smart card capability is not set to \"Required\", the option for \"Unauthenticated Access\" is enabled. This would be true in the case of an external IdP providing authentication via SAML. 
The \"Unauthenticated Access\" option allows users to access published applications from a Horizon Client without requiring AD credentials. This is typically implemented as a convenience when serving up an application that has its own security and user management. This configuration is not acceptable in the DoD and must be disabled.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Click the \"Authentication\" tab. Under \"Horizon Authentication\", find the value in the drop-down below \"Unauthenticated Access\".\n\nIf \"Unauthenticated Access\" is set to \"Enabled\", this is a finding.\n\nNote: If \"Smart card authentication for users\" is set to \"Required\", this setting is automatically disabled and greyed out. This would be not applicable.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the \"Connection Servers\" tab. For each Connection Server listed, select the server and click \"Edit\". Click the \"Authentication\" tab. In the drop-down below Horizon Authentication >> Unauthenticated Access, select \"Disabled\". Click \"OK\".\n\nRestart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-246913","ruleId":"SV-246913r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must require CAC reauthentication after user idle timeouts.","description":"If a user VDI session times out due to inactivity, the user must be assumed to not be active and have their resource locked. These resources should only be made available again upon the user reauthenticating versus reusing the initial connection. 
This ensures that the connection has not been hijacked and re-establishes nonrepudiation.","checkContent":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Locate the \"Enable 2-Factor Reauthentication\" setting.\n\nIf the \"Enable 2-Factor Reauthentication\" setting is set to \"No\", this is a finding.","fixText":"Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the \"General Settings\" tab. Click \"Edit\". Select the checkbox next to \"Enable 2-Factor Reauthentication\". Click \"OK\".","ccis":["CCI-000366"]},{"vulnId":"V-246914","ruleId":"SV-246914r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must be configured to restrict USB passthrough access.","description":"One of the many benefits of VDI is the separation of the end user from the \"desktop\" they are accessing. This helps mitigate the risks imposed by physical access. In a traditional desktop scenario, and from a security perspective, physical access is equivalent to ownership. USB devices are physical devices that interact at the driver layer with the guest operating system and are inherently problematic. There are numerous risks posed by USB including the driver stack, data loss prevention, malicious devices, etc. Client USB devices are not necessary for general purpose VDI desktops and must be disabled broadly and enabled selectively.\n\nNote: USB mouse, keyboard and smart card devices are abstracted by Horizon and are not affected by any of these Horizon configurations.","checkContent":"Interview the SA. USB devices can be blocked in a number of ways:\n\n1. The desktop OS\n2. A third party DLP solution\n3. Horizon Agent configuration and GPOs\n4. Horizon Connection Server global policies\n5. 
Horizon Connection Server per-pool policies\n\nIf 1, 2, or 3 are implemented in this environment, this control is not applicable. Number three is addressed in the Horizon Agent STIG.\n\nStep One - Disable USB Access Globally:\n\nLog in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Policies. In the right pane, confirm that \"USB Access\" is set to \"Deny\".\n\nIf \"USB Access\" is not set to \"Deny\", this is a finding.\n\nStep Two - Confirm per-pool settings:\n\nLog in to the Horizon 7 Console. From the left pane, navigate to Inventory >> Desktops. In the right pane, click the name of each pool that does not explicitly require access to USB devices. In the next screen, click the \"Policies\" tab. Confirm that \"Applied Policy\" is set to \"Deny\".\n\nIf \"Applied Policy\" is not set to \"Deny\", this is a finding.\n\nClick the \"Policy Overrides\" tab. Highlight each user. If \"USB Access\" is set to \"Allow\" for any user, ensure the exception is required and authorized. If any user has an override configured that is not required or authorized, this is a finding.","fixText":"Step One - Disable USB Access Globally:\n\nLog in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Policies. In the right pane, click \"Edit Policies\". In the drop-down next to \"USB Access\", select \"Deny\". Click \"OK\".\n\nStep Two - Confirm per-pool settings:\n\nLog in to the Horizon 7 Console. From the left pane, navigate to Inventory >> Desktops. In the right pane, click the name of each pool that does not explicitly require access to USB devices. In the next screen, click the \"Policies\" tab. Click \"Edit Policies\". In the drop-down next to \"USB Access\", select \"Inherit\". Click \"OK\".\n\nClick the \"Policy Overrides\" tab. \"Edit\" or \"Remove\" as necessary to ensure that configured users with \"USB Access\" set to \"Allow\" are as limited as possible.","ccis":["CCI-000366"]},{"vulnId":"V-246915","ruleId":"SV-246915r879887_rule","severity":"medium","ruleTitle":"The Horizon Connection Server must prevent MIME type sniffing.","description":"MIME types define how a given type of file is intended to be processed by the browser. Modern browsers are capable of determining the content type of a file by byte headers and content inspection and can then override the type dictated by the server. An example would be a \".js\" file sent with the \"jpg\" MIME type rather than the JavaScript MIME type. The browser would \"correct\" this and process the file as JavaScript. The danger is that a file on the server could be disguised as something else, such as JavaScript, opening the door to cross-site scripting. To disable browser \"sniffing\" of content type, the Connection Server sends the \"x-content-type-options: nosniff\" header by default. This configuration must be validated and maintained over time.","checkContent":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nIf a file named \"locked.properties\" does not exist in this path, this is NOT a finding.\n\nOpen \"locked.properties\" in a text editor. Find the \"x-content-type-options\" setting.\n\nIf there is no \"x-content-type-options\" setting, this is NOT a finding.\n\nIf \"x-content-type-options\" is set to \"false\", this is a finding.","fixText":"On the Horizon Connection Server, navigate to \"<install_directory>\\VMware\\VMware View\\Server\\sslgateway\\conf\".\n\nOpen \"locked.properties\" in a text editor. Remove the following line:\n\nx-content-type-options=false\n\nSave and close the file. Restart the \"VMware Horizon View Connection Server\" service for changes to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-246916","ruleId":"SV-246916r951010_rule","severity":"high","ruleTitle":"All Horizon components must be running supported versions.","description":"Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.\n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).\n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"Horizon 7.x is no longer supported by the vendor. If any of the system components are running Horizon 7.x, this is a finding.","fixText":"Install a supported version of Horizon.","ccis":["CCI-002605"]}]}
