Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Security. Double-click the "Accept SSL encrypted framework channel" setting. If "Accept SSL encrypted framework channel" is not "Enabled" with "Enforce" selected, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Security. Double-click the "Accept SSL encrypted framework channel" policy. Make sure the policy is "Enabled". Choose "Enforce" from the drop-down. Click "OK".
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "CommandsToRunOnConnect" setting. If "CommandsToRunOnConnect" is "Not Configured" or "Disabled", this is not a finding. Click the "Show..." button next to "Commands". If any of the listed commands are not expected, approved, and required, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "CommandsToRunOnConnect" setting.
Option 1: Click the radio button next to "Disabled". Click "OK".
Option 2: Make sure the setting is "Enabled". Click the "Show..." button next to "Commands". Highlight the unneeded command and press the "delete" key. Click "OK". Click "OK".
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "CommandsToRunOnDisconnect" setting. If "CommandsToRunOnDisconnect" is "Not Configured" or "Disabled", this is not a finding. Click the "Show..." button next to "Commands". If any of the listed commands are not expected, approved, and required, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "CommandsToRunOnDisconnect" setting.
Option 1: Click the radio button next to "Disabled". Click "OK".
Option 2: Click the "Show..." button next to "Commands". Highlight the unneeded command and press the "delete" key. Click "OK". Click "OK".
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "CommandsToRunOnReconnect" setting. If "CommandsToRunOnReconnect" is "Not Configured" or "Disabled", this is not a finding. Click the "Show..." button next to "Commands". If any of the listed commands are not expected, approved, and required, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "CommandsToRunOnReconnect" setting.
Option 1: Click the radio button next to "Disabled". Click "OK".
Option 2: Click the "Show..." button next to "Commands". Highlight the unneeded command and press the "delete" key. Click "OK". Click "OK".
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Common Configuration >> Security Configuration. Double-click the "Type of certificate revocation check" setting. If "Type of certificate revocation check" is "Not Configured" or "Disabled", this is a finding. In the drop-down under "Type of certificate revocation check", if "WholeChain" is not selected, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Common Configuration >> Security Configuration. Double-click the "Type of certificate revocation check" setting. Make sure the setting is "Enabled". In the drop-down under "Type of certificate revocation check", select "WholeChain". Click "OK".
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "Idle Time Until Disconnect (VDI)" setting. If "Idle Time Until Disconnect (VDI)" is "Not Configured" or "Disabled", this is a finding. In the drop-down next to "Idle Timeout", if "Never" is selected, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "Idle Time Until Disconnect (VDI)" setting. Click the radio button next to "Enabled". In the drop-down next to "Idle Timeout", select an appropriate, site-specific timeout that is not "Never". This is typically two hours, but your configuration may vary. Click "OK".
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the "Configure clipboard redirection" setting. If "Configure clipboard redirection" is "Not Configured" or "Disabled", this is not a finding. In the drop-down under "Configure clipboard redirection", if "Enabled server to client only" or "Enabled in both directions" is selected, this is a finding.
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> VMware Blast. Double-click the "Configure clipboard redirection" setting. Click the radio button next to "Disabled". Click "OK".
Ensure the pcoip.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Not Overridable Administrator Settings. Double-click the "Configure clipboard redirection" setting. If "Configure clipboard redirection" is "Not Configured" or "Disabled", this is not a finding. In the drop-down under "Configure clipboard redirection", if "Enabled server to client only" or "Enabled in both directions" is selected, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Not Overridable Administrator Settings. Double-click the "Configure clipboard redirection" setting. Click the radio button next to "Disabled". Click "OK".
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the "Configure file transfer" setting. If "Configure file transfer" is not "Enabled", this is a finding. In the drop-down under "Configure file transfer", if "Disabled both upload and download" is not selected, this is a finding.
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the "Configure file transfer" setting. Click the radio button next to "Enabled". In the drop-down under "Configure file transfer", select "Disabled both upload and download". Click "OK".
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the "Configure drag and drop direction" setting. If "Configure drag and drop direction" is not "Enabled", this is a finding. In the drop-down under "Configure drag and drop", if "Disabled in both directions" is not selected, this is a finding.
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the "Configure drag and drop" setting. Click the radio button next to "Enabled". In the drop-down under "Configure drag and drop", select "Disabled in both directions". Click "OK".
Ensure the pcoip.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the "Configure drag and drop direction" setting. If "Configure drag and drop direction" is not "Enabled", this is a finding. In the drop-down under "Configure drag and drop direction", if "Disabled in both directions" is not selected, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the "Configure drag and drop direction" setting. Click the radio button next to "Enabled". In the drop-down under "Configure drag and drop", select "Disabled in both directions". Click "OK".
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the "Configure clipboard audit" setting. If "Configure clipboard audit" is "Not Configured" or "Disabled", this is a finding. In the drop-down under "Configure clipboard audit", if "Enabled in both directions" is not selected, this is a finding.
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> VMware Blast. Double-click the "Configure clipboard audit" setting. Click the radio button next to "Enabled". In the drop-down under "Configure clipboard audit", select "Enabled in both directions". Click "OK".
Ensure the pcoip.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the "Configure clipboard audit" setting. If "Configure clipboard audit" is "Not Configured" or "Disabled", this is a finding. In the drop-down under "Configure clipboard audit", if "Enabled in both directions" is not selected, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the "Configure clipboard audit" setting. Click the radio button next to "Enabled". In the drop-down under "Configure clipboard audit", select "Enabled in both directions". Click "OK".
Ensure the vdm_rdsh_server.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the "Do not allow drive redirection" setting. If "Do not allow drive redirection" is not "Enabled", this is a finding.
Ensure the vdm_rdsh_server.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the "Do not allow drive redirection" setting. Click the radio button next to "Enabled". Click "OK".
Interview the SA.

USB mass storage devices can be blocked in a number of ways:
1. The desktop OS
2. A third-party DLP solution
3. The "USB Redirection" optional agent feature not being installed on any VDI image
4. On the Connection Server via individual pool policies or global policies

If any of these methods are already employed, the risk is already addressed and this control is not applicable. If USB devices are not otherwise blocked, the Horizon agent must be configured to block storage devices via allowlist or denylist.

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> View USB Configuration.

1. Check for denylisting:
Double-click the "Exclude Device Family" setting. If "Exclude Device Family" is not "Enabled", denylisting is Not Configured. If "Exclude Device Family" does not include at least "o:storage", denylisting is Not Configured. If denylisting is Not Configured, continue to check for allowlisting. If denylisting is configured, this is not a finding.

2. Check for allowlisting:
Double-click the "Exclude All Devices" setting. If "Exclude All Devices" is not "Enabled", allowlisting is Not Configured. Click "Cancel". Double-click the "Include Device Family" setting. If "Include Device Family" is "Enabled" and includes "storage", allowlisting is Not Configured.

If neither denylisting nor allowlisting is properly configured, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> View USB Configuration.

Option 1, denylist:
Double-click the "Exclude Device Family" setting. If the setting is "Disabled" or "Not Configured", click the radio button next to "Enabled". In the field below "Exclude Device Family", add the following:
o:storage
Click "OK".

Option 2, allowlist:
Double-click the "Exclude All Devices" setting. If the setting is "Disabled" or "Not Configured", click the radio button next to "Enabled". Click "OK".
(Optional) Double-click the "Include Device Family" setting. Make sure the setting is "Enabled". In the field below "Include Device Family", add the site-specific allowlisted device family strings, making sure to not include any "storage". Click "OK".
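The USB storage check above combines three settings, and the allowlist branch is easy to get wrong by re-admitting "storage" through "Include Device Family". As an added example (not part of the STIG text, and not code from VMware or DISA), the PowerShell function below encodes that decision so the states read from the three dialogs can be evaluated the same way every time. The function name, parameter names and the sample scenarios are this example's own assumptions; the STIG only names the Group Policy settings, so the inputs are the Enabled state and list contents an administrator reads from each dialog (or exports from the GPO with Get-GPRegistryValue against the key the vdm_agent*.admx template defines).

```powershell
# Added example; not from the STIG or from VMware. Function and parameter
# names are this example's own. It implements the check text's logic:
#   denylist configured  = "Exclude Device Family" Enabled AND list contains "o:storage"
#   allowlist configured = "Exclude All Devices" Enabled AND NOT
#                          ("Include Device Family" Enabled AND list contains "storage")
#   finding              = neither configured
function Test-HorizonUsbStorageBlocked {
    [CmdletBinding()]
    param(
        # State and contents of "Exclude Device Family"
        [bool]$ExcludeDeviceFamilyEnabled = $false,
        [string[]]$ExcludeDeviceFamily = @(),
        # State of "Exclude All Devices"
        [bool]$ExcludeAllDevicesEnabled = $false,
        # State and contents of "Include Device Family"
        [bool]$IncludeDeviceFamilyEnabled = $false,
        [string[]]$IncludeDeviceFamily = @()
    )

    # Denylisting: the exclusion list must be enabled and carry the storage family.
    # -contains compares case-insensitively, as the dialog entry is not case-sensitive.
    $denylist = $ExcludeDeviceFamilyEnabled -and ($ExcludeDeviceFamily -contains 'o:storage')

    # Allowlisting: everything excluded by default, and the include list must not
    # re-admit storage (any include entry mentioning "storage" defeats the allowlist).
    $includesStorage = $IncludeDeviceFamilyEnabled -and
        [bool]($IncludeDeviceFamily | Where-Object { $_ -like '*storage*' })
    $allowlist = $ExcludeAllDevicesEnabled -and -not $includesStorage

    [pscustomobject]@{
        DenylistConfigured  = $denylist
        AllowlistConfigured = $allowlist
        Finding             = -not ($denylist -or $allowlist)
    }
}

# Constructed scenarios (sample values, not real site data):
# 1. Denylist only: not a finding.
Test-HorizonUsbStorageBlocked -ExcludeDeviceFamilyEnabled $true -ExcludeDeviceFamily 'o:storage'
# 2. Allowlist that re-admits storage through the include list: finding.
Test-HorizonUsbStorageBlocked -ExcludeAllDevicesEnabled $true `
    -IncludeDeviceFamilyEnabled $true -IncludeDeviceFamily 'o:hid','o:storage'
# 3. Allowlist whose include list has no storage entry: not a finding.
Test-HorizonUsbStorageBlocked -ExcludeAllDevicesEnabled $true `
    -IncludeDeviceFamilyEnabled $true -IncludeDeviceFamily 'o:hid'
# 4. Nothing configured: finding.
Test-HorizonUsbStorageBlocked
```

Scenario 2 is the case the check text calls out explicitly: "Exclude All Devices" alone looks like an allowlist, but an include list containing "storage" undoes it, so the function reports a finding there even though the first setting is Enabled.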