VMware Horizon 7.13 Client Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2021-07-22
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Horizon Client must not send anonymized usage data.
CM-6 - Medium - CCI-000366 - V-246875 - SV-246875r768585_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
HRZC-7X-000001
Vuln IDs
  • V-246875
Rule IDs
  • SV-246875r768585_rule
By default, the Horizon Client collects anonymized data from the client systems to help improve software and hardware compatibility. To eliminate any possibility of sensitive DoD configurations being known to unauthorized parties, even when anonymized, this setting must be disabled.
Checks: C-50307r768583_chk

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration. Double-click the "Allow data sharing" setting. If "Allow data sharing" is set to "Enabled" or "Not Configured", this is a finding.

Fix: F-50261r768584_fix

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration. Double-click the "Allow data sharing" setting. Make sure the setting is "Disabled". Click "OK".

The Horizon Client must not connect to servers without fully verifying the server certificate.
CM-6 - Medium - CCI-000366 - V-246876 - SV-246876r768588_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
HRZC-7X-000002
Vuln IDs
  • V-246876
Rule IDs
  • SV-246876r768588_rule
Preventing the disclosure of transmitted information requires that the application server employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). The Horizon Client connects to the Connection Server, UAG, or other gateway over a TLS connection. This initial connection must be trusted; otherwise, the sensitive information flowing over the tunnel could be open to interception. The Horizon Client can be configured to ignore any certificate validation errors, to warn, or to fail. By default, the Client warns and lets the user decide whether to proceed. This decision must not be left to the end user. In a properly configured enterprise environment, there should be no problem with the presented certificate. Conversely, a TLS connection could easily be intercepted by a man-in-the-middle on the assumption that the user will simply click away any errors.
Checks: C-50308r768586_chk

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Certificate verification mode". If "Certificate verification mode" is "Not Configured" or "Disabled", this is a finding. If "Certificate verification mode" is not set to "Full Security", this is a finding.

Fix: F-50262r768587_fix

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Certificate verification mode". Make sure the setting is "Enabled". In the dropdown below "Certificate verification mode", select "Full Security". Click "OK".

The Horizon Client must not show the Log in as current user option.
CM-6 - Medium - CCI-000366 - V-246877 - SV-246877r768591_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
HRZC-7X-000003
Vuln IDs
  • V-246877
Rule IDs
  • SV-246877r768591_rule
The Horizon Connection Server STIG disables the "Log in as current user" option, for the reasons described there. Displaying this option and allowing users to select it would only cause unnecessary confusion, so it must be disabled on the Client as well.
Checks: C-50309r768589_chk

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Display option to Log in as current user". If "Display option to Log in as current user" is not set to "Disabled", this is a finding.

Fix: F-50263r768590_fix

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Display option to Log in as current user". Make sure the setting is "Disabled". Click "OK".

The Horizon Client must not ignore certificate revocation problems.
CM-6 - Medium - CCI-000366 - V-246878 - SV-246878r768594_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
HRZC-7X-000004
Vuln IDs
  • V-246878
Rule IDs
  • SV-246878r768594_rule
When the Horizon Client connects to the server, the server's TLS certificate is validated on the client side by default. If the revocation status cannot be determined, or if the certificate is revoked, the connection fails as untrusted. This default behavior can be overridden, however, so that revocation errors are ignored and the connection proceeds with a revoked certificate or one of unknown revocation status. The default, secure configuration must be validated and maintained.
Checks: C-50310r768592_chk

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Ignore certificate revocation problems". If "Ignore certificate revocation problems" is set to "Enabled", this is a finding.

Fix: F-50264r768593_fix

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Ignore certificate revocation problems". Make sure the setting is "Disabled". Click "OK".

The Horizon Client must require TLS connections.
CM-6 - Medium - CCI-000366 - V-246879 - SV-246879r768597_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
HRZC-7X-000005
Vuln IDs
  • V-246879
Rule IDs
  • SV-246879r768597_rule
In versions of Horizon before 5.0, remote desktop connections could be established without TLS encryption. To protect data-in-transit when potentially connecting to such old Horizon servers, TLS tunnels must be mandated. The default configuration attempts TLS but falls back to no encryption if TLS is not supported. This must be corrected and maintained over time.
Checks: C-50311r768595_chk

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Enable SSL encrypted framework channel". If "Enable SSL encrypted framework channel" is set to "Disabled" or "Not Configured", this is a finding. In the dropdown beneath "Enable SSL encrypted framework channel", if "Enforce" is not selected, this is a finding.

Fix: F-50265r768596_fix

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Enable SSL encrypted framework channel". Make sure the setting is "Enabled". In the dropdown beneath "Enable SSL encrypted framework channel", select "Enforce". Click "OK".

The Horizon Client must use approved ciphers.
CM-6 - Medium - CCI-000366 - V-246880 - SV-246880r768600_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
HRZC-7X-000006
Vuln IDs
  • V-246880
Rule IDs
  • SV-246880r768600_rule
The Horizon Client disables the older TLS v1.0 protocol and the SSL v2 and SSL v3 protocols by default. TLS v1.1 is still enabled in the default configuration, despite its known shortcomings, for backward compatibility with older servers and clients. The Horizon Connection Server STIG mandates TLS v1.2 to protect sensitive data-in-flight, and the Client must follow suit. Note: Mandating TLS 1.2 may affect certain thin and zero clients. Test and implement carefully.
Checks: C-50312r768598_chk

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Configures SSL protocols and cryptographic algorithms". If "Configures SSL protocols and cryptographic algorithms" is set to "Disabled" or "Not Configured", this is a finding. If the field beneath "Configures SSL protocols and cryptographic algorithms" is not set to "TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES", this is a finding.

Fix: F-50266r768599_fix

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Configures SSL protocols and cryptographic algorithms". Make sure the setting is "Enabled". In the field beneath "Configures SSL protocols and cryptographic algorithms", type the following:

TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES

Click "OK".
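As an added example (not part of the STIG or of VMware's tooling), a small Python audit routine that tests an exported value of the "Configures SSL protocols and cryptographic algorithms" setting against the exact string this rule requires and also reports why a non-matching value is weaker; the client names and the policy values in the sample are constructed.

```python
# Added example (not part of the STIG): audit a Horizon Client "Configures SSL
# protocols and cryptographic algorithms" policy value against the exact string
# HRZC-7X-000006 requires. The value uses OpenSSL-style syntax: a colon-separated
# list of protocol tokens (TLSv1.2, ...) and cipher selectors (!aNULL, ECDH+AESGCM).

STIG_REQUIRED = ("TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM"
                 ":kECDH+AES:ECDH+AES:RSA+AES")

# Protocol tokens the rule's rationale rejects (SSL v2/v3, TLS 1.0 and 1.1).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def audit_ssl_policy(value):
    """Return a list of findings; an empty list means the value is compliant.

    The STIG check is an exact-match test on the whole string; the other
    findings explain why a non-matching value is weaker, so it can be fixed."""
    if value is None or not value.strip():
        return ["setting is Disabled or Not Configured"]
    tokens = [t.strip() for t in value.split(":") if t.strip()]
    required = STIG_REQUIRED.split(":")
    findings = []
    protocols = {t for t in tokens if t.startswith(("TLS", "SSL"))}
    weak = sorted(protocols & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak protocol(s) enabled: " + ", ".join(weak))
    if "TLSv1.2" not in protocols:
        findings.append("TLSv1.2 is not enabled")
    if "!aNULL" not in tokens:
        findings.append("!aNULL missing: anonymous key exchange allowed")
    unexpected = sorted(set(tokens) - set(required))
    if unexpected:
        findings.append("selectors outside the approved list: " + ", ".join(unexpected))
    if tokens != required:
        findings.append("value does not exactly match the STIG-required string")
    return findings


# Constructed sample of exported policy values from three hypothetical clients.
SAMPLE_POLICY_VALUES = {
    "client-a": STIG_REQUIRED,
    "client-b": "TLSv1.1:TLSv1.2:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:RC4",
    "client-c": None,  # policy Not Configured or Disabled
}


def audit_all(values=SAMPLE_POLICY_VALUES):
    """Map each client name to its findings (empty list == PASS)."""
    return {name: audit_ssl_policy(v) for name, v in values.items()}
```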

The Horizon Client must not allow command line credentials.
CM-6 - Medium - CCI-000366 - V-246881 - SV-246881r768603_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
HRZC-7X-000007
Vuln IDs
  • V-246881
Rule IDs
  • SV-246881r768603_rule
By default, the Horizon Client accepts a number of command line options, including authentication parameters. These can include a smart card PIN, if the end user so configures it. Such usage would normally be implemented by a script, which means sensitive authenticators sitting on disk in plain text. Hard coding of credentials of any sort, but especially smart card PINs, must be explicitly disallowed.
Checks: C-50313r768601_chk

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Allow command line credentials". If "Allow command line credentials" is "Not Configured" or "Enabled", this is a finding.

Fix: F-50267r768602_fix

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Allow command line credentials". Make sure the setting is "Disabled". Click "OK".