VMware Horizon 7.13 Connection Server STIG
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide. Version v1 r2, released April 24, 2024.
HRZV-7X-000008: The Horizon Connection Server must be configured with an events database.
Log in to the Horizon 7 Console. From the left pane, navigate to Monitor >> Events. If the right pane is empty or shows "Events DB is not configured.", this is a finding.
Discussion
The Horizon Connection Server stores application level events and actions in a dedicated database versus log files. This makes day-to-day administration easier while offloading these events to a separate system for resiliency. An events database is configured after Connection Server deployment. It need only be done once, in the case of multiple grouped Connection Servers, as the configuration will be applied to the other servers automatically. Satisfies: SRG-APP-000089-AS-000050, SRG-APP-000091-AS-000052, SRG-APP-000095-AS-000056, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072, SRG-APP-000266-AS-000168, SRG-APP-000380-AS-000088, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000503-AS-000228, SRG-APP-000504-AS-000229, SRG-APP-000505-AS-000230, SRG-APP-000509-AS-000234
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Event Configuration. In the right pane, under "Event Database", click "Edit". Enter the necessary database information in the fields provided. Click "OK". Note: The Horizon Connection Server supports the MSSQL and Oracle database types. Create a database with an appropriate, descriptive name. Create a user with permission to create tables, views, and (if Oracle) triggers and sequences, and with permission to read from and write to these objects. Consult VMware documentation for more detailed database setup information and minimum required privileges.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000021: The Horizon Connection Server must not accept pass-through client credentials.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Scroll down to the "Current User Authentication" and note the "Accept logon as current user" checkbox. If the "Accept logon as current user" checkbox is checked, this is a finding. Note: If "Smart card authentication for users" is set to "Required", this setting is automatically disabled and greyed out. This would be not applicable.
Discussion
Horizon Connection Server has the ability to allow clients to authenticate using the local session credentials of their local endpoint. While convenient, this must be disabled for DoD deployments as the server cannot ascertain the method of endpoint login, whether that user's client certificate has since been revoked, etc.
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. Select the Connection Servers tab in the right pane. Click "Edit". Click the "Authentication" tab. Scroll down to "Current User Authentication". Uncheck the checkbox next to "Accept logon as current user". Click "OK". Note: When smart card authentication is required, this setting will be unchecked and greyed out automatically.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000003: The Blast Secure Gateway must be configured to only support TLS 1.2 connections.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\appblastgateway". If a file named "absg.properties" does not exist in this path, this is a finding. Open "absg.properties" in a text editor. Find the "localHttpsProtocolLow" and "localHttpsProtocolHigh" settings. Ensure they are set as follows:
localHttpsProtocolLow=tls1.2
localHttpsProtocolHigh=tls1.2
If the "localHttpsProtocolLow" or "localHttpsProtocolHigh" settings do not exist, this is a finding. If the "localHttpsProtocolLow" and "localHttpsProtocolHigh" are not exactly as above, this is a finding.
Discussion
Preventing the disclosure of transmitted information requires that the application server take measures to employ strong cryptographic mechanisms to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems. According to NIST and as of publication, TLS 1.1 must not be used and TLS 1.2 will be configured. Note: Mandating TLS 1.2 may affect certain client types. Test and implement carefully.
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\appblastgateway". Open "absg.properties" in a text editor. Add or change the following lines:
localHttpsProtocolLow=tls1.2
localHttpsProtocolHigh=tls1.2
Save and close the file. Restart the "VMware Horizon 7 Blast Secure Gateway" service for changes to take effect.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
HRZV-7X-000022: The Horizon Connection Server must require DoD PKI for client logins.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Under "Horizon Authentication", find the value in the dropdown below "Smart card authentication for users". If "Smart card authentication for users" is set to "Optional" or "Not Allowed", a SAML Authenticator must be configured and that external IdP must be configured to require CAC authentication. If these requirements are not met, this is a finding. If "Smart card authentication for users" is set to "Required" on each of the listed Connection Servers, this is not a finding. Note: If the Connection Server is paired with a Security Server, this requirement is not applicable on the Connection Server but is applicable on the Security Server. Note: If another form of DoD approved PKI is used, and configured to be required for client logins, this is not a finding. If the Connection Server is paired with a Unified Access Gateway (UAG) that is performing authentication, this requirement is not applicable.
Discussion
Before clients can pick a desktop or app to access, they must first authenticate to the broker, the Connection Server itself. If the client is accessing the broker directly, then the allowed authentication methods must be specified. These include RADIUS, SecurID, user/pass and smart card. In the DoD, CAC login must be enforced at all times, for all client connections. If the client is connecting through a Security Server or the UAG appliance, this requirement does not apply.
Fix
Option One: Use Horizon's native CAC authentication.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Under "Horizon Authentication", in the dropdown below "Smart card authentication for users", select "Required". Click "OK".
Option Two: Delegate CAC authentication to an external IdP.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Under "Horizon Authentication", in the dropdown next to "Smart card authentication for users", select "Optional" or "Not Allowed". In the dropdown under "Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)", select "Allowed" or "Required", depending on what you set the native capability to in the previous step. Click "Manage SAML Authenticators". Click "Add". Complete the necessary fields. Ensure "Enabled for Connection Server" is checked. Click "OK". Click "OK". Click "OK". Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000016: The Horizon Connection Server must be configured with a DoD-issued TLS certificate.
On the Horizon Connection Server, open "certlm.msc or certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of "vdm". For this certificate, locate the issuer in the "Issued By" column. If the Horizon Connection Server broker certificate is not "Issued By" a trusted DoD CA, or other AO-approved certificate, this is a finding.
Discussion
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not DoD-approved, trust of this CA has not been established. The Horizon Connection Server supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools, focusing on the certificate with the "vdm"-friendly name. Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137
Fix
Obtain a web server certificate from a DoD authority, specifying the common name as the "Horizon Connection server FQDN", the signing algorithm as "SHA256", and the key strength of at least "1024 bits". Export the certificate and private key to a password-protected PFX bundle. On the Horizon Connection Server, open "certlm.msc or certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of "vdm". Right-click this certificate and select "Properties". Change the "Friendly name" to "vdm-original" or similar. Click "OK". Right-click on the Personal >> Certificates folder. Select All Tasks >> Import. Click "Next". Click "Browse...". Navigate to the .pfx bundle and click "Open". Click "Next". Supply the password, select "Mark this key as exportable" and "Include all extended properties". Click "Next". Click "Next". Click "Finish". Select the newly imported certificate. Right-click this certificate and select "Properties". Change the "Friendly name" to "vdm". This name must be exact. Click "OK". Restart the Connection Server or the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000029: The Horizon Connection Server must enable the proper Content Security Policy directives.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the following settings:
content-security-policy
content-security-policy-newadmin
content-security-policy-portal
content-security-policy-rest
If any of the above settings are present, this is a finding.
Discussion
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server has default CSP directives that block XSS attacks, enable x-frame restrictions and more. If the default configurations are overridden, the protections may be disabled even though the CSP itself is still enabled. This default policy must be validated and maintained over time.
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find and remove the following settings:
content-security-policy
content-security-policy-newadmin
content-security-policy-portal
content-security-policy-rest
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000005: The Horizon Connection Server must be configured to debug level logging.
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM". Locate the "DebugEnabled" key. If "DebugEnabled" does not exist, this is NOT a finding. If "DebugEnabled" does not have a value of "true", this is a finding.
Discussion
To ensure that all security-relevant information and events are logged, the Horizon Connection Server must be configured with the "debug" logging level. This is the default value but since it could be changed to "info", this configuration must be verified and maintained.
Fix
On the Horizon Connection Server, open the Start menu. Find and launch the "Set Horizon 7 Connection Server Log Levels" shortcut. The precise location will vary depending on the Windows Server version and Start menu options; type the name to find it. In the resulting command window, select option 2, "View Debug". Press any key to exit the command prompt window.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000009: The Horizon Connection Server must limit access to the global configuration privilege.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators. From the "Role Privileges" tab, review each role in the left pane and its associated privileges in the right pane. Note any role with the "Manage Global Configuration and Policies" privilege. Switch to the "Role Permissions" tab. For each noted role, if there are any users or groups listed who are not permitted to change the events database configuration, this is a finding.
Discussion
The Horizon Connection Server comes with pre-defined privileges that can be combined in any combination into a role. That role is then assigned to a user or group. Any role that has the "Manage Global Configuration and Policies" privilege has the ability to change the configuration of the Connection Server, including the events database. This privilege must be restricted and monitored over time.
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators. Select each user or group with inappropriate access to the "Manage Global Configuration and Policies" privilege. Remove access or modify permissions as appropriate.
To remove users or groups: From the "Administrators and Groups" tab, select the unnecessary users or groups in the left pane and click the "Remove User or Group" button. Click "OK" to confirm removal.
To modify assigned permissions: From the "Administrators and Groups" tab, select the appropriate user or group in the left pane. From the right pane, select the role to remove and click the "Remove Permission" button. Click "OK" to confirm removal.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000004: The Horizon Connection Server must force server cipher preference.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, confirm with the SA whether forcing server-side cipher order was enforced at a global level via ADSI EDIT. If no such global change was made, this is a finding. Open "locked.properties" in a text editor. Find the "honorClientOrder" setting. Ensure it is set as follows:
honorClientOrder=false
If there is no "honorClientOrder" setting, this is a finding. If the "honorClientOrder" is not set to "false", this is a finding.
Discussion
By default, during the initial setup of a Transport Layer Security (TLS) connection to the Horizon Connection Server, the client sends a list of supported cipher suites in order of preference. The Connection Server replies with the cipher suite it will use for communication, chosen from the client list. This is not ideal since the untrusted client is setting the boundaries and conditions for the connection to proceed. The client could potentially specify known weak cipher combinations that would make the communication more susceptible to interception. By adding the "honorClientOrder" setting to the locked.properties file, the Connection Server will reject the client preference and force the client to choose from the server ordered list of preferred ciphers.
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Remove any existing "honorClientOrder" settings. Add or change the following line:
honorClientOrder=false
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
HRZV-7X-000028: The Horizon Connection Server must enable the Content Security Policy.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the "enableCSP" setting. If there is no "enableCSP" setting, this is NOT a finding. If "enableCSP" is set to "false", this is a finding.
Discussion
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server defines the policy and the client browser enforces the policy. This feature is enabled by default but must be validated and maintained over time.
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Remove the following line:
enableCSP=false
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000033: The Horizon Connection Server must be configured to restrict USB passthrough access.
Interview the SA. USB devices can be blocked in a number of ways:
1. The desktop OS
2. A third party DLP solution
3. Horizon Agent configuration and GPOs
4. Horizon Connection Server global policies
5. Horizon Connection Server per-pool policies
If 1, 2, or 3 are implemented in this environment, this control is not applicable. Number three is addressed in the Horizon Agent STIG.
Step One - Disable USB Access Globally: Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Policies. In the right pane, confirm that "USB Access" is set to "Deny". If "USB Access" is not set to "Deny", this is a finding.
Step Two - Confirm per-pool settings: Log in to the Horizon 7 Console. From the left pane, navigate to Inventory >> Desktops. In the right pane, click the name of each pool that does not explicitly require access to USB devices. In the next screen, click the "Policies" tab. Confirm that "Applied Policy" is set to "Deny". If "Applied Policy" is not set to "Deny", this is a finding. Click the "Policy Overrides" tab. Highlight each user. If "USB Access" is set to "Allow" for any user, ensure the exception is required and authorized. If any user has an override configured that is not required or authorized, this is a finding.
Discussion
One of the many benefits of VDI is the separation of the end user from the "desktop" they are accessing. This helps mitigate the risks imposed by physical access. In a traditional desktop scenario, and from a security perspective, physical access is equivalent to ownership. USB devices are physical devices that interact at the driver layer with the guest operating system and are inherently problematic. There are numerous risks posed by USB including the driver stack, data loss prevention, malicious devices, etc. Client USB devices are not necessary for general purpose VDI desktops and must be disabled broadly and enabled selectively. Note: USB mouse, keyboard and smart card devices are abstracted by Horizon and are not affected by any of these Horizon configurations.
Fix
Step One - Disable USB Access Globally: Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Policies. In the right pane, click "Edit Policies". In the drop-down next to "USB Access", select "Deny". Click "OK".
Step Two - Confirm per-pool settings: Log in to the Horizon 7 Console. From the left pane, navigate to Inventory >> Desktops. In the right pane, click the name of each pool that does not explicitly require access to USB devices. In the next screen, click the "Policies" tab. Click "Edit Policies". In the dropdown next to "USB Access", select "Inherit". Click "OK". Click the "Policy Overrides" tab. "Edit" or "Remove" as necessary to ensure that configured users with "USB Access" set to "Allow" are as limited as possible.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000012: The Horizon Connection Server must only use FIPS 140-2 validated cryptographic modules.
On the Horizon Connection Server, launch an elevated command prompt. Run the following commands:
# cd C:\ProgramData\VMware\VDM
# findstr /C:"Broker started in FIPS mode" log-*.txt
If the "findstr" command produces no output, this is a finding.
Discussion
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms or poor implementation. The Horizon Connection Server can be configured to exclusively use FIPS 140-2 validated cryptographic modules but only at installation time, not post deployment. Reference VMware documentation for up-to-date requirements for enabling FIPS in Horizon View. Satisfies: SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000416-AS-000140
Fix
FIPS mode can only be implemented during installation. Reinstall the Horizon Connection server and select the option to enable FIPS mode (after the IP configuration). Note: The Connection Server can only be installed in FIPS mode if Windows Server itself is running in FIPS mode.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
HRZV-7X-000030: The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate.
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway". Locate the "SSLCertWinCertFriendlyName" key. If "SSLCertWinCertFriendlyName" does not exist, this is a finding. If "SSLCertWinCertFriendlyName" is set to "vdm", this is not a finding. Note the value of "SSLCertWinCertFriendlyName". This is the friendly name of the PCoIP Secure Gateway certificate. On the Horizon Connection Server, open "certlm.msc or certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of the previously noted value of "SSLCertWinCertFriendlyName". For this certificate, locate the issuer in the "Issued By" column. If the PCoIP Secure Gateway certificate is not "Issued By" a trusted DoD CA, this is a finding. Note: If the PCoIP Secure Gateway is not enabled, this is not applicable.
Discussion
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The Blast Secure Gateway supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools. For simplicity, it is recommended to use the same certificate as previously configured for Connection Server itself via the "vdm" common name.
Fix
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway".
Option One: Use the same certificate as the Connection Server. Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". Set its value to "vdm". Close the Registry Editor. Restart the "VMware Horizon View PCoIP Secure Gateway" service for changes to take effect.
Option Two: Use a different certificate for the PCoIP Secure Gateway. Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". Set its value to "pcoip". Close the Registry Editor. Obtain a web server certificate from a DoD authority, specifying the common name as the Horizon Connection server FQDN, the signing algorithm as SHA256 and the key strength of at least 1024 bits. Export the certificate and private key to a password-protected PFX bundle. Right-click on the Personal >> Certificates folder. Select All Tasks >> Import. Click "Next". Click "Browse...". Navigate to the .pfx bundle and click "Open". Click "Next". Supply the password, select "Mark this key as exportable" and "Include all extended properties". Click "Next". Click "Next". Click "Finish". Select the newly imported certificate. Right-click this certificate and select "Properties". Change the "Friendly name" to "pcoip". This name must be exact. Click "OK". Restart the "VMware Horizon View PCoIP Secure Gateway" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000018: The Horizon Connection Server must disconnect users after a maximum of ten hours.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Locate the "Forcibly Disconnect Users" setting. If the "Forcibly Disconnect Users" setting is set to "Never", this is a finding. If the "Forcibly Disconnect Users" setting is set to greater than "600" minutes (ten hours), this is a finding.
Discussion
Horizon Connection Server is intended to provide remote desktops and applications, generally during working hours and for no more than an extended workday. Leaving sessions active for more than what is reasonable for a work day leaves open the possibility of a session becoming unoccupied and insecure on the client side. For example, if a client connection is opened at 0900, there are few day-to-day reasons that the connection should still be open after 1900, therefore the connection must be terminated. If the user is still active, they can reauthenticate immediately and get back on for another ten hours.
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Next to "Forcibly Disconnect Users", select "After" from the dropdown and fill in "600" minutes in the text field. Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000011: The Horizon Connection Server must validate client and administrator certificates.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is a finding. Open "locked.properties" in a text editor. Find the "enableRevocationChecking" setting. If "enableRevocationChecking" does not exist, this is a finding. If "enableRevocationChecking" is not set to "true", this is a finding.
Discussion
The Horizon Connection Server can be configured to check the revocation status of PKI certificates over both OCSP and CRL. This capability is disabled by default and must be enabled post-deployment. There are a number of other configurations that are supported, including OCSP and CRL location override, but those will be site and architecture specific. The suggested configuration is OCSP with failover to CRL, overriding the AIA locations via a local OCSP responder, if present. See below:
enableRevocationChecking=true
ocspCRLFailover=true
ocspSendNonce=true
enableOCSP=true
allowCertCRLs=false
crlLocation=http://<crl.myagency.mil>
ocspURL=http://<ca.myagency.mil/ocsp>
ocspSigningCert=ca.myagency.mil.cer
Set enableRevocationChecking to true to enable smart card certificate revocation checking. Set ocspCRLFailover to true to enable CRL checking if OCSP fails. Set ocspSendNonce to true to prevent replayed OCSP responses. Set enableOCSP to true to enable OCSP certificate revocation checking. Set allowCertCRLs to false to disable pulling the CRL distribution point from the certificate. Set crlLocation to the local file or HTTP URL to use for the CRL distribution point. Set ocspURL to the URL of the OCSP Responder. Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing certificate.
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Add or change the following line:
enableRevocationChecking=true
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000006: The Horizon Connection Server administrators must be limited in terms of quantity, scope, and permissions.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators. From the "Administrators and Groups" tab, review each user and group in the left pane and their associated roles in the right pane. Anyone with any privilege can log on to the Console and view potentially sensitive configurations, system details, and events. If there are any users or groups that should not be viewed as trusted "Administrators" of the Horizon system, this is a finding. Permissions must be as restrictive as possible and their scope (Access Group) as limited as possible. Ensure no user or group has unnecessary permissions and that their Access Group is appropriately limited. Pay special attention to the "Local Administrator" and "Administrator" roles on the root Access Group, as those users and groups have total control over the local and global environment, respectively. If any user or group has permissions that are greater than the minimum necessary, this is a finding. If any user or group has any permissions on an overly broad access group, this is a finding.
Discussion
Role based access and least privilege are two fundamental security concepts that must be properly implemented in Horizon View to ensure the right user and groups have the right permissions on the right objects. Horizon View allows for assigning of roles (pre-defined sets of permissions) to specific users and groups and on a specific Access Group (set of objects). Administrators must ensure that minimal permissions are assigned to the right entities, in the right scope, and stay so over time. Satisfies: SRG-APP-000033-AS-000024, SRG-APP-000118-AS-000078, SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083, SRG-APP-000290-AS-000174, SRG-APP-000315-AS-000094, SRG-APP-000340-AS-000185, SRG-APP-000343-AS-000030
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators.
To remove users or groups: From the "Administrators and Groups" tab, select the unnecessary users or groups in the left pane and click the "Remove User or Group" button. Click "OK" to confirm removal.
To modify assigned permissions: From the "Administrators and Groups" tab, select the appropriate user or group in the left pane. From the right pane, select the role to remove and click "Remove Permission". Click "OK" to confirm removal.
To create a new role with more limited permissions: From the "Role Permissions" tab, click "Add Role". Provide a descriptive name and select the minimum required permissions. Click "OK". Highlight the new role. Click "Add Permission". Click "Add". Find the relevant user(s). Click "OK". Click "Finish".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000002: The Horizon Connection Server must be configured to only support TLS 1.2 connections.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, confirm with the SA if TLS 1.2 was enforced at a global level via ADSI EDIT. If no such global change was made, this is a finding. Open "locked.properties" in a text editor. Find the "secureProtocols.1" and "preferredSecureProtocol" settings. Ensure they are set as follows:
secureProtocols.1=TLSv1.2
preferredSecureProtocol=TLSv1.2
If there is a "secureProtocols.2" or "secureProtocols.3" setting, this is a finding. If the "secureProtocols.1" and "preferredSecureProtocol" are not exactly as above, this is a finding.
Discussion
Preventing the disclosure of transmitted information requires that the application server take measures to employ strong cryptographic mechanisms to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems. According to NIST and as of publication, TLS 1.1 must not be used and TLS 1.2 will be configured. Note: Mandating TLS 1.2 may affect certain client types. Test and implement carefully. Satisfies: SRG-APP-000015-AS-000010, SRG-APP-000014-AS-000009, SRG-APP-000156-AS-000106, SRG-APP-000172-AS-000120, SRG-APP-000439-AS-000155, SRG-APP-000439-AS-000274, SRG-APP-000440-AS-000167, SRG-APP-000442-AS-000259
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Remove any "secureProtocols.2" or "secureProtocols.3" settings. Add or change the following lines:
secureProtocols.1=TLSv1.2
preferredSecureProtocol=TLSv1.2
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
HRZV-7X-000032: The Horizon Connection Server must require CAC reauthentication after user idle timeouts.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Locate the "Enable 2-Factor Reauthentication" setting. If the "Enable 2-Factor Reauthentication" setting is set to "No", this is a finding.
Discussion
If a user's VDI session times out due to inactivity, the user must be assumed to be inactive and their resources locked. These resources should only be made available again upon the user reauthenticating, rather than by reusing the initial connection. This ensures that the connection has not been hijacked and re-establishes nonrepudiation.
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Select the checkbox next to "Enable 2-Factor Reauthentication". Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000001: The Horizon Connection Server must limit the number of concurrent client sessions.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the "maxConnections" setting. The "maxConnections" setting may be set higher than the default of "2000" (up to 4000) in certain, large Horizon deployments. If there is no "maxConnections" setting, this is NOT a finding. If "maxConnections" is set to more than "4000", this is a finding.
Discussion
The Horizon Connection Server has the ability to limit the number of simultaneous client connections. This capability is helpful in limiting resource exhaustion risks related to denial of service attacks. By default, in code, the Connection Server allows up to 2000 client connections at one time, over all protocol types. For larger deployments, this limit can be increased to a tested and supported maximum of 4000 by making modifications to the "locked.properties" file. Ensure any changes to the number of allowed simultaneous connections are supported by VMware for the choice of protocols and that this value is documented as part of the SSP. Satisfies: SRG-APP-000001-AS-000001, SRG-APP-000435-AS-000163
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Add or change the following line:
maxConnections=2000
The default value of "2000" may be increased to no more than 4000 if required and properly documented. Otherwise, keep the default value of "2000". Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000031: The Horizon Connection Server must not allow unauthenticated access.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Under "Horizon Authentication", find the value in the drop-down below "Unauthenticated Access". If "Unauthenticated Access" is set to "Enabled", this is a finding. Note: If "Smart card authentication for users" is set to "Required", this setting is automatically disabled and greyed out; in that case this requirement is not applicable.
Discussion
When the Horizon native smart card capability is not set to "Required", the option for "Unauthenticated Access" is enabled. This would be true in the case of an external IdP providing authentication via SAML. The "Unauthenticated Access" option allows users to access published applications from a Horizon Client without requiring AD credentials. This is typically implemented as a convenience when serving up an application that has its own security and user management. This configuration is not acceptable in the DoD and must be disabled.
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. In the drop-down below Horizon Authentication >> Unauthenticated Access, select "Disabled". Click "OK". Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000017: The Horizon Connection Server must reauthenticate users after a network interruption.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "Security Settings" tab. Locate the "Reauthenticate Secure Tunnel Connections After Network Interruption" setting. If the "Reauthenticate Secure Tunnel Connections After Network Interruption" setting is set to "No", this is a finding.
Discussion
Given the remote access nature of Horizon Connection Server, the server side must ensure, as far as possible, that the client remains under positive control. As such, whenever a network interruption causes a client disconnect, that session must be reauthenticated upon reconnection. Allowing session resumption would be convenient, but it would allow for the possibility of the endpoint being taken out of the control of the intended user and reconnected from a different network, under the control of a bad actor who could then resume the disconnected session.
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "Security Settings" tab. Click "Edit". Check the box next to "Reauthenticate secure tunnel connections after network interruption". Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000024: The Horizon Connection Server Instant Clone domain account must be configured with limited permissions.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Instant Clone Domain Accounts. In the right pane, validate that the accounts listed are User accounts in Active Directory and have only the following permissions on the container for the instant-clone computer accounts:
List Contents
Read All Properties
Write All Properties
Read Permissions
Reset Password
Create Computer Objects
Delete Computer Objects
Ensure the permissions apply to the correct container and to all child objects of the container. If the Instant Clone domain account has more than the minimum required permissions, this is a finding. Note: If Instant Clones are not used, this is not applicable.
Discussion
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Fix
Log in to Active Directory Users and Computers. Set the permissions for the Instant Clone Domain Account to:
List Contents
Read All Properties
Write All Properties
Read Permissions
Reset Password
Create Computer Objects
Delete Computer Objects
Ensure the permissions apply to the correct container and to all child objects of the container.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
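The Console only lists which accounts are configured; the permissions themselves live on the Active Directory container, so the check has to be completed in AD. The following PowerShell script is an added example, not part of the STIG or of VMware's tooling. It reads the container's ACL and flags any Allow ACE granted to the Instant Clone account that goes beyond the seven permissions listed in the check (mapped to the ActiveDirectoryRights flags ListChildren, ReadProperty, WriteProperty, ReadControl, the Reset Password extended right, and CreateChild/DeleteChild scoped to the computer class). It assumes the ActiveDirectory module is installed; the account name and container DN are placeholders to replace, and the two schema GUIDs are the fixed AD identifiers for the computer object class and the Reset Password extended right.

```powershell
# Added example (not part of the STIG): audit the ACEs granted to the Instant Clone
# domain account on the instant-clone computer container (HRZV-7X-000024).
# Assumes the ActiveDirectory module; replace the two placeholder values below.
Import-Module ActiveDirectory

$AccountSam  = 'EXAMPLE\svc-instantclone'              # placeholder: Instant Clone domain account
$ContainerDN = 'OU=InstantClones,DC=example,DC=local'  # placeholder: container for clone computer objects

# Fixed AD schema GUIDs used to scope object-specific rights.
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # "computer" object class
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right

# STIG permission name -> ActiveDirectoryRights flag:
#   List Contents = ListChildren, Read All Properties = ReadProperty,
#   Write All Properties = WriteProperty, Read Permissions = ReadControl
$AllowedPlainRights = @('ListChildren', 'ReadProperty', 'WriteProperty', 'ReadControl')

function Test-InstantCloneAce {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    # True only if every right in this ACE is one the STIG permits.
    if ($Ace.AccessControlType -ne 'Allow') { return $true }   # Deny ACEs grant nothing
    foreach ($right in ($Ace.ActiveDirectoryRights.ToString() -split ',\s*')) {
        if ($right -in $AllowedPlainRights) { continue }
        # Only the "Reset Password" extended right is allowed; an ACE whose
        # ObjectType is empty or another right GUID grants more than that.
        if ($right -eq 'ExtendedRight' -and $Ace.ObjectType -eq $ResetPasswordGuid) { continue }
        # Create/Delete must be limited to computer objects, not all child classes.
        if (($right -in @('CreateChild', 'DeleteChild')) -and $Ace.ObjectType -eq $ComputerClassGuid) { continue }
        return $false   # GenericAll, GenericWrite, WriteDacl, WriteOwner, Delete, DeleteTree, Self, ...
    }
    return $true
}

function Get-InstantCloneAceReport {
    param([string]$Account, [string]$DN)
    # The STIG requires a user account; Get-ADUser throws if the SAM name is not a user.
    $null = Get-ADUser -Identity ($Account -split '\\')[-1] -ErrorAction Stop
    $acl = Get-Acl -Path "AD:\$DN"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{
                Rights      = $_.ActiveDirectoryRights.ToString()
                ObjectType  = $_.ObjectType
                Inheritance = $_.InheritanceType   # STIG: container and all child objects => "All"
                Type        = $_.AccessControlType
                Compliant   = Test-InstantCloneAce -Ace $_
            }
        }
}

$report = @(Get-InstantCloneAceReport -Account $AccountSam -DN $ContainerDN)
$report | Format-Table -AutoSize
if ($report.Count -eq 0) {
    "Review: no ACEs for $AccountSam on $ContainerDN (the account cannot manage clones there)"
} elseif ($report | Where-Object { -not $_.Compliant }) {
    "FINDING: $AccountSam holds rights beyond the STIG minimum on $ContainerDN"
} else {
    "Compliant: only the permitted rights are granted on $ContainerDN"
}
```

Composite flag names such as GenericRead are reported as excess and left for manual review, and the Inheritance column is printed rather than judged, since the check only requires that the grant reach all child objects.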
HRZV-7X-000010: The Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates.
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Security". Locate the "CertificateRevocationCheckType" key. If the "CertificateRevocationCheckType" key does not exist, this is a finding. If the "CertificateRevocationCheckType" key does not have a value of "3", this is a finding.
Discussion
The Horizon Connection Server performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. If a SAML 2.0 authenticator is configured for use by a Connection Server instance, the Connection Server also performs certificate revocation checking on the SAML 2.0 server certificate. By default, all certificates in the chain are checked except the root certificate. This must be changed so that the full path, including the root, is validated.
Fix
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Security". If the "CertificateRevocationCheckType" key exists: Right-click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). Click "OK". Otherwise: Right-click on the "Security" folder and select New >> DWORD (32-bit) Value. Set the name to "CertificateRevocationCheckType" (without quotes). Right-click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). Click "OK". Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000034: The Horizon Connection Server must prevent MIME type sniffing.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the "x-content-type-options" setting. If there is no "x-content-type-options" setting, this is NOT a finding. If "x-content-type-options" is set to "false", this is a finding.
Discussion
MIME types define how a given type of file is intended to be processed by the browser. Modern browsers are capable of determining the content type of a file by byte headers and content inspection and can then override the type dictated by the server. An example would be a ".js" file sent with the "jpg" MIME type instead of the JavaScript MIME type. The browser would "correct" this and process the file as JavaScript. The danger is that a file on the server could be disguised as something other than what it is, such as JavaScript, opening the door to cross-site scripting. To disable browser "sniffing" of content type, the Connection Server sends the "x-content-type-options: nosniff" header by default. This configuration must be validated and maintained over time.
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Remove the following line:
x-content-type-options=false
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000027: The Horizon Connection Server must have Origin Checking enabled.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the "checkOrigin" setting. If there is no "checkOrigin" setting, this is NOT a finding. If "checkOrigin" is set to "false", this is a finding.
Discussion
RFC 6454 Origin Checking, which protects against cross-site request forgery, is enabled by default on the Horizon Connection Server. When an administrator opens the Horizon 7 Console or a user connects to Blast HTML Access, the server checks that the origin URL for the web request matches the configured secure tunnel URL or "localhost". When the Connection Server is load balanced or front-ended by a Unified Access Gateway (UAG) appliance, origin checking will fail. This is commonly resolved by disabling origin checking entirely by specifying "checkOrigin=false" in the "locked.properties" file. This is not the proper solution. Instead, origin checking must be enabled and the load balancer and UAG appliances must be allowlisted via the "balancedHost" and "portalHost.X" settings in "locked.properties", respectively. Origin checking can be disabled by adding the entry "checkOrigin=false" to locked.properties, usually for troubleshooting purposes. The default, "checkOrigin=true" or unspecified configuration must be verified and maintained.
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Remove the following line:
checkOrigin=false
To allowlist a load balancer in front of the Connection Server, add the following line:
balancedHost=load-balancer-name-here
To allowlist Unified Access Gateway (UAG) gateways, add every address using the following format and pattern:
portalHost.1=access-point-name-1
portalHost.2=access-point-name-2
...
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000026: The Horizon Connection Server must have X-Frame-Options enabled.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the "X-Frame-Options" setting. If there is no "X-Frame-Options" setting, this is NOT a finding. If "X-Frame-Options" is set to "OFF", this is a finding.
Discussion
RFC 7034 HTTP Header Field X-Frame-Options, also known as counter clickjacking, is enabled by default on the Horizon Connection Server. It can be disabled by adding the entry "x-frame-options=OFF" to the locked.properties file, usually for troubleshooting purposes. The default configuration must be verified and maintained.
Fix
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Remove the following line:
X-Frame-Options=OFF
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
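Five of the rules above (HRZV-7X-000002, HRZV-7X-000001, HRZV-7X-000034, HRZV-7X-000027 and HRZV-7X-000026) all reduce to specific keys in the same locked.properties file, so one script can audit them together. The PowerShell below is an added example rather than STIG-supplied content. It parses the file into key/value pairs and reports each rule's result using the conditions the checks state, including the "file missing" and "setting absent" cases that are explicitly not findings. The install directory is assumed to be the default under C:\Program Files; adjust $ConfDir otherwise. The hashtable lookup is case-insensitive, so both spellings of the frame-options key that appear on this page match.

```powershell
# Added example (not part of the STIG): audit the locked.properties keys checked by
# HRZV-7X-000002, -000001, -000034, -000027 and -000026.
$ConfDir = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'   # assumption: default <install_directory>
$File    = Join-Path $ConfDir 'locked.properties'

function Read-LockedProperties {
    param([string]$Path)
    # Parse key=value lines into a (case-insensitive) hashtable; blanks and '#'/'!' comments are skipped.
    $props = @{}
    if (-not (Test-Path -LiteralPath $Path)) { return $props }
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { continue }
        $props[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    return $props
}

function Get-LockedPropertiesFindings {
    param([hashtable]$P, [bool]$FileExists)
    $findings = @()

    # HRZV-7X-000002: TLS 1.2 only. A missing file is a finding unless TLS 1.2 was enforced globally via ADSI Edit.
    if (-not $FileExists) {
        $findings += 'HRZV-7X-000002: locked.properties missing; confirm TLS 1.2 was enforced globally, otherwise FINDING'
    } else {
        if ($P['secureProtocols.1'] -ne 'TLSv1.2')       { $findings += 'HRZV-7X-000002: FINDING - secureProtocols.1 is not TLSv1.2' }
        if ($P['preferredSecureProtocol'] -ne 'TLSv1.2') { $findings += 'HRZV-7X-000002: FINDING - preferredSecureProtocol is not TLSv1.2' }
        foreach ($k in 'secureProtocols.2', 'secureProtocols.3') {
            if ($P.ContainsKey($k)) { $findings += "HRZV-7X-000002: FINDING - $k is present ($($P[$k]))" }
        }
    }

    # HRZV-7X-000001: maxConnections may be absent; if present it must be a number no greater than 4000.
    if ($P.ContainsKey('maxConnections')) {
        $n = 0
        if (-not [int]::TryParse($P['maxConnections'], [ref]$n) -or $n -gt 4000) {
            $findings += "HRZV-7X-000001: FINDING - maxConnections is '$($P['maxConnections'])' (must be <= 4000)"
        }
    }

    # HRZV-7X-000034 / -000027: protections are on by default; only an explicit 'false' is a finding.
    if ($P['x-content-type-options'] -eq 'false') { $findings += 'HRZV-7X-000034: FINDING - x-content-type-options=false disables nosniff' }
    if ($P['checkOrigin'] -eq 'false')            { $findings += 'HRZV-7X-000027: FINDING - checkOrigin=false disables origin checking' }

    # HRZV-7X-000026: only an explicit OFF is a finding.
    if ($P['X-Frame-Options'] -eq 'OFF')          { $findings += 'HRZV-7X-000026: FINDING - X-Frame-Options=OFF disables clickjacking protection' }

    return $findings
}

$exists = Test-Path -LiteralPath $File
$props  = Read-LockedProperties -Path $File
$result = @(Get-LockedPropertiesFindings -P $props -FileExists $exists)
if ($result.Count -eq 0) { "No locked.properties findings in $File" } else { $result }
```

Because the parser keeps the last value of a duplicated key, a file that sets secureProtocols.1 twice is reported on its effective value; the fix text still calls for removing the extra lines.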
HRZV-7X-000035: All Horizon components must be running supported versions.
Horizon 7.x is no longer supported by the vendor. If any of the system components are running Horizon 7.x, this is a finding.
Discussion
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Fix
Install a supported version of Horizon.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
HRZV-7X-000007: The Horizon Connection Server must require DoD PKI for administrative logins.
Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Scroll down to "Horizon Administrator Authentication". Find the value in the drop-down next to "Smart card authentication for administrators". If "Smart card authentication for administrators" is not set to "Required", this is a finding. NOTE: If another form of DoD approved PKI is used, and configured to be required for administrative logins, this is not a finding.
Discussion
The Horizon Connection Server console supports CAC login as required for cryptographic non-repudiation. CAC login can be configured as disabled, optional or required but for maximum assurance it must be set to "required". Setting CAC login as "optional" may be appropriate at some sites to support a "break glass" scenario where PKI is failing but there is an emergency access account configured with username/password. Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000153-AS-000104, SRG-APP-000177-AS-000126, SRG-APP-000392-AS-000240, SRG-APP-000391-AS-000239, SRG-APP-000403-AS-000248
Fix
Log in to the Horizon Connection Server and copy all root and intermediate certificates, in base-64 '.cer' format, required for CAC authentication to "C:\Certs". If "C:\Certs" does not exist, create it. Copy the provided make_keystore.txt to the Horizon Connection Server in "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Rename "make_keystore.txt" to "make_keystore.ps1". The "make_keystore.txt" content is provided in this STIG package. Launch PowerShell as an administrator on the Horizon Connection Server and execute the following commands:
cd "<install_directory>\VMware\VMware View\Server\sslgateway\conf"
Set-ExecutionPolicy unrestricted (type 'Y' when prompted)
.\make_keystore.ps1 -CertDir C:\Certs -Password <store password> -KeyStore keystore -LockedProperties locked.properties
Copy the created "locked.properties" and "keystore" files to any Horizon Connection Server that shares the same trusted issuers. Omit this step if multiple Connection Servers are not utilized. Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Select the "Authentication" tab. Scroll down to "View Administrator Authentication". Select "Required" for the "Smart card authentication for administrators". Click "OK". Repeat for all other Horizon Connection Servers. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
HRZV-7X-000023: The Horizon Connection Server must backup its configuration daily.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Select the "Backup" tab. Validate that "Automatic backup frequency" is set to at least "Every day". If the Connection Server is not set to be backed up daily (or more frequently), this is a finding.
Discussion
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Select the "Backup" tab. Set "Automatic backup frequency:" to "Every day" or more frequently. Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000014: The Horizon Connection Server must protect log files from unauthorized access.
On the Horizon Connection Server, navigate to "C:\ProgramData\VMware\VDM". Right-click the "logs" folder and select "Properties". Change to the "Security" tab. By default, only built-in system accounts such as "SYSTEM" and "NETWORK SERVICE" plus the local "Administrators" group have access to the "logs" folder. If any other groups have any permissions on this folder, this is a finding.
Discussion
Error logs can contain sensitive information about system errors and system architecture that need to be protected from unauthorized access and modification. By default, Horizon Connection Server logs are only accessible by local Windows Administrators. This configuration must be verified and maintained.
Fix
On the Horizon Connection Server, navigate to "C:\ProgramData\VMware\VDM". Right-click the "logs" folder and select "Properties". Change to the "Security" tab. Click "Edit…". Highlight any groups or users that are not built-in system administrative accounts or the local "Administrators" group. Click "Remove". Click "OK". Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
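As an added example (not STIG content), the PowerShell below performs the same inspection as the check without opening the Properties dialog: it lists every principal on the logs folder ACL other than SYSTEM, NETWORK SERVICE and the local Administrators group, and shows whether each entry is inherited and whether inheritance is blocked on the folder, since a grant inherited from C:\ProgramData would surface in the dialog exactly as the check describes. The path is the one stated in the check; the expected identity list is an assumption derived from the check's wording.

```powershell
# Added example (not part of the STIG): report identities on the Connection Server
# log folder that HRZV-7X-000014 does not expect.
$LogDir = 'C:\ProgramData\VMware\VDM\logs'   # path stated in the check

# Identities the check names as present by default (assumption: these exact principals).
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\NETWORK SERVICE',
    'BUILTIN\Administrators'
)

function Get-UnexpectedLogFolderAces {
    param([string]$Path, [string[]]$AllowedIdentities)
    $acl = Get-Acl -LiteralPath $Path
    # Every ACE, explicit or inherited, whose principal is outside the allowed list
    # (-notcontains compares case-insensitively).
    $acl.Access |
        Where-Object { $AllowedIdentities -notcontains $_.IdentityReference.Value } |
        Select-Object @{n = 'Identity';  e = { $_.IdentityReference.Value }},
                      @{n = 'Rights';    e = { $_.FileSystemRights }},
                      @{n = 'Type';      e = { $_.AccessControlType }},
                      @{n = 'Inherited'; e = { $_.IsInherited }}
}

$acl = Get-Acl -LiteralPath $LogDir
"Owner: $($acl.Owner); inheritance blocked on folder: $($acl.AreAccessRulesProtected)"

$bad = @(Get-UnexpectedLogFolderAces -Path $LogDir -AllowedIdentities $Expected)
if ($bad.Count -eq 0) {
    "HRZV-7X-000014: only expected identities hold permissions on $LogDir"
} else {
    "HRZV-7X-000014: FINDING - unexpected identities on $LogDir"
    $bad | Format-Table -AutoSize
}
```

An Inherited value of True on an unexpected entry means the fix's "Remove" step will be greyed out until inheritance is disabled on the folder; the Owner line is printed because an owner outside the expected set can re-grant access even after the ACEs are cleaned up.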
HRZV-7X-000013: The Horizon Connection Server must time out administrative sessions after 15 minutes or less.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Find the "Connection Server Session Timeout" value. If "Connection Server Session Timeout" is set to more than 15 minutes, this is a finding.
Discussion
If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the system. Horizon 7 Console sessions can and must be limited in the amount of idle time that will be allowed before automatic logoff. By default, 30 minutes of idle time is allowed but this must be changed to 15 minutes or less for DoD systems. This configuration must be verified and maintained over time. Satisfies: SRG-APP-000220-AS-000148, SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Set "Connection Server Session Timeout" to "15" minutes (or less). Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000015: The Horizon Connection Server must offload events to a central log server in real time.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Event Configuration. The configured syslog servers are located in the right pane under "Syslog". If there are no valid syslog servers configured, this is a finding.
Discussion
Information system logging capability is critical for accurate forensic analysis. Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. The Horizon Connection Server can be configured to send all events to a syslog receiver. Multiple servers can be configured but only the UDP protocol is supported at this time. Satisfies: SRG-APP-000358-AS-000064, SRG-APP-000515-AS-000203
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Event Configuration. In the right pane, under "Syslog", click "Add". Enter the address of your central log server and configure the port if necessary. Click "OK". Add other servers as necessary.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000025: The Horizon Connection Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Plugins\wsnm\TunnelService\Params". Locate the "JvmOptions" key. If "JvmOptions" does not exist, or the path does not exist, this is NOT a finding. If "JvmOptions" does not include the "-Djdk.tls.rejectClientInitiatedRenegotiation=true" option, this is a finding.
Discussion
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Fix
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Plugins\wsnm\TunnelService\Params". Locate the "JvmOptions" key. If "JvmOptions" exists: Right-click "JvmOptions", select "Modify...". Remove the following option, if it exists:
-Djdk.tls.rejectClientInitiatedRenegotiation=false
Add the following to the end of the string:
-Djdk.tls.rejectClientInitiatedRenegotiation=true
Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
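The registry checks in HRZV-7X-000010 and HRZV-7X-000025 above share the same mechanics, so the following PowerShell script, an added example rather than STIG-supplied content, audits both and, when run with -Remediate, applies the two fixes as the rules describe (creating or setting the DWORD to 3, and rewriting JvmOptions so the =false option is gone and the =true option is at the end). Key paths and value names are those the rules state; the script assumes JvmOptions is a single string of space-separated options, and it does not restart the service, which the fix for HRZV-7X-000010 still requires.

```powershell
# Added example (not part of the STIG): audit, and optionally remediate, the registry
# values checked by HRZV-7X-000010 and HRZV-7X-000025. Run elevated on the Connection Server.
param([switch]$Remediate)

$SecurityKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Security'
$ParamsKey   = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Plugins\wsnm\TunnelService\Params'
$RenegOn     = '-Djdk.tls.rejectClientInitiatedRenegotiation=true'
$RenegOff    = '-Djdk.tls.rejectClientInitiatedRenegotiation=false'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns the value data, or $null when the key or the value does not exist.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RevocationCheckType {
    # HRZV-7X-000010: CertificateRevocationCheckType must exist and equal 3 (full path, root included).
    $v = Get-RegValue -Key $SecurityKey -Name 'CertificateRevocationCheckType'
    if ($null -eq $v) { return 'HRZV-7X-000010: FINDING - CertificateRevocationCheckType is missing' }
    if ($v -ne 3)     { return "HRZV-7X-000010: FINDING - CertificateRevocationCheckType is $v, expected 3" }
    return 'HRZV-7X-000010: compliant'
}

function Test-ClientRenegotiation {
    # HRZV-7X-000025: not a finding when the key or value is absent; otherwise the =true option must be present.
    $v = Get-RegValue -Key $ParamsKey -Name 'JvmOptions'
    if ($null -eq $v) { return 'HRZV-7X-000025: not a finding - JvmOptions not present' }
    $opts = [string]$v -split '\s+'
    if (($opts -contains $RenegOn) -and ($opts -notcontains $RenegOff)) { return 'HRZV-7X-000025: compliant' }
    return "HRZV-7X-000025: FINDING - JvmOptions lacks $RenegOn (current: '$v')"
}

function Repair-Settings {
    # HRZV-7X-000010 fix: create the key if needed and set the DWORD to 3.
    if (-not (Test-Path -LiteralPath $SecurityKey)) { New-Item -Path $SecurityKey -Force | Out-Null }
    New-ItemProperty -LiteralPath $SecurityKey -Name 'CertificateRevocationCheckType' `
        -PropertyType DWord -Value 3 -Force | Out-Null

    # HRZV-7X-000025 fix: only when JvmOptions exists; drop the =false option, append =true once.
    $v = Get-RegValue -Key $ParamsKey -Name 'JvmOptions'
    if ($null -ne $v) {
        $opts = @([string]$v -split '\s+' | Where-Object { $_ -ne '' -and $_ -ne $RenegOff -and $_ -ne $RenegOn })
        $opts += $RenegOn
        Set-ItemProperty -LiteralPath $ParamsKey -Name 'JvmOptions' -Value ($opts -join ' ')
    }
}

if ($Remediate) { Repair-Settings }
Test-RevocationCheckType
Test-ClientRenegotiation
```

Running the audit before and after -Remediate gives a before/after record for the SSP; the JvmOptions rewrite keeps every other option in its original order.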
HRZV-7X-000019: The Horizon Connection Server must disconnect applications after two hours of idle time.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Locate the "Disconnect Applications and Discard SSO Credentials for Idle Users" setting. If the "Disconnect Applications and Discard SSO Credentials for Idle Users" setting is set to "Never", this is a finding. If the "Disconnect Applications and Discard SSO Credentials for Idle Users" setting is set to greater than "120" minutes (two hours), this is a finding.
Discussion
Horizon View is intended to provide remote desktops and applications for more or less continuous use. If an application is open and goes unused for more than two hours, that application must be closed to eliminate the risk of that idle application being usurped. For desktops, sessions will not be disconnected after two hours, but the credentials stored with Horizon will be invalidated. Subsequent desktop connection attempts will require reauthentication.
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Next to "Disconnect Applications and Discard SSO Credentials for Idle Users", select "After" from the dropdown and fill in "120" minutes in the text field. Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
HRZV-7X-000020: The Horizon Connection Server must discard SSO credentials after 15 minutes.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Locate the "Discard SSO credentials" setting. If the "Discard SSO Credentials" setting is set to "Never", this is a finding. If the "Discard SSO Credentials" setting is set to greater than "15 minutes", this is a finding.
Discussion
Horizon Connection Server caches user credentials temporarily to ensure that the user can connect to their desktop pools without reauthenticating, right after logging in to the broker. However, this grace period must be restricted so that SSO credentials are only retained for 15 minutes before being discarded. Subsequent desktop connection attempts will require reauthentication, even if the user is still connected to the broker.
Fix
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Next to "Discard SSO Credentials", select "After" from the dropdown and fill in "15" minutes in the text field. Click "OK".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None