Check: HRZV-7X-000016
VMware Horizon 7.13 Connection Server STIG:
HRZV-7X-000016
(in versions v1 r2 through v1 r1)
Title
The Horizon Connection Server must be configured with a DoD-issued TLS certificate. (Cat II impact)
Discussion
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not DoD-approved, trust of this CA has not been established. The Horizon Connection Server supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools, focusing on the certificate with the friendly name "vdm".
Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137
Check Content
On the Horizon Connection Server, open "certlm.msc" or "certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of "vdm". For this certificate, locate the issuer in the "Issued By" column. If the Horizon Connection Server broker certificate is not "Issued By" a trusted DoD CA, or other AO-approved certificate, this is a finding.
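The manual check above can be scripted so it runs the same way on every Connection Server. The following PowerShell is an added example, not part of the STIG or of VMware's own tooling. It selects the certificate with friendly name "vdm" from the local computer's Personal store, exactly as the check does, and then reports a finding if the certificate is missing or duplicated, self-signed, issued by a CA outside a site-maintained approved list, failing chain validation, expired, or not SHA-256 signed. The issuer patterns in $ApprovedIssuerPatterns are placeholders and must be replaced with the DoD or AO-approved issuing CA names actually in use at the site.

```powershell
# Added example (not STIG text): audit HRZV-7X-000016 on a Horizon Connection Server.
# $ApprovedIssuerPatterns holds PLACEHOLDER regexes; replace them with the
# "Issued By" names of the DoD or AO-approved CAs the site actually trusts.
$ApprovedIssuerPatterns = @(
    '^CN=DOD .* CA-\d+',          # placeholder pattern for a DoD issuing CA
    '^CN=APPROVED-INTERNAL-CA'    # placeholder for an AO-approved internal CA
)

function Test-HorizonVdmCertificate {
    param(
        [Parameter(Mandatory)][string[]]$ApprovedIssuerPatterns,
        # Personal >> Certificates for the local computer, as in certlm.msc
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    # Same selection the manual check makes: friendly name "vdm" in the Personal store.
    $certs = @(Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -eq 'vdm' })

    if ($certs.Count -eq 0) {
        return [pscustomobject]@{ Status = 'Open'; Reason = "No certificate with friendly name 'vdm' in $StorePath" }
    }
    if ($certs.Count -gt 1) {
        return [pscustomobject]@{ Status = 'Open'; Reason = "More than one certificate carries the friendly name 'vdm'" }
    }

    $cert = $certs[0]
    $findings = New-Object System.Collections.Generic.List[string]

    # The default certificate is self-signed; Subject equal to Issuer is always a finding.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings.Add("Certificate is self-signed ($($cert.Subject))")
    }

    # "Issued By" must match one of the approved CA patterns.
    $issuerApproved = $false
    foreach ($pattern in $ApprovedIssuerPatterns) {
        if ($cert.Issuer -match $pattern) { $issuerApproved = $true; break }
    }
    if (-not $issuerApproved) {
        $findings.Add("Issuer '$($cert.Issuer)' is not in the approved CA list")
    }

    # The chain must build to a root trusted by this machine (trust of the CA established).
    if (-not $cert.Verify()) {
        $findings.Add('Certificate chain does not validate against the local trust store')
    }

    # An expired broker certificate is reported as well.
    if ($cert.NotAfter -lt (Get-Date)) {
        $findings.Add("Certificate expired on $($cert.NotAfter)")
    }

    # The fix text requires a SHA256 signing algorithm (e.g. "sha256RSA").
    if ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha256') {
        $findings.Add("Signature algorithm is '$($cert.SignatureAlgorithm.FriendlyName)', not SHA256")
    }

    if ($findings.Count -eq 0) {
        return [pscustomobject]@{
            Status = 'NotAFinding'
            Reason = "vdm certificate issued by '$($cert.Issuer)', valid until $($cert.NotAfter)"
        }
    }
    return [pscustomobject]@{ Status = 'Open'; Reason = ($findings -join '; ') }
}

# Usage: run in an elevated PowerShell session on the Connection Server.
Test-HorizonVdmCertificate -ApprovedIssuerPatterns $ApprovedIssuerPatterns | Format-List
```

The issuer-pattern match reproduces the human "Issued By" comparison; the `Verify()` call adds what the eye cannot see at a glance, namely whether the chain actually terminates in a root the server trusts. Both must pass, since a certificate can carry an approved-looking issuer name while its chain is broken, or chain correctly to some root that is not DoD-approved.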
Fix Text
Obtain a web server certificate from a DoD authority, specifying the common name as the Horizon Connection Server FQDN, the signing algorithm as "SHA256", and a key strength of at least "1024 bits". Export the certificate and private key to a password-protected PFX bundle.

On the Horizon Connection Server, open "certlm.msc" or "certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of "vdm". Right-click this certificate and select "Properties". Change the "Friendly name" to "vdm-original" or similar. Click "OK".

Right-click the Personal >> Certificates folder. Select All Tasks >> Import. Click "Next". Click "Browse...". Navigate to the .pfx bundle and click "Open". Click "Next". Supply the password, select "Mark this key as exportable" and "Include all extended properties". Click "Next". Click "Next". Click "Finish".

Select the newly imported certificate. Right-click it and select "Properties". Change the "Friendly name" to "vdm". This name must be exact. Click "OK".

Restart the Connection Server or the "VMware Horizon View Connection Server" service for the change to take effect.
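The same fix can be applied from PowerShell, which is useful when several Connection Servers are rotated at once. The following is an added example, not part of the STIG or of VMware's documentation. It assumes the PFX exported from the DoD CA is already on the server at the path passed as -PfxPath (a placeholder), that the PKI module providing Import-PfxCertificate is available (Windows Server 2012 and later), and that the session is elevated. It follows the fix text step by step: rename the current "vdm" certificate to "vdm-original", import the PFX with the key marked exportable, set the friendly name of the new certificate to exactly "vdm", and restart the broker service.

```powershell
# Added example (not STIG text): apply the HRZV-7X-000016 fix from PowerShell.
# Run elevated on the Horizon Connection Server. -PfxPath is a placeholder path.
function Install-HorizonVdmCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        # Personal >> Certificates for the local computer
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Display name of the broker service quoted in the fix text
        [string]$BrokerServiceDisplayName = 'VMware Horizon View Connection Server'
    )

    if (-not (Test-Path -Path $PfxPath)) {
        throw "PFX bundle not found: $PfxPath"
    }

    # Step 1: free the "vdm" friendly name by renaming the existing certificate(s).
    $existing = @(Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -eq 'vdm' })
    foreach ($old in $existing) {
        # Writing FriendlyName on a Cert: provider object persists to the store.
        $old.FriendlyName = 'vdm-original'
    }

    # Step 2: import the PFX; the password is prompted so it never lands in a script.
    $password = Read-Host -Prompt 'PFX password' -AsSecureString
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath `
                                      -Password $password -Exportable

    # Re-read the certificate from the store by thumbprint before editing properties.
    $new = Get-ChildItem -Path (Join-Path $StorePath $imported.Thumbprint)

    # Sanity checks before the broker is pointed at this certificate.
    if (-not $new.HasPrivateKey) { throw 'Imported certificate has no private key' }
    if ($new.Subject -eq $new.Issuer) { throw 'Imported certificate is self-signed' }

    # Step 3: the friendly name must be exactly "vdm".
    $new.FriendlyName = 'vdm'

    # Confirm exactly one certificate now carries the "vdm" name.
    $vdm = @(Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($vdm.Count -ne 1) {
        throw "Expected exactly one 'vdm' certificate after import, found $($vdm.Count)"
    }

    # Step 4: restart the broker service so the new certificate takes effect.
    Get-Service -DisplayName $BrokerServiceDisplayName | Restart-Service -Force

    return $new
}

# Usage (placeholder path):
# Install-HorizonVdmCertificate -PfxPath 'C:\certs\horizon-broker.pfx'
```

Reading the certificate back by thumbprint after Import-PfxCertificate, rather than editing the object the cmdlet returns, makes sure the friendly-name change is written to the store the broker reads. The count check at the end guards against the case the manual procedure leaves to the operator: two certificates both named "vdm" after a partial earlier rotation.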
Additional Identifiers
Rule ID: SV-246897r879798_rule
Vulnerability ID: V-246897
Group Title: SRG-APP-000427-AS-000264
Expert Comments
CCIs
Number | Definition
---|---
CCI-002470 | Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
Controls
Number | Title
---|---
SC-23(5) | Allowed Certificate Authorities