Check: HRZV-7X-000012
VMware Horizon 7.13 Connection Server STIG:
HRZV-7X-000012
(in versions v1 r2 through v1 r1)
Title
The Horizon Connection Server must only use FIPS 140-2 validated cryptographic modules. (Cat I impact)
Discussion
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms or poor implementation. The Horizon Connection Server can be configured to exclusively use FIPS 140-2 validated cryptographic modules but only at installation time, not post deployment. Reference VMware documentation for up-to-date requirements for enabling FIPS in Horizon View. Satisfies: SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000416-AS-000140
Check Content
On the Horizon Connection Server, launch an elevated command prompt. Run the following commands: # cd C:\ProgramData\VMware\VDM # findstr /C:"Broker started in FIPS mode" log-*.txt If the "findstr" command produces no output, this is a finding.
Fix Text
FIPS mode can only be implemented during installation. Reinstall the Horizon Connection server and select the option to enable FIPS mode (after the IP configuration). Note: The Connection Server can only be installed in FIPS mode if Windows Server itself is running in FIPS mode.
Additional Identifiers
Rule ID: SV-246893r879616_rule
Vulnerability ID: V-246893
Group Title: SRG-APP-000179-AS-000129
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000803 |
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
Controls
Number | Title |
---|---|
IA-7 |
Cryptographic Module Authentication |