Check: HRZV-7X-000011
VMware Horizon 7.13 Connection Server STIG:
HRZV-7X-000011
(in versions v1 r2 through v1 r1)
Title
The Horizon Connection Server must validate client and administrator certificates. (Cat II impact)
Discussion
The Horizon Connection Server can be configured to check the revocation status of PKI certificates over both OCSP and CRL. This capability is disabled by default and must be enabled post-deployment. There are a number of other configurations that are supported, including OCSP and CRL location override but those will be site and architecture specific. The suggested configuration is OCSP with failover to CRL and override the AIA locations via a local OCSP responder, if present. See below: enableRevocationChecking=true ocspCRLFailover=true ocspSendNonce=true enableOCSP=true allowCertCRLs=false crlLocation=http://<crl.myagency.mil> ocspURL=http://<ca.myagency.mil/ocsp ocspSigningCert=ca.myagency.mil.cer Set enableRevocationChecking to true to enable smart card certificate revocation checking. Set ocspCRLFailover to enable CRL checking is OCSP fails. Set ocspSendNonce to true to prevent OCSP repeated responses. Set enableOCSP to true to enable OCSP certificate revocation checking. Set allowCertCRLs to false to disable pulling the CRL distribution point from the certificate. Set crlLocation to the local file of http URL to use for the CRL distribution point. Set ocspURL to the URL of the OCSP Responder. Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing certificate.
Check Content
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is a finding. Open "locked.properties" in a text editor. Find the "enableRevocationChecking" setting. If "enableRevocationChecking" does not exist, this is a finding. If "enableRevocationChecking" is not set to "true", this is a finding.
Fix Text
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Add or change the following line: enableRevocationChecking=true Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Additional Identifiers
Rule ID: SV-246892r879612_rule
Vulnerability ID: V-246892
Group Title: SRG-APP-000175-AS-000124
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000185 |
For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
Number | Title |
---|---|
IA-5(2) |
Pki-based Authentication |