Check: HRZV-7X-000002
VMware Horizon 7.13 Connection Server STIG:
HRZV-7X-000002
(in versions v1 r2 through v1 r1)
Title
The Horizon Connection Server must be configured to only support TLS 1.2 connections. (Cat I impact)
Discussion
Preventing the disclosure of transmitted information requires that the application server take measures to employ strong cryptographic mechanisms to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems. According to NIST and as of publication, TLS 1.1 must not be used and TLS 1.2 will be configured.

Note: Mandating TLS 1.2 may affect certain client types. Test and implement carefully.

Satisfies: SRG-APP-000015-AS-000010, SRG-APP-000014-AS-000009, SRG-APP-000156-AS-000106, SRG-APP-000172-AS-000120, SRG-APP-000439-AS-000155, SRG-APP-000439-AS-000274, SRG-APP-000440-AS-000167, SRG-APP-000442-AS-000259
Check Content
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, confirm with the SA if TLS 1.2 was enforced at a global level via ADSI EDIT. If no such global change was made, this is a finding.

Open "locked.properties" in a text editor. Find the "secureProtocols.1" and "preferredSecureProtocol" settings. Ensure they are set as follows:

secureProtocols.1=TLSv1.2
preferredSecureProtocol=TLSv1.2

If there is a "secureProtocols.2" or "secureProtocols.3" setting, this is a finding.

If the "secureProtocols.1" and "preferredSecureProtocol" are not exactly as above, this is a finding.
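The check above as a script, added here as an example (not part of the STIG or VMware tooling): the hypothetical function Test-HorizonTlsProperties parses "locked.properties" text and returns the findings the check defines. It covers only the file-based conditions; the missing-file case with ADSI EDIT confirmation stays a manual step, and the sample content is constructed.

```powershell
# Added example, not STIG or VMware code. Test-HorizonTlsProperties is a hypothetical name.
function Test-HorizonTlsProperties {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Content)

    # Case-sensitive table: setting names in a Java properties file are case-sensitive
    $props = New-Object System.Collections.Hashtable
    foreach ($line in $Content -split "`r?`n") {
        $t = $line.Trim()
        # Skip blank lines and comment lines (# or !)
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        # key=value, key:value or key value; a later duplicate overrides an earlier one
        if ($t -match '^([^=:\s]+)\s*[=:]?\s*(.*)$') { $props[$Matches[1]] = $Matches[2] }
    }

    $findings = @()
    foreach ($key in 'secureProtocols.1', 'preferredSecureProtocol') {
        if (-not $props.ContainsKey($key)) {
            $findings += "$key is not set"
        } elseif ($props[$key] -cne 'TLSv1.2') {   # -cne: exact, case-sensitive match
            $findings += "$key is '$($props[$key])', expected 'TLSv1.2'"
        }
    }
    foreach ($key in 'secureProtocols.2', 'secureProtocols.3') {
        if ($props.ContainsKey($key)) { $findings += "$key is present" }
    }
    return ,$findings
}

# Constructed sample: TLS 1.1 is still offered as a second protocol
$sample = @'
# locked.properties (constructed sample)
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1
preferredSecureProtocol=TLSv1.2
'@
$result = Test-HorizonTlsProperties -Content $sample
if ($result.Count -gt 0) {
    $result | ForEach-Object { "FINDING: $_" }
} else {
    'No finding from the locked.properties settings'
}
```

On a Connection Server, pass the file's text by reading "locked.properties" from the path in the check with `Get-Content -Raw`.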
Fix Text
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".

Open "locked.properties" in a text editor. Remove any "secureProtocols.2" or "secureProtocols.3" settings. Add or change the following lines:

secureProtocols.1=TLSv1.2
preferredSecureProtocol=TLSv1.2

Save and close the file.

Restart the "VMware Horizon View Connection Server" service for changes to take effect.
Additional Identifiers
Rule ID: SV-246883r879520_rule
Vulnerability ID: V-246883
Group Title: SRG-APP-000015-AS-000010
CCIs
Number | Definition |
---|---|
CCI-001453 | Implement cryptographic mechanisms to protect the integrity of remote access sessions. |
Controls
Number | Title |
---|---|
AC-17(2) | Protection of Confidentiality / Integrity Using Encryption |