Check: HRZV-7X-000007
VMware Horizon 7.13 Connection Server STIG:
HRZV-7X-000007
(in versions v1 r2 through v1 r1)
Title
The Horizon Connection Server must require DoD PKI for administrative logins. (Cat I impact)
Discussion
The Horizon Connection Server console supports CAC login as required for cryptographic non-repudiation. CAC login can be configured as disabled, optional, or required; for maximum assurance it must be set to "required". Setting CAC login to "optional" may be appropriate at some sites to support a "break glass" scenario in which PKI is failing but an emergency access account with a username/password is configured.
Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000153-AS-000104, SRG-APP-000177-AS-000126, SRG-APP-000392-AS-000240, SRG-APP-000391-AS-000239, SRG-APP-000403-AS-000248
Check Content
Log in to the Horizon Connection Server Console.
From the left pane, navigate to Settings >> Servers.
In the right pane, select the "Connection Servers" tab.
For each Connection Server listed, select the server and click "Edit".
Click the "Authentication" tab and scroll down to "Horizon Administrator Authentication".
Find the value in the drop-down next to "Smart card authentication for administrators".

If "Smart card authentication for administrators" is not set to "Required", this is a finding.

NOTE: If another form of DoD-approved PKI is used, and it is configured to be required for administrative logins, this is not a finding.
Fix Text
Log in to the Horizon Connection Server and copy all root and intermediate certificates required for CAC authentication, in base-64 ".cer" format, to "C:\Certs". If "C:\Certs" does not exist, create it.

Copy the provided "make_keystore.txt" (included in this STIG package) to "<install_directory>\VMware\VMware View\Server\sslgateway\conf" on the Horizon Connection Server and rename it to "make_keystore.ps1".

Launch PowerShell as an administrator on the Horizon Connection Server and execute the following commands:

cd "<install_directory>\VMware\VMware View\Server\sslgateway\conf"
Set-ExecutionPolicy unrestricted (type "Y" when prompted)
.\make_keystore.ps1 -CertDir C:\Certs -Password <store password> -KeyStore keystore -LockedProperties locked.properties

Note that "Set-ExecutionPolicy unrestricted" changes the machine-wide policy; restore the previous policy once the script has run, or limit the change to the current session with "Set-ExecutionPolicy -Scope Process Unrestricted" instead.

Copy the created "locked.properties" and "keystore" files to every other Horizon Connection Server that shares the same trusted issuers. Omit this step if only one Connection Server is used.

Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Select the "Authentication" tab. Scroll down to "View Administrator Authentication". Set "Smart card authentication for administrators" to "Required" and click "OK". Repeat for all other Horizon Connection Servers.

Restart the "VMware Horizon View Connection Server" service on each server for the changes to take effect.
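The following script is an added example and is not the make_keystore.ps1 shipped in the STIG package. It does the same two things the fix text has that script do: import every base-64 .cer found in a directory into a JKS trust store using keytool, and write the locked.properties entries (trustKeyfile, trustStoretype, useCertAuth, the keys VMware documents for Connection Server smart card authentication) that point the server at that store. The install path, the location of keytool under the bundled JRE ("<InstallDir>\jre\bin\keytool.exe"), and the default file names are assumptions; adjust them for your installation. It adds two checks the fix text does not mention: only CA certificates are imported (a leaf certificate dropped into C:\Certs by mistake would otherwise become a trusted issuer), and an existing locked.properties is merged rather than overwritten. Run it from an elevated PowerShell session, for example with "Set-ExecutionPolicy -Scope Process Unrestricted" so the policy change does not outlive the session.

```powershell
<#
Added example (not the STIG-provided make_keystore.ps1).
Builds a JKS trust store of CAC issuer certificates and the matching
locked.properties entries for a Horizon Connection Server.
Assumed (hypothetical) layout: keytool at <InstallDir>\jre\bin\keytool.exe,
locked.properties at <InstallDir>\sslgateway\conf\locked.properties.
#>
param(
    [string]$CertDir = 'C:\Certs',
    [Parameter(Mandatory = $true)][string]$Password,
    [string]$InstallDir = 'C:\Program Files\VMware\VMware View\Server',
    [string]$KeyStoreName = 'keystore'
)

$ErrorActionPreference = 'Stop'
$keytool  = Join-Path $InstallDir 'jre\bin\keytool.exe'
$confDir  = Join-Path $InstallDir 'sslgateway\conf'
$keyStore = Join-Path $confDir $KeyStoreName
$propFile = Join-Path $confDir 'locked.properties'

if (-not (Test-Path $keytool)) { throw "keytool not found at $keytool (assumed path, adjust InstallDir)" }

$certs = @(Get-ChildItem -Path $CertDir -Filter '*.cer' -File)
if ($certs.Count -eq 0) { throw "No .cer files found in $CertDir" }

$imported = 0
foreach ($cert in $certs) {
    # Parse the certificate so only CA certificates land in the trust store.
    $x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert.FullName
    $basic = $x509.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    # A v3 certificate must carry cA=TRUE; a v1 root (no extensions) is accepted only if self-issued.
    $isCa = if ($basic) { $basic.CertificateAuthority } else { $x509.Subject -eq $x509.Issuer -and $x509.Version -eq 1 }
    if (-not $isCa) {
        Write-Warning "Skipping $($cert.Name): not a CA certificate ($($x509.Subject))"
        continue
    }

    # Thumbprint as alias: unique per certificate and stable across re-runs.
    $alias = $x509.Thumbprint.ToLower()
    if (Test-Path $keyStore) {
        & $keytool -list -alias $alias -keystore $keyStore -storetype JKS -storepass $Password *> $null
        if ($LASTEXITCODE -eq 0) { Write-Host "Already present: $($x509.Subject)"; continue }
    }

    # keytool creates the keystore on first import if it does not exist yet.
    & $keytool -importcert -noprompt -alias $alias -file $cert.FullName `
        -keystore $keyStore -storetype JKS -storepass $Password
    if ($LASTEXITCODE -ne 0) { throw "keytool failed to import $($cert.Name)" }
    $imported++
    Write-Host "Imported $($x509.Subject) as $alias"
}

# Merge rather than overwrite: locked.properties may already carry other settings.
$wanted = [ordered]@{
    'trustKeyfile'   = $KeyStoreName   # file name relative to sslgateway\conf
    'trustStoretype' = 'JKS'
    'useCertAuth'    = 'true'
}
$lines = @()
if (Test-Path $propFile) {
    # Keep every existing line whose key is not one we are about to set.
    $lines = @(Get-Content $propFile | Where-Object {
        $key = ($_ -split '=', 2)[0].Trim()
        -not $wanted.Contains($key)
    })
}
foreach ($k in $wanted.Keys) { $lines += "$k=$($wanted[$k])" }
Set-Content -Path $propFile -Value $lines -Encoding ASCII

# List the store so the operator can confirm the issuers match the CAC chain
# before setting "Smart card authentication for administrators" to Required.
& $keytool -list -keystore $keyStore -storetype JKS -storepass $Password
Write-Host "$imported certificate(s) imported; $propFile updated."
Write-Host "Restart the 'VMware Horizon View Connection Server' service after setting smart card authentication for administrators to Required."
```

Copy the resulting keystore and locked.properties to the other Connection Servers that share the same issuers, as the fix text directs; the trustKeyfile value is a bare file name, so the keystore must sit in the same sslgateway\conf directory on each server.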
Additional Identifiers
Rule ID: SV-246888r879554_rule
Vulnerability ID: V-246888
Group Title: SRG-APP-000080-AS-000045
CCIs
Number | Definition
---|---
CCI-000166 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Controls
Number | Title
---|---
AU-10 | Non-repudiation