VMware Horizon 7.13 Agent Security Technical Implementation Guide

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware Horizon 7.13 Agent Security Technical Implementation Guide

Overview

Version	Date	Finding Count (15)			Downloads
1	2021-07-30	CAT I (High): 0	CAT II (Med): 15	CAT III (Low): 0	Excel	JSON	XML

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Finding ID	Severity	Title	Description
V-246874	Medium	The Horizon Agent must block USB mass storage.	The Horizon Agent has the capability to granularly control what, if any, USB devices are allowed to be passed from the local client to the agent on the virtual desktop. By default, Horizon blocks...
V-246872	Medium	The Horizon Agent must audit clipboard actions for PCoIP.	Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246873	Medium	The Horizon Agent desktops must not allow client drive redirection.	Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246870	Medium	The Horizon Agent must not allow drag and drop for PCoIP.	Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246871	Medium	The Horizon Agent must audit clipboard actions for Blast.	Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246869	Medium	The Horizon Agent must not allow drag and drop for Blast.	Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246868	Medium	The Horizon Agent must not allow file transfers through HTML Access.	Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246861	Medium	The Horizon Agent must only run allowed scripts on user connect.	The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of...
V-246860	Medium	The Horizon Agent must require TLS connections.	The Horizon Agent has the capability to be backward compatible with legacy clients, circa View 5.2, which do not support newer TLS connections. By default, the agent can fall back to this non-TLS...
V-246863	Medium	The Horizon Agent must only run allowed scripts on user reconnect.	The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of...
V-246862	Medium	The Horizon Agent must only run allowed scripts on user disconnect.	The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of...
V-246865	Medium	The Horizon Agent must set an idle timeout.	Idle sessions are at increased risk of being hijacked. If a user has stepped away from their desk and is no long in positive control of their session, that session is in danger of being assumed by...
V-246864	Medium	The Horizon Agent must check the entire chain when validating certificates.	Any time the Horizon Agent establishes an outgoing TLS connection, it verifies the server certificate revocation status. By default, it verifies all intermediates but not the root. DoD policy...
V-246867	Medium	The Horizon Agent must block server to client clipboard actions for PCoIP.	Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246866	Medium	The Horizon Agent must block server to client clipboard actions for Blast.	Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...