
The Horizon Agent must check the entire chain when validating certificates.


Overview

Finding ID: V-246864
Version: HRZA-7X-000005
Rule ID: SV-246864r768552_rule
IA Controls:
Severity: Medium
Description
Any time the Horizon Agent establishes an outgoing TLS connection, it verifies the server certificate revocation status. By default, it verifies all intermediates but not the root. DoD policy requires full path validation; thus, this default behavior needs to be changed.
STIG: VMware Horizon 7.13 Agent Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50296r768550_chk)
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Common Configuration >> Security Configuration. Double-click the "Type of certificate revocation check" setting.

If "Type of certificate revocation check" is "Not Configured" or "Disabled", this is a finding.

In the drop-down under "Type of certificate revocation check", if "WholeChain" is not selected, this is a finding.
Fix Text (F-50250r768551_fix)
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Common Configuration >> Security Configuration. Double-click the "Type of certificate revocation check" setting.

Make sure the setting is "Enabled".

In the drop-down under "Type of certificate revocation check", select "WholeChain". Click "OK".
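
The check above can also be evaluated from an exported GPO report instead of clicking through the editor. The following PowerShell is an added example, not part of the STIG or of VMware's tooling. It assumes the RSAT GroupPolicy module is installed, that the GPO name passed in is a placeholder for the site-specific GPO, and that the XML report lists Administrative Template settings as Policy elements with Name, State and DropDownList/Value/Name children.

```powershell
#Requires -Modules GroupPolicy
# Added example; not part of the STIG or of VMware's tooling.
function Test-HorizonRevocationCheck {
    param([Parameter(Mandatory)][string]$GpoName)

    $setting  = 'Type of certificate revocation check'
    $required = 'WholeChain'

    # Export the GPO as an XML report (RSAT GroupPolicy module).
    [xml]$report = Get-GPReport -Name $GpoName -ReportType Xml

    # Assumed report layout: Computer//Policy with Name, State and
    # DropDownList/Value/Name children. local-name() sidesteps the
    # per-extension XML namespaces used in the report.
    $policy = $report.SelectSingleNode(
        "//*[local-name()='Computer']//*[local-name()='Policy']" +
        "[*[local-name()='Name']='$setting']")

    $state    = 'Not Configured'   # unconfigured policies are absent from the report
    $selected = $null
    if ($policy) {
        $state  = $policy.SelectSingleNode("*[local-name()='State']").InnerText
        $choice = $policy.SelectSingleNode(
            "*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']")
        if ($choice) { $selected = $choice.InnerText }
    }

    [pscustomobject]@{
        Gpo       = $GpoName
        State     = $state
        Selection = $selected
        # Finding unless the policy is Enabled and WholeChain is selected.
        Finding   = -not ($state -eq 'Enabled' -and $selected -eq $required)
    }
}

# 'Horizon Agent Settings' is a placeholder GPO name.
Test-HorizonRevocationCheck -GpoName 'Horizon Agent Settings'
```

The Finding column is true for "Not Configured", "Disabled", or any drop-down selection other than "WholeChain", matching the two finding conditions in the check text.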