
The Horizon Agent must not allow drag and drop for PCoIP.


Overview

Finding ID: V-246870
Version: HRZA-7X-000011
Rule ID: SV-246870r768570_rule
IA Controls:
Severity: Medium
Description
Data loss prevention is a primary concern for the DoD: maintaining positive control of data at all times and only allowing flows over channels that exist for that explicit purpose and are monitored appropriately. Additionally, data coming into the environment must arrive through allowed channels and be inspected appropriately. By default, the PCoIP protocol on the Horizon Agent will allow drag and drop actions from the client to the desktop. Drag and drop must be configured as disabled in both directions.
STIG: VMware Horizon 7.13 Agent Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50302r768568_chk)
Ensure the pcoip.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the "Configure drag and drop direction" setting.

If "Configure drag and drop direction" is not "Enabled", this is a finding.

In the drop-down under "Configure drag and drop direction", if "Disabled in both directions" is not selected, this is a finding.
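
The check above can also be run against the GPO's XML report instead of the MMC snap-in. The following is an added example, not part of the STIG text: the GPO name is a placeholder, the function name Test-PcoipDragDropPolicy is hypothetical, and it assumes the report lists the setting by its display name under a Policy element with State and DropDownList children.

```powershell
# Added example. Requires the GroupPolicy module (RSAT / Group Policy Management).
function Test-PcoipDragDropPolicy {
    param(
        [Parameter(Mandatory)][xml]$Report,
        [string]$PolicyName = 'Configure drag and drop direction',
        [string]$Required   = 'Disabled in both directions'
    )
    # Match on local-name() so the report's namespace prefixes (q1, q2, ...) do not matter.
    # Only the Computer section is searched, matching the STIG's Computer Configuration path.
    $xpath = "/*[local-name()='GPO']/*[local-name()='Computer']" +
             "//*[local-name()='Policy'][*[local-name()='Name']='$PolicyName']"
    $policy = $Report.SelectSingleNode($xpath)
    if (-not $policy) {
        return [pscustomobject]@{ Finding = $true; Reason = "'$PolicyName' is not configured" }
    }

    # First condition of the check: the setting itself must be "Enabled".
    $state = $policy.SelectSingleNode("*[local-name()='State']").InnerText
    if ($state -ne 'Enabled') {
        return [pscustomobject]@{ Finding = $true; Reason = "Setting state is '$state', not 'Enabled'" }
    }

    # Second condition: the drop-down must be "Disabled in both directions".
    $selected = $policy.SelectNodes(
        "*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']"
    ) | ForEach-Object { $_.InnerText }
    if ($selected -notcontains $Required) {
        return [pscustomobject]@{ Finding = $true; Reason = "Drop-down is '$($selected -join ', ')'" }
    }

    [pscustomobject]@{ Finding = $false; Reason = "Enabled with '$Required'" }
}

# Placeholder: replace with the site-specific GPO applying Horizon settings.
$GpoName = 'PLACEHOLDER-Horizon-Agent-GPO'
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
Test-PcoipDragDropPolicy -Report $report
```

This inspects what the GPO defines, not what a given desktop has applied, so confirm separately that the GPO is linked to and processed by the VDI desktops or RDS hosts.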
Fix Text (F-50256r768569_fix)
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> PCoIP Session Variables >> Overridable Administrator Settings. Double-click the "Configure drag and drop direction" setting.

Click the radio button next to "Enabled".

In the drop-down under "Configure drag and drop", select "Disabled in both directions". Click "OK".