
The Horizon Agent must audit clipboard actions for Blast.


Overview

Finding ID: V-246871
Version: HRZA-7X-000012
Rule ID: SV-246871r768573_rule
IA Controls:
Severity: Medium
Description
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. By default, the Blast protocol on the Horizon Agent will block clipboard "copy/paste" actions from the desktop to the client but allow actions from the client to the desktop. All such allowed actions must be audited for potential future forensic purposes.
STIG: VMware Horizon 7.13 Agent Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50303r768571_chk)
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the "Configure clipboard audit" setting.

If "Configure clipboard audit" is "Not Configured" or "Disabled", this is a finding.

In the drop-down under "Configure clipboard audit", if "Enabled in both directions" is not selected, this is a finding.
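
The check above can also be run against the GPO's settings report rather than through the snap-in. The following is an added example, not part of the STIG: the function name and the GPO name are placeholders, and the element layout it reads (Policy, Name, State, DropDownList, Value) is an assumption about the XML that Get-GPReport produces for Administrative Template settings.

```powershell
# Added example, not part of the STIG. Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

function Test-BlastClipboardAudit {
    param(
        # Display name of the site-specific GPO applying Horizon settings (placeholder).
        [Parameter(Mandatory)][string]$GpoName
    )

    # Get-GPReport returns the GPO settings report as an XML string.
    [xml]$report = Get-GPReport -Name $GpoName -ReportType Xml

    # local-name() avoids having to register the report's XML namespaces.
    # Only Computer Configuration is searched, matching the path in the check text.
    $xpath = "//*[local-name()='Computer']//*[local-name()='Policy']" +
             "[*[local-name()='Name']='Configure clipboard audit']"
    $policies = @($report.SelectNodes($xpath))

    if ($policies.Count -eq 0) {
        # A setting left at "Not Configured" does not appear in the report.
        return [pscustomobject]@{
            Gpo = $GpoName; State = 'Not Configured'; Selected = $null; Finding = $true
        }
    }

    foreach ($p in $policies) {
        $stateNode = $p.SelectSingleNode("*[local-name()='State']")
        $valueNode = $p.SelectSingleNode(
            "*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']")
        $state    = if ($stateNode) { $stateNode.InnerText } else { 'Unknown' }
        $selected = if ($valueNode) { $valueNode.InnerText } else { $null }

        [pscustomobject]@{
            Gpo      = $GpoName
            State    = $state
            Selected = $selected
            # Finding unless Enabled AND "Enabled in both directions" is selected.
            Finding  = -not ($state -eq 'Enabled' -and
                             $selected -eq 'Enabled in both directions')
        }
    }
}

# 'Horizon VDI Settings' is a placeholder GPO name.
Test-BlastClipboardAudit -GpoName 'Horizon VDI Settings'
```

This inspects the GPO definition only; whether the GPO is linked to and applied on the VDI desktops or RDS hosts still has to be confirmed separately.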
Fix Text (F-50257r768572_fix)
Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> VMware Blast. Double-click the "Configure clipboard audit" setting.

Click the radio button next to "Enabled".

In the drop-down under "Configure clipboard audit", select "Enabled in both directions". Click "OK".