The Horizon Agent desktops must not allow client drive redirection.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-246873	HRZA-7X-000014	SV-246873r768579_rule		Medium

Description
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. By default, the Horizon Client, Agent, and guest operating systems will coordinate to allow drives local to the client to be redirected over the Client connection and mounted in the virtual desktop. This configuration must be modified to disallow drive sharing in order to protect sensitive DoD data from being maliciously, accidentally, or casually removed from the controlled environment.

Description

Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. By default, the Horizon Client, Agent, and guest operating systems will coordinate to allow drives local to the client to be redirected over the Client connection and mounted in the virtual desktop. This configuration must be modified to disallow drive sharing in order to protect sensitive DoD data from being maliciously, accidentally, or casually removed from the controlled environment.

STIG	Date
VMware Horizon 7.13 Agent Security Technical Implementation Guide	2021-07-30

Details

Check Text ( C-50305r768577_chk )
Ensure the vdm_rdsh_server.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the "Do not allow drive redirection" setting. If "Do not allow drive redirection" is not "Enabled", this is a finding.

Check Text ( C-50305r768577_chk )

Ensure the vdm_rdsh_server.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the "Do not allow drive redirection" setting.

If "Do not allow drive redirection" is not "Enabled", this is a finding.

Fix Text (F-50259r768578_fix)
Ensure the vdm_rdsh_server.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the "Do not allow drive redirection" setting. Click the radio button next to "Enabled". Click "OK".

Fix Text (F-50259r768578_fix)

Ensure the vdm_rdsh_server.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the "Do not allow drive redirection" setting.

Click the radio button next to "Enabled". Click "OK".