
The Horizon Client must not connect to servers without fully verifying the server certificate.


Overview

Finding ID: V-246876
Version: HRZC-7X-000002
Rule ID: SV-246876r768588_rule
IA Controls: (none)
Severity: Medium
Description
Preventing the disclosure of transmitted information requires that the application server employ a cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).

The Horizon Client connects to the Connection Server, UAG, or other gateway over a TLS connection. This initial connection must be trusted; otherwise, the sensitive information flowing over the tunnel could be open to interception.

The Horizon Client can be configured to ignore certificate validation errors, to warn, or to fail. By default, the Client warns and lets the user decide whether to proceed. This decision must not be left to the end user. In a properly configured enterprise environment, there should be no trouble with the presented certificate. Conversely, a TLS connection could easily be intercepted by a man-in-the-middle who assumes that a user will simply click away any errors.
STIG: VMware Horizon 7.13 Client Security Technical Implementation Guide
Date: 2021-07-22

Details

Check Text (C-50308r768586_chk)
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Certificate verification mode".

If "Certificate verification mode" is "Not Configured" or "Disabled", this is a finding.

If "Certificate verification mode" is not set to "Full Security", this is a finding.
Fix Text (F-50262r768587_fix)
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Certificate verification mode".

Make sure the setting is "Enabled".

In the dropdown below "Certificate verification mode", select "Full Security". Click "OK".
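
The Check Text logic applied to a GPO XML report, as an added PowerShell example (not part of the STIG or of VMware's tooling). The function names are hypothetical, the report layout is an assumption stated in the comments, and the sample XML is constructed.

```powershell
# Added example. Assumes the GPO XML report stores each Administrative Templates
# setting as <Policy> with <Name>, <State> and <DropDownList><Value><Name>.
function Test-CertVerificationMode {
    param([Parameter(Mandatory)][xml]$Report)

    # local-name() keeps the queries independent of the report's namespaces.
    $xpath = "//*[local-name()='Computer']//*[local-name()='Policy']" +
             "[*[local-name()='Name']='Certificate verification mode']"
    $policy = $Report.SelectSingleNode($xpath)
    if ($null -eq $policy) {
        return [pscustomobject]@{ Finding = $true; Reason = 'Not Configured' }
    }

    $state = $policy.SelectSingleNode("*[local-name()='State']").InnerText
    if ($state -ne 'Enabled') {
        return [pscustomobject]@{ Finding = $true; Reason = "State is '$state'" }
    }

    $modePath = "*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']"
    $modeNode = $policy.SelectSingleNode($modePath)
    $mode = if ($null -ne $modeNode) { $modeNode.InnerText } else { '' }
    if ($mode -ne 'Full Security') {
        return [pscustomobject]@{ Finding = $true; Reason = "Mode is '$mode'" }
    }
    [pscustomobject]@{ Finding = $false; Reason = 'Full Security' }
}

# Constructed sample reports (placeholder namespaces, not real GPO exports).
function New-SampleReport([string]$State, [string]$Mode) {
@"
<GPO xmlns="urn:example:gpo"><Computer><ExtensionData><Extension xmlns:q1="urn:example:reg">
<q1:Policy><q1:Name>Certificate verification mode</q1:Name><q1:State>$State</q1:State>
<q1:DropDownList><q1:Value><q1:Name>$Mode</q1:Name></q1:Value></q1:DropDownList></q1:Policy>
</Extension></ExtensionData></Computer></GPO>
"@
}

# Compliant, enabled with a weaker mode, disabled, and setting absent.
Test-CertVerificationMode (New-SampleReport 'Enabled' 'Full Security')
Test-CertVerificationMode (New-SampleReport 'Enabled' 'Warn But Allow')
Test-CertVerificationMode (New-SampleReport 'Disabled' '')
Test-CertVerificationMode '<GPO><Computer /></GPO>'
```

To evaluate a real GPO, pass the output of `Get-GPOReport -Name '<GPO name>' -ReportType Xml` as `-Report` from a host with the GroupPolicy module installed.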