
The Horizon Client must not ignore certificate revocation problems.


Overview

Finding ID: V-246878
Version: HRZC-7X-000004
Rule ID: SV-246878r768594_rule
IA Controls:
Severity: Medium
Description
When the Horizon Client connects to the server, by default, the server TLS certificate will be validated on the client side. If the revocation status cannot be determined or if the certificate is revoked, the connection will fail due to an untrusted connection. This default behavior can be overridden, however, to ignore revocation errors and proceed with certificates that are revoked or of unknown status. The default, secure configuration must be validated and maintained.
STIG: VMware Horizon 7.13 Client Security Technical Implementation Guide
Date: 2021-07-22

Details

Check Text (C-50310r768592_chk)
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Ignore certificate revocation problems".

If "Ignore certificate revocation problems" is set to "Enabled", this is a finding.
Fix Text (F-50264r768593_fix)
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Ignore certificate revocation problems".

Make sure the setting is "Disabled". Click "OK".
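
The check above can also be scripted against an XML GPO report instead of clicking through the MMC snap-in. The following is an added example, not part of the STIG: the function name `Test-IgnoreRevocationPolicy`, the GPO name and the sample report are constructed for illustration, and running it against a real GPO assumes the GroupPolicy module (`Get-GPOReport`) is available.

```powershell
# Display name exactly as it appears in the check text.
$PolicyName = 'Ignore certificate revocation problems'

function Test-IgnoreRevocationPolicy {
    param([Parameter(Mandatory)][string]$ReportXml)

    $doc = [xml]$ReportXml
    # Look only under Computer Configuration. local-name() avoids depending on the
    # namespace prefix (q1:, q2:, ...) used in the report.
    $xpath = "/*[local-name()='GPO']/*[local-name()='Computer']" +
             "//*[local-name()='Policy'][*[local-name()='Name']='$PolicyName']"
    $policy = $doc.SelectSingleNode($xpath)

    # A GPO report lists only configured policies, so no node means "Not Configured".
    $state = if ($policy) {
        $policy.SelectSingleNode("*[local-name()='State']").InnerText
    } else { 'Not Configured' }

    [pscustomobject]@{
        Policy     = $PolicyName
        State      = $state
        Finding    = ($state -eq 'Enabled')    # check text: "Enabled" is a finding
        MatchesFix = ($state -eq 'Disabled')   # fix text: explicitly "Disabled"
    }
}

# Constructed, trimmed sample in the shape of an XML GPO report.
$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Example-Horizon-GPO</Name>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:type="q1:RegistrySettings">
        <q1:Policy>
          <q1:Name>Ignore certificate revocation problems</q1:Name>
          <q1:State>Enabled</q1:State>
        </q1:Policy>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
'@

Test-IgnoreRevocationPolicy -ReportXml $sample

# Against a real GPO (the name is a placeholder):
# Test-IgnoreRevocationPolicy -ReportXml (Get-GPOReport -Name '<site GPO name>' -ReportType Xml)
```

A result of "Not Configured" is not a finding under the check text, but it also does not match the fix text, which sets the policy explicitly to "Disabled".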