The Horizon Client must require TLS connections.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-246879 | HRZC-7X-000005 | SV-246879r768597_rule | Medium |
| Description |
|---|
| In older versions of Horizon, before 5.0, remote desktop connections could be established without TLS encryption. In order to protect data-in-transit when potentially connecting to very old Horizon servers, TLS tunnels must be mandated. The default configuration attempts TLS but will fall back to no encryption if it is not supported. This must be corrected and maintained over time. |
| STIG | Date |
|---|---|
| VMware Horizon 7.13 Client Security Technical Implementation Guide | 2021-07-22 |
Details
| Check Text ( C-50311r768595_chk ) |
|---|
| Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Enable SSL encrypted framework channel". If "Enable SSL encrypted framework channel" is set to "Disabled" or "Not Configured", this is a finding. In the dropdown beneath "Enable SSL encrypted framework channel", if "Enforce" is not selected, this is a finding. |
| Fix Text (F-50265r768596_fix) |
|---|
| Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Enable SSL encrypted framework channel". Make sure the setting is "Enabled". In the dropdown beneath "Enable SSL encrypted framework channel", select "Enforce". Click "OK". |