
The Horizon Client must use approved ciphers.


Overview

Finding ID: V-246880
Version: HRZC-7X-000006
Rule ID: SV-246880r768600_rule
IA Controls:
Severity: Medium
Description
The Horizon Client disables the older TLS v1.0 protocol and the SSL v2 and SSL v3 protocols by default. TLS v1.1 is still enabled in the default configuration, despite known shortcomings, for the sake of backward compatibility with older servers and clients. The Horizon Connection Server STIG mandates TLS v1.2 in order to protect sensitive data-in-flight, and the Client must follow suit. Note: Mandating TLS 1.2 may affect certain thin and zero clients. Test and implement carefully.
STIG: VMware Horizon 7.13 Client Security Technical Implementation Guide
Date: 2021-07-22

Details

Check Text ( C-50312r768598_chk )
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Configures SSL protocols and cryptographic algorithms".

If "Configures SSL protocols and cryptographic algorithms" is set to "Disabled" or "Not Configured", this is a finding.

If the field beneath "Configures SSL protocols and cryptographic algorithms" is not set to "TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES", this is a finding.
Fix Text (F-50266r768599_fix)
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Configures SSL protocols and cryptographic algorithms".

Make sure the setting is "Enabled".

In the field beneath "Configures SSL protocols and cryptographic algorithms", type the following:

TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES

Click "OK".
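
Added example (not part of the STIG or of VMware tooling): a Python helper that applies the Check Text logic to a setting state and field value recorded from the GPO, and reports which colon-separated tokens differ from the required string. The function name, the token-level diff and the sample values are assumptions made for illustration.

```python
# Required value, copied from the Check Text / Fix Text above.
REQUIRED = ("TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:"
            "kECDH+AES:ECDH+AES:RSA+AES")


def evaluate(state, value=""):
    """Return a list of finding reasons; an empty list means "not a finding".

    state: "Enabled", "Disabled" or "Not Configured", as shown in the GPO editor.
    value: text of the field beneath the setting (only read when Enabled).
    """
    if state.strip().lower() != "enabled":
        return [f'setting is "{state}"; it must be "Enabled"']
    if value == REQUIRED:  # exact match, as the Check Text requires
        return []
    want = REQUIRED.split(":")
    got = value.split(":") if value else []
    extra = [t for t in got if t not in want]
    missing = [t for t in want if t not in got]
    reasons = ["field does not match the required string"]
    if extra:
        reasons.append("unexpected tokens: " + ", ".join(extra))
    if missing:
        reasons.append("missing tokens: " + ", ".join(missing))
    if not extra and not missing:
        reasons.append("same tokens, but order or duplication differs")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real GPO export.
    samples = [
        ("Not Configured", ""),
        ("Enabled", "TLSv1.1:" + REQUIRED),             # extra protocol token
        ("Enabled", REQUIRED.replace("!aNULL:", "")),   # exclusion dropped
        ("Enabled", REQUIRED),
    ]
    for state, value in samples:
        reasons = evaluate(state, value)
        print("FINDING" if reasons else "OK", state, value or "-")
        for reason in reasons:
            print("   ", reason)
```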