The Horizon Client must not allow command line credentials.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-246881 | HRZC-7X-000007 | SV-246881r768603_rule | Medium |
| Description |
|---|
| The Horizon Client has a number of command line options including authentication parameters, by default. This can include a smart card PIN, if so configured by the end user. This would normally be implemented by a script, which would mean plain text sensitive authenticators sitting on disk. Hard coding of credentials of any sort, but especially smart card PINs, must be explicitly disallowed. |
| STIG | Date |
|---|---|
| VMware Horizon 7.13 Client Security Technical Implementation Guide | 2021-07-22 |
Details
| Check Text ( C-50313r768601_chk ) |
|---|
| Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Allow command line credentials". If "Allow command line credentials" is "Not Configured" or "Enabled", this is a finding. |
| Fix Text (F-50267r768602_fix) |
|---|
| Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Allow command line credentials". Make sure the setting is "Disabled". Click "OK". |