Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-246881 | HRZC-7X-000007 | SV-246881r768603_rule | | Medium |
Description |
---|
By default, the Horizon Client accepts a number of command line options, including authentication parameters. These can include a smart card PIN, if so configured by the end user. Such options would normally be supplied by a script, which would mean plain text sensitive authenticators sitting on disk. Hard coding of credentials of any sort, but especially smart card PINs, must be explicitly disallowed. |
STIG | Date |
---|---|
VMware Horizon 7.13 Client Security Technical Implementation Guide | 2021-07-22 |
Check Text ( C-50313r768601_chk ) |
---|
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Allow command line credentials". If "Allow command line credentials" is "Not Configured" or "Enabled", this is a finding. |
Fix Text (F-50267r768602_fix) |
---|
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Allow command line credentials". Make sure the setting is "Disabled". Click "OK". |
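
The Description notes that command line credentials normally end up in a script on disk. The PowerShell below is an added example, not part of the STIG or of VMware's tooling: it sweeps script files for Horizon Client launches that pass a credential option and reports them with the secret masked. The executable name `vmware-view.exe`, the options `-password`, `-smartCardPIN` and `-serverURL`, the function name, the file extensions and the demo paths are assumptions that do not appear on this page.

```powershell
# Added example, not VMware or DISA code.
# Assumptions: the Windows client binary is vmware-view.exe, -password and
# -smartCardPIN are its credential options, and the extensions are illustrative.
function Find-HorizonCmdLineCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $Include = @('*.bat', '*.cmd', '*.ps1', '*.vbs')
    )
    # A credential option followed by a quoted or bare value
    $credOption = '(?i)(?<opt>-(?:password|smartCardPIN))\s+(?<value>"[^"]*"|\S+)'

    Get-ChildItem -Path $Path -Include $Include -File -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'vmware-view' |          # lines that launch the client
        Where-Object { $_.Line -match $credOption } |   # ...and pass a credential
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Options = ([regex]::Matches($_.Line, $credOption) |
                           ForEach-Object { $_.Groups['opt'].Value }) -join ','
                # Mask the value so the report itself does not leak the secret
                Text    = [regex]::Replace($_.Line, $credOption, '${opt} <redacted>')
            }
        }
}

# Constructed sample input: one offending launcher and one clean launcher
$demo = Join-Path ([IO.Path]::GetTempPath()) 'horizon-scan-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'launch-bad.cmd') 'vmware-view.exe -serverURL horizon.example.test -smartCardPIN 000000'
Set-Content (Join-Path $demo 'launch-ok.cmd')  'vmware-view.exe -serverURL horizon.example.test'

Find-HorizonCmdLineCredential -Path $demo | Format-List
```

The match is per line, so a command split across lines with a continuation character is not detected; treat a clean result as supporting evidence alongside the GPO check, not a replacement for it.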