UCF STIG Viewer Logo

The Horizon Connection Server administrators must be limited in terms of quantity, scope, and permissions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-246887 HRZV-7X-000006 SV-246887r768621_rule Medium
Description
Role based access and least privilege are two fundamental security concepts that must be properly implemented in Horizon View to ensure the right user and groups have the right permissions on the right objects. Horizon View allows for assigning of roles (pre-defined sets of permissions) to specific users and groups and on a specific Access Group (set of objects). Administrators must ensure that minimal permissions are assigned to the right entities, in the right scope, and stay so over time. Satisfies: SRG-APP-000033-AS-000024, SRG-APP-000118-AS-000078, SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083, SRG-APP-000290-AS-000174, SRG-APP-000315-AS-000094, SRG-APP-000340-AS-000185, SRG-APP-000343-AS-000030
STIG Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide 2021-07-30

Details

Check Text ( C-50319r768619_chk )
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators. From the "Administrators and Groups" tab, review each user and group in the left pane and their associated roles in the right pane.

Anyone with any privilege can log on to the Console and view potentially sensitive configurations, system details, and events.

If there are any users or groups that should not be viewed as trusted "Administrators" of the Horizon system, this is a finding.

Permissions must be as restrictive as possible and their scope (Access Group) as limited as possible. Ensure no user or group has unnecessary permissions and that their Access Group is appropriately limited. Pay special attention to the "Local Administrator" and "Administrator" roles on the root Access Group as those user and groups have total control over the environment local and global environment, respectively.

If any user or group has permissions that are greater than the minimum necessary, this is a finding.

If any user or group has any permissions on an overly broad access group, this is a finding.
Fix Text (F-50273r768620_fix)
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators.

To remove users or groups:

From the "Administrators and Groups" tab, select the unnecessary users or groups in the left pane and click the "Remove User or Group" button. Click "OK'" to confirm removal.

To modify assigned permissions:

From the "Administrators and Groups" tab, select the appropriate user or group in the left pane. From the right pane, select the role to remove and click "Remove Permission". Click "OK" to confirm removal.

To create a new role with more limited permissions:

From the "Role Permissions" tab, click "Add Role". Provide a descriptive name and select the minimum required permissions. Click "OK". Highlight the new role. Click "Add Permission". Click "Add". Find the relevant user(s). Click "OK". Click "Finish".