The Horizon Connection Server must require DoD PKI for administrative logins.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-246888	HRZV-7X-000007	SV-246888r790555_rule		High

Description
The Horizon Connection Server console supports CAC login as required for cryptographic non-repudiation. CAC login can be configured as disabled, optional or required but for maximum assurance it must be set to "required". Setting CAC login as "optional" may be appropriate at some sites to support a "break glass" scenario where PKI is failing but there is an emergency access account configured with username/password. Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000153-AS-000104, SRG-APP-000177-AS-000126, SRG-APP-000392-AS-000240, SRG-APP-000391-AS-000239, SRG-APP-000403-AS-000248

Description

The Horizon Connection Server console supports CAC login as required for cryptographic non-repudiation. CAC login can be configured as disabled, optional or required but for maximum assurance it must be set to "required". Setting CAC login as "optional" may be appropriate at some sites to support a "break glass" scenario where PKI is failing but there is an emergency access account configured with username/password. Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000153-AS-000104, SRG-APP-000177-AS-000126, SRG-APP-000392-AS-000240, SRG-APP-000391-AS-000239, SRG-APP-000403-AS-000248

STIG	Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide	2021-07-30

Details

Check Text ( C-50320r790554_chk )
Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Scroll down to "Horizon Administrator Authentication". Find the value in the drop down next to "Smart card authentication for administrators". If "Smart card authentication for administrators" is not set to "Required", this is a finding. NOTE: If another form of DoD approved PKI is used, and configured to be required for administrative logins, this is not a finding.

Check Text ( C-50320r790554_chk )

Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Scroll down to "Horizon Administrator Authentication". Find the value in the drop down next to "Smart card authentication for administrators".

If "Smart card authentication for administrators" is not set to "Required", this is a finding.

NOTE: If another form of DoD approved PKI is used, and configured to be required for administrative logins, this is not a finding.

Fix Text (F-50274r768623_fix)
Log in to Horizon Connection Server Console and copy all root and intermediate certificates, in base-64 '.cer' format, required for CAC authentication to ‘C:\Certs’. If "C:\Certs” does not exist, create it. Copy the provided make_keystore.txt to the Horizon Connection Server in "\VMware\VMware View\Server\sslgateway\conf". Rename "make_keystore.txt" to “makekeystore.ps1”. The "make_keystore.txt" content is provided in this STIG package. Launch PowerShell as an administrator on the Horizon Connection Server and execute the following commands: cd "\VMware\VMware View\Server\sslgateway\conf" Set-ExecutionPolicy unrestricted (type ‘Y’ when prompted) .\make_keystore.ps1 -CertDir C:\Certs -Password -KeyStore keystore -LockedProperties locked.properties’ Copy the created "locked.properties" and "keystore" files to any Horizon Connection Server that shares the same trusted issuers. Omit this step if multiple connections servers are not utilized. Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Select the "Authentication" tab. Scroll down to "View Administrator Authentication". Select "Required" for the "Smart card authentication for administrators". Click "OK". Repeat for all other Horizon Connection Servers. Restart the "VMware Horizon View Connection Server" service for changes to take effect.

Fix Text (F-50274r768623_fix)

Log in to Horizon Connection Server Console and copy all root and intermediate certificates, in base-64 '.cer' format, required for CAC authentication to ‘C:\Certs’. If "C:\Certs” does not exist, create it.

Copy the provided make_keystore.txt to the Horizon Connection Server in "\VMware\VMware View\Server\sslgateway\conf". Rename "make_keystore.txt" to “makekeystore.ps1”. The "make_keystore.txt" content is provided in this STIG package.

Launch PowerShell as an administrator on the Horizon Connection Server and execute the following commands:

cd "\VMware\VMware View\Server\sslgateway\conf"
Set-ExecutionPolicy unrestricted
(type ‘Y’ when prompted)
.\make_keystore.ps1 -CertDir C:\Certs -Password -KeyStore keystore -LockedProperties locked.properties’

Copy the created "locked.properties" and "keystore" files to any Horizon Connection Server that shares the same trusted issuers. Omit this step if multiple connections servers are not utilized.

Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Select the "Authentication" tab. Scroll down to "View Administrator Authentication". Select "Required" for the "Smart card authentication for administrators". Click "OK". Repeat for all other Horizon Connection Servers.

Restart the "VMware Horizon View Connection Server" service for changes to take effect.