The Horizon Connection Server must limit access to the global configuration privilege.
The Horizon Connection Server comes with pre-defined privileges that can be freely combined into a role. That role is then assigned to a user or group. Any role that has the "Manage Global Configuration and Policies" privilege has the ability to change the configuration of the Connection Server, including the events database. This privilege must be restricted and monitored over time.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators. From the "Role Privileges" tab, review each role in the left pane and its associated privileges in the right pane.
Note any role with the "Manage Global Configuration and Policies" privilege. Switch to the "Role Permissions" tab. For each noted role, if there are any users or groups listed who are not permitted to change the events database configuration, this is a finding.
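The check above is a two-step join (roles that carry the privilege, then the principals assigned to those roles) compared against an approved list. The following is an added example, not part of the original check text or any VMware tooling: it applies that logic to data transcribed by hand from the two console tabs, and also compares the result with the previous review to support monitoring over time. The dictionary layout, role names, account names and the approved list are all constructed assumptions.

```python
# Added example. All sample data below is constructed; it is not a Horizon export format.
GLOBAL_CONFIG = "Manage Global Configuration and Policies"

# Transcribed from the "Role Privileges" tab: role -> set of privileges (constructed).
ROLE_PRIVILEGES = {
    "Administrators": {GLOBAL_CONFIG, "Manage Roles and Permissions"},
    "Desktop-Ops (custom)": {"Console Interaction"},
    "Events-DB-Admins (custom)": {GLOBAL_CONFIG},
}
# Transcribed from the "Role Permissions" tab: role -> users/groups (constructed).
ROLE_PERMISSIONS = {
    "Administrators": ["EXAMPLE\\Horizon-Admins", "EXAMPLE\\jdoe"],
    "Desktop-Ops (custom)": ["EXAMPLE\\Helpdesk"],
    "Events-DB-Admins (custom)": ["example\\dba-team"],
}
# Principals the site has approved to change the events database configuration (constructed).
APPROVED = {"EXAMPLE\\Horizon-Admins", "EXAMPLE\\DBA-Team"}


def roles_with_global_config(role_privileges):
    """Step 1 of the check: every role, built-in or custom, that carries the privilege."""
    return {role for role, privs in role_privileges.items() if GLOBAL_CONFIG in privs}


def findings(role_privileges, role_permissions, approved):
    """Step 2: (principal, role) pairs holding the privilege without approval.

    Names are compared case-insensitively, since the console and the approval
    list may spell the same directory account with different casing.
    """
    approved_cf = {name.casefold() for name in approved}
    result = []
    for role in roles_with_global_config(role_privileges):
        for principal in role_permissions.get(role, ()):
            if principal.casefold() not in approved_cf:
                result.append((principal, role))
    return sorted(result)


def drift(previous, current):
    """Compare two review results: (newly appeared findings, findings since resolved)."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


if __name__ == "__main__":
    current = findings(ROLE_PRIVILEGES, ROLE_PERMISSIONS, APPROVED)
    new, resolved = drift([], current)  # empty list: no findings at the last review
    for principal, role in current:
        print(f"FINDING: {principal} holds '{GLOBAL_CONFIG}' via role '{role}'")
    print(f"new since last review: {new}; resolved: {resolved}")
```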
Fix Text (F-50276r768629_fix)
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Administrators. Select each user or group with inappropriate access to the "Manage Global Configuration and Policies" privilege. Remove access or modify permissions as appropriate.
To remove users or groups:
From the "Administrators and Groups" tab, select the unnecessary users or groups in the left pane and click the "Remove User or Group" button. Click "OK" to confirm removal.
To modify assigned permissions:
From the "Administrators and Groups" tab, select the appropriate user or group in the left pane. From the right pane, select the role to remove and click the "Remove Permission" button. Click "OK" to confirm removal.