The Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates.


Overview

Finding ID: V-246891
Version: HRZV-7X-000010
Rule ID: SV-246891r768633_rule
IA Controls:
Severity: Medium
Description
The Horizon Connection Server performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. If a SAML 2.0 authenticator is configured for use by a Connection Server instance, the Connection Server also performs certificate revocation checking on the SAML 2.0 server certificate. By default, all certificates in the chain are checked except the root certificate. This must be changed so that the full path, including the root, is validated.
STIG: VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50323r768631_chk)
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Security". Locate the "CertificateRevocationCheckType" key.

If the "CertificateRevocationCheckType" key does not exist, this is a finding.

If the "CertificateRevocationCheckType" key does not have a value of "3", this is a finding.
Fix Text (F-50277r768632_fix)
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Security".

If the "CertificateRevocationCheckType" key exists:

Right-click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). Click "OK".

Otherwise:

Right-click on the "Security" folder and select New >> DWORD (32-bit) Value. Set the name to "CertificateRevocationCheckType" (without quotes). Right-click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). Click "OK".

Restart the "VMware Horizon View Connection Server" service for changes to take effect.
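
The check and fix above can be scripted instead of clicked through in the Registry Editor. The following PowerShell is an added example, not part of the STIG text: it evaluates the two finding conditions and, when run with the hypothetical -Remediate switch, applies the fix and restarts the service. It assumes an elevated session on the Connection Server and looks the service up by the display name given in the fix text.

```powershell
# Added example (not STIG text): audit V-246891 and optionally remediate it.
param([switch]$Remediate)   # hypothetical switch name chosen for this example

$Path     = 'HKLM:\Software\VMware, Inc.\VMware VDM\Security'
$Name     = 'CertificateRevocationCheckType'
$Required = '3'
$Service  = 'VMware Horizon View Connection Server'   # display name from the fix text

function Get-CheckState {
    # Apply the two finding conditions from the check text to the live registry.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Finding = $true; Reason = 'value does not exist' }
    }
    $value = [string]$item.$Name   # compare as text so the stored type does not matter
    if ($value -ne $Required) {
        return [pscustomobject]@{ Value = $value; Finding = $true; Reason = "value is '$value', expected '$Required'" }
    }
    [pscustomobject]@{ Value = $value; Finding = $false; Reason = 'full path validation is configured' }
}

$state = Get-CheckState

if ($state.Finding -and $Remediate) {
    # The fix text assumes the "Security" key already exists; stop if it does not,
    # since that suggests this host is not a Connection Server.
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry path '$Path' not found."
    }
    if ($null -eq $state.Value) {
        # "Otherwise" branch of the fix text: create the DWORD and set it to 3.
        New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value 3 | Out-Null
    } else {
        # "Exists" branch of the fix text: modify the existing value to 3.
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value 3
    }
    # The change only takes effect after the service restarts.
    Restart-Service -DisplayName $Service
    $state = Get-CheckState   # re-read so the reported result reflects the registry
}

# Emit one record per host, suitable for collection across Connection Servers.
[pscustomobject]@{
    FindingId = 'V-246891'
    Host      = $env:COMPUTERNAME
    Value     = $state.Value
    Finding   = $state.Finding
    Reason    = $state.Reason
}
```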