
The Horizon Connection Server must be configured with a DoD-issued TLS certificate.


Overview

Finding ID: V-246897
Version: HRZV-7X-000016
Rule ID: SV-246897r768651_rule
IA Controls:
Severity: Medium
Description
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not DoD-approved, trust of this CA has not been established. The Horizon Connection Server supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools, focusing on the certificate with the friendly name "vdm".

Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137
STIG: VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50329r768649_chk)
On the Horizon Connection Server, open "certlm.msc" or "certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of "vdm". For this certificate, locate the issuer in the "Issued By" column.

If the Horizon Connection Server broker certificate is not "Issued By" a trusted DoD CA, or other AO-approved certificate, this is a finding.
Fix Text (F-50283r768650_fix)
Obtain a web server certificate from a DoD authority, specifying the common name as the "Horizon Connection server FQDN", the signing algorithm as "SHA256", and the key strength of at least "1024 bits".

Export the certificate and private key to a password-protected PFX bundle.

On the Horizon Connection Server, open "certlm.msc" or "certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of "vdm". Right-click this certificate and select "Properties". Change the "Friendly name" to "vdm-original" or similar. Click "OK".

Right-click the Personal >> Certificates folder. Select All Tasks >> Import. Click "Next". Click "Browse...". Navigate to the .pfx bundle and click "Open". Click "Next". Supply the password, select "Mark this key as exportable" and "Include all extended properties". Click "Next". Click "Next". Click "Finish".

Select the newly imported certificate. Right-click this certificate and select "Properties". Change the "Friendly name" to "vdm". This name must be exact. Click "OK".

Restart the Connection Server or the "VMware Horizon View Connection Server" service for changes to take effect.
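
The check text above can also be scripted for use on the Connection Server, before or after the fix. The following PowerShell is an added example and not part of the STIG; `$ApprovedIssuerPattern` is a placeholder assumption that must be replaced with the issuer names of the DoD or AO-approved CAs in use.

```powershell
# Added example, not part of the STIG text.
# ASSUMPTION: placeholder regex. Replace it with the issuer names of the DoD or
# AO-approved CAs your organization trusts; until then every certificate is flagged.
$ApprovedIssuerPattern = 'REPLACE-WITH-APPROVED-ISSUER-REGEX'

# Certificates in Local Computer > Personal that carry the friendly name "vdm".
$vdmCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'vdm' })

# After the rename step in the fix text, only the new certificate should be named "vdm".
if ($vdmCerts.Count -ne 1) {
    Write-Warning "Expected exactly one certificate with friendly name 'vdm', found $($vdmCerts.Count)."
}

foreach ($cert in $vdmCerts) {
    # Build the chain in machine context to see which root the server resolves to.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chainOk = $chain.Build($cert)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    # GetRSAPublicKey returns $null for non-RSA keys instead of throwing.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        ChainRoot          = $root
        ChainBuilds        = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        RsaKeyBits         = if ($rsa) { $rsa.KeySize } else { $null }
        HasPrivateKey      = $cert.HasPrivateKey
        NotAfter           = $cert.NotAfter
        # Finding condition from the check text: issuer is not an approved CA.
        Finding            = ($cert.Issuer -notmatch $ApprovedIssuerPattern)
    }
    $chain.Reset()
}
```

`ChainBuilds` can be false on a host that cannot reach revocation endpoints; read `ChainStatus` before treating that as an untrusted issuer.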