UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Horizon Connection Server must disconnect users after a maximum of ten hours.


Overview

Finding ID Version Rule ID IA Controls Severity
V-246899 HRZV-7X-000018 SV-246899r768657_rule Medium
Description
Horizon Connection Server is intended to provide remote desktops and applications, generally during working hours and for no more than an extended workday. Leaving sessions active for more than what is reasonable for a work day leaves open the possibility of a session becoming unoccupied and insecure on the client side. For example, if a client connection is opened at 0900, there are few day-to-day reasons that the connection should still be open after 1900, therefore the connection must be terminated. If the user is still active, they can reauthenticate immediately and get back on for another ten hours.
STIG Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide 2021-07-30

Details

Check Text ( C-50331r768655_chk )
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Locate the "Forcibly Disconnect Users" setting.

If the "Forcibly Disconnect Users" setting is set to "Never", this is a finding.

If the "Forcibly Disconnect Users" setting is set to greater than "600" minutes (ten hours), this is a finding.
Fix Text (F-50285r768656_fix)
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Next to "Forcibly Disconnect Users", select "After" from the dropdown and fill in "600" minutes in the text field. Click "OK".