
The Horizon Connection Server must not accept pass-through client credentials.


Overview

Finding ID: V-246902
Version: HRZV-7X-000021
Rule ID: SV-246902r768666_rule
IA Controls:
Severity: Medium

Description
Horizon Connection Server has the ability to allow clients to authenticate using the local session credentials of their local endpoint. While convenient, this must be disabled for DoD deployments as the server cannot ascertain the method of endpoint login, whether that user's client certificate has since been revoked, etc.

STIG: VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50334r768664_chk)
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Scroll down to the "Current User Authentication" section and note the "Accept logon as current user" checkbox.

If the "Accept logon as current user" checkbox is checked, this is a finding.

Note: If "Smart card authentication for users" is set to "Required", this setting is automatically disabled and greyed out. In that case, this check is not applicable.

Fix Text (F-50288r768665_fix)
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. Select the "Connection Servers" tab in the right pane. Click "Edit". Click the "Authentication" tab. Scroll down to the "Current User Authentication" section. Uncheck the checkbox next to "Accept logon as current user". Click "OK".

Note: When smart card authentication is required, this setting is unchecked and greyed out automatically.