The Horizon Connection Server Instant Clone domain account must be configured with limited permissions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-246905	HRZV-7X-000024	SV-246905r768675_rule		Medium

Description
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.

Description

Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.

STIG	Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide	2021-07-30

Details

Check Text ( C-50337r768673_chk )
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Instant Clone Domain Accounts. In the right pane, validate that the accounts listed are User accounts in Active Directory and have only the following permissions on the container for the instant-clone computer account: List Contents Read All Properties Write All Properties Read Permissions Reset Password Create Computer Objects Delete Computer Objects Ensure the permissions apply to the correct container and to all child objects of the container. If the Instant Clone domain account has more than the minimum required permissions, this is a finding. Note: If Instant Clones is not used, this is not applicable.

Check Text ( C-50337r768673_chk )

Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Instant Clone Domain Accounts. In the right pane, validate that the accounts listed are User accounts in Active Directory and have only the following permissions on the container for the instant-clone computer account:

List Contents
Read All Properties
Write All Properties
Read Permissions
Reset Password
Create Computer Objects
Delete Computer Objects

Ensure the permissions apply to the correct container and to all child objects of the container.

If the Instant Clone domain account has more than the minimum required permissions, this is a finding.

Note: If Instant Clones is not used, this is not applicable.

Fix Text (F-50291r768674_fix)
Log in to Active Directory Users and Computers. Set the permission for Instant Clone Domain Account to: List Contents Read All Properties Write All Properties Read Permissions Reset Password Create Computer Objects Delete Computer Objects Ensure the permissions apply to the correct container and to all child objects of the container.