
The Horizon Connection Server must enable the proper Content Security Policy directives.


Overview

Finding ID: V-246910
Version: HRZV-7X-000029
Rule ID: SV-246910r768690_rule
IA Controls:
Severity: Medium
Description
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server has default CSP directives that block XSS attacks, enable x-frame restrictions and more. If the default configurations are overridden, the protections may be disabled even though the CSP itself is still enabled. This default policy must be validated and maintained over time.
STIG: VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50342r768688_chk)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, this is NOT a finding.

Open "locked.properties" in a text editor. Find the following settings:

content-security-policy
content-security-policy-newadmin
content-security-policy-portal
content-security-policy-rest

If any of the above settings are present, this is a finding.
Fix Text (F-50296r768689_fix)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, this is NOT a finding.

Open "locked.properties" in a text editor. Find and remove the following settings:

content-security-policy
content-security-policy-newadmin
content-security-policy-portal
content-security-policy-rest

Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
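The check and fix above both reduce to one question: does locked.properties define any of the four CSP override keys? The following audit helper is an added example (not DISA's or VMware's code) that parses the file in Java .properties syntax, so commented-out or continuation-line entries are handled the way the Connection Server would read them, and returns the STIG verdict; the sample file content is constructed, and the file path is whatever the caller supplies.

```python
import re
from pathlib import Path

# Override keys named in the HRZV-7X-000029 check text; the presence of any one is the finding.
CSP_OVERRIDE_KEYS = {
    "content-security-policy",
    "content-security-policy-newadmin",
    "content-security-policy-portal",
    "content-security-policy-rest",
}

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comment lines, '=' ':' or
    whitespace key separators, and backslash line continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank or comment: a commented-out key is not a finding
        if len(re.search(r"\\*$", line).group(0)) % 2 == 1:
            logical += line[:-1]  # odd trailing backslashes: value continues
            continue
        logical += line
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2)
        logical = ""
    return props

def csp_overrides(text: str) -> set[str]:
    """Keys from CSP_OVERRIDE_KEYS that the given file content defines."""
    return CSP_OVERRIDE_KEYS & set(parse_properties(text))

def audit(path: str) -> tuple[str, set[str]]:
    """STIG logic: file absent -> not a finding; any override key present -> finding."""
    p = Path(path)
    if not p.exists():
        return "NOT A FINDING", set()
    found = csp_overrides(p.read_text(encoding="latin-1"))  # .properties default charset
    return ("FINDING" if found else "NOT A FINDING"), found

# Constructed sample of a non-compliant file (not captured from a real server).
SAMPLE = """# locked.properties - constructed example
checkOrigin=true
# content-security-policy-portal=default-src 'self'   (commented out: ignored)
content-security-policy=default-src 'self'; \\
    script-src 'self' 'unsafe-inline'
content-security-policy-rest : default-src 'none'
"""

if __name__ == "__main__":  # prints ['content-security-policy', 'content-security-policy-rest']
    print(sorted(csp_overrides(SAMPLE)))
```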