Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-246912 | HRZV-7X-000031 | SV-246912r768696_rule | | Medium |
Description |
---|
When the Horizon native smart card capability is not set to "Required", the option for "Unauthenticated Access" is enabled. This would be true in the case of an external IdP providing authentication via SAML. The "Unauthenticated Access" option allows users to access published applications from a Horizon Client without requiring AD credentials. This is typically implemented as a convenience when serving up an application that has its own security and user management. This configuration is not acceptable in the DoD and must be disabled. |
STIG | Date |
---|---|
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide | 2021-07-30 |
Check Text (C-50344r768694_chk) |
---|
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Under "Horizon Authentication", find the value in the drop-down below "Unauthenticated Access". If "Unauthenticated Access" is set to "Enabled", this is a finding. Note: If "Smart card authentication for users" is set to "Required", this setting is automatically disabled and greyed out. In that case, this check is not applicable. |
Fix Text (F-50298r768695_fix) |
---|
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. In the drop-down below Horizon Authentication >> Unauthenticated Access, select "Disabled". Click "OK". Restart the "VMware Horizon View Connection Server" service for changes to take effect. |