UCF STIG Viewer Logo

The Horizon Connection Server must require CAC reauthentication after user idle timeouts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-246913 HRZV-7X-000032 SV-246913r768699_rule Medium
Description
If a user VDI session times out due to activity, the user must be assumed to not be active and have their resource locked. These resources should only be made available again upon the user reauthenticating versus reusing the initial connection. This ensures that the connection has not been hijacked and re-stablishes nonrepudiation.
STIG Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide 2021-07-30

Details

Check Text ( C-50345r768697_chk )
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Locate the "Enable 2-Factor Reauthentication" setting.

If the "Enable 2-Factor Reauthentication" setting is set to "No", this is a finding.
Fix Text (F-50299r768698_fix)
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Select the checkbox next to "Enable 2-Factor Reauthentication". Click "OK".