| Interview the SA. USB devices can be blocked in a number of ways: |
1. The desktop OS
2. A third party DLP solution
3. Horizon Agent configuration and GPOs
4. Horizon Connection Server global policies
5. Horizon Connection Server per-pool policies
If 1, 2, or 3 are implemented in this environment, this control is not applicable. Number three is addressed in the Horizon Agent STIG.
Step One - Disable USB Access Globally:
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Policies. In the right pane, confirm that "USB Access" is set to "Deny".
If "USB Access" is not set to "Deny", this is a finding.
Step Two - Confirm per-pool settings:
Log in to the Horizon 7 Console. From the left pane, navigate to Inventory >> Desktops. In the right pane, click the name of each pool that does not explicitly require access to USB devices. In the next screen, click the "Policies" tab. Confirm that "Applied Policy" is set to "Deny".
If "Applied Policy" is not set to "Deny", this is a finding.
Click the "Policy Overrides" tab. Highlight each user. If "USB Access" is set to "Allow" for any user, ensure the exception is required and authorized. If any user has an override configured that is not required or authorized, this is a finding.