
The Horizon Connection Server must be configured to restrict USB passthrough access.


Overview

Finding ID:  V-246914
Version:     HRZV-7X-000033
Rule ID:     SV-246914r768702_rule
IA Controls: (none listed)
Severity:    Medium
Description
One of the many benefits of VDI is the separation of the end user from the "desktop" they are accessing, which helps mitigate the risks imposed by physical access. In a traditional desktop scenario, from a security perspective, physical access is equivalent to ownership. USB devices are physical devices that interact at the driver layer with the guest operating system and are inherently problematic: the risks span the guest driver stack, data loss prevention (bulk copy to removable storage), and malicious or impersonating devices. Client USB devices are not necessary for general purpose VDI desktops and must be disabled broadly and enabled selectively. Note: USB mouse, keyboard and smart card devices are abstracted by Horizon and are not affected by any of these Horizon configurations.
STIG: VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50346r768700_chk)
Interview the SA. USB devices can be blocked in a number of ways:

1. The desktop OS
2. A third party DLP solution
3. Horizon Agent configuration and GPOs
4. Horizon Connection Server global policies
5. Horizon Connection Server per-pool policies

If option 1, 2, or 3 is implemented in this environment, this control is not applicable. Option 3 is addressed in the Horizon Agent STIG. Otherwise, USB access must be denied at the Connection Server, globally and per pool, as follows.

Step One - Disable USB Access Globally:

Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Policies. In the right pane, confirm that "USB Access" is set to "Deny".

If "USB Access" is not set to "Deny", this is a finding.

Step Two - Confirm per-pool settings:

Log in to the Horizon 7 Console. From the left pane, navigate to Inventory >> Desktops. In the right pane, click the name of each pool that does not explicitly require access to USB devices. In the next screen, click the "Policies" tab. Confirm that the "Applied Policy" column for "USB Access" shows "Deny". Note that a pool policy of "Inherit" only yields an applied policy of "Deny" when the global policy from Step One is "Deny".

If "Applied Policy" for "USB Access" is not "Deny", this is a finding.

Click the "Policy Overrides" tab. Highlight each user. If "USB Access" is set to "Allow" for any user, ensure the exception is required and authorized. If any user has an override configured that is not required or authorized, this is a finding.
Fix Text (F-50300r768701_fix)
Step One - Disable USB Access Globally:

Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Policies. In the right pane, click "Edit Policies". In the drop-down next to "USB Access", select "Deny". Click "OK".

Step Two - Confirm per-pool settings:

Log in to the Horizon 7 Console. From the left pane, navigate to Inventory >> Desktops. In the right pane, click the name of each pool that does not explicitly require access to USB devices. In the next screen, click the "Policies" tab. Click "Edit Policies". In the dropdown next to "USB Access", select "Inherit". Click "OK".

Click the "Policy Overrides" tab. "Edit" or "Remove" as necessary to ensure that configured users with "USB Access" set to "Allow" are as limited as possible.