Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Resources
Documents
Publishers
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
VMware Horizon 7.13 Client Security Technical Implementation Guide
VMware Horizon 7.13 Client Security Technical Implementation Guide
An XCCDF Benchmark
Details
Profiles
Items
Prose
File Metadata
7 rules organized in 7 groups
SRG-APP-000516-AS-000237
1 Rule
The Horizon Client must not connect to servers without fully verifying the server certificate.
Medium Severity
Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). The Horizon Client connects to the Connection Server, UAG or other gateway via a TLS connection. This initial connection must be trusted, otherwise the sensitive information flowing over the tunnel could potentially be open to interception. The Horizon Client can be configured to ignore any certificate validation errors, warn or fail. By default, the Client will warn and let the user decide to proceed or not. This decision must not be left to the end user. In a properly configured, enterprise environment, there should be no trouble with the presented certificate. On the other hand, a TLS connection could be easily intercepted and middle-manned with the assumption that a user will just click away any errors.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Client must not show the Log in as current user option.
Medium Severity
The Horizon Connection Server STIG disabled the "Log in as current user" option, for reasons described there. Displaying this option and allowing users to select it would lead to unnecessary confusion and therefore must be disabled.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Client must not ignore certificate revocation problems.
Medium Severity
When the Horizon Client connects to the server, by default, the server TLS certificate will be validated on the client side. If the revocation status cannot be determined or if the certificate is revoked, the connection will fail due to an untrusted connection. This default behavior can be overridden, however, to ignore revocation errors and proceed with revoked or certificates of unknown status. The default, secure, configuration must be validated and maintained.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Client must require TLS connections.
Medium Severity
In older versions of Horizon, before 5.0, remote desktop connections could be established without TLS encryption. In order to protect data-in-transit when potentially connecting to very old Horizon servers, TLS tunnels must be mandated. The default configuration attempts TLS but will fall back to no encryption if it is not supported. This must be corrected and maintained over time.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Client must use approved ciphers.
Medium Severity
The Horizon Client disables the older TLS v1.0 protocol and the SSL v2 and SSL v3 protocols by default. TLS v1.1 is still enabled in the default configuration, despite known shortcomings, for the sake of backward compatibility with older servers and clients. The Horizon Connection Server STIG mandates TLS v1.2 in order to protect sensitive data-in-flight and the Client must follow suite. Note: Mandating TLS 1.2 may affect certain thin and zero clients. Test and implement carefully.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Client must not allow command line credentials.
Medium Severity
The Horizon Client has a number of command line options including authentication parameters, by default. This can include a smart card PIN, if so configured by the end user. This would normally be implemented by a script, which would mean plain text sensitive authenticators sitting on disk. Hard coding of credentials of any sort, but especially smart card PINs, must be explicitly disallowed.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Client must not send anonymized usage data.
Medium Severity
By default, the Horizon Client collects anonymized data from the client systems to help improve software and hardware compatibility. To eliminate any possibility of sensitive DoD configurations being known to unauthorized parties, even when anonymized, this setting must be disabled.