VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server Instant Clone domain account must be configured with limited permissions.
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baselin...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baselin...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must have X-Frame-Options enabled.
RFC 7034 HTTP Header Field X-Frame-Options, also known as counter clickjacking, is enabled by default on the Horizon Connection Server. It can be disabled by adding the entry "x-frame-options=OFF" ...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must enable the Content Security Policy.
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code inj...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
SRG-APP-000516-AS-000237
Group -
The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate.
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not a DoD-approved CA, trust ...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must not allow unauthenticated access.
When the Horizon native smart card capability is not set to "Required", the option for "Unauthenticated Access" is enabled. This would be true in the case of an external IdP providing authenticatio...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must be configured to restrict USB passthrough access.
One of the many benefits of VDI is the separation of the end user from the "desktop" they are accessing. This helps mitigate the risks imposed by physical access. In a traditional desktop scenario,...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must prevent MIME type sniffing.
MIME types define how a given type of file is intended to be processed by the browser. Modern browsers are capable of determining the content type of a file by byte headers and content inspection a...Rule Medium Severity -
SRG-APP-000456-AS-000266
Group -
All Horizon components must be running supported versions.
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (incl...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.