Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Resources
Documents
Publishers
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
An XCCDF Benchmark
Details
Profiles
Items
Prose
File Metadata
35 rules organized in 35 groups
SRG-APP-000015-AS-000010
1 Rule
The Horizon Connection Server must be configured to only support TLS 1.2 connections.
High Severity
Preventing the disclosure of transmitted information requires that the application server take measures to employ strong cryptographic mechanisms to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems. According to NIST and as of publication, TLS 1.1 must not be used and TLS 1.2 will be configured. Note: Mandating TLS 1.2 may affect certain client types. Test and implement carefully. Satisfies: SRG-APP-000015-AS-000010, SRG-APP-000014-AS-000009, SRG-APP-000156-AS-000106, SRG-APP-000172-AS-000120, SRG-APP-000439-AS-000155, SRG-APP-000439-AS-000274 , SRG-APP-000440-AS-000167, SRG-APP-000442-AS-000259
SRG-APP-000015-AS-000010
1 Rule
The Blast Secure Gateway must be configured to only support TLS 1.2 connections.
High Severity
Preventing the disclosure of transmitted information requires that the application server take measures to employ strong cryptographic mechanisms to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems. According to NIST and as of publication, TLS 1.1 must not be used and TLS 1.2 will be configured. Note: Mandating TLS 1.2 may affect certain client types. Test and implement carefully.
SRG-APP-000015-AS-000010
1 Rule
The Horizon Connection Server must force server cipher preference.
High Severity
By default, during the initial setup of a Transport Layer Security (TLS) connection to the Horizon Connection Server, the client sends a list of supported cipher suites in order of preference. The Connection Server replies with the cipher suite it will use for communication, chosen from the client list. This is not ideal since the untrusted client is setting the boundaries and conditions for the connection to proceed. The client could potentially specify known weak cipher combinations that would make the communication more susceptible to interception. By adding the "honorClientOrder" setting to the locked.properties file, the Connection Server will reject the client preference and force the client to choose from the server ordered list of preferred ciphers.
SRG-APP-000016-AS-000013
1 Rule
The Horizon Connection Server must be configured to debug level logging.
Medium Severity
To ensure that all security-relevant information and events are logged, the Horizon Connection Server must be configured with the "debug" logging level. This is the default value but since it could be changed to "info", this configuration must be verified and maintained.
SRG-APP-000033-AS-000024
1 Rule
The Horizon Connection Server administrators must be limited in terms of quantity, scope, and permissions.
Medium Severity
Role based access and least privilege are two fundamental security concepts that must be properly implemented in Horizon View to ensure the right user and groups have the right permissions on the right objects. Horizon View allows for assigning of roles (pre-defined sets of permissions) to specific users and groups and on a specific Access Group (set of objects). Administrators must ensure that minimal permissions are assigned to the right entities, in the right scope, and stay so over time. Satisfies: SRG-APP-000033-AS-000024, SRG-APP-000118-AS-000078, SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083, SRG-APP-000290-AS-000174, SRG-APP-000315-AS-000094, SRG-APP-000340-AS-000185, SRG-APP-000343-AS-000030
SRG-APP-000080-AS-000045
1 Rule
The Horizon Connection Server must require DoD PKI for administrative logins.
High Severity
The Horizon Connection Server console supports CAC login as required for cryptographic non-repudiation. CAC login can be configured as disabled, optional or required but for maximum assurance it must be set to "required". Setting CAC login as "optional" may be appropriate at some sites to support a "break glass" scenario where PKI is failing but there is an emergency access account configured with username/password. Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000153-AS-000104, SRG-APP-000177-AS-000126, SRG-APP-000392-AS-000240, SRG-APP-000391-AS-000239, SRG-APP-000403-AS-000248
SRG-APP-000089-AS-000050
1 Rule
The Horizon Connection Server must be configured with an events database.
Medium Severity
The Horizon Connection Server stores application level events and actions in a dedicated database versus log files. This makes day-to-day administration easier while offloading these events to a separate system for resiliency. An events database is configured after Connection Server deployment. It need only be done once, in the case of multiple grouped Connection Servers, as the configuration will be applied to the other servers automatically. Satisfies: SRG-APP-000089-AS-000050, SRG-APP-000091-AS-000052, SRG-APP-000095-AS-000056, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072, SRG-APP-000266-AS-000168, SRG-APP-000380-AS-000088, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000503-AS-000228, SRG-APP-000504-AS-000229, SRG-APP-000505-AS-000230, SRG-APP-000509-AS-000234
SRG-APP-000090-AS-000051
1 Rule
The Horizon Connection Server must limit access to the global configuration privilege.
Medium Severity
The Horizon Connection Server comes with pre-defined privileges that can be combined in any combination into a role. That role is then assigned to a user or group. Any role that has the "Manage Global Configuration and Policies" has the ability to change the configuration of the Connection Server, including the events database. This privilege must be restricted and monitored over time.
SRG-APP-000175-AS-000124
1 Rule
The Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates.
Medium Severity
The Horizon Connection Server performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. If a SAML 2.0 authenticator is configured for use by a Connection Server instance, the Connection Server also performs certificate revocation checking on the SAML 2.0 server certificate. By default, all certificates in the chain are checked except the root certificate. This must be changed so that the full path, including the root, is validated.
SRG-APP-000175-AS-000124
1 Rule
The Horizon Connection Server must validate client and administrator certificates.
Medium Severity
The Horizon Connection Server can be configured to check the revocation status of PKI certificates over both OCSP and CRL. This capability is disabled by default and must be enabled post-deployment. There are a number of other configurations that are supported, including OCSP and CRL location override but those will be site and architecture specific. The suggested configuration is OCSP with failover to CRL and override the AIA locations via a local OCSP responder, if present. See below: enableRevocationChecking=true ocspCRLFailover=true ocspSendNonce=true enableOCSP=true allowCertCRLs=false crlLocation=http://<crl.myagency.mil> ocspURL=http://<ca.myagency.mil/ocsp ocspSigningCert=ca.myagency.mil.cer Set enableRevocationChecking to true to enable smart card certificate revocation checking. Set ocspCRLFailover to enable CRL checking is OCSP fails. Set ocspSendNonce to true to prevent OCSP repeated responses. Set enableOCSP to true to enable OCSP certificate revocation checking. Set allowCertCRLs to false to disable pulling the CRL distribution point from the certificate. Set crlLocation to the local file of http URL to use for the CRL distribution point. Set ocspURL to the URL of the OCSP Responder. Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing certificate.
SRG-APP-000179-AS-000129
1 Rule
The Horizon Connection Server must only use FIPS 140-2 validated cryptographic modules.
High Severity
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms or poor implementation. The Horizon Connection Server can be configured to exclusively use FIPS 140-2 validated cryptographic modules but only at installation time, not post deployment. Reference VMware documentation for up-to-date requirements for enabling FIPS in Horizon View. Satisfies: SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000416-AS-000140
SRG-APP-000220-AS-000148
1 Rule
The Horizon Connection Server must time out administrative sessions after 15 minutes or less.
Medium Severity
If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the system. Horizon 7 Console sessions can and must be limited in the amount of idle time that will be allowed before automatic logoff. By default, 30 minutes of idle time is allowed but this must be changed to 15 minutes or less for DoD systems. This configuration must be verified and maintained over time. Satisfies: SRG-APP-000220-AS-000148, SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253
SRG-APP-000267-AS-000170
1 Rule
The Horizon Connection Server must protect log files from unauthorized access.
Medium Severity
Error logs can contain sensitive information about system errors and system architecture that need to be protected from unauthorized access and modification. By default, Horizon Connection Server logs are only accessible by local windows Administrators. This configuration must be verified and maintained.
SRG-APP-000358-AS-000064
1 Rule
The Horizon Connection Server must offload events to a central log server in real time.
Medium Severity
Information system logging capability is critical for accurate forensic analysis. Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. The Horizon Connection Server can be configured to send all events to a syslog receiver. Multiple servers can be configured but only the UDP protocol is supported at this time. Satisfies: SRG-APP-000358-AS-000064, SRG-APP-000515-AS-000203
SRG-APP-000427-AS-000264
1 Rule
The Horizon Connection Server must be configured with a DoD-issued TLS certificate.
Medium Severity
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not DoD-approved, trust of this CA has not been established. The Horizon Connection Server supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools, focusing on the certificate with the "vdm"-friendly name. Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must reauthenticate users after a network interruption.
Medium Severity
Given the remote access nature of Horizon Connection Server, the client must be ensured to be under positive control as much as is possible from the server side. As such, whenever a network interruption causes a client disconnect, that session must be reauthenticated upon reconnection. To allow a session resumption would be convenient but would allow for the possibility of the endpoint being taken out of the control of the intended user and reconnected to a different network, in control of a bad actor who could then resume the disconnected session.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must disconnect users after a maximum of ten hours.
Medium Severity
Horizon Connection Server is intended to provide remote desktops and applications, generally during working hours and for no more than an extended workday. Leaving sessions active for more than what is reasonable for a work day leaves open the possibility of a session becoming unoccupied and insecure on the client side. For example, if a client connection is opened at 0900, there are few day-to-day reasons that the connection should still be open after 1900, therefore the connection must be terminated. If the user is still active, they can reauthenticate immediately and get back on for another ten hours.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must disconnect applications after two hours of idle time.
Medium Severity
Horizon View is intended to provide remote desktops and applications during for more or less continuous use. If an application is open and goes used for more than two hours, that application must be closed to eliminate the risk of that idle application being usurped. For desktops, sessions will not be disconnected after two hours but the credentials stored with Horizon will be invalidated. Subsequent desktop connection attempts will require reauthentication.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must discard SSO credentials after 15 minutes.
Medium Severity
Horizon Connection Server caches user credentials temporarily to ensure that the user can connect to their desktop pools without reauthenticating, right after logging in to the broker. However, this grace period must be restricted so that SSO credentials are only retained for 15 minutes before being discarded. Subsequent desktop connection attempts will require reauthentication, even if the user is still connected to the broker.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must not accept pass-through client credentials.
Medium Severity
Horizon Connection Server has the ability to allow clients to authenticate using the local session credentials of their local endpoint. While convenient, this must be disabled for DoD deployments as the server cannot ascertain the method of endpoint login, whether that user's client certificate has since been revoked, etc.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must require DoD PKI for client logins.
Medium Severity
Before clients can pick a desktop or app to access, they must first authenticate to the broker, the Connection Server itself. If the client is accessing the broker directly, then the allowed authentication methods must be specified. These include RADIUS, SecurID, user/pass and smart card. In the DoD, CAC login must be enforced at all times, for all client connections. If the client is connecting through a Security Server or the UAG appliance, this requirement does not apply.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must backup its configuration daily.
Medium Severity
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server Instant Clone domain account must be configured with limited permissions.
Medium Severity
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Medium Severity
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must have X-Frame-Options enabled.
Medium Severity
RFC 7034 HTTP Header Field X-Frame-Options, also known as counter clickjacking, is enabled by default on the Horizon Connection Server. It can be disabled by adding the entry "x-frame-options=OFF" to the locked.properties file, usually for troubleshooting purposes. The default configuration must be verified and maintained.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must have Origin Checking enabled.
Medium Severity
RFC 6454 Origin Checking, which protects against cross-site request forging, is enabled by default on the Horizon Connection Server. When an administrator opens the Horizon 7 Console or a user connects to Blast HTML Access, the server checks that the origin URL for the web request matches the configured secure tunnel URL or "localhost". When the Connection Server is load balanced or front-ended by a Unified Access Gateway (UAG) appliance, origin checking will fail. This is commonly resolved by disabling origin checking entirely by specifying "checkOrigin=false" in the "locked.properties" file. This is not the proper solution. Instead, origin checking must be enabled and the load balancer and UAG appliances must be allowlisted via the "balancedHost" and "portalHost.X" settings in "locked.properties", respectively. Origin checking can be disabled by adding the entry "checkOrigin=false" to locked.properties, usually for troubleshooting purposes. The default, "checkOrigin=true" or unspecified configuration must be verified and maintained.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must enable the Content Security Policy.
Medium Severity
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server defines the policy and the client browser enforces the policy. This feature is enabled by default but must be validated and maintained over time.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must enable the proper Content Security Policy directives.
Medium Severity
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server has default CSP directives that block XSS attacks, enable x-frame restrictions and more. If the default configurations are overridden, the protections may be disabled even though the CSP itself is still enabled. This default policy must be validated and maintained over time.
SRG-APP-000516-AS-000237
1 Rule
The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate.
Medium Severity
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The Blast Secure Gateway supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools. For simplicity, it is recommended to use the same certificate as previously configured for Connection Server itself via the "vdm" common name.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must not allow unauthenticated access.
Medium Severity
When the Horizon native smart card capability is not set to "Required", the option for "Unauthenticated Access" is enabled. This would be true in the case of an external IdP providing authentication via SAML. The "Unauthenticated Access" option allows users to access published applications from a Horizon Client without requiring AD credentials. This is typically implemented as a convenience when serving up an application that has its own security and user management. This configuration is not acceptable in the DoD and must be disabled.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must require CAC reauthentication after user idle timeouts.
Medium Severity
If a user VDI session times out due to activity, the user must be assumed to not be active and have their resource locked. These resources should only be made available again upon the user reauthenticating versus reusing the initial connection. This ensures that the connection has not been hijacked and re-stablishes nonrepudiation.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must be configured to restrict USB passthrough access.
Medium Severity
One of the many benefits of VDI is the separation of the end user from the "desktop" they are accessing. This helps mitigate the risks imposed by physical access. In a traditional desktop scenario, and from a security perspective, physical access is equivalent to ownership. USB devices are physical devices that interact at the driver layer with the guest operating system and are inherently problematic. There are numerous risks posed by USB including the driver stack, data loss prevention, malicious devices, etc. Client USB devices are not necessary for general purpose VDI desktops and must be disabled broadly and enabled selectively. Note: USB mouse, keyboard and smart card devices are abstracted by Horizon and are not affected by any of these Horizon configurations.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Connection Server must prevent MIME type sniffing.
Medium Severity
MIME types define how a given type of file is intended to be processed by the browser. Modern browsers are capable of determining the content type of a file by byte headers and content inspection and can then override the type dictated by the server. An example would be a ".js" that was sent as the "jpg" mime type vs the JavaScript mime type. The browser would "correct" this and process the file as JavaScript. The danger is that a given file could be disguised as something else on the server, like JavaScript, opening up the door to cross-site scripting. To disable browser "sniffing" of content type, the Connection Server sends the "x-content-type-options: nosniff" header by default. This configuration must be validated and maintained over time.
SRG-APP-000456-AS-000266
1 Rule
All Horizon components must be running supported versions.
High Severity
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes) to production systems after thorough testing of the patches within a lab environment. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
SRG-APP-000001-AS-000001
1 Rule
The Horizon Connection Server must limit the number of concurrent client sessions.
Medium Severity
The Horizon Connection Server has the ability to limit the number of simultaneous client connections. This capability is helpful in limiting resource exhaustion risks related to denial of service attacks. By default, in code, the Connection Server allows up to 2000 client connections at one time, over all protocol types. For larger deployments, this limit can be increased to a tested and supported maximum of 4000 by making modifications to the "locked.properties" file. Ensure any changes to the number of allowed simultaneous connections is supported by VMware for the choice of protocols and that this value is documented as part of the SSP. Satisfies: SRG-APP-000001-AS-000001, SRG-APP-000435-AS-000163