The Horizon Agent must only run allowed scripts on user reconnect.

An XCCDF Rule

Description

The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of such scripts should be delegated to native windows capabilities where possible. These settings are powerful and can serve as a potential space for a privileged attacker to persist. By default, this setting is unconfigured. Should a site require this setting, ensure it is audited and the configuration valid at all times.

ID: SV-246863r768549_rule
Version: HRZA-7X-000004
Severity: Medium
References: CCI-000366
Updated: 5 days ago

Remediation Templates

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "CommandsToRunOnReconnect" setting.

Option 1:
Click the radio button next to "Disabled". Click "OK".

Option 2:

Click the "Show..." button next to "Commands". Highlight the unneeded command and press the "delete" key. Click "OK". Click "OK".

The Horizon Agent must only run allowed scripts on user reconnect.

Description

Remediation Templates

A Manual Procedure