
The Horizon Agent must check the entire chain when validating certificates.

An XCCDF Rule

Description

Any time the Horizon Agent establishes an outgoing TLS connection, it verifies the server certificate revocation status. By default, it verifies all intermediates but not the root. DoD policy requires full path validation, thus this default behavior needs to be changed.

ID
SV-246864r768552_rule
Version
HRZA-7X-000005
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Common Configuration >> Security Configuration. Double-click the "Type of certificate revocation check" setting.

Make sure the setting is "Enabled".

In the drop-down under "Type of certificate revocation check", select "WholeChain". Click "OK".
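
To confirm the result of the procedure above without opening each GPO by hand, the following added example (not part of the STIG or of VMware's tooling) parses a GPO XML report and checks that the setting is "Enabled" with "WholeChain" selected. The function name `Test-HorizonRevocationPolicy` is hypothetical, the sample report is constructed and trimmed, and it is assumed that the report lists the policy and its drop-down choice under the same labels the GUI shows.

```powershell
# Added example (not from the STIG): check a GPO XML report for the required setting.
# Assumption: the report names the policy and its drop-down choice as the GUI does.
function Test-HorizonRevocationPolicy {
    param([Parameter(Mandatory)][string]$ReportXml)
    $doc = [xml]$ReportXml
    # local-name() keeps the query independent of the report's namespace prefixes.
    $xpath = "/*[local-name()='GPO']/*[local-name()='Computer']" +
             "//*[local-name()='Policy']" +
             "[*[local-name()='Name']='Type of certificate revocation check']"
    $policy = $doc.SelectSingleNode($xpath)
    if ($null -eq $policy) {
        return [pscustomobject]@{ Compliant = $false; Finding = 'Setting is not configured in this GPO' }
    }
    $state = $policy.SelectSingleNode("*[local-name()='State']")
    if ($null -eq $state -or $state.InnerText -ne 'Enabled') {
        return [pscustomobject]@{ Compliant = $false; Finding = 'Setting is not "Enabled"' }
    }
    $choicePath = "*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']"
    $choice = $policy.SelectSingleNode($choicePath)
    $selected = if ($null -ne $choice) { $choice.InnerText } else { '(none)' }
    [pscustomobject]@{ Compliant = ($selected -eq 'WholeChain'); Finding = "Drop-down selection is '$selected'" }
}

# Constructed, trimmed report. A real one comes from (GPO name is a placeholder):
#   Get-GPOReport -Name '<site-specific GPO>' -ReportType Xml
$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
      <q1:Policy>
        <q1:Name>Type of certificate revocation check</q1:Name>
        <q1:State>Enabled</q1:State>
        <q1:DropDownList>
          <q1:Name>Type of certificate revocation check</q1:Name>
          <q1:Value><q1:Name>WholeChain</q1:Name></q1:Value>
        </q1:DropDownList>
      </q1:Policy>
    </Extension>
  </ExtensionData></Computer>
</GPO>
'@

Test-HorizonRevocationPolicy -ReportXml $sample
Test-HorizonRevocationPolicy -ReportXml ($sample -replace '<q1:State>Enabled', '<q1:State>Disabled')
```

The first call reports the constructed GPO as compliant; the second, with the policy state switched to "Disabled", reports a finding. A missing policy element is also treated as a finding, because an unconfigured setting leaves the default in place, which checks the intermediates but not the root.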