The Horizon Agent must not allow file transfers through HTML Access.

An XCCDF Rule

Description

<VulnDiscussion>Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. Additionally, data coming into the environment must be through allowed channels and inspected appropriately. By default, the Blast protocol on the Horizon Agent will allow file transfers through HTML Access only from the client to the desktop. This must be configured to disabled in both directions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-246868r768564_rule
Severity: Medium
References: CCI-000366
Updated: about 1 year ago

Ensure the vdm_blast.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. 

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Blast. Double-click the "Configure file transfer" setting. 

Click the radio button next to "Enabled". 
In the drop-down under "Configure file transfer", select "Disabled both upload and download". Click "OK".

The Horizon Agent must not allow file transfers through HTML Access.

Description

Remediation - Manual Procedure