The Horizon Client must require TLS connections.
An XCCDF Rule
Description
<VulnDiscussion>In older versions of Horizon, before 5.0, remote desktop connections could be established without TLS encryption. In order to protect data-in-transit when potentially connecting to very old Horizon servers, TLS tunnels must be mandated. The default configuration attempts TLS but will fall back to no encryption if it is not supported. This must be corrected and maintained over time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-246879r768597_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops.
Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Enable SSL encrypted framework channel".
Make sure the setting is "Enabled".