The Horizon Connection Server must require DoD PKI for administrative logins.
An XCCDF Rule
Description
The Horizon Connection Server console supports CAC login as required for cryptographic non-repudiation. CAC login can be configured as disabled, optional or required but for maximum assurance it must be set to "required". Setting CAC login as "optional" may be appropriate at some sites to support a "break glass" scenario where PKI is failing but there is an emergency access account configured with username/password. Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000153-AS-000104, SRG-APP-000177-AS-000126, SRG-APP-000392-AS-000240, SRG-APP-000391-AS-000239, SRG-APP-000403-AS-000248
- ID
- SV-246888r790555_rule
- Severity
- High
- References
- Updated
Remediation Templates
A Manual Procedure
Log in to Horizon Connection Server Console and copy all root and intermediate certificates, in base-64 '.cer' format, required for CAC authentication to ‘C:\Certs’. If "C:\Certs” does not exist, create it.
Copy the provided make_keystore.txt to the Horizon Connection Server in "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Rename "make_keystore.txt" to “makekeystore.ps1”. The "make_keystore.txt" content is provided in this STIG package.
Launch PowerShell as an administrator on the Horizon Connection Server and execute the following commands: