The Horizon Connection Server must be configured with a DoD-issued TLS certificate.
An XCCDF Rule
Description
<VulnDiscussion>The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not DoD-approved, trust of this CA has not been established. The Horizon Connection Server supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools, focusing on the certificate with the "vdm"-friendly name. Satisfies: SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-246897r768651_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Obtain a web server certificate from a DoD authority, specifying the common name as the "Horizon Connection server FQDN", the signing algorithm as "SHA256", and the key strength of at least "1024 bits".
Export the certificate and private key to a password-protected PFX bundle.
On the Horizon Connection Server, open "certlm.msc or certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of "vdm". Right-click this certificate and select "Properties". Change the "Friendly name" to "vdm-original" or similar. Click "OK.