The Horizon Connection Server must not accept pass-through client credentials.
An XCCDF Rule
Description
<VulnDiscussion>Horizon Connection Server has the ability to allow clients to authenticate using the local session credentials of their local endpoint. While convenient, this must be disabled for DoD deployments as the server cannot ascertain the method of endpoint login, whether that user's client certificate has since been revoked, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-246902r768666_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. Select the Connection Servers tab in the right pane. Click "Edit". Click the "Authentication" tab. Scroll down to the "Current User Authentication". Uncheck the checkbox next to "Accept logon as current user". Click "OK".
Note: When smart card authentication required, this setting will be unchecked and greyed out automatically.