The Horizon Connection Server must require CAC reauthentication after user idle timeouts.
An XCCDF Rule
Description
<VulnDiscussion>If a user VDI session times out due to activity, the user must be assumed to not be active and have their resource locked. These resources should only be made available again upon the user reauthenticating versus reusing the initial connection. This ensures that the connection has not been hijacked and re-stablishes nonrepudiation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-246913r768699_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Settings. In the right pane, click the "General Settings" tab. Click "Edit". Select the checkbox next to "Enable 2-Factor Reauthentication". Click "OK".