The Horizon Connection Server must be configured to restrict USB passthrough access.
An XCCDF Rule
Description
One of the many benefits of VDI is the separation of the end user from the "desktop" they are accessing. This helps mitigate the risks imposed by physical access. In a traditional desktop scenario, and from a security perspective, physical access is equivalent to ownership. USB devices are physical devices that interact at the driver layer with the guest operating system and are inherently problematic. There are numerous risks posed by USB including the driver stack, data loss prevention, malicious devices, etc. Client USB devices are not necessary for general purpose VDI desktops and must be disabled broadly and enabled selectively.

Note: USB mouse, keyboard and smart card devices are abstracted by Horizon and are not affected by any of these Horizon configurations.

Documentable: false
- ID: SV-246914r768702_rule
- Severity: Medium
Remediation - Manual Procedure
Step One - Disable USB Access Globally:
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Global Policies. In the right pane, click "Edit Policies". In the drop-down next to "USB Access", select "Deny". Click "OK".
Step Two - Confirm per-pool settings: