VMware Horizon 7.13 Agent Security Technical Implementation Guide
Profile: II - Mission Support Public (an XCCDF profile)
15 rules organized in 15 groups
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must only run allowed scripts on user connect.
Medium Severity
The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of such scripts should be delegated to native Windows capabilities where possible. These settings are powerful and can serve as a potential space for a privileged attacker to persist. By default, this setting is unconfigured. Should the site require this setting, ensure it is audited and its configuration valid at all times.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must only run allowed scripts on user disconnect.
Medium Severity
The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of such scripts should be delegated to native Windows capabilities where possible. These settings are powerful and can serve as a potential space for a privileged attacker to persist. By default, this setting is unconfigured. Should the site require this setting, ensure it is audited and its configuration valid at all times.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must only run allowed scripts on user reconnect.
Medium Severity
The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of such scripts should be delegated to native Windows capabilities where possible. These settings are powerful and can serve as a potential space for a privileged attacker to persist. By default, this setting is unconfigured. Should a site require this setting, ensure it is audited and the configuration valid at all times.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must check the entire chain when validating certificates.
Medium Severity
Any time the Horizon Agent establishes an outgoing TLS connection, it verifies the server certificate revocation status. By default, it verifies all intermediates but not the root. DoD policy requires full path validation, thus this default behavior needs to be changed.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must set an idle timeout.
Medium Severity
Idle sessions are at increased risk of being hijacked. If a user has stepped away from their desk and is no longer in positive control of their session, that session is in danger of being assumed by an attacker. Idle sessions also waste valuable datacenter resources and could potentially lead to a lack of resources for new, active users. As such, an organizationally defined idle timeout must be supplied to override the Horizon default of "never".
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must block server to client clipboard actions for Blast.
Medium Severity
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. By default, the Blast protocol on the Horizon Agent will block clipboard "copy/paste" actions from the desktop to the client but allow actions from the client to the desktop. This configuration must be validated and maintained over time.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must block server to client clipboard actions for PCoIP.
Medium Severity
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. By default, the PCoIP protocol on the Horizon Agent will block clipboard "copy/paste" actions from the desktop to the client but allow actions from the client to the desktop. This configuration must be validated and maintained over time.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must not allow file transfers through HTML Access.
Medium Severity
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. Additionally, data coming into the environment must be through allowed channels and inspected appropriately. By default, the Blast protocol on the Horizon Agent will allow file transfers through HTML Access only from the client to the desktop. This must be configured to disabled in both directions.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must not allow drag and drop for Blast.
Medium Severity
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. Additionally, data coming into the environment must be through allowed channels and inspected appropriately. By default, the Blast protocol on the Horizon Agent will allow drag and drop actions from the client to the desktop. This must be configured to disabled in both directions.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must not allow drag and drop for PCoIP.
Medium Severity
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. Additionally, data coming into the environment must be through allowed channels and inspected appropriately. By default, the PCoIP protocol on the Horizon Agent will allow drag and drop actions from the client to the desktop. This must be configured to disabled in both directions.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must audit clipboard actions for Blast.
Medium Severity
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. By default, the Blast protocol on the Horizon Agent will block clipboard "copy/paste" actions from the desktop to the client but allow actions from the client to the desktop. All such allowed actions must be audited for potential future forensic purposes.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must audit clipboard actions for PCoIP.
Medium Severity
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. By default, the PCoIP protocol on the Horizon Agent will block clipboard "copy/paste" actions from the desktop to the client but allow actions from the client to the desktop. All such allowed actions must be audited for potential future forensic purposes.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent desktops must not allow client drive redirection.
Medium Severity
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. By default, the Horizon Client, Agent, and guest operating systems will coordinate to allow drives local to the client to be redirected over the Client connection and mounted in the virtual desktop. This configuration must be modified to disallow drive sharing in order to protect sensitive DoD data from being maliciously, accidentally, or casually removed from the controlled environment.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must block USB mass storage.
Medium Severity
The Horizon Agent has the capability to granularly control what, if any, USB devices are allowed to be passed from the local client to the agent on the virtual desktop. By default, Horizon blocks certain device families from being redirected to the remote desktop or application. For example, HID (human interface devices) and keyboards are blocked from appearing in the guest, as released BadUSB code targets USB keyboard devices. While there are legitimate reasons to pass USB devices to the desktop, these must be carefully analyzed for necessity. At a minimum, USB Mass Storage devices must never be passed through, in keeping with long-standing DoD data loss prevention policies. As thumb drives are disallowed for physical PCs, so should they be for virtual desktops. This can be accomplished in many ways, including natively in the Horizon Agent.
SRG-APP-000516-AS-000237
1 Rule
The Horizon Agent must require TLS connections.
Medium Severity
The Horizon Agent has the capability to be backward compatible with legacy clients, circa View 5.2, which do not support newer TLS connections. By default, the agent can fall back to this non-TLS mode when being accessed by a legacy client. The Horizon Agent must be configured to not support these legacy clients and enforce TLS connections as mandatory.