III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must have Origin Checking enabled.
RFC 6454 Origin Checking, which protects against cross-site request forging, is enabled by default on the Horizon Connection Server. When an administrator opens the Horizon 7 Console or a user conn...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must enable the Content Security Policy.
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), clickjacking and other code inj...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must enable the proper Content Security Policy directives.
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities such as cross-site scripting (XSS), clickjacking and other code inje...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate.
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not a DoD-approved CA, trust ...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must not allow unauthenticated access.
When the Horizon native smart card capability is not set to "Required", the option for "Unauthenticated Access" is enabled. This would be true in the case of an external IdP providing authenticatio...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must require CAC reauthentication after user idle timeouts.
If a user VDI session times out due to activity, the user must be assumed to not be active and have their resource locked. These resources should only be made available again upon the user reauthen...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must be configured to restrict USB passthrough access.
One of the many benefits of VDI is the separation of the end user from the "desktop" they are accessing. This helps mitigate the risks imposed by physical access. In a traditional desktop scenario,...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
The Horizon Connection Server must prevent MIME type sniffing.
MIME types define how a given type of file is intended to be processed by the browser. Modern browsers are capable of determining the content type of a file by byte headers and content inspection a...Rule Medium Severity -
SRG-APP-000456-AS-000266
Group -
All Horizon components must be running supported versions.
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (incl...Rule High Severity -
SRG-APP-000001-AS-000001
Group -
The Horizon Connection Server must limit the number of concurrent client sessions.
The Horizon Connection Server has the ability to limit the number of simultaneous client connections. This capability is helpful in limiting resource exhaustion risks related to denial of service a...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.