Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-246873 | HRZA-7X-000014 | SV-246873r768579_rule | | Medium |
Description |
---|
Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored appropriately. By default, the Horizon Client, Agent, and guest operating systems will coordinate to allow drives local to the client to be redirected over the Client connection and mounted in the virtual desktop. This configuration must be modified to disallow drive sharing in order to protect sensitive DoD data from being maliciously, accidentally, or casually removed from the controlled environment. |
STIG | Date |
---|---|
VMware Horizon 7.13 Agent Security Technical Implementation Guide | 2021-07-30 |
Check Text (C-50305r768577_chk) |
---|
Ensure the vdm_rdsh_server.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the "Do not allow drive redirection" setting. If "Do not allow drive redirection" is not "Enabled", this is a finding. |
Fix Text (F-50259r768578_fix) |
---|
Ensure the vdm_rdsh_server.admx template is added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection. Double-click the "Do not allow drive redirection" setting. Click the radio button next to "Enabled". Click "OK". |
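
The check above is performed in the GPO editor; the following added example (not part of the STIG text) verifies the effective result on a VDI desktop or RDS host after the GPO has applied. It assumes the "Do not allow drive redirection" setting writes the standard Remote Desktop Services policy value `fDisableCdm` under the Terminal Services policy key; the function name `Test-DriveRedirectionDisabled` and the output fields are hypothetical.

```powershell
# Added example: reports whether the "Do not allow drive redirection" policy
# is effectively Enabled on the local machine.
# Assumption: the policy is stored as REG_DWORD fDisableCdm = 1 under the
# standard Terminal Services policy key below.
function Test-DriveRedirectionDisabled {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    )

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FindingId    = 'V-246873'
        Value        = $null
        Status       = 'Open'          # stays Open unless the policy is proven Enabled
        Detail       = ''
    }

    # A missing key or value means the setting is "Not Configured",
    # which the check text treats as a finding (it is not "Enabled").
    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        $result.Detail = 'Policy key absent: setting is Not Configured'
        return $result
    }

    $prop = Get-ItemProperty -LiteralPath $PolicyKey -Name 'fDisableCdm' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $result.Detail = 'fDisableCdm absent: setting is Not Configured'
        return $result
    }

    $result.Value = $prop.fDisableCdm
    if ($prop.fDisableCdm -eq 1) {
        $result.Status = 'NotAFinding'
        $result.Detail = 'Policy is Enabled: drive redirection is blocked'
    } else {
        $result.Detail = 'Policy is Disabled: drive redirection is allowed'
    }
    return $result
}

Test-DriveRedirectionDisabled | Format-List
```

Run it in an elevated session on the desktop or RDS host after `gpupdate /force`; a status of `Open` means the GPO is either not linked to that machine or the setting is not "Enabled".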