
The Horizon Connection Server must require DoD PKI for administrative logins.


Overview

Finding ID: V-246888
Version: HRZV-7X-000007
Rule ID: SV-246888r790555_rule
IA Controls:
Severity: High
Description
The Horizon Connection Server console supports CAC login as required for cryptographic non-repudiation. CAC login can be configured as disabled, optional, or required, but for maximum assurance it must be set to "required". Setting CAC login as "optional" may be appropriate at some sites to support a "break glass" scenario where PKI is failing but there is an emergency access account configured with username/password.

Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000153-AS-000104, SRG-APP-000177-AS-000126, SRG-APP-000392-AS-000240, SRG-APP-000391-AS-000239, SRG-APP-000403-AS-000248

STIG: VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50320r790554_chk)
Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Scroll down to "Horizon Administrator Authentication". Find the value in the drop down next to "Smart card authentication for administrators".

If "Smart card authentication for administrators" is not set to "Required", this is a finding.

NOTE: If another form of DoD approved PKI is used, and configured to be required for administrative logins, this is not a finding.
Fix Text (F-50274r768623_fix)
Log in to Horizon Connection Server Console and copy all root and intermediate certificates, in base-64 '.cer' format, required for CAC authentication to "C:\Certs". If "C:\Certs" does not exist, create it.

Copy the provided make_keystore.txt to the Horizon Connection Server in "\VMware\VMware View\Server\sslgateway\conf". Rename "make_keystore.txt" to "make_keystore.ps1". The "make_keystore.txt" content is provided in this STIG package.

Launch PowerShell as an administrator on the Horizon Connection Server and execute the following commands:

cd "\VMware\VMware View\Server\sslgateway\conf"
Set-ExecutionPolicy unrestricted
(type 'Y' when prompted)
.\make_keystore.ps1 -CertDir C:\Certs -Password <keystore password> -KeyStore keystore -LockedProperties locked.properties

Copy the created "locked.properties" and "keystore" files to any Horizon Connection Server that shares the same trusted issuers. Omit this step if multiple Connection Servers are not utilized.

Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Select the "Authentication" tab. Scroll down to "View Administrator Authentication". Select "Required" for the "Smart card authentication for administrators". Click "OK". Repeat for all other Horizon Connection Servers.

Restart the "VMware Horizon View Connection Server" service for changes to take effect.
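
A pre-flight check for the certificates staged in "C:\Certs", to run before make_keystore.ps1 builds the keystore. It flags files that are not base-64 encoded, lack the CA basic constraint, are expired, or whose issuer is not also staged. This is an added example, not part of the STIG package; the function name Test-StagedCaCerts is hypothetical.

```powershell
# Added example (not from the STIG package). Test-StagedCaCerts is a hypothetical name.
# Usage: Test-StagedCaCerts | Format-Table File, NotAfter, Problems -AutoSize
function Test-StagedCaCerts {
    param([string]$CertDir = 'C:\Certs')   # staging directory named in the fix text

    $rows = foreach ($file in Get-ChildItem -Path $CertDir -Filter *.cer -File) {
        $first = Get-Content -Path $file.FullName -TotalCount 1
        try {
            $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
        } catch {
            # Empty, truncated, or non-certificate file
            [pscustomobject]@{ File = $file.Name; Subject = $null; Issuer = $null
                               NotAfter = $null; Problems = @('unparseable') }
            continue
        }
        $problems = @()
        # The fix text asks for base-64 .cer files; DER-encoded files lack the PEM header.
        if ($first -notmatch '^-----BEGIN CERTIFICATE-----') { $problems += 'not base-64' }
        # Root and intermediate certificates normally carry BasicConstraints with CA=TRUE.
        $bc = $x509.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        if (-not ($bc -and $bc.CertificateAuthority)) { $problems += 'no CA basic constraint' }
        if ($x509.NotAfter -lt (Get-Date)) { $problems += 'expired' }
        [pscustomobject]@{ File = $file.Name; Subject = $x509.Subject; Issuer = $x509.Issuer
                           NotAfter = $x509.NotAfter; Problems = $problems }
    }

    # A non-self-signed certificate whose issuer is not staged leaves the chain incomplete.
    $subjects = @($rows | Where-Object Subject | ForEach-Object Subject)
    foreach ($r in $rows) {
        if ($r.Subject -and $r.Issuer -ne $r.Subject -and $subjects -notcontains $r.Issuer) {
            $r.Problems += 'issuer not staged'
        }
        $r
    }
}
```

Any row with a non-empty Problems column should be resolved before the keystore is generated and copied to other Connection Servers.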