UCF STIG Viewer Logo

The Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates.


Overview

Finding ID Version Rule ID IA Controls Severity
V-246891 HRZV-7X-000010 SV-246891r768633_rule Medium
Description
The Horizon Connection Server performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. If a SAML 2.0 authenticator is configured for use by a Connection Server instance, the Connection Server also performs certificate revocation checking on the SAML 2.0 server certificate. By default, all certificates in the chain are checked except the root certificate. This must be changed so that the full path, including the root, is validated.
STIG Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide 2021-07-30

Details

Check Text ( C-50323r768631_chk )
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Security". Locate the "CertificateRevocationCheckType" key.

If the "CertificateRevocationCheckType" key does not exist, this is a finding.

If the "CertificateRevocationCheckType" key does not have a value of "3", this is a finding.
Fix Text (F-50277r768632_fix)
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Security".

If the "CertificateRevocationCheckType" key exists:

Right click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). Click "OK".

Otherwise:

Right-click on the "Security" folder and select New >> DWORD (32 bit) Value. Set the name to "CertificateRevocationCheckType" (without quotes). Right-click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). Click "OK".

Restart the "VMware Horizon View Connection Server" service for changes to take effect.