← Back to VMware Horizon 7.13 Client Security Technical Implementation Guide

V-246878

CAT II (Medium)

The Horizon Client must not ignore certificate revocation problems.

Rule ID

SV-246878r768594_rule

STIG

VMware Horizon 7.13 Client Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

When the Horizon Client connects to the server, by default, the server TLS certificate will be validated on the client side. If the revocation status cannot be determined or if the certificate is revoked, the connection will fail due to an untrusted connection. This default behavior can be overridden, however, to ignore revocation errors and proceed with revoked or certificates of unknown status. The default, secure, configuration must be validated and maintained.

Check Content

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Ignore certificate revocation problems".

If "Ignore certificate revocation problems" is set to "Enabled", this is a finding.

Fix Text

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Ignore certificate revocation problems".

Make sure the setting is "Disabled". Click "OK".