← Back to VMware Horizon 7.13 Connection Server Security Technical Implementation Guide

V-246902

CAT II (Medium)

The Horizon Connection Server must not accept pass-through client credentials.

Rule ID

SV-246902r879887_rule

STIG

VMware Horizon 7.13 Connection Server Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

Horizon Connection Server has the ability to allow clients to authenticate using the local session credentials of their local endpoint. While convenient, this must be disabled for DoD deployments as the server cannot ascertain the method of endpoint login, whether that user's client certificate has since been revoked, etc.

Check Content

Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Scroll down to the "Current User Authentication" and note the "Accept logon as current user" checkbox.

If the "Accept logon as current user" checkbox is checked, this is a finding.

Note: If "Smart card authentication for users" is set to "Required", this setting is automatically disabled and greyed out. This would be not applicable.

Fix Text

Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. Select the Connection Servers tab in the right pane. Click "Edit". Click the "Authentication" tab. Scroll down to the "Current User Authentication". Uncheck the checkbox next to "Accept logon as current user". Click "OK".

Note: When smart card authentication required, this setting will be unchecked and greyed out automatically.