
V-246864

CAT II (Medium)

The Horizon Agent must check the entire chain when validating certificates.

Rule ID

SV-246864r768552_rule

STIG

VMware Horizon 7.13 Agent Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Any time the Horizon Agent establishes an outgoing TLS connection, it verifies the server certificate revocation status. By default, it verifies all intermediates but not the root. DoD policy requires full path validation, so this default behavior must be changed.

Check Content

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Common Configuration >> Security Configuration. Double-click the "Type of certificate revocation check" setting.

If "Type of certificate revocation check" is "Not Configured" or "Disabled", this is a finding.

In the drop-down under "Type of certificate revocation check", if "WholeChain" is not selected, this is a finding.
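
The check above can also be evaluated from an XML GPO report instead of the MMC snap-in. The following is an added example, not part of the STIG or VMware's tooling: the function name `Test-HorizonRevocationCheck` is hypothetical, the sample report is constructed, and the `Policy` / `State` / `DropDownList` / `Value` element layout is assumed to match the XML produced by `Get-GPOReport -ReportType Xml`.

```powershell
# Evaluate V-246864 against a GPO report in Get-GPOReport XML form.
function Test-HorizonRevocationCheck {
    param([Parameter(Mandatory)][xml]$Report)

    $settingName = 'Type of certificate revocation check'
    # local-name() avoids depending on the report's namespace prefixes.
    $xpath = "//*[local-name()='Computer']//*[local-name()='Policy']" +
             "[*[local-name()='Name']='$settingName']"
    $policy = $Report.SelectSingleNode($xpath)

    # Setting absent from the report means "Not Configured": a finding.
    if (-not $policy) {
        return [pscustomobject]@{ Finding = $true; Reason = 'Not Configured' }
    }
    $state = $policy.SelectSingleNode("*[local-name()='State']").InnerText
    if ($state -ne 'Enabled') {
        return [pscustomobject]@{ Finding = $true; Reason = "State is $state" }
    }
    # Enabled is not enough: the drop-down must be WholeChain.
    $choice = $policy.SelectSingleNode(
        "*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']")
    $selected = if ($choice) { $choice.InnerText } else { '' }
    if ($selected -ne 'WholeChain') {
        return [pscustomobject]@{ Finding = $true; Reason = "Drop-down is '$selected'" }
    }
    [pscustomobject]@{ Finding = $false; Reason = 'Enabled, WholeChain' }
}

# Constructed sample: setting enabled, but with a placeholder non-compliant value.
$sample = [xml]@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Computer><ExtensionData><Extension
      xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
    <q1:Policy>
      <q1:Name>Type of certificate revocation check</q1:Name>
      <q1:State>Enabled</q1:State>
      <q1:DropDownList>
        <q1:Name>Type of certificate revocation check</q1:Name>
        <q1:Value><q1:Name>NotWholeChain</q1:Name></q1:Value>
      </q1:DropDownList>
    </q1:Policy>
  </Extension></ExtensionData></Computer>
</GPO>
'@
Test-HorizonRevocationCheck -Report $sample

# Against a live GPO (the GPO name is a placeholder):
# Test-HorizonRevocationCheck -Report ([xml](Get-GPOReport -Name '<GPO name>' -ReportType Xml))
```

This only confirms what the GPO defines; whether the policy actually reaches a given VDI desktop or RDS host still depends on GPO linking and filtering.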

Fix Text

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Common Configuration >> Security Configuration. Double-click the "Type of certificate revocation check" setting.

Make sure the setting is "Enabled".

In the drop-down under "Type of certificate revocation check", select "WholeChain". Click "OK".