Rule ID
SV-246879r768597_rule
Version
V1R1
CCIs
In older versions of Horizon, before 5.0, remote desktop connections could be established without TLS encryption. In order to protect data-in-transit when potentially connecting to very old Horizon servers, TLS tunnels must be mandated. The default configuration attempts TLS but will fall back to no encryption if it is not supported. This must be corrected and maintained over time.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Enable SSL encrypted framework channel". If "Enable SSL encrypted framework channel" is set to "Disabled" or "Not Configured", this is a finding. In the dropdown beneath "Enable SSL encrypted framework channel", if "Enforce" is not selected, this is a finding.
Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware Horizon Client Configuration >> Security Settings. Double-click "Enable SSL encrypted framework channel". Make sure the setting is "Enabled". In the dropdown beneath "Enable SSL encrypted framework channel", select "Enforce". Click "OK".