V-246861

CAT II (Medium)

The Horizon Agent must only run allowed scripts on user connect.

Rule ID

SV-246861r768543_rule

STIG

VMware Horizon 7.13 Agent Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of such scripts should be delegated to native Windows capabilities where possible. These settings are powerful and give a privileged attacker a potential place to persist. By default, this setting is unconfigured. Should the site require this setting, ensure it is audited and that its configuration is valid at all times.

Check Content

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "CommandsToRunOnConnect" setting.

If "CommandsToRunOnConnect" is "Not Configured" or "Disabled", this is not a finding.

Click the "Show..." button next to "Commands". If any of the listed commands are not expected, approved, and required, this is a finding.
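
The manual check above can be repeated on a schedule with a script like the following, which is an added example and not part of the STIG or of VMware's tooling. It compares the command values found on an agent machine against a site-approved list. Assumptions: the registry key path (`-PolicyKeyPath`) is not given on this page and must be supplied from your environment, the approved-list file and both parameter names are hypothetical, and an absent key is treated as "Not Configured" or "Disabled".

```powershell
# Added example, not STIG or VMware code. Save as a script and run on the agent machine.
param(
    # Assumption: registry key where the CommandsToRunOnConnect policy values land.
    # The page does not state it; supply the path used in your environment.
    [Parameter(Mandatory)] [string] $PolicyKeyPath,
    # Assumption: site-maintained file with one approved command line per line.
    [Parameter(Mandatory)] [string] $ApprovedListPath
)

# Assumption: an absent key corresponds to "Not Configured" or "Disabled".
if (-not (Test-Path -LiteralPath $PolicyKeyPath)) {
    Write-Output 'CommandsToRunOnConnect is not configured: not a finding.'
    exit 0
}

# Approved list: skip blank lines and '#' comments, compare on trimmed text.
# A missing list file stops the script instead of silently approving nothing.
$approved = @(Get-Content -LiteralPath $ApprovedListPath -ErrorAction Stop |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') })

# Read every value under the key; each one holds a command line.
$key = Get-Item -LiteralPath $PolicyKeyPath
$configured = @(foreach ($name in $key.GetValueNames()) {
    [pscustomobject]@{
        Name    = $name
        Command = ([string]$key.GetValue($name)).Trim()
    }
})

# Exact, case-sensitive match: any difference in path or arguments is reported.
$unapproved = @($configured |
    Where-Object { $_.Command -and $_.Command -cnotin $approved })

if ($unapproved.Count -eq 0) {
    Write-Output "All $($configured.Count) configured command(s) are approved: not a finding."
    exit 0
}

Write-Output 'FINDING: commands not on the approved list:'
$unapproved | ForEach-Object { Write-Output ('  {0} = {1}' -f $_.Name, $_.Command) }
exit 1
```

The script only tests membership in the approved list; whether each listed command is still expected and required remains a review of the list itself.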

Fix Text

Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts.

Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Configuration. Double-click the "CommandsToRunOnConnect" setting.

Option 1:

Click the radio button next to "Disabled". Click "OK".

Option 2:

Make sure the setting is "Enabled".

Click the "Show..." button next to "Commands". Highlight the unneeded command and press the "delete" key. Click "OK". Click "OK".