Check: ESXI-67-000005
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000005
(in versions v1 r3 through v1 r1)
Title
The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. (Cat II impact)
Discussion
By limiting the number of failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Once the configured number of attempts is reached, the account is locked by the ESXi host.
Check Content
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.AccountLockFailures" value and verify it is set to "3".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures

If "Security.AccountLockFailures" is set to a value other than "3", this is a finding.
Fix Text
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Security.AccountLockFailures" value, and configure it to "3".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
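The check and fix above are written for a single host. The PowerCLI script below is an added example, not part of the STIG text, that audits every host visible to the current PowerCLI session against this check and, when run with -Remediate, applies the fix text to the hosts that fail. It assumes the VMware.PowerCLI module is installed and that Connect-VIServer has already been run (against a vCenter or directly against an ESXi host); the parameter names and the output object layout are the example's own choices.

```powershell
# Added example: audit (and optionally remediate) ESXI-67-000005 across all hosts
# reachable from the current PowerCLI session. Assumes Connect-VIServer has run.
param(
    [int]$Expected = 3,    # value the STIG requires for Security.AccountLockFailures
    [switch]$Remediate     # apply the fix text to hosts that are a finding
)

$settingName = 'Security.AccountLockFailures'

$results = foreach ($vmhost in Get-VMHost) {
    # Check content: read the advanced setting on this host.
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    if (-not $setting) {
        # Setting absent (unsupported build or unreachable host): report it, do not guess.
        [pscustomobject]@{ VMHost = $vmhost.Name; Value = $null; Expected = $Expected; Status = 'NOT FOUND' }
        continue
    }

    $current = [int]$setting.Value
    # Any value other than the expected one is a finding, higher or lower.
    $finding = ($current -ne $Expected)

    if ($finding -and $Remediate) {
        # Fix text: set the value to 3. -Confirm:$false avoids one prompt per host.
        $setting | Set-AdvancedSetting -Value $Expected -Confirm:$false | Out-Null
        # Re-read rather than trust the call, so the report shows the effective value.
        $current = [int](Get-AdvancedSetting -Entity $vmhost -Name $settingName).Value
        $finding = ($current -ne $Expected)
    }

    [pscustomobject]@{
        VMHost   = $vmhost.Name
        Value    = $current
        Expected = $Expected
        Status   = if ($finding) { 'FINDING' } else { 'Compliant' }
    }
}

$results | Sort-Object Status, VMHost | Format-Table -AutoSize
```

Run it once without -Remediate to produce the finding list, then again with -Remediate after change approval; the second run re-reads each host so the report reflects what the host actually applied. Note that ESXi account lockout counts failures on SSH and vSphere Web Services SDK (API) logons; DCUI and ESXi Shell logons are not subject to it, so this setting alone does not protect console access. The companion unlock timeout, Security.AccountUnlockTime, is covered by a separate STIG check.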
Additional Identifiers
Rule ID: SV-239262r674715_rule
Vulnerability ID: V-239262
Group Title: SRG-OS-000021-VMM-000050
Expert Comments
CCIs
Number | Definition
---|---
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts