Check: ESXI-65-000005
VMware vSphere 6.5 ESXi STIG:
ESXI-65-000005
(in versions v2 r4 through v1 r1)
Title
The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. (Cat II impact)
Discussion
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Check Content
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.AccountLockFailures value and verify it is set to 3. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures and verify it is set to 3. If the Security.AccountLockFailures is set to a value other than 3, this is a finding.
Fix Text
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Security.AccountLockFailures value and configure it to 3. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
Additional Identifiers
Rule ID: SV-207606r378517_rule
Vulnerability ID: V-207606
Group Title: SRG-OS-000021-VMM-000050
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000044 |
The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
Controls
Number | Title |
---|---|
AC-7 |
Unsuccessful Logon Attempts |