Check: ESXI-65-000006
VMware vSphere 6.5 ESXi STIG:
ESXI-65-000006
(in versions v2 r4 through v1 r1)
Title
The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out. (Cat II impact)
Discussion
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Check Content
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.AccountUnlockTime value and verify it is set to 900. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime and verify it is set to 900. If the Security.AccountUnlockTime is set to a value other than 900, this is a finding.
Fix Text
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Security.AccountUnlockTime value and configure it to 900. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900
Additional Identifiers
Rule ID: SV-207607r854577_rule
Vulnerability ID: V-207607
Group Title: SRG-OS-000329-VMM-001180
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002238 |
The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
Controls
Number | Title |
---|---|
AC-7 |
Unsuccessful Logon Attempts |