ESXI-67-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.

Information

By limiting the number of failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Once the configured number of attempts is reached, the account is locked by the ESXi host.

Solution

From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings.

Click 'Edit', select the 'Security.AccountLockFailures' value, and configure it to '3'.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a., CAT|II, CCI|CCI-000044, Rule-ID|SV-239262r674715_rule, STIG-ID|ESXI-67-000005, Vuln-ID|V-239262

Plugin: VMware

Control ID: 2ea50a9e779ac7fa3893b528192f5da2c1871ff4e9a37b8c92deea618dc6b1be