VCSA-80-000266 The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.

Information

By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set to zero, a locked account can only be unlocked manually by an administrator.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.

Click "Edit".

Set the "Unlock time" to "0" and click "Save".
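The same check and fix from PowerCLI, as an added example that is not part of the Tenable audit item or the STIG text. It assumes the VMware.vSphere.SsoAdmin module (Get-SsoLockoutPolicy / Set-SsoLockoutPolicy with the AutoUnlockIntervalSec property) and an existing session opened with Connect-SsoAdminServer.

```powershell
# Added example, not part of the STIG or Tenable content. Assumes the
# VMware.vSphere.SsoAdmin module and an active Connect-SsoAdminServer session.
Import-Module VMware.vSphere.SsoAdmin

function Test-SsoManualUnlock {
    param(
        [Parameter(Mandatory)] $LockoutPolicy   # object returned by Get-SsoLockoutPolicy
    )
    # VCSA-80-000266: an unlock time of 0 means only an administrator can clear a lock.
    # Any positive AutoUnlockIntervalSec lets the lock expire on its own, which is a finding.
    [pscustomobject]@{
        AutoUnlockIntervalSec = $LockoutPolicy.AutoUnlockIntervalSec
        MaxFailedAttempts     = $LockoutPolicy.MaxFailedAttempts
        Compliant             = ($LockoutPolicy.AutoUnlockIntervalSec -eq 0)
    }
}

$policy = Get-SsoLockoutPolicy
$result = Test-SsoManualUnlock -LockoutPolicy $policy
$result | Format-List

if (-not $result.Compliant) {
    # Remediate in place: equivalent to setting "Unlock time" to 0 in the vSphere Client.
    # The other lockout settings (failed-attempt count and interval) are left as they are.
    $policy | Set-SsoLockoutPolicy -AutoUnlockIntervalSec 0
    Get-SsoLockoutPolicy | Select-Object AutoUnlockIntervalSec
}
```

Run the audit portion alone first; the remediation branch changes the SSO lockout policy for every local account, so apply it through normal change control.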

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y24M08_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7b., CAT|II, CCI|CCI-002238, Rule-ID|SV-258933r961368_rule, STIG-ID|VCSA-80-000266, Vuln-ID|V-258933

Plugin: VMware

Control ID: 69afacee98d9bfeca10ed3563eea22894fdcb87e0721cc79e5b298c021f2a6e9