4.7 Ensure account lockout is set to 15 minutes

Information

An account is automatically locked after the maximum number of failed consecutive login attempts is reached. The account should be automatically unlocked after 15 minutes; otherwise, administrators will need to manually unlock accounts on request by authorized users.

Rationale

This setting reduces the inconvenience for benign users and the overhead on administrators, while also severely slowing down any brute-force password-guessing attacks.

Solution

To verify the account lockout is set to 15 minutes, perform the following:

1. From the vSphere Web Client, select the host.
2. Click "Configure" -> "Settings" -> "System" -> "Advanced System Settings".
3. Enter "Security.AccountUnlockTime" in the filter.
4. Verify that the value for this parameter is set to 900.

Alternatively, the following PowerCLI command may be used:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime
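
The command above only prints the setting for each host. As an added example (not part of the benchmark text), the following turns that output into a per-host PASS/FAIL result against the expected value of 900 seconds. Test-AccountUnlockTime is a hypothetical helper name, and the sample host names and values are constructed.

```powershell
# Added example: compliance check for Security.AccountUnlockTime (expected 900 s).
# Test-AccountUnlockTime is a hypothetical helper name, not a PowerCLI cmdlet.
function Test-AccountUnlockTime {
    [CmdletBinding()]
    param(
        # Objects exposing Entity and Value, as returned by Get-AdvancedSetting
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Setting,
        [int] $ExpectedSeconds = 900
    )
    process {
        $seconds = 0
        # A missing or non-numeric value is reported as ERROR rather than FAIL,
        # so hosts that could not be read are not mistaken for misconfigured ones.
        $numeric = [int]::TryParse([string]$Setting.Value, [ref]$seconds)
        if (-not $numeric) {
            $result = 'ERROR'; $detail = 'value missing or not an integer'
        } elseif ($seconds -eq $ExpectedSeconds) {
            $result = 'PASS'; $detail = "unlock after $($seconds / 60) minutes"
        } else {
            $result = 'FAIL'; $detail = "found $seconds s, expected $ExpectedSeconds s"
        }
        [pscustomobject]@{
            VMHost = [string]$Setting.Entity
            Value  = $Setting.Value
            Result = $result
            Detail = $detail
        }
    }
}

# Constructed sample input (host names and values are made up) so the check runs offline.
$sample = @(
    [pscustomobject]@{ Entity = 'esx01.example.test'; Name = 'Security.AccountUnlockTime'; Value = 900 }
    [pscustomobject]@{ Entity = 'esx02.example.test'; Name = 'Security.AccountUnlockTime'; Value = 120 }
    [pscustomobject]@{ Entity = 'esx03.example.test'; Name = 'Security.AccountUnlockTime'; Value = $null }
)
$sample | Test-AccountUnlockTime | Format-Table -AutoSize

# Against live hosts (requires an existing Connect-VIServer session):
# Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Test-AccountUnlockTime
```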

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|16

Plugin: VMware

Control ID: 24270670de127ded09b8e9f1e03ca88b38d4439294321ce0ab4fdc8dbb4f78aa