4.3 Ensure the maximum failed login attempts is set to 5

Information

Authentication should be configured so there is a maximum number of consecutive failed login attempts for each account, at which point the account at risk will be locked out.

Rationale:

Multiple account login failures for the same account could possibly be an attacker trying to brute force guess the password.

Impact:

A users account will be locked after 5 unsuccessful login attempts.

Solution

To set the maximum failed login attempts correctly, perform the following steps:

From the vSphere Web Client, select the host.

Click Configure then expand System.

Select Advanced System Settings then click Edit.

Enter Security.AccountLockFailures in the filter.

Set the value for this parameter to 5.

Alternately, use the following PowerCLI command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 5

See Also

https://workbench.cisecurity.org/files/3473