ESXI-67-000006 - The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

By enforcing a reasonable unlock timeout after multiple failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Users must wait for the timeout period to elapse before subsequent logon attempts are allowed.

Solution

From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings.

Click 'Edit' and select the 'Security.AccountUnlockTime' value and configure it to '900'.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7, CAT|II, CCI|CCI-002238, Rule-ID|SV-239263r674718_rule, STIG-ID|ESXI-67-000006, STIG-Legacy|SV-104045, STIG-Legacy|V-93959, Vuln-ID|V-239263

Plugin: VMware

Control ID: eb0d7800a664c9e52818f93604c576015fe350250e058e1f45f411daed3b5441