vCenter: vcenter-8.administration-sso-password-lifetime

Information

The vCenter Server must be configured with an appropriate maximum password age. Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) indicate that, with adequate password entropy, security is not improved by arbitrarily requiring users to change their passwords at certain intervals. Many automated security tools and regulatory compliance frameworks do not reflect this guidance and may override this recommendation.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -PasswordLifetimeDays 9999

See Also

https://github.com/vmware/vcf-security-and-compliance-guidelines/raw/refs/heads/main/security-configuration-hardening-guide/vsphere/8.0/