The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-207607	ESXI-65-000006	SV-207607r379606_rule		Medium

Description
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

STIG	Date
VMware vSphere 6.5 ESXi Security Technical Implementation Guide	2021-09-22

Details

Check Text ( C-7862r364220_chk )
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.AccountUnlockTime value and verify it is set to 900. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost \| Get-AdvancedSetting -Name Security.AccountUnlockTime and verify it is set to 900. If the Security.AccountUnlockTime is set to a value other than 900, this is a finding.

Check Text ( C-7862r364220_chk )

From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.AccountUnlockTime value and verify it is set to 900.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime and verify it is set to 900.

If the Security.AccountUnlockTime is set to a value other than 900, this is a finding.

Fix Text (F-7862r364221_fix)
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Security.AccountUnlockTime value and configure it to 900. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost \| Get-AdvancedSetting -Name Security.AccountUnlockTime \| Set-AdvancedSetting -Value 900