The vCenter Server for Windows must limit the maximum number of failed login attempts to three.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-94793 | VCWN-65-000045 | SV-104623r1_rule | Medium |
| Description |
|---|
| By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
| STIG | Date |
|---|---|
| VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide | 2020-03-27 |
Details
| Check Text ( C-93987r1_chk ) |
|---|
| From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policy should be set at follows: Maximum number of failed login attempts: 3 If this account lockout policy is not configured as stated, this is a finding. |
| Fix Text (F-100915r1_fix) |
|---|
| From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click "Edit". Set the Maximum number of failed login attempts to "3" and click "OK". |