Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-243104 | VCTR-67-000045 | SV-243104r719555_rule | Medium |
Description |
---|
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. |
STIG | Date |
---|---|
VMware vSphere 6.7 vCenter Security Technical Implementation Guide | 2022-01-04 |
Check Text ( C-46379r719553_chk ) |
---|
From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policy should be set at follows: Maximum number of failed login attempts: 3 If this account lockout policy is not configured as stated, this is a finding. |
Fix Text (F-46336r719554_fix) |
---|
From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click "Edit". Set the "Maximum number of failed login attempts" to "3" and click "OK". |