
The ESXi host must be configured with an appropriate maximum password age.


Overview

Finding ID: V-256443
Version: ESXI-70-000091
Rule ID: SV-256443r886110_rule
IA Controls:
Severity: Medium
Description
The older an ESXi local account password is, the larger the opportunity window is for attackers to guess, crack or reuse a previously cracked password. Rotating passwords on a regular basis is a fundamental security practice and one that ESXi supports.
STIG: VMware vSphere 7.0 ESXi Security Technical Implementation Guide
Date: 2023-02-21

Details

Check Text ( C-60118r886108_chk )
From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Select the "Security.PasswordMaxDays" value and verify it is set to "90".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordMaxDays

If the "Security.PasswordMaxDays" setting is not set to "90", this is a finding.
Fix Text (F-60061r886109_fix)
From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Select the "Security.PasswordMaxDays" value and set it to "90".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordMaxDays | Set-AdvancedSetting -Value "90"
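
The check and fix above, combined into one per-host audit with optional remediation. This is an added example, not part of the STIG text; the function name Test-EsxiPasswordMaxDays and the Status labels are hypothetical. It assumes VMware PowerCLI is installed and Connect-VIServer has already been run.

```powershell
# Added example (not STIG text). Function name and Status labels are hypothetical.
function Test-EsxiPasswordMaxDays {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Required = 90,   # value the check text expects
        [switch]$Remediate     # apply the fix text to non-compliant hosts
    )

    foreach ($vmhost in Get-VMHost) {
        # A host that is not reachable cannot be evaluated; report it instead of skipping it.
        if ([string]$vmhost.ConnectionState -notin 'Connected', 'Maintenance') {
            [pscustomobject]@{ Host = $vmhost.Name; Value = $null; Status = 'NotReviewed' }
            continue
        }

        $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Security.PasswordMaxDays' -ErrorAction SilentlyContinue
        if (-not $setting) {
            # Assumption: a setting that cannot be read is not "set to 90", so it is reported as a finding.
            [pscustomobject]@{ Host = $vmhost.Name; Value = $null; Status = 'Finding' }
            continue
        }

        $compliant = ([int]$setting.Value -eq $Required)

        # Change the value only when asked to, and honour -WhatIf / -Confirm.
        if (-not $compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess($vmhost.Name, "Set Security.PasswordMaxDays to $Required")) {
            $setting = $setting | Set-AdvancedSetting -Value $Required -Confirm:$false
            # Re-evaluate from the object returned by the change, not from the requested value.
            $compliant = ([int]$setting.Value -eq $Required)
        }

        [pscustomobject]@{
            Host   = $vmhost.Name
            Value  = $setting.Value
            Status = if ($compliant) { 'NotAFinding' } else { 'Finding' }
        }
    }
}

# Audit only:
Test-EsxiPasswordMaxDays | Format-Table -AutoSize

# Preview which hosts the fix would touch, without changing anything:
Test-EsxiPasswordMaxDays -Remediate -WhatIf | Format-Table -AutoSize
```

Drop -WhatIf from the second call to apply the fix; hosts that still report "Finding" afterwards need manual review.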