
The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.


Overview

Finding ID: V-258933
Version: VCSA-80-000266
Rule ID: SV-258933r961368_rule
IA Controls:
Severity: Medium
Description
By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set to zero, a locked account can only be unlocked manually by an administrator.
STIG: VMware vSphere 8.0 vCenter Security Technical Implementation Guide
Date: 2024-07-11

Details

Check Text (C-62673r934455_chk)
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.

View the value of the "Unlock time" setting.

Unlock time: 0 seconds

If the lockout policy is not configured with an "Unlock time" of "0", this is a finding.
Fix Text (F-62582r934456_fix)
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.

Click "Edit".

Set the "Unlock time" to "0" and click "Save".