The system must enforce the limit of three consecutive invalid logon attempts by a user.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-63179	ESXI-06-000005	SV-77669r1_rule		Medium

Description
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

STIG	Date
VMware vSphere ESXi 6.0 Security Technical Implementation Guide	2019-01-04

Details

Check Text ( C-63913r1_chk )
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountLockFailures value and verify it is set to 3. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost \| Get-AdvancedSetting -Name Security.AccountLockFailures and verify it is set to 3. If the Security.AccountLockFailures is set to a value other than 3, this is a finding.

Check Text ( C-63913r1_chk )

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountLockFailures value and verify it is set to 3.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures and verify it is set to 3.

If the Security.AccountLockFailures is set to a value other than 3, this is a finding.

Fix Text (F-69097r1_fix)
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountLockFailures value and configure it to 3. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost \| Get-AdvancedSetting -Name Security.AccountLockFailures \| Set-AdvancedSetting -Value 3