The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258933 | VCSA-80-000266 | SV-258933r934457_rule | CCI-002238 | medium |
| Description | ||||
| By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set to zero, a locked account can only be unlocked manually by an administrator. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2023-10-11 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-7
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.8
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-002238
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-258933r934457_chk)
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.
View the value of the "Unlock time" setting.
Unlock time: 0 seconds
If the lockout policy is not configured with "Unlock time" policy of "0", this is a finding.
Fix Text (F-62582r934456_fix)
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.
Click "Edit".
Set the "Unlock time" to "0" and click "Save".