Details
By requiring that SSO accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set to zero, once an account is locked it can only be unlocked manually by an administrator.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy.
Click ‘Edit’.
Set the ‘Unlock time’ to ‘0’ and click ‘OK’.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: VMware.
References
- 800-53|AC-7b.
- CAT|II
- CCI|CCI-002238
- Rule-ID|SV-243106r719561_rule
- STIG-ID|VCTR-67-000047
- Vuln-ID|V-243106