Details

By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure to meet password aging policies.

Note: It is very important the password aging policy not be shorter than the default interval that is set to automatically change the vpxuser password, to preclude the possibility that vCenter might get locked out of an ESXi host.

Solution

Select the vCenter Server in the vSphere Web Client object hierarchy.
Click Configure.
Click Advanced Settings and enter VimPasswordExpirationInDays in the filter box.
Set ‘VirtualCenter.VimPasswordExpirationInDays’ to ’30’.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:

If the setting already exists:
Get-AdvancedSetting -Entity -Name VirtualCenter.VimPasswordExpirationInDays | Set-AdvancedSetting -Value 30

If the setting does not exist:
New-AdvancedSetting -Entity -Name VirtualCenter.VimPasswordExpirationInDays -Value 30

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y21M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.

References

• 800-53|CM-6b.
• CAT|II
• CCI|CCI-000366
• Rule-ID|SV-216845r612237_rule
• STIG-ID|VCWN-65-000023
• STIG-Legacy|SV-104587
• STIG-Legacy|V-94757
• Vuln-ID|V-216845

Source

• Tenable.com/audits