CIS VMware ESXi 7.0 V1.1.0 L1

Ensure account lockout is set to 15 minutes

Details

An account is automatically locked after the maximum number of consecutive failed login attempts is reached. The account should be automatically unlocked after 15 minutes; otherwise, administrators will need to manually unlock accounts on request by authorized users.

Rationale:

This setting reduces the inconvenience for benign users and the overhead on administrators, while also severely slowing down any brute-force password guessing attacks.

Solution

To set the account lockout to 15 minutes, perform the following:

1. From the vSphere Web Client, select the host.
2. Click Configure then expand System.
3. Select Advanced System Settings then click Edit.
4. Enter Security.AccountUnlockTime in the filter.
5. Set the value for this parameter to 900.

Alternatively, use the following PowerCLI command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900
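To check the setting across all hosts before changing anything, the following PowerCLI function reports each host's current value and only remediates when asked. It is an added example, not part of the CIS benchmark text; the function name Test-EsxiAccountUnlockTime and its parameters are hypothetical, and it assumes a session already opened with Connect-VIServer.

```powershell
# Added example: audit (and optionally fix) Security.AccountUnlockTime on every host.
# Test-EsxiAccountUnlockTime is a hypothetical helper name, not a PowerCLI cmdlet.
# Assumes an existing session created with Connect-VIServer.
function Test-EsxiAccountUnlockTime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Expected = 900,   # 15 minutes, the value this control requires
        [switch]$Remediate      # change non-compliant hosts instead of only reporting
    )

    foreach ($vmhost in Get-VMHost) {
        # Hosts that are disconnected or not responding cannot be queried;
        # report them so they are not mistaken for compliant hosts.
        if ($vmhost.ConnectionState -notin 'Connected', 'Maintenance') {
            [pscustomobject]@{
                Host   = $vmhost.Name
                Value  = $null
                Status = "Unreachable ($($vmhost.ConnectionState))"
            }
            continue
        }

        $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Security.AccountUnlockTime'
        $status  = if ([int]$setting.Value -eq $Expected) { 'Compliant' } else { 'NonCompliant' }

        # Only write when -Remediate is given; -WhatIf previews without changing anything.
        if ($status -eq 'NonCompliant' -and $Remediate -and
            $PSCmdlet.ShouldProcess($vmhost.Name, "Set Security.AccountUnlockTime to $Expected")) {
            $setting = $setting | Set-AdvancedSetting -Value $Expected -Confirm:$false
            # Re-check the returned value so a failed write is not reported as fixed.
            $status  = if ([int]$setting.Value -eq $Expected) { 'Remediated' } else { 'RemediationFailed' }
        }

        [pscustomobject]@{ Host = $vmhost.Name; Value = $setting.Value; Status = $status }
    }
}

# Report only:
Test-EsxiAccountUnlockTime | Format-Table -AutoSize
# Preview the changes, then apply them:
# Test-EsxiAccountUnlockTime -Remediate -WhatIf
# Test-EsxiAccountUnlockTime -Remediate
```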

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: VMware.

Updated on July 16, 2022