Details

By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure to meet password aging policies. Note: It is very important the password aging policy not be shorter than the default interval that is set to automatically change the vpxuser password, to preclude the possibility that vCenter might get locked out of an ESXi host.

Solution

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Click Edit and edit the VirtualCenter.VimPasswordExpirationInDays setting to 30 or if the value does not exist create it by entering the values in the Key and Value fields and clicking Add.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:

If the setting already exists:

Get-AdvancedSetting -Entity -Name VirtualCenter.VimPasswordExpirationInDays | Set-AdvancedSetting -Value 30

If the setting does not exist:

New-AdvancedSetting -Entity -Name VirtualCenter.VimPasswordExpirationInDays -Value 30

Supportive Information

The following resource is also helpful.

• http://iasecontent.disa.mil/stigs/zip/U_VMware_vSphere_6-0_vCenter_Server_for_Windows_V1R4_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.

References

• 800-53|CM-6b.
• CAT|II
• CCI|CCI-000366
• Group-ID|V-63983
• Rule-ID|SV-78473r1_rule
• STIG-ID|VCWN-06-000023
• Vuln-ID|V-63983

Source

• Tenable.com/audits