STIGQter: STIG Summary: VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The vCenter Server for Windows must limit the maximum number of failed login attempts to three.

DISA Rule

SV-216864r612237_rule

Vulnerability Number

V-216864

Group Title

SRG-APP-000345

Rule Version

VCWN-65-000045

Severity

CAT II

CCI(s)

• CCI-002238 - The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

Weight

10

Fix Recommendation

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click "Edit". Set the Maximum number of failed login attempts to "3" and click "OK".

Check Contents

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy.

View the values for the lockout policies.

The following lockout policy should be set at follows:
Maximum number of failed login attempts: 3

If this account lockout policy is not configured as stated, this is a finding.

Vulnerability Number

V-216864

Documentable

False

Rule Version

VCWN-65-000045

Severity Override Guidance

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy.

View the values for the lockout policies.

The following lockout policy should be set at follows:
Maximum number of failed login attempts: 3

If this account lockout policy is not configured as stated, this is a finding.

Check Content Reference

M

Target Key

4030

Comments