The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-258933 | SRG-APP-000345 | VCSA-80-000266 | SV-258933r961368_rule | 2025-06-09 | 2 |
Description
By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set to zero, a locked account can only be unlocked manually by an administrator.
ℹ️ Check
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.
View the value of the "Unlock time" setting.
Unlock time: 0 seconds
If the lockout policy is not configured with "Unlock time" policy of "0", this is a finding.
✔️ Fix
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.
Click "Edit".
Set the "Unlock time" to "0" and click "Save".