The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258933 | VCSA-80-000266 | SV-258933r961368_rule | Medium |
| Description |
| By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set to zero, a locked account can only be unlocked manually by an administrator. |
| STIG | Date |
| VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2025-06-09 |
Details
| Check Text (C-62673r934455_chk) |
| From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy. View the value of the "Unlock time" setting. Unlock time: 0 seconds If the lockout policy is not configured with "Unlock time" policy of "0", this is a finding. |
| Fix Text (F-62582r934456_fix) |
| From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy. Click "Edit". Set the "Unlock time" to "0" and click "Save". |