Each product can support a range of settings that must be evaluated and, if necessary, modified to meet security and compliance requirements.

Frequently requested access control settings are listed below with their default values in VMware Cloud Foundation 4.2. A configuration with a value of 0 is disabled.

For the recommended parameters, review the desired regulatory standard or framework in the VMware Cloud Foundation Audit Guide Appendix. This appendix lists the top 10 standards: NIST 800-53 R4 (Moderate), PCI DSS 3.2.1, DISA STIG, FedRAMP, HIPAA, FBI CJIS, NERC CIP, NIST 800-171 / CMMC, ISO27001:2013 / GDPR, and SOC 2.

The default settings are not the recommended values; they describe the out-of-the-box state of access controls in VMware Cloud Foundation.
Table 1. Default Access Control Parameters in VMware Cloud Foundation

| Product           | Configuration ID  | Configuration Description                                                                                                  | Default Setting                                  |
|-------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|
| NSX-T Data Center | VI-NET-CFG-1416   | Configure NSX-T Manager to terminate idle sessions after a certain period of time.                                          | 1800 seconds                                     |
| NSX-T Data Center | VI-NET-CFG-1417   | Configure NSX-T Manager to block any login attempts after consecutive invalid login attempts for a certain period.         | 900 seconds                                      |
| NSX-T Data Center | VI-NET-CFG-1418   | Configure NSX-T Manager to block further login attempts after a number of consecutive failed login attempts.               | 5 attempts                                       |
| NSX-T Data Center | VI-NET-CFG-1419   | Configure NSX-T Manager locked accounts to be unlocked automatically after a period of time following the last failed login attempt. | 900 seconds                             |
| NSX-T Data Center | VI-NET-CFG-1421   | Configure a minimum password length for NSX-T Manager accounts.                                                            | 12 characters                                    |
| ESXi              | VI-ESXI-CFG-00034 | Set the maximum number of failed login attempts before an account is locked.                                               | 5 attempts                                       |
| ESXi              | VI-ESXI-CFG-00038 | Configure the inactivity timeout to automatically terminate idle shell sessions.                                           | 0 seconds (automatic termination is disabled)    |
| ESXi              | VI-ESXI-CFG-00109 | Configure the password history to restrict the reuse of a certain number of previous passwords.                            | 0 passwords (password history is disabled)       |
| ESXi              | VI-ESXI-CFG-00165 | Configure a time for automatic unlock of a locked user account.                                                            | 900 seconds                                      |
| ESXi              | VI-ESXI-CFG-00564 | Configure the inactivity timeout to automatically terminate idle Host Client sessions.                                     | 900 seconds                                      |
| ESXi              | VI-ESXI-CFG-00168 | Configure the inactivity timeout to automatically terminate idle DCUI sessions.                                            | 600 seconds                                      |
| vCenter Server    | VI-VC-CFG-00403   | Configure the password history to restrict the reuse of a certain number of previous passwords.                            | 5 passwords                                      |
| vCenter Server    | VI-VC-CFG-00421   | Configure vCenter Server to enforce a maximum password lifetime restriction.                                                | 90 days                                          |
| vCenter Server    | VI-VC-CFG-00422   | Configure the inactivity timeout to automatically terminate vSphere Client sessions.                                       | 120 minutes                                      |
| vCenter Server    | VI-VC-CFG-00428   | Configure vCenter Server to rotate the vpxuser auto-password periodically.                                                 | 30 days                                          |
| vCenter Server    | VI-VC-CFG-00427   | Configure a minimum password length for the vpxuser account.                                                               | 32 characters                                    |
| vCenter Server    | VI-VC-CFG-00410   | Configure the minimum password length for any vCenter Server user.                                                         | 8 characters                                     |
| vCenter Server    | VI-VC-CFG-00408   | Configure the minimum number of uppercase characters in the password for any vCenter Server user.                          | 1 character                                      |
| vCenter Server    | VI-VC-CFG-00413   | Configure the minimum number of lowercase characters in the password for any vCenter Server user.                          | 1 character                                      |
| vCenter Server    | VI-VC-CFG-00433   | Configure the minimum number of numeric characters in the password for any vCenter Server user.                            | 1 character                                      |
| vCenter Server    | VI-VC-CFG-00432   | Configure the minimum number of special characters in the password for any vCenter Server user.                            | 1 character                                      |
| vCenter Server    | VI-VC-CFG-00436   | Limit the maximum number of failed login attempts for vCenter Server users.                                                | 5 attempts                                       |
| vCenter Server    | VI-VC-CFG-00434   | Configure the time window in which consecutive failed login attempts are counted before an account gets locked.            | 180 seconds                                      |
| vCenter Server    | VI-VC-CFG-00435   | Configure a timer for automatic account unlock for accounts locked after failed login attempts.                            | 300 seconds                                      |
| vCenter Server    | VI-VC-CFG-00096   | Disable console connection sharing on the virtual machine.                                                                 | 1 (disabled)                                     |
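As an added example that is not part of the VMware documentation, the following PowerCLI script reads the ESXi rows of Table 1 from every host and flags a value of 0 (control disabled) or a value looser than a chosen threshold. The ESXi advanced-setting names are my assumed mapping for the listed configuration IDs, and the thresholds are constructed example values for an organisation's own policy, not the recommendations of the VMware Cloud Foundation Audit Guide.

```powershell
# Added example: audit ESXi access-control defaults from Table 1 with PowerCLI.
# Assumptions: setting names are my mapping for the Table 1 IDs; thresholds are
# constructed example values, not the Audit Guide's recommendations.
param(
    [Parameter(Mandatory = $true)] [string] $VIServer,
    [string] $Cluster
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VIServer | Out-Null

# Id = Table 1 row, Setting = assumed advanced setting, Default = Table 1 value,
# Rule = direction in which a deviation is weaker, Threshold = example policy value.
$Baseline = @(
    @{ Id = 'VI-ESXI-CFG-00034'; Setting = 'Security.AccountLockFailures';         Default = 5;   Rule = 'AtMost';  Threshold = 3   }
    @{ Id = 'VI-ESXI-CFG-00038'; Setting = 'UserVars.ESXiShellInteractiveTimeOut'; Default = 0;   Rule = 'AtMost';  Threshold = 900 }
    @{ Id = 'VI-ESXI-CFG-00109'; Setting = 'Security.PasswordHistory';             Default = 0;   Rule = 'AtLeast'; Threshold = 5   }
    @{ Id = 'VI-ESXI-CFG-00165'; Setting = 'Security.AccountUnlockTime';           Default = 900; Rule = 'AtLeast'; Threshold = 900 }
    @{ Id = 'VI-ESXI-CFG-00564'; Setting = 'UserVars.HostClientSessionTimeout';    Default = 900; Rule = 'AtMost';  Threshold = 900 }
    @{ Id = 'VI-ESXI-CFG-00168'; Setting = 'UserVars.DcuiTimeOut';                 Default = 600; Rule = 'AtMost';  Threshold = 600 }
)

$vmhosts = if ($Cluster) { Get-Cluster -Name $Cluster | Get-VMHost } else { Get-VMHost }

$results = foreach ($vmhost in $vmhosts) {
    foreach ($b in $Baseline) {
        $adv = Get-AdvancedSetting -Entity $vmhost -Name $b.Setting -ErrorAction SilentlyContinue
        if (-not $adv) {
            $value = $null; $status = 'NotFound'
        } else {
            $value = [int]$adv.Value
            # Per the table, 0 means the control is disabled. Review rather than
            # fail outright: a disabled auto-unlock is stricter, not weaker.
            if ($value -eq 0) { $status = 'Disabled' }
            elseif ($b.Rule -eq 'AtMost'  -and $value -gt $b.Threshold) { $status = 'TooPermissive' }
            elseif ($b.Rule -eq 'AtLeast' -and $value -lt $b.Threshold) { $status = 'TooPermissive' }
            else { $status = 'OK' }
        }
        [pscustomobject]@{
            Host = $vmhost.Name; ConfigId = $b.Id; Setting = $b.Setting
            Value = $value; VcfDefault = $b.Default; Threshold = $b.Threshold; Status = $status
        }
    }
}

$results | Sort-Object Host, ConfigId | Format-Table -AutoSize
Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it read-only first; any row reporting Disabled or TooPermissive is a candidate for the hardening values in the Audit Guide appendix for your chosen standard.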