Advanced system settings control aspects of ESXi behavior, such as logging, system resources, and security.

The following table presents some of the important ESXi advanced system settings for security. To view all the advanced system settings, consult either the vSphere Client (Host > Configure > System > Advanced System Settings) or the API for a given release.

Table 1. Partial List of Security Advanced System Settings
Advanced System Setting Description Default Value
Annotations.WelcomeMessage Displays a welcome message in the Host Client prior to login, or in the DCUI on the default screen. In the DCUI, the welcome message replaces some text, such as the host IP address. (Empty)
Config.Etc.issue Displays a banner during an SSH login session. Use a trailing newline for best results. (Empty)
Config.Etc.motd Displays the message of the day upon SSH login. (Empty)
Config.HostAgent.vmacore.soap.sessionTimeout Sets the idle time in minutes before the system automatically logs out a VIM API. A value of 0 (zero) deactivates the idle time. This setting applies only to new sessions. 30 (minutes)
Mem.MemEagerZero Activates zeroing the user world and the guest memory pages in the VMkernel operating systems (including the VMM process) after a virtual machine exit. The default value (0) uses lazy zeroing. A value of 1 uses eager zeroing. 0 (deactivated)
Security.AccountLockFailures Sets the maximum number of failed login attempts before the system locks a user's account. For example, to lock the account on the fifth login failure, set this value to 4. A value of 0 (zero) deactivates account locking.
For implementation reasons, some login mechanisms count unexpectedly:
  • VIM logins (including the VMware Host Client) and ESXCLI reflect the exact number of failed logins.
  • SSH connections count as a login attempt when displaying a password prompt, and undo that count on successful login. This behavior is normal for challenge and response communications.
  • CGI logins double-count login failures.
    Caution: Due to this problem, a user can be locked out faster than the number of failed logins when using the CGI interface.
5
Security.AccountUnlockTime Sets the number of seconds that a user is locked out. Any login attempt within the specified lock timeout restarts the lock timeout. 900 (15 minutes)
Security.PasswordHistory Sets the number of passwords to remember for each user. This setting prevents duplicate or similar passwords. 0
Security.PasswordMaxDays Sets the maximum number of days between password changes. 99999
Security.PasswordQualityControl Changes the required length and the character class requirement or allow pass phrases in the Pam_passwdqc configuration. You can use special characters in passwords. You can have password lengths of at least 15 characters. The default setting requires three character classes and a minimum length of seven characters.
If implementing the DoD Annex, you can combine the similar=deny option plus a minimum password length to enforce a requirement that passwords are sufficiently different. The password history setting is only enforced for passwords changed through the VIM LocalAccountManager.changePassword API. To change the password requires that the user have administrator permission. The PasswordQualityControl setting, with a PasswordMaxDays setting, satisfies the requirements of the DoD Annex:
min=disabled,disabled,disabled,disabled,15 similar=deny
retry=3 min=disabled,disabled,disabled,7,7
UserVars.DcuiTimeOut Sets the idle time in seconds before the system automatically logs out the DCUI. A value of 0 (zero) deactivates the timeout. 600 (10 minutes)
UserVars.ESXiShellInteractiveTimeOut Sets the idle time in seconds before the system automatically logs out an interactive shell. This setting takes effect for new sessions only. A value of 0 (zero) deactivates the idle time. Applies to both the DCUI and the SSH shell. 0
UserVars.ESXiShellTimeOut Sets the time in seconds a login shell waits for login. A value of 0 (zero) deactivates the timeout. Applies to both the DCUI and the SSH shell. 0
UserVars.HostClientSessionTimeout Sets the idle time in seconds before the system automatically logs out the Host Client. A value of 0 (zero) deactivates the idle time. 900 (15 minutes)
UserVars.HostClientWelcomeMessage Displays a welcome message in the Host Client upon login. The message is displayed following login as a “hint”. (Empty)