Advanced system settings control aspects of ESXi behavior, such as logging, system resources, and security.
The following table presents some of the important ESXi advanced system settings for security. To view all the advanced system settings, consult either the vSphere Client or the API for a given release.
Advanced System Setting | Description | Default Value |
---|---|---|
Annotations.WelcomeMessage | Displays a welcome message in the Host Client prior to login, or in the DCUI on the default screen. In the DCUI, the welcome message replaces some text, such as the host IP address. | (Empty) |
Config.Etc.issue | Displays a banner during an SSH login session. Use a trailing newline for best results. | (Empty) |
Config.Etc.motd | Displays the message of the day upon SSH login. | (Empty) |
Config.HostAgent.vmacore.soap.sessionTimeout | Sets the idle time in minutes before the system automatically logs out a VIM API session. A value of 0 (zero) deactivates the idle time. This setting applies only to new sessions. | 30 (minutes) |
Mem.MemEagerZero | Activates zeroing the user world and the guest memory pages in the VMkernel operating systems (including the VMM process) after a virtual machine exit. The default value (0) uses lazy zeroing. A value of 1 uses eager zeroing. | 0 (deactivated) |
Security.AccountLockFailures | Sets the maximum number of failed login attempts before the system locks a user's account. For example, to lock the account on the fifth login failure, set this value to 4. A value of 0 (zero) deactivates account locking. For implementation reasons, some login mechanisms count unexpectedly. | 5 |
Security.AccountUnlockTime | Sets the number of seconds that a user is locked out. Any login attempt within the specified lock timeout restarts the lock timeout. | 900 (15 minutes) |
Security.PasswordHistory | Sets the number of passwords to remember for each user. This setting prevents duplicate or similar passwords. | 0 |
Security.PasswordMaxDays | Sets the maximum number of days between password changes. | 99999 |
Security.PasswordQualityControl | Changes the required length and the character class requirement, or allows passphrases, in the pam_passwdqc configuration. You can use special characters in passwords. You can have password lengths of at least 15 characters. The default setting requires three character classes and a minimum length of seven characters. If implementing the DoD Annex, you can combine the similar=deny option with a minimum password length to enforce a requirement that passwords are sufficiently different. The password history setting is only enforced for passwords changed through the VIM LocalAccountManager.changePassword API. Changing the password requires that the user have administrator permission. The following PasswordQualityControl setting, together with a PasswordMaxDays setting, satisfies the requirements of the DoD Annex: min=disabled,disabled,disabled,disabled,15 similar=deny | retry=3 min=disabled,disabled,disabled,7,7 |
UserVars.DcuiTimeOut | Sets the idle time in seconds before the system automatically logs out the DCUI. A value of 0 (zero) deactivates the timeout. | 600 (10 minutes) |
UserVars.ESXiShellInteractiveTimeOut | Sets the idle time in seconds before the system automatically logs out an interactive shell. This setting takes effect for new sessions only. A value of 0 (zero) deactivates the idle time. Applies to both the DCUI and the SSH shell. | 0 |
UserVars.ESXiShellTimeOut | Sets the time in seconds a login shell waits for login. A value of 0 (zero) deactivates the timeout. Applies to both the DCUI and the SSH shell. | 0 |
UserVars.HostClientSessionTimeout | Sets the idle time in seconds before the system automatically logs out the Host Client. A value of 0 (zero) deactivates the idle time. | 900 (15 minutes) |
UserVars.HostClientWelcomeMessage | Displays a welcome message in the Host Client upon login. The message is displayed following login as a “hint”. | (Empty) |
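The table above is a reference, not an audit procedure, so the following added example (not VMware documentation or code) shows how a hardening review might check a host's values against a baseline. It takes the settings as a plain dictionary of name to value, which you would fill from the API or from `esxcli system settings advanced list` output; the baseline thresholds in `BASELINE` and the sample dictionaries are assumptions constructed for illustration, while the setting names, the defaults and the DoD Annex value of `Security.PasswordQualityControl` come from the table. The `pam_passwdqc` parser follows the `min=N0,N1,N2,N3,N4` layout (one class, two classes, passphrase, three classes, four classes) and treats a missing `similar=` clause as not enforced.

```python
"""Audit ESXi advanced security settings against an assumed baseline.

Added example, not VMware code. Thresholds in BASELINE are assumptions
chosen for illustration; adjust them to your own policy.
"""
import re

# Assumed baseline: each entry maps a setting name from the table to a
# predicate that returns True when the observed value is acceptable.
BASELINE = {
    "Security.AccountLockFailures": lambda v: 0 < int(v) <= 5,          # locking enabled
    "Security.AccountUnlockTime": lambda v: int(v) >= 900,              # table default
    "Security.PasswordHistory": lambda v: int(v) >= 5,                  # assumption
    "Security.PasswordMaxDays": lambda v: 0 < int(v) <= 90,             # assumption
    "Config.HostAgent.vmacore.soap.sessionTimeout": lambda v: 0 < int(v) <= 30,
    "UserVars.DcuiTimeOut": lambda v: 0 < int(v) <= 600,
    "UserVars.ESXiShellInteractiveTimeOut": lambda v: 0 < int(v) <= 900,  # 0 = never
    "UserVars.HostClientSessionTimeout": lambda v: 0 < int(v) <= 900,
}

PASSWDQC_MIN_RE = re.compile(r"\bmin=(\S+)")
PASSWDQC_SIMILAR_RE = re.compile(r"\bsimilar=(deny|permit)\b")
CLASS_NAMES = ("1-class", "2-class", "passphrase", "3-class", "4-class")


def parse_passwdqc(value):
    """Parse a pam_passwdqc style value such as
    'retry=3 min=disabled,disabled,disabled,7,7'.

    Returns (min_lengths, similar): min_lengths is a five-entry list with
    an int or None (for 'disabled') per password class; similar is
    'deny', 'permit', or None when the clause is absent."""
    m = PASSWDQC_MIN_RE.search(value)
    if not m:
        raise ValueError("no min= clause in %r" % value)
    fields = m.group(1).split(",")
    if len(fields) != 5:
        raise ValueError("min= needs five comma-separated entries, got %r" % fields)
    mins = [None if f == "disabled" else int(f) for f in fields]
    s = PASSWDQC_SIMILAR_RE.search(value)
    return mins, (s.group(1) if s else None)


def check_password_quality(value, min_length=15):
    """Return a list of findings for a PasswordQualityControl value
    (empty when every enabled class requires >= min_length and
    similar=deny is set, as in the DoD Annex value from the table)."""
    findings = []
    mins, similar = parse_passwdqc(value)
    if all(n is None for n in mins):
        findings.append("every password class is disabled; no password could be set")
    for cls, n in zip(CLASS_NAMES, mins):
        if n is not None and n < min_length:
            findings.append("%s passwords accepted at length %d (< %d)" % (cls, n, min_length))
    if similar != "deny":
        findings.append("similar=deny not set; a new password may resemble the old one")
    return findings


def audit(settings):
    """settings: dict of setting name -> value as reported by the host.
    Returns {setting name: [findings]} for non-compliant settings only."""
    report = {}
    for name, acceptable in BASELINE.items():
        if name not in settings:
            report[name] = ["setting not present in the collected data"]
        elif not acceptable(settings[name]):
            report[name] = ["value %r is outside the assumed baseline" % (settings[name],)]
    pqc = settings.get("Security.PasswordQualityControl")
    if pqc is None:
        report["Security.PasswordQualityControl"] = ["setting not present in the collected data"]
    else:
        findings = check_password_quality(pqc)
        if findings:
            report["Security.PasswordQualityControl"] = findings
    return report


# Constructed sample: a host still on the table's default values.
SAMPLE_DEFAULTS = {
    "Security.AccountLockFailures": 5,
    "Security.AccountUnlockTime": 900,
    "Security.PasswordHistory": 0,
    "Security.PasswordMaxDays": 99999,
    "Security.PasswordQualityControl": "retry=3 min=disabled,disabled,disabled,7,7",
    "Config.HostAgent.vmacore.soap.sessionTimeout": 30,
    "UserVars.DcuiTimeOut": 600,
    "UserVars.ESXiShellInteractiveTimeOut": 0,
    "UserVars.HostClientSessionTimeout": 900,
}

# Constructed sample: the same host after applying the DoD Annex password
# value from the table plus the assumed baseline for the other settings.
SAMPLE_HARDENED = dict(SAMPLE_DEFAULTS)
SAMPLE_HARDENED.update({
    "Security.PasswordHistory": 5,
    "Security.PasswordMaxDays": 90,
    "Security.PasswordQualityControl": "min=disabled,disabled,disabled,disabled,15 similar=deny",
    "UserVars.ESXiShellInteractiveTimeOut": 900,
})

if __name__ == "__main__":
    for label, host in (("defaults", SAMPLE_DEFAULTS), ("hardened", SAMPLE_HARDENED)):
        print("== %s ==" % label)
        for name, findings in sorted(audit(host).items()):
            for f in findings:
                print("%s: %s" % (name, f))
```

Run against the default-value sample, the audit flags `Security.PasswordHistory`, `Security.PasswordMaxDays`, `UserVars.ESXiShellInteractiveTimeOut` (0 means the shell never logs out) and three password-quality findings; the hardened sample produces no findings. The parser is the part worth keeping even if you change every threshold, because a string such as `min=disabled,disabled,disabled,7,7` is easy to misread as "15 characters required" when only the fourth and fifth classes are enabled at length seven.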