Virtual Machines Guest OS configurations for enforcing rate limit on guest authentication

Article ID: 313153

Products

VMware vSphere ESXi

Issue/Introduction

Guest authentication allows unlimited login attempts, which makes it easier to brute-force the guest username and password once an attacker has already passed the vSphere authentication checks.

Note: The attacker must have vSphere admin privileges to perform guest authentication on the virtual machine. For more information, see vSphere Permissions and User Management Tasks.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.

Resolution

An account lockout policy (Windows) or a PAM lockout configuration (Linux) is generally not set by default in the guest. To enforce a rate limit on login attempts made through guest authentication, configure the native Windows account lockout policy in a Windows guest, or configure PAM to lock user accounts in a Linux guest.

Windows:

The account lockout policy in the Active Directory domain locks a user account automatically once a specified number of login attempts for that account have failed. For more details, see the Microsoft article.

Steps for setting account lockout policy

  1. Install the Group Policy Management Tools if they are not already installed.

Windows 10 Version 1809 and higher

  • Right-click the Start button and choose Settings > Apps > Optional features > Add feature.
  • Select RSAT: Group Policy Management Tools.
  • Select Install.
  • It should eventually appear as an option under Start > Windows Administrative Tools.

Windows 8 and Windows 10 Version 1803 and lower

  • Right-click the Start button and choose Control Panel > Programs.
  • From the Programs and Features section, select Turn Windows features on or off.
  • Scroll down and expand the Remote Server Administration Tools section.
  • Expand Feature Administration Tools.
  • Ensure that Group Policy Management Tools is checked, then select OK.
  • You should now have an option for Administrative Tools on the Start menu. From there, select the Group Policy tool needed.
  2. Configure the Account Lockout Policy in Active Directory.
  • Run the Group Policy Management console (gpmc.msc) or go to Start > Windows Administrative Tools > Group Policy Management.
  • Expand the domain name, and find the GPO called Default Domain Policy. Right-click and select Edit.
  • In the Group Policy Editor, go to the section Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
  • Set the policy Reset account lockout counter after — this parameter sets the number of minutes after which the counter of failed authorization attempts is reset to 0 (1 to 99999).
  • Set the policy Account lockout threshold — the number of incorrect password attempts, after which the Windows user account will be blocked (0 to 999). User accounts are never locked if this value is set to 0.
  • Set the policy Account lockout duration — Active Directory user account lockout time in minutes (0 to 99999). If a value of 0 is specified, the user accounts will be locked until the administrator manually unlocks the locked accounts.
Note: After making changes to the Default Domain Policy, it takes up to 2 hours to apply the new Group Policy settings to the domain controllers and computers, or the policy can be updated on the domain controllers manually using the gpupdate command.

Account Lockout Auditing

Windows account lockout applies to every service that authenticates the account, not only to guest authentication. To track which process or service locked a user account, enable Account Lockout audit events:
  • In Group Policy Management Editor console, Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Logon/Logoff, enable success and failure audit events for Audit Account Lockout.
  • Check the Account Lockout event with ID 4625 in Computer Management > System Tools > Event Viewer > Windows Logs > Security.

Linux

Linux distributions using the pam_faillock module (RHEL, CentOS, Fedora, etc.)

A user account can be locked for a preset amount of time after a specified number of failed login attempts by using the pam_faillock module.

Example /etc/pam.d/vmtoolsd file; the pam_faillock.so lines are the ones that enforce the lockout:

auth       required         pam_shells.so
auth       required         pam_faillock.so preauth  even_deny_root deny=3 unlock_time=60
auth       sufficient       pam_unix.so shadow
auth       required         pam_unix_auth.so shadow
auth       [default=die]    pam_faillock.so authfail  even_deny_root deny=3 unlock_time=60
account    required         pam_shells.so
account    sufficient       pam_unix.so
account    required         pam_unix_acct.so
account    required         pam_faillock.so


Where:
  • preauth –> Module to be called before the modules that ask for user authentication.
  • authfail –> Module to be called after the modules that determine the authentication has failed.
  • deny=3 –> Lock the account after 3 unsuccessful login attempts.
  • unlock_time=60 –> Keep the account locked for 60 seconds. If this option is not used, the default value is 600 (10 minutes). "unlock_time=never" will cause the account to stay locked until it is reset manually by a system administrator.
  • even_deny_root –> Lock the root user account as well after the specified number of incorrect login attempts.
  • root_unlock_time=60 –> Keep the root user account locked for 60 seconds after the specified number of failed login attempts. "root_unlock_time=never" will cause the root account to stay locked until it is reset manually by a system administrator. If this option is not specified, the value is the same as the unlock_time option.
Please refer to the Linux man pages for further details about pam_faillock.so and the faillock command.

Linux distributions using the pam_tally2 module (SLES, Ubuntu, Debian, etc.)

A user account can be locked for a preset amount of time after a specified number of failed login attempts by using the pam_tally2 module.

Add a line like the one below at the beginning of the /etc/pam.d/vmtoolsd file:
auth        required     pam_tally2.so  onerr=fail  deny=3   unlock_time=60   audit   even_deny_root   root_unlock_time=60

Where:
  • onerr=fail –> If the module itself encounters an error, return a failure rather than allowing the login.
  • deny=3 –> Lock the account after 3 unsuccessful login attempts.
  • unlock_time=60 –> Keep the account locked for 60 seconds. If this option is not used, the user account stays locked until it is reset manually by a system administrator.
  • audit –> Enable audit logging of user login attempts in the secure log file.
  • even_deny_root –> Lock the root user account as well after the specified number of incorrect login attempts.
  • root_unlock_time=60 –> Keep the root user account locked for 60 seconds after the specified number of failed login attempts. "root_unlock_time=never" will cause the root account to stay locked until it is reset manually by a system administrator. If this option is not used, the value is the same as the unlock_time option.
Please refer to the Linux man pages for further details about pam_tally2.so and the pam_tally2 command.

Note: These PAM configurations are provided as examples only. Newer PAM versions might add or remove some settings. Therefore, you may have to adjust these example configurations based on the PAM version on your system and your account locking requirements.
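As an added example (not VMware's code) serving both the pam_faillock and pam_tally2 sections above, the following POSIX shell script audits a guest's /etc/pam.d/vmtoolsd and reports whether the auth stack actually limits failed guest logins. It assumes the lockout options are written on the PAM line itself (not in /etc/security/faillock.conf); the script and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not VMware's code: audit /etc/pam.d/vmtoolsd and report whether
# the auth stack rate-limits failed guest logins via the pam_faillock
# preauth/authfail pair or a pam_tally2 line. Assumes options sit on the PAM
# line; newer pam_faillock may read /etc/security/faillock.conf, not parsed here.
# pam_opt NAME "LINE": print the value of NAME=value from a PAM line, if any.
pam_opt() {
    printf '%s\n' "$2" | tr ' \t' '\n\n' | sed -n "s/^$1=//p" | head -n 1
}
# first_auth_line FILE REGEX: first uncommented "auth ..." line matching REGEX.
first_auth_line() {
    grep -E "^[[:space:]]*auth[[:space:]].*$2" "$1" | head -n 1
}
# check_vmtoolsd_pam FILE [MAX_DENY]: returns 0 when a lockout is configured
# with deny <= MAX_DENY (default 5); prints a one-line verdict either way.
check_vmtoolsd_pam() {
    file=$1; max_deny=${2:-5}
    preauth=$(first_auth_line "$file" 'pam_faillock\.so[[:space:]]+preauth')
    authfail=$(first_auth_line "$file" 'pam_faillock\.so[[:space:]]+authfail')
    tally=$(first_auth_line "$file" 'pam_tally2\.so')
    if [ -n "$preauth" ] && [ -n "$authfail" ]; then
        module=pam_faillock; line=$authfail   # authfail line carries the counters
    elif [ -n "$tally" ]; then
        module=pam_tally2; line=$tally
    else
        echo "FAIL $file: no pam_faillock preauth/authfail pair and no pam_tally2 line"
        return 1
    fi
    deny=$(pam_opt deny "$line")
    case $deny in ''|*[!0-9]*) echo "FAIL $file: $module lacks a numeric deny= option"; return 1 ;; esac
    if [ "$deny" -gt "$max_deny" ]; then
        echo "FAIL $file: $module deny=$deny is above the allowed maximum $max_deny"; return 1
    fi
    # A missing unlock_time is stricter, not weaker: faillock defaults to 600 s
    # and pam_tally2 keeps the account locked until an administrator resets it.
    unlock=$(pam_opt unlock_time "$line"); root=no
    case $line in *even_deny_root*) root=yes ;; esac
    echo "OK $file: $module deny=$deny unlock_time=${unlock:-default} root_covered=$root"
}
# demo: check a constructed copy of the article's pam_faillock example.
demo() {
    f=$(mktemp); printf '%s\n' \
        'auth     required      pam_faillock.so preauth  even_deny_root deny=3 unlock_time=60' \
        'auth     [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=60' > "$f"
    rc=0; check_vmtoolsd_pam "$f" || rc=$?; rm -f "$f"; return $rc
}
# Usage: sh check_vmtoolsd_pam.sh [/etc/pam.d/vmtoolsd]; no argument runs the demo.
if [ $# -gt 0 ]; then check_vmtoolsd_pam "$1"; else demo; fi
```

Running it with no argument checks a constructed copy of the article's pam_faillock example; pass the real file path to audit a guest.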