Configuring Enable Mode Security

16 Mar

To configure enable mode access, you can use one of two commands: enable password or enable secret. Both commands accomplish the same thing, allowing access to enable mode. However, the enable secret command is considered more secure because it stores the password as a one-way hash based on the MD5 hashing function, so the cleartext cannot be recovered from the configuration. Only use the enable password command with older IOS images and/or boot ROMs that have no knowledge of the newer enable secret command.

Note The MD5 hashing algorithm will be discussed in detail in Chapter 6. For now, just remember that this method is considered more secure.

You configure an enable password by entering the enable password <password> command in global configuration mode:

SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#enable password Omni-Pass01
SecureRouter(config)#end
SecureRouter#

The preceding configuration sets the enable password to Omni-Pass01. The result of setting the enable password can be seen in the following output. From the user mode prompt, you must enter the enable command to gain access into privileged mode:

SecureRouter>enable
Password: Omni-Pass01
SecureRouter#

Note After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable password command.

You configure an enable secret password by entering the following command in global configuration mode:

SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#enable secret Long@Horn10
SecureRouter(config)#end
SecureRouter#

The preceding configuration sets the enable secret password to Long@Horn10. The result of setting the enable secret password can be seen in the following output. From the user mode prompt, you must enter the enable command to gain access into privileged mode, as follows:

SecureRouter>enable
Password: Long@Horn10
SecureRouter#

Note After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable secret command.
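The following is an added example, not code from the book, showing what "one-way" means in practice for enable secret. IOS stores an enable secret 5 value as an MD5-crypt string of the form $1$<salt>$<hash>; the code recomputes that hash to check a typed password the way the enable prompt does, and then audits a running-config for credentials stored the weaker way. The sample config, the placeholder type-7 string and all function names are this example's own assumptions.

```python
# Added example: MD5-crypt ($1$) as used by IOS 'enable secret 5', plus a small
# running-config audit for 'enable password' lines. Standard library only.
import hashlib
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` six-bit groups of `value`, least significant group first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt as defined by the original FreeBSD implementation.

    The output cannot be reversed; the only way to check a candidate password
    is to recompute the hash with the stored salt and compare the strings.
    """
    pw = password.encode()
    sl = salt[:8].encode()  # at most 8 salt characters are used

    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in len(pw) bytes of the alternate digest, repeating it if needed.
    ctx.update((alt * (len(pw) // 16 + 1))[: len(pw)])
    # For each bit of len(pw): a zero byte if the bit is set, else pw[0].
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds, alternating the order of password and digest.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    d = final
    encoded = (
        _to64((d[0] << 16) | (d[6] << 8) | d[12], 4)
        + _to64((d[1] << 16) | (d[7] << 8) | d[13], 4)
        + _to64((d[2] << 16) | (d[8] << 8) | d[14], 4)
        + _to64((d[3] << 16) | (d[9] << 8) | d[15], 4)
        + _to64((d[4] << 16) | (d[10] << 8) | d[5], 4)
        + _to64(d[11], 2)
    )
    return "$1$" + salt[:8] + "$" + encoded


def new_enable_secret(password: str) -> str:
    """Produce a fresh 'enable secret 5' value with a random 4-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password, salt)


def check_enable_secret(stored: str, candidate: str) -> bool:
    """What the enable prompt does with a stored $1$salt$hash: recompute and
    compare in constant time. Malformed stored strings never match."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", stored)
    if not m:
        return False
    return secrets.compare_digest(md5crypt(candidate, m.group(1)), stored)


ENABLE_LINE = re.compile(r"^\s*enable\s+(password|secret)\s+(?:(\d+)\s+)?(\S+)")


def classify_enable_lines(config: str) -> list:
    """Report how each enable credential in a running-config is stored.
    Returns (command, storage, weak) tuples; anything not MD5-crypt is weak."""
    findings = []
    for line in config.splitlines():
        m = ENABLE_LINE.match(line)
        if not m:
            continue
        kind, typ, value = m.groups()
        if kind == "secret" and (typ == "5" or value.startswith("$1$")):
            storage = "MD5-crypt (one-way)"
        elif typ == "7":
            storage = "type 7 (reversible, from service password-encryption)"
        elif typ in (None, "0"):
            storage = "cleartext"
        else:
            storage = "type " + typ
        findings.append(("enable " + kind, storage, storage != "MD5-crypt (one-way)"))
    return findings


# Constructed sample config: the secret is computed here with a fixed salt;
# the type-7 string is a made-up placeholder, not a real encoding.
SAMPLE_CONFIG = "\n".join([
    "service password-encryption",
    "enable password 7 00000000000000",
    "enable secret 5 " + md5crypt("Long@Horn10", "abcd"),
    "hostname SecureRouter",
])

if __name__ == "__main__":
    for cmd, storage, weak in classify_enable_lines(SAMPLE_CONFIG):
        print(f"{cmd:16} {storage:55} {'WEAK' if weak else 'ok'}")
```

Run as a script it prints one line per enable credential found in the sample config, flagging the type 7 line and passing the MD5-crypt line; the same audit can be pointed at a saved show running-config file. Note that the check recomputes the hash rather than decoding anything, which is exactly why an enable secret survives a leaked configuration file better than an enable password.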

Disabling Password Recovery
The first line of defense against intruders is to set passwords on routers. Sometimes passwords are forgotten and must be recovered. There are, however, some instances in which the widely known password recovery procedures should be disabled. When physical security is not possible or in a network emergency, password recovery can be disabled.

Note Password recovery on routers and switches is outside the scope of this book. However, if you need an index of password recovery procedures for Cisco network devices, see the following Cisco Web page: http://www.cisco.com/warp/public/474.

The key to recovering a password on a Cisco router is through manipulation of the configuration registers of the router. All router passwords are stored in the startup configuration, so if the configuration registers are changed properly, the startup configuration with the passwords stored within it can be bypassed. If you have disabled the password recovery mechanisms, you will not be able to perform password recovery on the router. Disabling the password recovery procedure of a Cisco router is a decision that must be thought out ahead of time because the command used to disable password recovery also disables access to ROMMON.

Warning The command discussed in this section is not recommended for use on any production router and is explained here only for the benefit of learning within a lab environment.

You can disable the Cisco password recovery procedure by issuing the no service password-recovery command in global configuration mode:

SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: yes

As you can see, the IOS reminds you of how serious disabling the password recovery procedure is with a warning message and a prompt allowing you to change your mind. To see the results of changing the password recovery feature, issue the show running-config command. The effects of issuing the command can be seen in the following configuration:

SecureRouter#show run
Building configuration…
Current configuration:
!
version 12.0
service password-encryption
no service password-recovery
!
hostname SecureRouter

After password recovery has been disabled and the configuration has been saved, the widely available password recovery procedure will not be available on the router. The following output verifies that password recovery is indeed disabled:

SecureRouter#reload
Proceed with reload? [confirm]

00:14:34: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
C2600 platform with 49152 Kbytes of main memory

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x928024
Self decompressing the image : #######################….

Warning The use of the command discussed in this section is not recommended for a production router. It should be used only in extreme circumstances or in a lab environment!

If the no service password-recovery command has been issued on a Cisco router and the passwords have been forgotten, you must contact your Cisco Technical Support Engineer to obtain help in gaining access into the router and enabling the password recovery process again.
