Pages

Tuesday, 8 May 2012

Restricting the Password Recovery Process


Restricting the Password Recovery Process

The password recovery process is enabled by default, which is performed from monitor
(PIX) or ROMMON (ASA) mode. You can disable the password recovery process with
the following command:


ciscoasa(config)# no service password-recovery


WARNING: Executing "no service password-recovery" has disabled the
password recovery mechanism and disabled access to ROMMON. The only
means of recovering from lost or forgotten passwords will be for
ROMMON to erase all file systems including configuration files and
images. You should make a backup of your configuration and have a
mechanism to restore images from the ROMMON command line.


Disabling the password recovery process might be required by your security policy.
The most common situation where I’ve seen this feature implemented is in a shared
SOHO location, where there’s a chance that someone might steal the appliance. In this
situation, you can protect your appliance configuration by disabling the password recovery
process.


Once you’ve disabled the password recovery process, in order to break into the appliance,
all files in flash are erased: configuration, operating system, ASDM, crash dumps,
and private files! The break-in must occur from monitor/ROMMON mode, and you’ll
have to TFTP an OS into flash, boot up the appliance, and reconfigure it from scratch (or
pull in a saved configuration from a server).


NOTE:- You can re-enable the password recovery by re-executing the service passwordrecovery command without the no parameter

No comments:

Post a Comment