02-14-2017 01:02 AM - edited 03-10-2019 12:46 AM
Sirs
for security reasons, I'd like to disable the possibility to perform both the "password recovery" and the "reset to factory default" (hardware and software) procedures.
More specifically, I'd like to configure my switch/router in order to completely "brick" it if you don't know any of the "legal" passwords.
In this manner, I'd like to
1) prevent the theft of the equipment (making it useless)
2) prevent attacks to my network performed using a "legal" hardware equipment but re-configured in a malicious way (by means of a factory reset and a subsequent "bad" configuration)
I know that I can use
1) the "no setup express" command
2) the "no password recovery" command
Is that sufficient? Is there any additional parameter configuration that allows my desired behaviour?
Thanks in advance
Have a nice day
Daniele
02-14-2017 01:48 AM
the "no password recovery" command
This won't work.
Anyone (if one knows how to find it) can bypass this (I know I can).
A lot of people would enable this command and then sell their Cisco kit into the market hoping to get the buyer into strife (or getting more money just to give the password).
02-14-2017 03:51 AM
Many thanks Leo for your answer (I agree with your last comment)
In my business case (large server room, with hundreds of different pieces of equipment owned by tens of different stakeholders) I mainly have to avoid that the hardware reset button is pushed by mistake (or intentionally), performing an "out of order" attack.
...and that someone (by mistake or intentionally) changes the "master" passwords...
I forgot to mention that I also use the "FIPS compliant" option
02-14-2017 12:09 PM
Look, if the problem is all about unauthorized people gaining access to your routers and switches, then the answer doesn't lie entirely with them. A secure TACACS server, a robust password policy and layers of ACLs will keep them secure.
However, all this doesn't guarantee against someone making a mistake. And this alone doesn't guarantee that a disgruntled staff member doesn't remote access in to wreak havoc.
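The three controls Leo lists (TACACS+ AAA, a local password policy, and ACLs on the management plane), written out as an added IOS configuration example; this is not from the original thread or from Cisco documentation, and the hostname, the 10.0.0.0/24 management subnet, the 10.0.0.10 TACACS+ server and the bracketed secrets are placeholders to substitute with your own values:

```cisco
! Added example (not from the original thread). Management subnet 10.0.0.0/24,
! TACACS+ server 10.0.0.10 and the <...> secrets are placeholders.
hostname core-sw1
!
! Local credentials exist only as a fallback when every TACACS+ server is unreachable.
service password-encryption
enable secret <strong-enable-secret>
username break-glass privilege 15 secret <strong-local-secret>
!
! AAA: authenticate, authorize and account against TACACS+, fall back to local.
aaa new-model
tacacs server TAC1
 address ipv4 10.0.0.10
 key <shared-tacacs-key>
 timeout 5
aaa group server tacacs+ TAC-GROUP
 server name TAC1
aaa authentication login default group TAC-GROUP local
aaa authentication enable default group TAC-GROUP enable
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! Slow down online guessing of whatever local credentials remain, and log attempts.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Management-plane ACL: only the management subnet may open a session, and only over SSH.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
line con 0
 exec-timeout 10 0
!
! The two commands the OP mentions. Leo's point above still applies: they block the
! documented Express Setup and password-recovery procedures but are not a substitute
! for the AAA, password-policy and ACL controls above.
no setup express
no service password-recovery
```

With this in place a device that is factory-reset by someone pressing the button still loses its configuration (Daniele's remaining concern), but an attacker who does not hold TACACS+ credentials or sit on the management subnet cannot log in to a device that is still running this configuration, and every successful and failed login and every privilege-15 command is accounted for on the TACACS+ server.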
02-14-2017 11:14 PM
Thanks for your very precise answer.
...unfortunately, it seems that there is no way to disable the "reset" button...
Up to now, this is my major concern.
Have a nice day
Daniele