Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1161
Views
8
Helpful
3
Replies

NVRAM/Startup-config Security

aquadisco
Level 1
Level 1

‎10-04-2010 07:28 AM - edited ‎03-10-2019 05:27 PM

How can i prevent a user from writing to the startup-config?

Labels:
0 Helpful
3 Replies 3

Javier Henderson
Level 4
Level 4

‎10-04-2010 08:55 AM

Using command authorization and denying that user the execution of "copy running-config startup-config" (and other variations of same, i.e. "write memory", etc)

Shilpa Gupta
Cisco Employee
Cisco Employee

‎10-04-2010 09:06 AM

Hello,

Here are some links for command authorization which might be helpful for you:-

ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Configuring Command Authorization on ASA:-

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wp1042034

Configuring Command authorization on router:-

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml#t1

Thanks,

Shilpa

aquadisco
Level 1
Level 1

‎10-04-2010 01:09 PM

Good comments so far, but i need a little more hand holding as some of the options don't seem to be available on my configuration.  Is this approach dependent on a TACACS server?

Here is some background information that i should have supplied originally.

  • Using 2811 router with Advanced Enterprises Services IOS
  • Would like to restrict users from changing the startup-config without use of the external AAA systems (TACACS, etc).

Thanks!

0 Helpful
Customers Also Viewed These Support Documents