Re: NVRAM/Startup-config Security

aquadisco · ‎10-04-2010

How can i prevent a user from writing to the startup-config?

Javier Henderson · ‎10-04-2010

Using command authorization and denying that user the execution of "copy running-config startup-config" (and other variations of same, i.e. "write memory", etc)

Shilpa Gupta · ‎10-04-2010

Hello,

Here are some links for command authorization which might be helpful for you:-

ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Configuring Command Authorization on ASA:-

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wp1042034

Configuring Command authorization on router:-

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml#t1

Thanks,

Shilpa

aquadisco · ‎10-04-2010

Good comments so far, but i need a little more hand holding as some of the options don't seem to be available on my configuration. Is this approach dependent on a TACACS server?

Here is some background information that i should have supplied originally.

Using 2811 router with Advanced Enterprises Services IOS
Would like to restrict users from changing the startup-config without use of the external AAA systems (TACACS, etc).

Thanks!