12-16-2021 02:24 AM
Use of the "no service password-recovery" command is recommended when hardening Cisco devices.
But as I see it, the command is not available on the IE platform? In my case: IE3300 running IOS XE 16.12.03 (Gibraltar).
What would be the correct command to prevent use of the password-recovery feature?
12-16-2021 02:38 AM
@Energia wrote:
Use of the "no service password-recovery" command is recommended when hardening Cisco devices.
Blindly following the "recommended" best practice?
Think about this: What happens if there is a disgruntled employee who, before getting escorted out, turns this feature on and then scrambles the password?
Just think about it.
12-16-2021 04:29 AM
Blindly following the "recommended" best practice?
Think about this: What happens if there is a disgruntled employee who, before getting escorted out, turns this feature on and then scrambles the password?
Just think about it.
Well... the use of no service password-recovery is just one of many controls. And I am not saying that the solution is to disable this feature on every device.
12-16-2021 04:52 AM
I have seen several threads here about someone enabling this "feature" and then scrambling the passwords.
It may sound "trivial", but re-configuring a switch (because password recovery means the platform will reboot without any config) will take a lot of hours.
12-17-2021 01:29 AM
That is one argument for centralized config backup.
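As an added example (not part of this thread, and not a Cisco tool): a small audit over saved config backups that ties the two points above together, flagging devices where "no service password-recovery" is set but the host is missing from the central backup inventory, since a lockout on such a device means a rebuild from nothing. The config texts and the backup inventory are constructed samples, not real device output.

```python
import re

# Constructed sample config backups (not real device output), keyed by file name.
SAMPLE_CONFIGS = {
    "plant-a.cfg": "hostname ie3300-plant-a\nservice password-encryption\n"
                   "no service password-recovery\n!\nend\n",
    "plant-b.cfg": "hostname ie3300-plant-b\nservice password-encryption\n!\nend\n",
    "lab.cfg": "hostname ie3300-lab\nno service password-recovery\n!\nend\n",
}
# Constructed set of hostnames covered by the central config backup job.
SAMPLE_BACKUP_INVENTORY = {"ie3300-plant-a", "ie3300-plant-b"}

HOSTNAME_RE = re.compile(r"^hostname\s+(\S+)\s*$")


def parse_config(text):
    """Return (hostname, recovery_disabled) from an IOS-style config dump."""
    hostname, recovery_disabled = None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = HOSTNAME_RE.match(line)
        if m:
            hostname = m.group(1)
        elif line == "no service password-recovery":
            recovery_disabled = True
    return hostname, recovery_disabled


def audit(configs, backup_inventory):
    """Classify each device. Disabling recovery is only acceptable when the device
    is in the backup inventory, because recovery then means a reboot with no config."""
    findings = {}
    for name, text in configs.items():
        hostname, disabled = parse_config(text)
        key = hostname or name
        if not disabled:
            findings[key] = "recovery-enabled"            # platform default, not hardened
        elif hostname in backup_inventory:
            findings[key] = "recovery-disabled-backed-up"  # hardened, restorable from backup
        else:
            findings[key] = "recovery-disabled-no-backup"  # hardened, lockout means a rebuild
    return findings


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_CONFIGS, SAMPLE_BACKUP_INVENTORY).items()):
        print(f"{host:20} {status}")
```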