password recovery

nanga Member Posts: 201
I was going through the CCNA Security book for exam 553. There it says that, for security purposes, ROMmon-mode password recovery is disabled by using the command no service password-recovery.
I was wondering: if this option locks out password recovery, what is another option for password recovery if a disgruntled admin locks this recovery path and we have no access to the router as well?

Comments

  • mikej412 Member Posts: 10,086
    When you have physical access (or console port access) to the router, password recovery lets you bypass the password and get access to the existing configuration -- where you can then change/fix your security/password problem/issue.

    When you disable password recovery, you can still regain access to the router -- but the current configuration (and user IDs, passwords, certificates, VPN configurations, etc) get blown away. You'd either have to manually reconfigure the router (or switch) or restore using a saved configuration.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • nanga Member Posts: 201
    Exactly... so this means that in such a scenario the router would have to be loaded with the new flash, and from there on the currently required config needs to be loaded!

    Well, that's a good vulnerability!
  • tiersten Member Posts: 4,505
    nanga wrote:
    Well, that's a good vulnerability!
    It isn't a vulnerability. You can't guard against a disgruntled admin doing most things. All you can hope for is a backup of the config somewhere safe which they don't have access to.
  • Slowhand Mod Posts: 5,161
    nanga wrote:
    Exactly... so this means that in such a scenario the router would have to be loaded with the new flash, and from there on the currently required config needs to be loaded!

    Well, that's a good vulnerability!
    What it means is that if someone steals your router, they've got it either way. If someone can get into your datacenter or wiring closet and hook up a serial cable, they've bypassed your security anyway. In server administration there is a saying: "if someone else gets physical access to your box, it's no longer your box". What the recovery lockout is good for is preventing someone from accessing the stored configuration, which definitely could have information in it that would lead to a vulnerability. If someone steals your router and has to blow away the config, at least they don't have your settings to work from to compromise your network. (This is why it's a good idea to keep backups of your config files on a TFTP server, for example.)

    Think of it like a car. If someone actually takes it from where you left it and puts it in a warehouse or other location to mess with, no amount of anti-theft technology or alarms is going to prevent them from getting in if they really want to. Those security measures are only good if the thief doesn't have free rein to mess with the car, like out on the street or in a parking garage. Physical security, in this analogy, would be making sure you don't park your brand-new sports car in a bad neighborhood or at the badly lit far end of a parking lot at night. Just the same, you need to have physical locks and walls to keep unauthorized personnel and random strangers from plugging into your router; otherwise it's now their router.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
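The two points made above, that disabling recovery turns the break-key procedure into a configuration wipe and that an off-box backup is therefore the only way back, fit together in one configuration. The following is an added example written for this thread, not configuration from any poster or from Cisco documentation; the TFTP server address 192.0.2.10 and the file names are placeholders.

```cisco
! Added example: Cisco IOS global configuration (placeholders, not a real site).
!
! 1. Keep an off-box copy of the configuration BEFORE locking out recovery.
!    The archive feature pushes a numbered copy to TFTP every time
!    "write memory" runs, and in any case every 24 hours (1440 minutes).
archive
 path tftp://192.0.2.10/edge-router-cfg
 write-memory
 time-period 1440
!
! 2. Disable ROMmon password recovery. IOS asks for confirmation when this
!    is entered; from now on the console break procedure erases the startup
!    configuration instead of letting whoever holds the console read it.
no service password-recovery
!
! 3. One-off manual backup for the same reason (privileged exec, not config mode):
!    copy running-config tftp://192.0.2.10/edge-router-cfg-manual
```

The ordering matters: once step 2 is in place, the archive copies from step 1 (or the manual copy in step 3) are what you restore after a wiped router, so they must live on a host the admin in question cannot reach, which is exactly the point tiersten makes above.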