Even if you turn off the console port or any other port...you can still bypass the conf file if rebooted into password recovery mode. It's ALMOST impossible to lock yourself out of a router!! If you have physical access to it...you own it!!!!! You can't disable password recovery.........

Kenny Ansel, Sytex Group Network Security Instructor
MCP+I, MCSE, CCNP
608-388-8801

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 4:58 PM
To: Douglas Gullett; Security-Basics@Securityfocus.Com; Shafagh Zandi
Subject: RE: Cisco Password Recovery

If the console and remote ports are turned off in the IOS conf stored in non-volatile RAM, then only network-based connections can be used to change the config... requiring password authentication.

Be careful, though, because this also means if you set the box up to be network unreachable due to a bad ACL or some other no-brainer, the only way to get the router back functional is to pull the NVRAM chip, put it in a different box and tftp a new image (erasing the old image) from a different box.

D. Weiss
CCNA/MCSE/SSP2

-----Original Message-----
From: Douglas Gullett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 4:46 AM
To: Security-Basics@Securityfocus.Com; Shafagh Zandi
Subject: RE: Cisco Password Recovery

I believe that currently that is only available on the Cisco 3550 FastEther Multilayer switch, and then it is only a smoke screen. (You can reset the switch, but the config will be reset to the default.)

It goes back to the saying, "Locks are only there to keep the honest people out!" The idea is to have the biggest, baddest, toughest lock, so that they will go and pick on someone else's door!

It is a good idea to make sure cabling and equipment are physically secured from unauthorized access. Also, not too many companies would want to let their IT guys TOTALLY disable password recovery...because what happens when the IT guy changes the password and leaves without saying goodbye?

Douglas Gullett, CCNA, CCDA, CCNP

-----Original Message-----
From: Shafagh Zandi [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 30, 2002 11:10 AM
To: [EMAIL PROTECTED]
Subject: Cisco Password Recovery

Hi, Everybody

I've many Cisco routers and I need to protect my Cisco devices, especially implementing the "Physical Security". I'm thinking about Cisco password recovery, and I need to prevent others from doing this task. How can I disable password recovery?

Shafagh Zandi.
www.shafagh.net
