If you have Cisco routers running 12.2 code, you now have the option to turn off password recovery for anyone who has gained local access to the router.

Everyone knows that it’s pretty simple to get a Cisco router to bypass its startup config so that you can get in and make changes, including giving it a new password to replace the one that everyone’s somehow managed to forget because the guy that set it up has left. All you need is physical access to the box so you can reboot it. That is one of the reasons why physical security in your comms rooms is so vital.

So a new feature has been added to IOS that lets you configure the router to disable access to ROMMON, so that the config register cannot be set to bypass the startup config. This removes the ability to change passwords (or view the config) in this way. It is the no service password-recovery command.

This is a good thing, isn't it?
There are two possible areas of concern. If you configure this yourself, you had better be absolutely, 100 per cent sure you know what the passwords are. This might sound silly, but companies have had to do password recoveries because of typos, or because of routers that haven't been touched in months and no-one can remember the enable password. Also, if there is no valid Cisco IOS software image in the router's Flash memory, you can no longer use the ROMMON XMODEM command to load a new Flash image. All you can do is get a new IOS software image onto an internal SIMM, or onto a PCMCIA card if your router has one. This could be an issue if you're upgrading IOS, have to remove the current version to make room, and the new version gets corrupted on download.

There is no way to get a password back if you set this config parameter and lock yourself out. All you can do once this command has been entered, if you don’t have the enable password, is to reset the config to factory default.

The other worry is if you don't set it. What if your physical security isn't that great and someone who shouldn't be there gets into your comms room, reboots your router, makes a few changes and then sets this line in the config? You're locked out of your own router - again it's a case of taking it out of the network completely, wiping the config - and hoping that you have an up-to-date config file to upload back into it. Another case for making sure you take backups at every change.
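Both worries above come down to the same housekeeping: knowing which routers have password recovery disabled, knowing that those routers have an enable secret you can actually produce, and knowing that every router in the inventory has a current config backup to restore from. The script below is an added example, not from the original post or from Cisco; it audits a set of saved running-configs for exactly those points. The device names, the inventory list and the three sample configs are constructed for the example, and the hash in the enable secret line is a placeholder.

```python
"""Audit saved Cisco IOS running-configs for the password-recovery setting.

Added example (not from the original post). Inputs are constructed sample
backups, keyed by device name, as a backup job might have saved them.
"""

# Constructed sample backups. The enable-secret hash is a placeholder, not a
# real hash. 'service password-recovery' is the IOS default and is normally
# not shown in a running-config, so its absence means recovery is still on.
SAMPLE_CONFIGS = {
    "edge-rtr-01": """\
version 12.2
hostname edge-rtr-01
no service password-recovery
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
!
line con 0
 login
""",
    "core-rtr-02": """\
version 12.2
hostname core-rtr-02
enable password PLACEHOLDER-CLEARTEXT
!
""",
    "lab-rtr-03": """\
version 12.2
hostname lab-rtr-03
!
""",
}

# Constructed device inventory; branch-rtr-04 deliberately has no backup.
INVENTORY = ["edge-rtr-01", "core-rtr-02", "lab-rtr-03", "branch-rtr-04"]


def audit_config(name, text):
    """Return a dict describing one device's recovery/credential posture."""
    lines = [line.strip() for line in text.splitlines()]
    recovery_disabled = "no service password-recovery" in lines
    has_enable_secret = any(line.startswith("enable secret") for line in lines)
    has_enable_password = any(line.startswith("enable password") for line in lines)

    findings = []
    if recovery_disabled:
        findings.append(
            "password recovery disabled: losing the enable secret means a factory reset"
        )
        if not has_enable_secret:
            # Recovery is off but there is nothing to recover to: worst of both.
            findings.append("no 'enable secret' configured while recovery is disabled")
    else:
        findings.append(
            "password recovery enabled: console access plus a reboot bypasses the startup config"
        )
    if has_enable_password and not has_enable_secret:
        findings.append("'enable password' used without an 'enable secret'")

    return {
        "device": name,
        "recovery_disabled": recovery_disabled,
        "has_enable_secret": has_enable_secret,
        "findings": findings,
    }


def audit_all(configs):
    """Audit every saved config and return the list of per-device results."""
    return [audit_config(name, text) for name, text in sorted(configs.items())]


def missing_backups(inventory, configs):
    """Devices in the inventory with no saved config to restore from."""
    return [device for device in inventory if device not in configs]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_CONFIGS):
        print(result["device"])
        for finding in result["findings"]:
            print("  -", finding)
    for device in missing_backups(INVENTORY, SAMPLE_CONFIGS):
        print(device, "- no config backup found")
```

Run it against a directory of real backups by loading each file into the dict in place of SAMPLE_CONFIGS. The point of the report is the combination: a router flagged as recovery-disabled is one where the enable secret must be verified against your password store before anyone relies on it, and a router missing from the backup set is one where a lockout, malicious or accidental, means rebuilding the config from memory.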

It may well be good that this command has been added - it does add a level of security to your environment - but you have to make sure you really understand the implications before you decide whether or not to use it.