If you have Cisco routers running 12.2 code, you now have the option to turn off the ability to do a password recovery once you've gained local access to the router.
Everyone knows that it's pretty simple to get a Cisco router to bypass its startup config so that you can get in and make changes, including giving it a new password to replace the one that everyone's somehow managed to forget because the guy that set it up has left. All you need is physical access to the box so you can reboot it. That is one of the reasons why physical security in your comms rooms is so vital.
So a new feature has been added to IOS that lets you configure the router to disable access to the ROMMON, so that the config register cannot be set to allow this, thus removing the ability to change passwords (or view the config) in this way: the no service password-recovery command.
This is a good thing, isn't it?
There are two possible areas of concern. If you configure this yourself, you had better make sure that you are absolutely, 100 per cent sure you know what the passwords are. This might sound silly, but companies have had to do password recoveries because of typos, or on routers that haven't been changed in months where no-one can remember the enable password. Also, if there is no valid Cisco IOS software image in the Flash memory of the router, you can no longer use the ROMMON XMODEM command to load a new Flash image. All you can do is get a new IOS software image onto an internal SIMM, or onto a PCMCIA card if your router has one. This might be an issue if you're upgrading IOS, have to remove the current version to make room, and the new version gets corrupted on download.
There is no way to get a password back if you set this config parameter and lock yourself out. All you can do once this command has been entered, if you don't have the enable password, is to reset the config to factory default.
The other worry is if you don't set it. What if your physical security isn't that great and someone who shouldn't be there gets into your comms room, reboots your router, makes a few changes and then sets this line in the config? You're locked out of your own router - again it's a case of taking it out of the network completely, wiping the config, and hoping that you have an up-to-date config file to upload back into it. Another case for making sure you take backups at every change.
It may well be good that this command has been added - it does add a level of security to your environment - but you have to really make sure you know the implications before you do (or don't) choose to use it.
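Both worries above come down to the same two questions: is no service password-recovery present where you expect it (and only there), and is your last backup current enough to restore from if the only way back in is a factory reset? The script below is an added example written for this post, not Cisco's code or anything from the original article. It parses IOS-style config text, flags the recovery line when policy does not call for it, and diffs the running config against the last backup so a stale backup is noticed before anyone reboots the box. The hostname, the two config samples and the enable-secret hash are constructed placeholders.

```python
"""Added example: audit IOS-style configs for 'no service password-recovery'.

Checks a defender wants around this command:
  1. The line is present only on routers where policy says it should be.
     An unexpected appearance is the lockout scenario the post warns about.
  2. The running config still matches the last backup. If recovery is
     disabled, the backup is what you restore from after a factory reset,
     so drift means the backup is stale.
All config text below is constructed sample data, not real device output.
"""
import difflib
import re

# Matches the exact IOS line. The default 'service password-recovery' does not match.
RECOVERY_DISABLED = re.compile(r"^\s*no service password-recovery\s*$", re.MULTILINE)

# Constructed backup config for a hypothetical router; the hash is a placeholder.
BACKUP_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$PLACEHOLDER$constructedhashnotreal000
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line con 0
 login
"""

# Constructed running config: same box, but someone has added the recovery line since the backup.
RUNNING_CONFIG = BACKUP_CONFIG.replace(
    "hostname edge-rtr-1\n", "hostname edge-rtr-1\nno service password-recovery\n"
)


def password_recovery_disabled(config: str) -> bool:
    """Return True when the config carries 'no service password-recovery'."""
    return RECOVERY_DISABLED.search(config) is not None


def config_drift(running: str, backup: str) -> list[str]:
    """Unified-diff lines between the saved backup and the running config.

    An empty list means the backup is current. Blank lines and surrounding
    whitespace are ignored so cosmetic differences do not count as drift.
    """
    def norm(text: str) -> list[str]:
        return [ln.strip() for ln in text.splitlines() if ln.strip()]

    return list(difflib.unified_diff(norm(backup), norm(running),
                                     fromfile="backup", tofile="running", lineterm=""))


def audit(hostname: str, running: str, backup: str, recovery_should_be_disabled: bool) -> list[str]:
    """Return human-readable findings for one router; an empty list means clean."""
    findings = []
    disabled = password_recovery_disabled(running)
    if disabled and not recovery_should_be_disabled:
        findings.append(f"{hostname}: password recovery is DISABLED but policy does not call for it; "
                        "treat as a possible unauthorised change and confirm the enable password before any reboot")
    if not disabled and recovery_should_be_disabled:
        findings.append(f"{hostname}: policy expects recovery disabled but the line is absent")
    drift = config_drift(running, backup)
    if drift:
        # Keep only added/removed content lines, not the '---'/'+++' file headers.
        changed = [ln for ln in drift if ln[:1] in "+-" and not ln.startswith(("+++", "---"))]
        findings.append(f"{hostname}: running config differs from last backup ({len(changed)} changed line(s)); "
                        "take a fresh backup before relying on it")
        if disabled and any(ln == "+no service password-recovery" for ln in changed):
            findings.append(f"{hostname}: recovery was disabled AFTER the last backup; "
                            "a lockout now means a factory reset and a restore from a stale file")
    return findings


def run_demo() -> list[str]:
    """Audit the constructed router, whose policy does not call for disabling recovery."""
    return audit("edge-rtr-1", RUNNING_CONFIG, BACKUP_CONFIG, recovery_should_be_disabled=False)


if __name__ == "__main__":
    for finding in run_demo():
        print("!", finding)
```

On the constructed sample the audit reports three findings: the unexpected recovery line, one line of drift from the backup, and the fact that the line appeared after the backup was taken. Running this against configs pulled at every change is the practical form of the "backups at every change" advice above, because it tells you the backup is stale while you can still fix it.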