How to Disable Password Recovery
Why do you need to set passwords on routers?
>>> To defend against intruders
Why must passwords be recovered?
>>> Sometimes passwords are forgotten. There are, however, some instances in which the widely known password recovery procedures should be disabled. When physical security is not possible or in a network emergency, password recovery can be disabled.
What is the key to recovering a password on a Cisco router?
>>> The key to recovering a password on a Cisco router is manipulation of the router's configuration register. All router passwords are stored in the startup configuration, so if the configuration register is changed properly, the startup configuration, with the passwords stored within it, can be bypassed.
What happens if you disable the password recovery?
>>> If you have disabled the password recovery mechanisms, you will not be able to perform password recovery on the router. Disabling the password recovery procedure of a Cisco router is a decision that must be thought out ahead of time because the command used to disable password recovery also disables ROMMON.
How can you disable the password recovery?
>>> You can disable the Cisco password recovery procedure by issuing the no service password-recovery command in global configuration mode:
CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.
Are you sure you want to continue? [yes/no]: yes
As you can see, the IOS reminds you how serious disabling the password recovery procedure is with a warning message and a prompt allowing you to change your mind. To see the results of changing the password recovery feature, issue the show running-config command. The effects of issuing the command can be seen in the following configuration:
CiscoRouter#show run
Building configuration...
Current configuration:
!
version 12.0
service password-encryption
no service password-recovery
!
hostname CiscoRouter
After password recovery has been disabled and the configuration has been saved, the widely available password recovery procedure will not be available on the router. The following output verifies that password recovery is indeed disabled:
CiscoRouter#reload
Proceed with reload? [confirm]
00:14:34: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
C2600 platform with 49152 Kbytes of main memory
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x928024
Self decompressing the image : #######################....
If the no service password-recovery command has been issued on a Cisco router and the passwords have been forgotten, you must contact your Cisco Technical Support Engineer to obtain help in gaining access into the router and enabling the password recovery process again.
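An added example, not part of the original post: a small Python audit that checks a saved running configuration for the no service password-recovery line and a captured boot log for the banner shown above, so a fleet inventory can tell which routers have recovery disabled and verified. The function names, status strings and sample text are assumptions constructed for illustration; the sample deliberately contains a typographic minus sign, as pasted configurations often do.

```python
import re

# Map typographic dashes (U+2212, U+2010..U+2015) to ASCII '-' so that
# configs copied from web pages or PDFs still match the real command text.
_DASHES = dict.fromkeys(map(ord, "\u2212\u2010\u2011\u2012\u2013\u2014\u2015"), "-")
BANNER = "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED"

def _lines(text):
    return [ln.translate(_DASHES).strip() for ln in text.splitlines()]

def recovery_disabled_in_config(config_text):
    """True if the last matching statement is 'no service password-recovery'."""
    disabled = False
    for ln in _lines(config_text):
        if re.fullmatch(r"no\s+service\s+password-recovery", ln):
            disabled = True
        elif re.fullmatch(r"service\s+password-recovery", ln):
            disabled = False
    return disabled

def audit(running_config, boot_log=""):
    """Classify a router from its config text and an optional console capture."""
    configured = recovery_disabled_in_config(running_config)
    banner = any(BANNER in ln for ln in _lines(boot_log))
    if configured and banner:
        return "disabled-and-verified"
    if configured:
        return "disabled-in-config-only"   # no boot capture confirming it
    if banner:
        return "mismatch-review"           # banner seen, line absent from config
    return "recovery-available"

# Constructed sample input modelled on the output shown in this post.
SAMPLE_CONFIG = (
    "version 12.0\n"
    "service password-encryption\n"
    "no service password\u2212recovery\n"   # typographic minus on purpose
    "!\n"
    "hostname CiscoRouter\n"
)
SAMPLE_BOOT = (
    "C2600 platform with 49152 Kbytes of main memory\n"
    "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_BOOT))
```

Routers reported as disabled-in-config-only are the ones to check for a saved configuration and a recorded reload.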