password recovery

[directlyconnected]

Is there a way to prevent unwanted users that have direct access to a Cisco router (or switch) from establishing a console session, say from a laptop, and doing a password recovery? Ponder this whilst I taketh my beauty nap. Thankseth

Tim

 

[rburke]

In short.. no.

If someone has direct console access to some Cisco gear then they can always do a password recovery by powering off the equipment and using the console port for direct access. That is one of the main reasons for keeping high standards of physical security around networking gear. You can have a million dollar redundant network, but if someone can walk in and turn it off then what good is it?

 

[tangerine0072000]

can you not setup a password on the console port, sure I've read this somewhere !

 

[jneiberger]

You can try the configuration command "no service password-recovery" but I wouldn't recommend it unless you absolutely had to use it. It can make life rather difficult for you in certain situations. Look it up on CCO and make sure you're willing to live with the consequences if you try it.

 

[MTandSAV]

can you not setup a password on the console port, sure I've read this somewhere !"

yes you can and you definately should do this. However this will not prevent someone from doing a pw recovery. First you need to do for pw recovery is switch off the device and boot it up again

CCNA, CCNP..partly

 

[voltron1011]

That's where PHYSICAL SECURITY comes in. You've got to physically lock up all of your stuff: racks, cabinets, datacenter, building, etc, etc....