Wednesday, 23 April 2008

Cisco Privilege levels

Cisco IOS provides for 16 different privilege levels ranging from 0 to 15.

Cisco IOS comes with three predefined levels: level 0 (which offers only the disable, enable, exit, help and logout commands), user EXEC mode at privilege level 1, and "enabled" mode (privileged EXEC mode) at level 15.

Every IOS command is pre-assigned to a level, almost all of them to either level 1 or level 15. If the router is configured with aaa new-model, then AAA can be used for per-user and per-command authorization instead, and I recommend you do this.

By default Cisco puts a few commands at EXEC level 1 which, in security terms, make more sense at a higher privilege level. The next example shows how to move them to privileged mode, which in most configurations is better protected.

(config)#privilege exec level 15 connect
(config)#privilege exec level 15 telnet
(config)#privilege exec level 15 rlogin
(config)#privilege exec level 15 show ip access-lists
(config)#privilege exec level 15 show access-lists
(config)#privilege exec level 15 show logging
(config)#privilege exec level 1 show ip

The last line is required to move the show and show ip commands back down to level 1: when a command is assigned to a level, every command that is a prefix of it (here show and show ip) is moved to that level as well. Remember this is just an example, and really you should not move commands down to user level unless there is no other choice.

For a real world example, a site might want to set up more than the two levels of administrative access on their routers. This could be done by assigning a password to an intermediate level, like 5 or 10, and then assigning particular commands to that privilege level.
Deciding which commands to assign to an intermediate privilege level is really up to your security policy and depends on the functions you want to allow a site administrator to perform. Also check the command list for your version of IOS, as it differs between releases.

Note: I said site administrator, not domain administrator, as you might have a remote site where you need a local administrator to check things on the router when the link to the site is down.

However, if you attempt something like this, there are a few things to be very careful about.

First, do not use the username command to set up accounts above level 1; use the enable secret command to set a password for the level instead. We'll come onto that in a moment.

Second, be very careful about moving too much access down from level 15, as this can open unexpected security holes in the system.
Third, be very careful about moving any part of the configure command down: once a user has write access they can leverage it to take full control of the router.
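Putting the above together, this is what an intermediate level might look like. It is an added example, not configuration from the original post: the level number (5), the command set and the placeholder secrets are assumptions for illustration, and the username ... secret line assumes an IOS release that supports it (12.2(8)T and later); on older releases only username ... password is available.

```cisco
! Added example, not from the original post. Level 5 is a read-only
! "site admin" level; the command set and secrets are placeholders.
!
! Each level gets its own enable secret (stored as a Type 5 hash). The
! level 5 secret must not match the level 15 one or any user password.
enable secret level 5 L3vel5-pl4ceholder
enable secret L3vel15-pl4ceholder
no enable password
!
! Diagnostic commands for level 5. Assigning "show ip route" also moves its
! prefixes "show ip" and "show" to level 5, so set "show ip" back to level 1
! (which resets "show" as well) or level 1 users lose every show command.
privilege exec level 5 show ip route
privilege exec level 5 show ip interface brief
privilege exec level 5 show interfaces
privilege exec level 5 show logging
privilege exec level 1 show ip
!
! Nothing under "configure" is assigned to level 5: write access to the
! configuration is equivalent to level 15.
!
! Individual level 1 account for audit attribution. The site admin types
! "enable 5" plus the level 5 secret to reach the new level, and can confirm
! it with "show privilege". Assumes IOS with "username ... secret" support.
username site-admin privilege 1 secret S1te-Adm1n-pl4ceholder
```

After applying this, log in as the level 1 user and check with show privilege before and after enable 5 that the user lands at level 1 and can only reach level 5 with the level 5 secret; the level 15 secret should still be required for configure terminal.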


There are two password protection schemes in Cisco IOS. Type 7 uses a Cisco-defined encoding that is well known in the security community to be weak: it is a reversible scramble rather than encryption, and the plaintext can be recovered directly from the stored string. Type 5 uses a salted MD5 hash, which is much stronger.

Cisco recommends that Type 5 be used instead of Type 7 wherever possible.
Type 7 is what the enable password, username ... password and line password commands store.

To protect the privileged EXEC level as much as possible, do not use the enable password command; use only the enable secret command.

Even when an enable secret is set, do not also set an enable password: it will not be used for login, and because it is stored as reversible Type 7 it may give away a password that is reused elsewhere.

(config)#enable secret 2-mAny-pAssw0rDs
(config)#no enable password

Because older IOS releases cannot use Type 5 on the default EXEC login or the username command (releases from 12.2(8)T onwards add username name secret, which does store a Type 5 hash), no user account should be created above privilege level 1. User accounts should still be created, though, for auditing purposes.

So the username command should be used to create individual user accounts at the EXEC level, and the higher privilege levels should be protected with enable secret passwords. I do not much like this arrangement, though, and would recommend the authenticate, authorize, and audit (AAA) security model if you have user accounts accessing privilege level 1.

Good security practice dictates some other rules for passwords.
The privileged EXEC secret password should not match any other user password or any other enable secret password.

Enable service password-encryption; this converts plaintext passwords in the configuration to Type 7, which keeps passers-by from reading them when the configuration is displayed on your screen, but it is no protection against anyone who obtains a copy of the configuration file.

Be aware that there are some secret values (SNMP community strings, for example) that service password-encryption does not protect.

Never set any of these secret values to the same string as any other password.
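To make the Type 7 weakness concrete, and to check a saved configuration for the mistakes discussed above (Type 7 and plaintext passwords, an enable password set alongside the enable secret, the same password reused in several places), here is a small audit script. It is an added example, not code from the original post or from Cisco. It assumes the input is the text of show running-config; the sample configuration inside it is constructed for the example, and its Type 5 values are placeholders of the right shape rather than real hashes.

```python
"""Audit a Cisco IOS configuration for weak credential storage.

Added example, not code from the original post. Assumptions: the input is
the text of 'show running-config'; the sample config below is constructed,
and its Type 5 values are placeholders of the right shape, not real hashes.
"""
import re

# Fixed, public constant that IOS XORs passwords with for Type 7. Because the
# key never changes, anyone who can read the config can read the password.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Recover the plaintext behind a Type 7 string.

    Layout: two decimal digits giving the start offset into TYPE7_KEY, then
    one hex byte pair per character, each XORed with the next key byte.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("malformed type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain, offset=0):
    """Build a Type 7 string; shows the scheme is symmetric, not one-way."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS only uses start offsets 0-15")
    scrambled = bytes(ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                      for i, c in enumerate(plain))
    return "%02d%s" % (offset, scrambled.hex().upper())


# One credential-carrying line: 'enable password|secret',
# 'username NAME [privilege N] password|secret', or a line-mode 'password'.
# 'type' is the storage type digit; it is absent on old-style plaintext lines.
CRED_RE = re.compile(
    r"^\s*(?P<cmd>enable (?:password|secret)"
    r"|username \S+(?: privilege \d+)? (?:password|secret)"
    r"|password)"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def audit_config(config_text):
    """Return (line, command, kind, recovered plaintext) for each weak line.

    kind is 'plaintext' (type 0 or no type), 'type7' (reversed here) or
    'type7-malformed'. Type 5 secrets are not reported. Any 'enable password'
    line is weak by construction, since that command cannot store Type 5.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(raw)
        if not m:
            continue
        command = re.sub(r" privilege \d+", "", m.group("cmd"))
        ptype, value = m.group("type"), m.group("value")
        if ptype in (None, "0"):
            findings.append((lineno, command, "plaintext", value))
        elif ptype == "7":
            try:
                findings.append((lineno, command, "type7", type7_decode(value)))
            except ValueError:
                findings.append((lineno, command, "type7-malformed", None))
    return findings


def reused_passwords(findings):
    """Map each recovered plaintext used on more than one line to those lines."""
    seen = {}
    for lineno, _command, _kind, plain in findings:
        if plain is not None:
            seen.setdefault(plain, []).append(lineno)
    return {plain: lines for plain, lines in seen.items() if len(lines) > 1}


# Constructed sample, not a real device; the $1$ strings are placeholders.
SAMPLE_CONFIG = """\
! constructed sample configuration for this example
hostname edge-rtr
service password-encryption
enable secret 5 $1$abcd$0123456789abcdefghijkl
enable password 7 060506324F41
username audit privilege 1 password 7 060506324F41
username ops secret 5 $1$wxyz$zyxwvutsrqponmlkjihgfe
line vty 0 4
 password cisco
 login
"""

if __name__ == "__main__":
    found = audit_config(SAMPLE_CONFIG)
    for lineno, command, kind, plain in found:
        print("line %2d  %-24s %-10s %s" % (lineno, command, kind, plain))
    for plain, lines in reused_passwords(found).items():
        print("password %r is reused on lines %s" % (plain, lines))
```

Run against the sample, the script recovers "cisco" from both Type 7 strings and the plaintext vty password, and reports that the same password is reused on three lines; the two Type 5 lines are not reported. The point to take from it is that service password-encryption changes nothing about what an attacker learns from a leaked configuration, so the rules above about distinct passwords per level and per account matter regardless of how the strings look in the file.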

Avoid dictionary words, names, or dates. Always include at least one of each of the following: lowercase letters, uppercase letters, digits, and special characters.

Make all passwords at least eight characters long. Avoid more than 4 digits or same-case letters in a row.

Do not create any user accounts without passwords!!! If you do, you should be shot, as you know only bad things can happen.

Note: enable secret and username passwords may be up to 25 characters long including spaces.

So if this was all clear, you should have an outline of what you need to do.
I may follow this posting with some step-by-step guides later.
