Cisco IOS provides 16 privilege levels, numbered 0 through 15. By default only
two of them are used: user EXEC mode runs at privilege level 1, and privileged
EXEC mode runs at level 15. Every IOS command is pre-assigned to one of these
two levels. Cisco's default assignment leaves a few commands at user EXEC level
1 that, in terms of security, belong at a higher privilege level.
The figure shows how to move such level 1 user EXEC commands up to level 15
privileged EXEC mode, which yields a more restrictive (and therefore more
secure) user EXEC mode. The last line is required because IOS moves a command's
parent keywords along with it: raising a show ip subcommand to level 15 also
raises the show ip and show keywords, so show ip must be explicitly returned to
level 1 or the ordinary show commands become unavailable to level 1 users.
A site might also want to set up more than the two default levels of
administrative access on its routers, for example an intermediate level for
operators who need a handful of privileged commands but not configuration
access.
There are several considerations to keep in mind when
customizing privilege levels:
- Do not use the username command to set up accounts
above level 1. Instead, use the enable secret level command to set a password
for each level, so that administrators log in at level 1 and then enable up to
the level they need.
- Be very careful about moving too much access down from level 15; every
command moved down is a potential security hole.
- Be very careful about moving any part of the configure
command down from level 15. Once a user has write access to the configuration,
they can leverage it to acquire greater access, for example by changing
privilege assignments or passwords.
Accounts
First, give each administrator an individual login account on the router. When
an administrator logs in with a user name and changes the configuration, the
log message that is generated includes the name of the login account that was
used, so the change is attributable to a person. Login accounts created with
the username command should be assigned privilege level 1. In addition, do not
create any user accounts without passwords. When an administrator no longer
needs access to the router, delete the account. The figure shows how to create
local user accounts for users named 'rsmith' and 'bjones' and remove the local
user named 'brian'. In general, allow only the accounts that are required on
the router, and minimize the number of users with access to configuration
mode.
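The fragment below is an added example of the account handling described above, not the guide's own figure. It creates the two level 1 accounts, removes the stale one, and points the console and VTY lines at the local user database so that logins, and the configuration-change log messages they produce, carry the account name. The user names follow the text; the secrets, the line ranges, and the sample log line (with a documentation-range address) are constructed. It assumes an IOS release that supports the `secret` keyword on `username`; on older releases use `password` together with `service password-encryption`.

```cisco
! Added example, not the guide's own figure; the secrets are placeholders.
! One level 1 account per administrator, each with a password. "secret" stores
! an MD5 hash rather than the reversible type 7 encoding used by "password".
username rsmith privilege 1 secret <rsmith-secret>
username bjones privilege 1 secret <bjones-secret>
! Delete the account of an administrator who no longer needs access.
no username brian
!
! Authenticate console and VTY logins against the local user database so the
! configuration-change message names the account, for example (constructed):
!   %SYS-5-CONFIG_I: Configured from console by rsmith on vty0 (192.0.2.10)
line con 0
 login local
line vty 0 4
 login local
```

Check the result with `show running-config | include username` to confirm that every remaining account has a secret and that none is assigned a privilege above 1.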