Tuesday, 7 January 2014

Secure Your Cisco: Custom Privilege Levels

Custom Privilege Levels

When you log into your Cisco, you are logging in at privilege level 1. You can check this by typing "show privilege":

 Router>show privilege   
 Current privilege level is 1  
 Router>  

When you log in to the privileged exec shell, you by default log in on privilege level 15:

 Router>enable  
 Router#show privilege   
 Current privilege level is 15  
 Router#  

At privilege level 15 we have all of the most important commands, the ones we don't necessarily want users logged in at a lower privilege level to have access to. We can also move commands up from privilege level 1; perhaps we want a network assistant to have access to commands that we don't want other techs to be able to use. This is where the levels between 1 and 15 come in.

We might want to prevent a user at level 1 from using the ping command, for whatever reason. We'll test first of all that we currently have access to the command:

 Router>show privilege   
 Current privilege level is 1  
 Router>ping 192.168.1.2  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms  

If we want to take the ability away from users at privilege level 1, we first need to create the new privilege level:

 Router#config t  
 Enter configuration commands, one per line. End with CNTL/Z.  
 Router(config)#enable secret level 5 0 topsecret  

If you check now in your running config you will see a new entry for privilege level 5. Next, we need to move the command away from privilege level 1 and up to our newly created level 5:

 Router#conf t  
 Enter configuration commands, one per line. End with CNTL/Z.  
 Router(config)#privilege exec level 5 ping  

Let's test this by seeing if we can still use ping at level 1:

 Router>ping  
 Translating "ping"...domain server (255.255.255.255)  
  (255.255.255.255)  
 Translating "ping"...domain server (255.255.255.255)  
 % Unknown command or computer name, or unable to find computer address  
 Router>  

The ping command no longer even shows up in the interactive help:

 Router>pin?  
 % Unrecognized command  
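Putting the two configuration steps together, here is the complete configuration for this setup as an added example (it is not from the original post). It assumes a hypothetical local user "netassist" with a placeholder password who should land directly in level 5 so they can ping without being given full level-15 access, and that the vty lines use local login so that username applies. The level-5 enable secret reuses the "topsecret" value from the post above.

```cisco
! Added example, not from the original post.
! 1. Create privilege level 5 with its own enable secret ("0" means the
!    password is typed in clear text; IOS stores it hashed).
enable secret level 5 0 topsecret
!
! 2. Move ping from level 1 up to level 5. Levels 5 through 15 keep the
!    command; level 1 loses it.
privilege exec level 5 ping
!
! 3. Hypothetical assistant account that logs straight in at level 5
!    (placeholder name and password, change before use).
username netassist privilege 5 secret ChangeMe-Placeholder
!
! 4. Make the vty lines use the local username database.
line vty 0 4
 login local
!
! Verification (this part is an exec session, not configuration):
!   Router>enable 5
!   Password: topsecret
!   Router#show privilege
!   Current privilege level is 5
!   Router#ping 192.168.1.2
!   !!!!!
!   Router#disable
!   Router>ping
!   % Unknown command or computer name, or unable to find computer address
```

The check a practitioner wants after applying this is in the verification section: "enable 5" (rather than plain "enable", which goes to level 15) followed by "show privilege" confirms you are at level 5, ping works there, and "disable" drops back to level 1 where ping is gone again. Note that the prompt shows "#" at any level above 1, so the prompt alone does not tell you whether a session is at level 5 or level 15; always confirm with "show privilege". Also confirm that "show running-config" contains the "privilege exec level 5 ping" line, since that is what an auditor will look for when reviewing who can do what on the device.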

As a sidenote, I found that this didn't work in Packet Tracer, but it does work in GNS3. There are a few commands that I found don't work in Packet Tracer so I'm now trying to get my labs set up in GNS3 as I continue my studies.
