1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15'

Information

Sets the privilege level for the user.

Rationale:

The default device configuration does not require strong user authentication, potentially giving unfettered access to an attacker who is able to reach the device. A local account created with privilege level 1 permissions can only access the device with EXEC-level permissions and is unable to modify the device without using the enable password. In addition, require the use of an encrypted password (see Section 1.1.4.4 - Require Encrypted User Passwords).

Impact:

Organizations should create policies requiring all local accounts to be set to 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device.

Solution

Set the local user to privilege level 1.

hostname(config)#username <LOCAL_USERNAME> privilege 1
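The following is an added example, not part of the benchmark text or the audit plugin: a small offline check that scans a saved running configuration for local users at privilege levels 2-15 and prints the remediation command from the Solution above for each. The function names and the sample configuration are constructed for illustration, and the script assumes a `username` line without a `privilege` keyword is at the default level 1.

```python
import re

USERNAME_RE = re.compile(r"^\s*username\s+(\S+)(.*)$", re.IGNORECASE)
PRIVILEGE_RE = re.compile(r"\bprivilege\s+(\d+)\b", re.IGNORECASE)
# Everything after these keywords is credential material, not options.
CREDENTIAL_SPLIT_RE = re.compile(r"\s(?:secret|password)\s", re.IGNORECASE)

# Constructed sample configuration (hashes are placeholders).
SAMPLE_CONFIG = """\
hostname R1
username netops privilege 15 secret 9 $9$constructedhash
username auditor secret 9 $9$constructedhash
username helpdesk privilege 1 secret 9 $9$constructedhash
username backup privilege 7 password 7 0000constructed
line vty 0 4
 login local
"""


def find_privileged_users(config_text):
    """Return {username: level} for local users whose privilege is 2-15."""
    levels = {}
    for line in config_text.splitlines():
        match = USERNAME_RE.match(line)
        if not match:
            continue
        name, rest = match.group(1), match.group(2)
        # Only inspect options that precede the credential, so a password
        # string can never be mistaken for a privilege setting.
        options = CREDENTIAL_SPLIT_RE.split(rest, maxsplit=1)[0]
        priv = PRIVILEGE_RE.search(options)
        # Assumption: no 'privilege' keyword means the default level 1.
        level = int(priv.group(1)) if priv else 1
        # A user may appear on several lines; keep the highest level seen.
        levels[name] = max(level, levels.get(name, 0))
    return {n: lvl for n, lvl in levels.items() if 2 <= lvl <= 15}


def remediation_commands(findings):
    """Build the config-mode command from the Solution for each finding."""
    return [f"username {name} privilege 1" for name in sorted(findings)]


if __name__ == "__main__":
    findings = find_privileged_users(SAMPLE_CONFIG)
    for user, level in sorted(findings.items()):
        print(f"FAIL: {user} has privilege {level}")
    for cmd in remediation_commands(findings):
        print(f"hostname(config)#{cmd}")
```

An empty result from `find_privileged_users` corresponds to the 'No users with privileges 2-15' pass condition in the item title.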

See Also

https://workbench.cisecurity.org/files/3829

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4

Plugin: Cisco

Control ID: 3e7bf79cb3b8690c8bbf71ea3956a13bd0a5cec23640ca10dac513a739bd50c6