1.4.1 Set 'password' for 'enable secret'

Information

Use the enable secret command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a nonreversible cryptographic function. The added layer of security encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server.

Rationale:

Requiring the enable secret setting protects privileged EXEC mode. By default, a strong password is not required, a user can just press the Enter key at the Password prompt to start privileged mode. The enable password command causes the device to enforce use of a password to access privileged mode. Enable secrets use a one-way cryptographic hash (MD5). This is preferred to Level 7 enable passwords that use a weak, well-known, and easily reversible encryption algorithm.

Impact:

Organizations should protect privileged EXEC mode through policies requiring the 'enabling secret' setting, which enforces a one-way cryptographic hash (MD5).

Solution

Configure a strong, enable secret password.

hostname(config)#enable secret {ENABLE_SECRET_PASSWORD}

Default Value:

No enable secret password setup by default

See Also

https://workbench.cisecurity.org/files/3801

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: Cisco

Control ID: 2ff503fcc0a07c311014a075cc7ca8b7f79b184e8b4cede47ee457d0c493c303