1.2.3 Set 'no exec' for 'line aux 0'

Information

The 'no exec' command restricts a line to outgoing connections only.

Rationale:

Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.

Impact:

Organizations can reduce the risk of unauthorized access by disabling the 'aux' port with the 'no exec' command. Conversely, not restricting access through the 'aux' port increases the risk of remote unauthorized access.

Solution

Disable the EXEC process on the auxiliary port.

hostname(config)#line aux 0
hostname(config-line)#no exec

See Also

https://workbench.cisecurity.org/files/3801

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, CSCv7|9.2

Plugin: Cisco

Control ID: fec73f5746d1bc805e9fed77403af5bdcf4c796d179fef552952f62c816a7f95