6.9.2 Ensure Root Password is Unique

Information

The Root Password should be unique.

Rationale:

Because of the rights associated with the Root user account, it must be protected rigorously to prevent malicious users from taking ownership of the router.

Using the same password for an individual user account, or for any other purpose, exposes the highly privileged Root account to abuse by whoever holds that password, and means the Root password must be changed manually should that user leave the organization.

A further risk comes from the weaker hashing algorithm that may protect other system passwords. Some JUNOS systems and external AAA platforms still store passwords with MD5, a demonstrably weaker hash function than the SHA1 used for the Root password. If the Root password is reused for one of those accounts, an attacker who obtains the password store can crack the weaker MD5 hash and recover the Root password without ever attacking the Root hash itself.

Finally, the Root password should not be reused on other systems, including other routers, and should be stored securely, for example in a password manager. If the same Root password were used across all routers and other systems in your network, the compromise of one host could lead to the compromise of all of them.

Impact:

Root authentication must be set before JUNOS will allow the first commit on a new system. Ensure that, while the Root password is complex, it is safely stored in a password vault (or otherwise reliably retained): it will be required to access the system until other accounts are configured, and for certain tasks thereafter.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Users will generally be prompted to set the Root password during initial setup of the router; a password may also be set from the CLI, using either of the two methods below, from the [edit system] hierarchy. To enter a new Root password in plain text, type:

[edit system]
user@host# set root-authentication plain-text-password

You will be prompted to enter the new password twice and, if the two entries match, JUNOS stores a salted SHA1 hash of the password in the configuration. The prefix of the stored hash (for example $sha1$) shows which algorithm the running release actually applied; it is selected by the password format statement under [edit system login], and the committed value can be reviewed with show configuration system root-authentication. If you already have a SHA1 hash of your Root password (from an existing router configuration, for example), enter the following command:

[edit system]
user@host# set root-authentication encrypted-password '<SHA1 hash>'

Note that pasting a hash taken from a different router reuses that router's Root password, which the Rationale above advises against; the encrypted-password form is intended for restoring a device's own configuration.
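As an added example that is not part of this audit item, of the CIS benchmark, or of JUNOS itself, the following Python script applies the checks described in the Rationale and Solution to exported configurations. It parses "show configuration | display set" output from several routers, classifies each Root hash by its prefix, flags a Root hash that appears verbatim in a local user account (the per-user reuse the Rationale warns about) or on more than one device (the cross-router reuse that pasting an encrypted-password invites), and flags a Root hash stored under MD5. The device names and every hash string are constructed for the example and are not real password hashes.

```python
"""Audit exported Junos configurations for a reused or weakly hashed root password.

Added example, not part of the CIS benchmark or the Tenable audit item.  Input is
the output of "show configuration | display set" for each device.  All device
names and hash strings below are constructed for the example; none is a real hash.
"""
import re
from collections import defaultdict

# Lines as printed by "display set".  A trailing "## SECRET-DATA" comment, if
# present, is ignored because the capture stops at the closing quote.
ROOT_RE = re.compile(r'^set system root-authentication encrypted-password "([^"]+)"')
USER_RE = re.compile(
    r'^set system login user (\S+) authentication encrypted-password "([^"]+)"'
)

# Prefixes Junos writes for the algorithms selectable with
# "set system login password format <md5|sha1|sha256|sha512>".
ALGORITHMS = {"$1$": "md5", "$sha1$": "sha1", "$5$": "sha256", "$6$": "sha512"}
WEAK = {"md5", "unknown"}

# Constructed sample: one root hash copied into a local user and onto a second
# router; a third router with an MD5 root hash; a template with no root set.
ROOT_HASH_SHARED = "$sha1$19$Q1w2e3r4$uJ0GlhaLIlrPv0Lq8JUV8wZ04r8"
CONFIGS = {
    "rtr-edge-1": f"""
set system root-authentication encrypted-password "{ROOT_HASH_SHARED}"
set system login user netops uid 2001
set system login user netops class super-user
set system login user netops authentication encrypted-password "{ROOT_HASH_SHARED}"
set system login user backup authentication encrypted-password "$1$zx9Lm2Qa$5kXo7c4bYn1Ppv3mTq8dZ/"
""",
    "rtr-edge-2": f"""
set system root-authentication encrypted-password "{ROOT_HASH_SHARED}"
set system login user netops authentication encrypted-password "$sha1$19$Hj7Kd2Pq$Gv8nR2tYq0sLx4WmBc1eFa5JdK9"
""",
    "rtr-core-1": """
set system root-authentication encrypted-password "$1$Ab3dEf9h$Qw2Er4Ty6Ui8Op0As1Df2G/"
set system login user netops authentication encrypted-password "$6$Mn3Bv5Cx$Zx1Cv3Bn5Mq7Wr9Ty1Ui3Op5As7Df9Gh1Jk3Lz5Xc7Vb9Nm1Qw3Er5Ty7Ui9Op1As3"
""",
    "rtr-lab-1": """
set system login user netops authentication encrypted-password "$6$Pl0Ok9Ij$Uy7Tr5Ew3Qa1Zs2Xd4Cf6Vg8Bh0Nj2Mk4Lo6Pi8Uy0Tr2Ew4Qa6Zs8Xd0Cf2Vg4B"
""",
}


def hash_algorithm(hash_string):
    """Map a crypt-style hash string to the algorithm its prefix denotes."""
    for prefix, name in ALGORITHMS.items():
        if hash_string.startswith(prefix):
            return name
    return "unknown"


def parse_credentials(config_text):
    """Return (root_hash_or_None, {username: hash}) from display-set output."""
    root_hash, users = None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ROOT_RE.match(line)
        if m:
            root_hash = m.group(1)
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
    return root_hash, users


def audit(configs):
    """Return (device, finding, detail) tuples for every violation found.

    Crypt hashes are salted, so equal strings mean a hash was copied verbatim.
    The same plaintext set independently on two accounts produces different
    strings and is not caught here; that needs a check against the vaulted
    plaintext using each account's own salt.
    """
    findings = []
    root_by_device = {}
    for device, text in configs.items():
        root_hash, users = parse_credentials(text)
        if root_hash is None:
            findings.append((device, "root-missing", None))
            continue
        root_by_device[device] = root_hash
        algorithm = hash_algorithm(root_hash)
        if algorithm in WEAK:
            findings.append((device, "root-weak-hash", algorithm))
        for user, user_hash in users.items():
            if user_hash == root_hash:
                findings.append((device, "root-hash-reused-by-user", user))
    # The same root hash string on several devices means one hash was pasted around.
    devices_by_hash = defaultdict(list)
    for device, root_hash in root_by_device.items():
        devices_by_hash[root_hash].append(device)
    for devices in devices_by_hash.values():
        if len(devices) > 1:
            findings.append(("*", "root-hash-shared-across-devices", tuple(sorted(devices))))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(finding)
```

To run this against real devices, collect "show configuration | display set | match encrypted-password" from each router into the CONFIGS mapping. Because each stored hash carries its own random salt, the string comparison only detects a hash that was copied verbatim; confirming that the Root plaintext is not in use under a different salt requires the vaulted password and a crypt routine for each algorithm, which is deliberately left out here.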

If J-Web is installed on your router, the Root password may also be changed through the Configuration > Quick Configuration > Setup page.

Default Value:

Root authentication is blank by default, but must be set before JUNOS will allow the first configuration to be committed.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Juniper

Control ID: c730e1fe7bb39423783eb54dfdf8b0981809940ec6f8445aa397725f637f4844