Disabling Password Recovery - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 43
Troubleshooting the Security Appliance
Performing Password Recovery
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor> address 10.21.1.99
address 10.21.1.99
monitor> server 172.18.125.3
server 172.18.125.3
monitor> file np70.bin
file np52.bin
monitor> gateway 10.21.1.1
gateway 10.21.1.1
monitor> ping 172.18.125.3
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np52.bin@172.18.125.3 via 10.21.1.1...................................
Received 73728 bytes
Cisco PIX password tool (4.0) #0: Tue Aug 22 23:22:19 PDT 2005
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Rebooting....

Disabling Password Recovery

You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance. To disable password recovery, enter the following command:

hostname(config)# no service password-recovery

On the ASA 5500 series adaptive security appliance, the no service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the security appliance prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting.

If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), then the security appliance changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password-recovery command replicates to the standby unit.
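As an added example that is not part of the Cisco guide, the following Python script audits captured show running-config output from several appliances and reports any unit on which the ROMMON-based recovery path is still available. The hostnames and configuration snippets are constructed; because the guide states that the line in the configuration file is informational and the effective setting lives in NVRAM, the script assumes the text was captured live from each device rather than read from a backup file.

```python
import re

# Constructed sample captures of "show running-config" from two appliances.
# Hostnames and contents are hypothetical, not taken from the manual.
CONFIGS = {
    "fw-edge-1": """\
: Saved
:
hostname fw-edge-1
no service password-recovery
!
""",
    "fw-lab-2": """\
: Saved
:
hostname fw-lab-2
service password-recovery
!
""",
}

# Matches either form of the command on its own line; group(1) holds "no " when present.
LINE_RE = re.compile(r"^[ \t]*(no[ \t]+)?service[ \t]+password-recovery[ \t]*$", re.MULTILINE)


def password_recovery_enabled(config_text):
    """Return True if recovery is enabled, False if disabled, None if the line is absent."""
    match = LINE_RE.search(config_text)
    if match is None:
        return None
    return match.group(1) is None


def audit(configs):
    """Return (hostname, finding) pairs for devices that still permit password recovery."""
    findings = []
    for host, text in configs.items():
        state = password_recovery_enabled(text)
        if state is None:
            findings.append((host, "setting not visible in capture; verify at the CLI"))
        elif state:
            findings.append((host, "password recovery enabled: ROMMON can be entered with the configuration intact"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(CONFIGS):
        print(f"{host}: {finding}")
```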
On the PIX 500 series security appliance, the no service password-recovery command forces the PIX
password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password
tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security
appliance reloads. Because password recovery depends on maintaining the existing configuration, this
Cisco Security Appliance Command Line Configuration Guide
43-9
OL-10088-01