https://community.extremenetworks.com/t5/extremeswitching-exos-switch/disable-password-recovery-and-factory-reset-through-console-port/m-p/57177#M16887 Hello,<BR /> How can I disable password recovery and configuration removal through boot menu on Extreme Switches? Its a security risk as anyone can connect to the console port and undo all the configuration. Sun, 24 Apr 2016 13:22:00 GMT f3rha4n 2016-04-24T13:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/disable-password-recovery-and-factory-reset-through-console-port/m-p/57177#M16887 Hello,<BR /> How can I disable password recovery and configuration removal through boot menu on Extreme Switches? Its a security risk as anyone can connect to the console port and undo all the configuration. Sun, 24 Apr 2016 13:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/disable-password-recovery-and-factory-reset-through-console-port/m-p/57177#M16887 f3rha4n 2016-04-24T13:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/disable-password-recovery-and-factory-reset-through-console-port/m-p/57178#M16888 I don't think there is any way to prevent this - which is actually a good thing; you need to be able to recover a switch for a number of very legitimate reasons sometimes.<BR /> <BR /> There was a recent version of the boot menu that disabled 'config none' - and a lot of people complained to the TAC and this was reversed (the only way to recover one of those switches was a very slow erase and TFTP new code onto it).<BR /> <BR /> If someone has physical access to your infrastructure, no amount of clever software features are going to close that security hole. I would expect that someone erasing the configuration would cause an outage more than being a security risk to you though?<BR /> <BR /> Paul.<BR /> <BR /> Sun, 24 Apr 2016 13:37:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/disable-password-recovery-and-factory-reset-through-console-port/m-p/57178#M16888 Paul_Thornton 2016-04-24T13:37:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/disable-password-recovery-and-factory-reset-through-console-port/m-p/57179#M16889 other vendors have similar options to counter this risk, like in cicso you can prevent the NVRAM register value to be changed. I think the option should be there and it should be up to the customer whether they want to implement it or not. Sun, 24 Apr 2016 14:27:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/disable-password-recovery-and-factory-reset-through-console-port/m-p/57179#M16889 f3rha4n 2016-04-24T14:27:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/disable-password-recovery-and-factory-reset-through-console-port/m-p/57180#M16890 To be fair, there's a big difference between changing the config register and then booting a Cisco to selecting no config in the EXOS bootrom.<BR /> <BR /> If you change the confreg, you can boot and get to the config with no password trivially with a 'show conf'; this isn't possible on EXOS - the switch will boot with a default config and there is no way to show the non-booted configuration.<BR /> <BR /> I may be missing an attack vector here, and if so I apologise; but I still think that if someone has physical access to a device then you have a much harder job to secure it. I could, for example, de-solder the flash chips and read them directly if I have the switch - you'd notice that for sure, but you can't prevent that even with encryption because the keys would also have to be there, so the switch could decrypt the config on boot <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> <BR /> Paul.<BR /> Sun, 24 Apr 2016 16:06:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/disable-password-recovery-and-factory-reset-through-console-port/m-p/57180#M16890 Paul_Thornton 2016-04-24T16:06:00Z