How to delete enable_15 on Cisco ASA

I have been audited for PCI and the auditor wants me to delete the enable_15 user on our ASAs. I have added other privilege level 15 accounts, and when I log in as the new user to the ASDM, I do not have the option of removing that username. How can I delete it?
jbla9028 Asked:
 
Ernie Beek (Expert) Commented:
Ah got it.
This is an (implicit) default account which cannot be removed. It's used to give you complete access to the firewall when you issue the 'enable' command. I.e. user gone: access gone: can't configure the firewall anymore.

There are ways to make sure users don't need to use this enable password, have a look at this:
http://cisconews.co.uk/2008/01/11/asa-7x-local-users/

Quote:

'The recommended method is to configure authentication for the enable command as follows:

Firewall(config)# aaa authentication enable console LOCAL

This forces users into their assigned privileged level by requiring their own password instead of the enable one. For example, typing the enable command from user EXEC mode now requires the user’s password, not the enable password. There is no indication of this to the user as the prompt is the same. Used in conjunction with local command authorization, this provides a basic level of security to the administration of your ASA.'
0
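
An added example, not part of the thread or of any Cisco tooling: because enable_15 is implicit and cannot be removed, a check over a saved running-config can show an auditor that `enable` is tied to per-user passwords and which accounts hold privilege 15. The sample config, the function name and the report keys are constructed for illustration; users without a `privilege` keyword are treated as level 2, the ASA default.

```python
import re

# Constructed sample of a saved ASA running-config; hashes are placeholders.
SAMPLE_CONFIG = """\
hostname fw01
enable password PLACEHOLDERHASH encrypted
username alice password PLACEHOLDERHASH encrypted privilege 15
username alice attributes
 service-type admin
username bob password PLACEHOLDERHASH encrypted privilege 5
username carol password PLACEHOLDERHASH encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")
DEFAULT_PRIVILEGE = 2  # ASA default when no "privilege" keyword is given


def audit_asa_config(text):
    """Summarise local-account and enable-authentication settings."""
    lines = [" ".join(ln.split()) for ln in text.splitlines()]
    users = {}
    for ln in lines:
        m = USER_RE.match(ln)
        # "username X attributes" opens a sub-mode; it is not an account line.
        if not m or m.group(2).startswith("attributes"):
            continue
        p = PRIV_RE.search(m.group(2))
        users[m.group(1)] = int(p.group(1)) if p else DEFAULT_PRIVILEGE
    return {
        # enable asks for the user's own password, not the shared one
        "enable_uses_local": "aaa authentication enable console LOCAL" in lines,
        # local command authorization, mentioned in the quoted article
        "command_authz_local": "aaa authorization command LOCAL" in lines,
        "priv15_users": sorted(u for u, lvl in users.items() if lvl == 15),
        # enable_15 is implicit, so it should never appear as a username line
        "enable_15_in_config": "enable_15" in users,
    }


if __name__ == "__main__":
    for key, value in audit_asa_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
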
 
Ernie Beek (Expert) Commented:
Have you tried it through the CLI?
0
 
jbla9028 (Author) Commented:
What commands do I have to run to delete the username?
0
 
Ernie Beek (Expert) Commented:
-log in to the asa
-type: enable
-give password
-type: conf t
-type: wr t

It will now show your configuration; find the line with the user enable_15.
Copy this line and paste it back putting: no in front of it.

Like no user enable_15 blahblah

-commit to memory: wr mem

That should do it
0
 
jbla9028 (Author) Commented:
Doesn't seem to "know" there's a username in the CLI. I type

config t
no user enable_15

I get this output

ERROR: username <enable_15> does not exist

It does not show up in the running config as a user?
0
 
Ernie Beek (Expert) Commented:
So do you have a user which looks like that (for example ena_15)? Or do you just see the users you created?
0
 
jbla9028 (Author) Commented:
I just see the users I've created but in the ASDM I see this enable_15 user and the auditor wants me to remove it.
0
 
Istvan Kalmar (Head of IT Security Division) Commented:
The username enable_15 shows in ASDM by default, but it is not a real username!
0
 
jbla9028 (Author) Commented:
So is it a bug?
0
 
jbla9028 (Author) Commented:
Thanks
0