?
Solved

how to delete enable_15 on cisco ASA

Posted on 2010-11-17
10
Medium Priority
?
9,077 Views
Last Modified: 2012-05-10
I have been audited for PCI and the auditor wants me to delete the enable_15 user on our ASAs. I have added other privilege level 15 accounts and when I login as the new user to the asdm,  I do not have the option of removing that username. How can I delete it?
0
Comment
Question by:jbla9028
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34157665
Have you tried it through the CLI?
0
 
LVL 1

Author Comment

by:jbla9028
ID: 34157720
what commands do I have to run to delete the username?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34157811
-log in to the asa
-type: enable
-give password
-type: conf t
-type: wr t

It will now show your configuration, fine the line with the user enable_15
Copy this line and paste it back putting: no in front of it.

Like no user enable_15 blahblah

-commit to memory: wr mem

That should do it
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 1

Author Comment

by:jbla9028
ID: 34157835
doesn't seem to "know" there's a username in the CLI. I type

config t
no user enable_15

I get this output

ERROR: username <enable_15> does not exist

it does not show up in the running config as a user?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34157888
So do you have a user which looks like that (for example ena_15)? or do you just see the users you created?
0
 
LVL 1

Author Comment

by:jbla9028
ID: 34157915
I just see the users I've created but in the ASDM I see this enable_15 user and the auditor wants me to remove it.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34158200
username enable_15 defaulty showing ASDM, but not real username!
0
 
LVL 1

Author Comment

by:jbla9028
ID: 34158207
so is it a bug?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 34158291
Ah got it.
This is a (implicit) default account which cannot be removed. It's used to give you complete access to the firewall when you issue hte 'enable' command. i.e. user gone: access gone: can't configure the firewall anymore.

There are ways to make sure users don't need to use this enable password, have a look at this:
http://cisconews.co.uk/2008/01/11/asa-7x-local-users/

Quote:

'The recommended method is to configure authentication for the enable command as follows:

Firewall(config)# aaa authentication enable console LOCAL

This forces users into their assigned privileged level by requiring their own password instead of the enable one. For example, typing the enable command from user EXEC mode now requires the user’s password, not the enable password. There is no indication of this to the user as the prompt is the same. Used in conjunction with local command authorization, this provides a basic level of security to the administration of your ASA.'
0
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 34159676
thanks
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question