Check: CISR-ND-000062
Cisco IOS XE Release 3 NDM STIG: CISR-ND-000062 (in versions v1 r5 through v1 r4)
Title
The Cisco IOS XE router must store only encrypted representations of passwords. (Cat II impact)
Discussion
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices must enforce password encryption when storing passwords.
Check Content
Verify that the Cisco IOS XE router has password encryption enabled. The configuration should look similar to the example below:

password encryption aes
service password-encryption

If password encryption is not enabled, this is a finding.
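The check above, automated over a saved running configuration, as an added example that is not part of the STIG text. The function name `audit_password_storage` and the sample configurations are constructed for illustration, and treating a missing line from the check's example, or a credential stored with type 0 or no type digit, as a finding is an assumption about how to read the check.

```python
import re

# The two lines the check's example shows in a compliant configuration.
EXPECTED = ("password encryption aes", "service password-encryption")

# "password"/"secret" keyword, optional encryption-type digit, then the value.
_CRED = re.compile(r"\b(?:password|secret)\s+(?:(\d)\s+)?(\S+)")


def audit_password_storage(running_config):
    """Return missing expected lines, clear-text credential lines, and a verdict."""
    active = [ln.strip() for ln in running_config.splitlines()]
    active = [ln for ln in active if ln and not ln.startswith("!")]
    # Exact-line match, so "no service password-encryption" does not count.
    missing = [cmd for cmd in EXPECTED if cmd not in active]
    cleartext = []
    for ln in active:
        if ln in EXPECTED:
            continue
        m = _CRED.search(ln)
        # No type digit, or type 0, means the value is stored as typed.
        if m and m.group(1) in (None, "0"):
            # Report the line without echoing the secret itself.
            cleartext.append(ln[:m.start(2)] + "<redacted>")
    return {"missing": missing, "cleartext": cleartext,
            "finding": bool(missing or cleartext)}


# Constructed sample configurations (not taken from a real device).
COMPLIANT = """\
service password-encryption
password encryption aes
!
enable secret 9 $9$constructedSalt$constructedHash
username admin privilege 15 password 7 0312345A6B7C8D
line vty 0 4
 password 7 0312345A6B7C8D
"""

NON_COMPLIANT = """\
no service password-encryption
!
enable password Example123
username ops password 0 Example456
username admin secret 9 $9$constructedSalt$constructedHash
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, audit_password_storage(cfg))
```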
Fix Text
Add the following command to encrypt local passwords:

service password-encryption
Additional Identifiers
Rule ID: SV-88697r2_rule
Vulnerability ID: V-74023
Group Title: SRG-APP-000171-NDM-000258
CCIs
Number | Definition |
---|---|
CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords. |
Controls
Number | Title |
---|---|
IA-5 (1) | Password-Based Authentication |