User's Manual

ManualsBrandsCisco Systems ManualsSecurity CameraCisco Systems CL-28826-01

1481

35-14

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 35 Getting Started with IPS Configuration

Managing User Accounts and Password Requirements

• Viewer—Users can view the device configuration and events, but they cannot modify any

configuration data except their user passwords.

• Operator—Users can view everything and they can modify the following options:

–

Signature tuning (priority, disable or enable).

–

Virtual sensor definition.

–

Managed routers.

–

Their user passwords.

• Administrator—Users can view everything and they can modify all options that Operators can

modify in addition to the following:

–

Sensor addressing configuration.

–

List of hosts allowed to connect as configuration or viewing agents.

–

Assignment of physical sensing interfaces.

–

Enable or disable control of physical interfaces.

–

Add and delete users and passwords.

–

Generate new SSH host keys and server certificates.

• Service—Only one user with service privileges can exist on a sensor. The service user cannot log in

to IDM or IME. The service user logs in to a bash shell rather than the CLI. The service role is a

special role that allows you to bypass the CLI if needed.

Note The purpose of the Service account is to provide Cisco Technical Support access to

troubleshoot unique and unusual problems. It is not needed for normal system configuration

and troubleshooting. You should carefully consider whether you want to create a service

account. The service account provides shell access to the system, which makes the system

vulnerable. However, you can use the service account to create a password if the

administrator password is lost. Analyze your situation to decide if you want a service

account existing on the system.

Understanding Managed and Unmanaged IPS Passwords

Every IPS local user account has a password, which allows secure user login to the device. These user

passwords are encrypted on the IPS device. Thus, when you add an IPS device to the Security Manager

inventory, Security Manager cannot read the actual user passwords.

Because Security Manager cannot read the password, it is unable to deploy newly-discovered user

account passwords to the device. To avoid putting user accounts into a state where the passwords are

unknown and unusable, Security Manager marks discovered user account passwords as unmanaged.

The status of a password is indicated in the Is Password Managed? column of the Platform > Device

Admin > Device Access > User Accounts policy:

• If No is indicated, the password for this account is not configured in Security Manager. When you

deploy this policy, Security Manager will not attempt to configure the password for this user

account.

• If Yes is indicated, the password for this account was configured or updated in Security Manager.

When you deploy this policy, Security Manager reconfigures the passwords for all managed

accounts, not just the passwords that changed since the last deployment.