RFC 3871 Operational Security Requirements September 2004
2.12.15. Support Recovery Of Privileged Access
Requirement.
The device MUST support a mechanism to allow authorized
individuals to recover full privileged administrative access in
the event that access is lost. Use of the mechanism MUST require
physical access to the device. There MAY be a mechanism for
disabling the recovery feature.
Justification.
There are times when local administrative passwords are forgotten,
when the only person who knows them leaves the company, or when
hackers set or change the password. In all these cases,
legitimate administrative access to the device is lost. There
should be a way to recover access. Requiring physical access to
invoke the procedure makes it less likely that it will be abused.
Some organizations may want an even higher level of security and
be willing to risk total loss of authorized access by disabling
the recovery feature, even for those with physical access.
Examples.
Some examples of ways to satisfy this requirement are to have the
device give the user the chance to set a new administrative
password when:
* The user sets a jumper on the system board to a particular
position.
* The user sends a special sequence to the RS232 console port
during the initial boot sequence.
* The user sets a "boot register" to a particular value.
Warnings.
This mechanism, by design, provides a "back door" to complete
administrative control of the device and may not be appropriate
for environments where those with physical access to the device
can not be trusted.
Also see the warnings in Section 2.3.1 (Support a 'Console'
Interface).
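The following is an added example, not text or code from RFC 3871, that models the gate a device might implement for this requirement: recovery of the administrative credential is granted only when a physical-presence signal is seen (any one of the three examples above: a jumper, a console break during early boot, or a boot-register value) and the recovery feature has not been disabled, and every decision is written to an audit log. The signal names, the boot-register value, the `Device` structure, and the choice to require the current administrator credential before disabling recovery are all assumptions of this example, not requirements of the RFC.

```python
"""Model of a privileged-access recovery gate (illustrating RFC 3871, 2.12.15).

Added example, not from the RFC. It assumes a device that:
  * samples a physical-presence signal during boot (jumper, console break,
    or boot register, the three examples given in the RFC),
  * keeps a "recovery disabled" flag in non-volatile storage, and
  * stores the administrator credential as a salted PBKDF2 hash.
Every name and value below is hypothetical.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

RECOVERY_BOOT_REGISTER = 0x2142   # hypothetical "boot register" value


@dataclass
class BootSignals:
    """What the device observed during the initial boot sequence (constructed)."""
    jumper_set: bool = False                 # jumper on the system board
    console_break_during_boot: bool = False  # special sequence on the RS232 console
    boot_register: int = 0                   # value of the boot register


@dataclass
class Device:
    """Persistent device state relevant to recovery."""
    recovery_disabled: bool = False
    admin_salt: bytes = field(default_factory=lambda: os.urandom(16))
    admin_hash: bytes = b""                  # empty until a credential is set
    audit_log: list = field(default_factory=list)


def physical_presence(sig: BootSignals) -> bool:
    """Any one of the RFC's three example signals counts as physical access."""
    return (sig.jumper_set
            or sig.console_break_during_boot
            or sig.boot_register == RECOVERY_BOOT_REGISTER)


def recovery_allowed(dev: Device, sig: BootSignals) -> bool:
    """The gate: the disable flag wins over physical presence, by design."""
    if dev.recovery_disabled:
        dev.audit_log.append("recovery refused: feature disabled")
        return False
    if not physical_presence(sig):
        dev.audit_log.append("recovery refused: no physical-presence signal")
        return False
    dev.audit_log.append("recovery granted: physical-presence signal seen")
    return True


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def recover_admin(dev: Device, sig: BootSignals, new_password: str) -> bool:
    """Let the physically present user set a new administrative password."""
    if not recovery_allowed(dev, sig):
        return False
    dev.admin_salt = os.urandom(16)          # fresh salt on every reset
    dev.admin_hash = _hash(dev.admin_salt, new_password)
    dev.audit_log.append("admin credential reset via physical recovery")
    return True


def check_admin(dev: Device, password: str) -> bool:
    """Constant-time comparison of the offered password against the stored hash."""
    if not dev.admin_hash:
        return False
    return hmac.compare_digest(dev.admin_hash, _hash(dev.admin_salt, password))


def disable_recovery(dev: Device, current_password: str) -> bool:
    """Disabling is itself a privileged, irreversible choice (assumption: it
    requires the current administrator credential)."""
    if not check_admin(dev, current_password):
        dev.audit_log.append("disable-recovery refused: bad credential")
        return False
    dev.recovery_disabled = True
    dev.audit_log.append("recovery feature disabled")
    return True


if __name__ == "__main__":
    dev = Device()
    print(recover_admin(dev, BootSignals(), "first"))                   # no presence
    print(recover_admin(dev, BootSignals(jumper_set=True), "first"))    # granted
    print(disable_recovery(dev, "first"))
    print(recover_admin(dev, BootSignals(jumper_set=True), "second"))   # refused
    print("\n".join(dev.audit_log))
```

The ordering inside `recovery_allowed` is the point of the Warnings paragraph: once an organization disables the feature, even a user with physical access is refused, so the device's owner has knowingly accepted the risk of total loss of authorized access. The audit log entries are what a security operations team would want to collect from the device, since a recovery event on a device whose password was not actually lost is worth investigating.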
Jones Informational [Page 64]