18.6 Disabling Unused Services
Section 18: Implementing Device Hardening

To facilitate deployment, Cisco routers and switches ship with a default set of services enabled that is considered appropriate for most network environments. Not all networks have the same requirements, however, so some of these services may not be needed. Disabling unnecessary services has two benefits: it preserves system resources, and it removes the attack surface those services would otherwise expose, so a vulnerability in a service you never used cannot be exploited against the device.

Use the show control-plane host open-ports command to see which TCP and UDP ports the router is listening on, and from that determine which services should be disabled. In the following example, the services enabled on the router are SSH, Telnet, TACACS, and DHCP:

    Router# show control-plane host open-ports
    Active internet connections (servers and established)
    Prot  Local Address   Foreign Address     Service          State
    tcp   *:22            *:0                 SSH-Server       LISTEN
    tcp   *:23            *:0                 Telnet           LISTEN
    udp   *:49            172.26.150.206:0    TACACS service   LISTEN
    udp   *:67            *:0                 DHCPD Receive    LISTEN

Note that this command lists only TCP and UDP listeners on the control plane. Layer 2 services such as Cisco Discovery Protocol do not appear here; use show cdp interface to see where that protocol is running.

The following are general best practices:

- Unless they are explicitly needed, ensure that the finger service, the identification (identd) service, and the TCP and UDP small services remain disabled on all routers and switches. In Cisco IOS Software Release 15.0 and later, these services are disabled by default.
- Disable Cisco Discovery Protocol on interfaces where the service may represent a risk, because it advertises the device's platform, software version, and addressing to any directly connected neighbor. Examples are external interfaces, such as those at the Internet edge, and data-only ports at the campus and branch access layer. Cisco Discovery Protocol is enabled by default in Cisco IOS Software Release 15.0 and later.
- It is strongly recommended that you turn off the HTTP service running on the router. HTTPS can remain enabled if web management is actually required. The HTTP service is disabled by default in Cisco IOS Software Release 15.0 and later.

There are two options for disabling Cisco Discovery Protocol:

- Disable it globally (on all interfaces). If you prefer not to use the Cisco Discovery Protocol device discovery capability at all, disable it with the no cdp run command in global configuration mode. To re-enable Cisco Discovery Protocol after disabling it, use the cdp run command in global configuration mode.
- Disable it on a specific interface with the no cdp enable command in interface configuration mode. Cisco Discovery Protocol is enabled by default on all supported interfaces except Frame Relay interfaces, where it is not enabled by default. To re-enable Cisco Discovery Protocol on an interface after disabling it, use the cdp enable command in interface configuration mode.

To disable the HTTP service on the router, use the no ip http server command in global configuration mode. If you want to re-enable the HTTP service after disabling it, use the ip http server command in global configuration mode.

As an alternative, Cisco IOS Software provides the AutoSecure function, which disables these unnecessary services while enabling other security services.
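The following is an added example, not part of the Cisco course material, that turns the procedure above into a repeatable check: it parses the show control-plane host open-ports output quoted in this section, reports every listener that is not on an allowlist of services the network actually needs, and maps each one to the IOS command that closes it, alongside the two CDP options described above. Only the no ip http server, no cdp run and no cdp enable commands come from the section; the other REMEDIATION entries (vty transport input ssh, no ip finger) are this example's assumptions about standard IOS commands, the allowlist is a constructed policy, and the function names are the example's own.

```python
"""Audit a router's control-plane listeners against an allowlist.

Added example for this section; it is not part of the Cisco course material.
It parses the output of 'show control-plane host open-ports' quoted above,
reports every listener that is not on the allowlist and maps it to the IOS
command that closes it.  Only the HTTP command comes from the section; the
other REMEDIATION entries are this example's assumptions about standard IOS
commands, and the allowlist itself is a constructed policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: the exact command output shown in the section.
SAMPLE_OUTPUT = """\
Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
udp *:49 172.26.150.206:0 TACACS service LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
"""

# Commands that close a listener, keyed by (protocol, port).
REMEDIATION: Dict[Tuple[str, int], List[str]] = {
    ("tcp", 80): ["no ip http server"],                     # from the section
    ("tcp", 23): ["line vty 0 4", " transport input ssh"],  # assumption
    ("tcp", 79): ["no ip finger"],                          # assumption
}


@dataclass(frozen=True)
class Listener:
    proto: str
    local: str
    foreign: str
    service: str
    state: str

    @property
    def port(self) -> int:
        # Local address is '*:22' or 'a.b.c.d:22'; the port follows the last colon.
        return int(self.local.rsplit(":", 1)[1])


def parse_open_ports(text: str) -> List[Listener]:
    """Parse the table rows; skip the prompt, banner and column header."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local, foreign = fields[:3]
        state = fields[-1]
        # Service names such as 'TACACS service' contain spaces, so take
        # everything between the foreign address and the state column.
        service = " ".join(fields[3:-1])
        listeners.append(Listener(proto, local, foreign, service, state))
    return listeners


def audit(text: str, allowed: Set[Tuple[str, int]]) -> Dict[str, list]:
    """Return the listeners not in 'allowed' and the commands to remove them.

    A listener with no known command gets a review marker instead, so nothing
    is silently dropped from the report."""
    unneeded: List[Listener] = []
    commands: List[str] = []
    for lst in parse_open_ports(text):
        key = (lst.proto, lst.port)
        if key in allowed:
            continue
        unneeded.append(lst)
        commands += REMEDIATION.get(
            key, [f"! review {lst.service} on {lst.proto}/{lst.port} manually"]
        )
    return {"unneeded": unneeded, "commands": commands}


def cdp_config(edge_interfaces: List[str], disable_globally: bool = False) -> List[str]:
    """Config lines for the two CDP options in the section: 'no cdp run'
    globally, or 'no cdp enable' on each listed (edge) interface."""
    if disable_globally:
        return ["no cdp run"]
    lines: List[str] = []
    for name in edge_interfaces:
        lines += [f"interface {name}", " no cdp enable"]
    return lines


if __name__ == "__main__":
    # Constructed policy: SSH for management, TACACS+ and the DHCP server stay.
    allowed = {("tcp", 22), ("udp", 49), ("udp", 67)}
    report = audit(SAMPLE_OUTPUT, allowed)
    for lst in report["unneeded"]:
        print(f"unneeded: {lst.proto}/{lst.port} {lst.service} ({lst.state})")
    print("\n".join(report["commands"] + cdp_config(["GigabitEthernet0/0"])))
```

Run against the section's sample with that allowlist, the audit flags only Telnet and emits the vty lines that restrict inbound management to SSH; a listener the mapping does not know is still reported, with a review marker, rather than disappearing from the output. Because CDP is not a TCP or UDP listener, it never shows up in the parsed table, which is why the CDP commands are generated separately from the interface list you supply.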