Hello!
Ok, so I didn’t know the details of this until I was asked about it and did some digging. This got me thinking… If I don’t see this stuff… who else is in the dark?
Introduction
There are various accounts with passwords local to the NetScaler. Obviously, Security will be all over the deployment if those accounts don’t have passwords that are compliant with the company password policy in some way, most likely for both length and complexity.
The defaults don’t include very strong passwords, and they are also a bit short (4 characters!). This piece will point you to the places to correct that and show how to audit for weak accounts.
Assumptions
You have an admin account for the NetScaler.
You have a change window!
References
There is a great support document, CTX233298, that offers some of the key commands and also details which characters you can use in a password. It is an excellent resource. The info is here.
The related NetScaler documentation page is also quite useful.
While searching, I also found this document, CTX224027. This is simply how to change an nsroot password, which might be useful if you are starting on the appliance. You can read the info in that document here.
Where do I start?
Let’s assume that you have an appliance and need to set some strong password policies, and that you also want to find any weak passwords.
Secure nsroot with the CLI
My policy is to have complex passwords enabled with 12 characters as the minimum length. Looking at CTX233298, the commands are:
Nsroot now needs to be reset to meet these standards. I didn’t read the ERROR message, and added an uppercase ‘P’ in password, making it so much more secure…
Secure nsroot with the GUI
I need to navigate to System-Settings and choose ‘Settings’ on the RHS and ‘Change Global System settings’.
The password options are listed in this box.
Strong passwords
Please ensure all the existing user passwords adhere to this restriction. Minimum Password Length is set to 4 as the default.
Note: the Strongpassword parameter can have the values enableall, enablelocal or disabled. By default, it is disabled. If you want to force strong passwords for local accounts only, set the value to enablelocal.
After enabling strong passwords (enableall or enablelocal; anything on the exclude list is exempt), every password and other sensitive value must contain at least one lowercase character, at least one uppercase character, at least one numeric character and at least one special character from the set ( ~, `, !, @, #, $, %, ^, &, *, -, _, =, +, {, }, [, ], |, \, :, <, >, /, ., ,, " ").
After enabling strong passwords for the appliance, make sure that you update the passwords to match the strong password criteria. Otherwise, users with weak passwords cannot access the appliance. To locate the weak passwords, in the shell, go to the "/netscaler" directory and run the "nsconfigaudit -weakpasswd" utility.
Min password length
When strong passwords are enabled, the default minimum length is 4, and any user-entered value must be greater than or equal to 4. When strong passwords are disabled, the default minimum is 1. The maximum is 127 in both cases (minimum value: 1, maximum value: 127).
Audit other accounts
Now that nsroot is more secure, what about the other accounts that you might have in use? CTX233298 also has the commands to take a look at other accounts’ passwords. Looking at the output below, I have not followed Steven Wright's best practice deployment guide.
The output highlights a few places to tidy things up.
Summary
The defaults are quite weak from a security perspective, but they are simple to change once you know where to reset them.