Never authorize “changeto” command on Cisco ASA

As a security administrator, you should never, ever authorize the changeto command for any privilege level lower than 15.

Reason: when a user with a lower privilege level who is authorized to use the changeto command switches context, by default he gets full privilege level 15 access to the context he just switched to.

To keep it simple, let's assume the ASA has been configured with two contexts, admin-context and Context-A.

Image - 1

A user called Shyam has privilege level 5 access in the admin-context.

Image - 2

In the admin-context, privilege level 5 has been authorized to execute the changeto command.

Image - 3

And here’s the aaa configuration, for reference:

Image - 4

Being a privilege level 5 user, he is not allowed into global configuration mode, as seen below:

Image - 5

The show curpriv command shows that Shyam is currently a privilege level 5 user, and he is denied access to global configuration mode by aaa command authorization.

Now when he changes his context using the changeto command:

Image - 6

As seen above, in the new context he switches to (Context-A in this case), he gets full privilege level 15 access even though show curpriv still reports his privilege level as 5.

And what happens when he switches back to his original context?

Image - 7

Voilà, he now has full access to the very context in which he was configured as a privilege level 5 user 🙂 !

So what is the reason for this?

According to Cisco, when a user switches context, by default he is logged in to the new context as the default username enable_15, which has full access. His own privilege level is carried along for display purposes only; command authorization in the new context is evaluated for enable_15, and the same happens when he switches back.

So, bottom line: for security reasons, never authorize the changeto command for any privilege level lower than 15. If a user genuinely needs access to multiple contexts, have him log in to each context individually, so that each context's own aaa authorization applies to him.
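The check a practitioner would want here is an audit of the running-config for exactly this misconfiguration. The following is an added example, not code from the original post: it parses the text of a show running-config (a constructed sample below that mirrors the post's setup, not a capture from a real device) and flags any privilege assignment that lowers changeto below level 15, lists the local users whose level lets them run it, and emits the no-form commands that restore the default. The default privilege of 2 for a username line without a privilege keyword and the "mode exec" form of the privilege line are assumptions based on ASA behaviour as the editor recalls it.

```python
"""Audit an ASA running-config for 'changeto' authorized below privilege 15.

Added example, not part of the original post. Works on the text of
'show running-config' for one context (run it per context: the post's
weak setting lives in the admin-context).
"""
import re

FULL_ACCESS = 15        # privilege level that already grants everything
DEFAULT_USER_LEVEL = 2  # assumed ASA default when 'username' has no 'privilege'

# Constructed sample, not a real capture: Shyam is a level-5 local user and
# changeto has been lowered from its default of 15 to level 5 (the weak setting).
WEAK_CONFIG = """\
hostname ciscoasa
username Shyam password ********** encrypted privilege 5
username admin password ********** encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
privilege cmd level 5 mode exec command changeto
privilege show level 5 mode exec command curpriv
"""

# Same config with changeto back at level 15 (the corrected setting).
FIXED_CONFIG = WEAK_CONFIG.replace(
    "privilege cmd level 5 mode exec command changeto",
    "privilege cmd level 15 mode exec command changeto",
)

PRIVILEGE_RE = re.compile(
    r"^privilege\s+(?P<kind>show|clear|cmd)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+(?P<mode>\S+))?\s+command\s+(?P<cmd>\S+)\s*$"
)
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s.*?\bprivilege\s+(?P<level>\d+))?"
)


def parse_privileges(config):
    """Return every 'privilege ... command X' assignment found in the config."""
    found = []
    for raw in config.splitlines():
        line = raw.strip()
        m = PRIVILEGE_RE.match(line)
        if m:
            found.append({"kind": m["kind"], "level": int(m["level"]),
                          "mode": m["mode"] or "exec", "cmd": m["cmd"],
                          "line": line})
    return found


def parse_local_users(config):
    """Return {username: privilege level} for local users."""
    users = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith(" attributes"):   # 'username X attributes' sub-mode header
            continue
        m = USERNAME_RE.match(line)
        if m and m["name"] not in users:
            users[m["name"]] = int(m["level"]) if m["level"] else DEFAULT_USER_LEVEL
    return users


def audit_changeto(config):
    """Flag changeto authorized below level 15 and list the local users it exposes.

    A user at or above the command's level may run it, and after switching
    contexts is logged in as enable_15 regardless of his own level, so every
    local user with level >= the command's level and < 15 gains full access.
    """
    users = parse_local_users(config)
    findings = []
    for p in parse_privileges(config):
        if p["cmd"] == "changeto" and p["level"] < FULL_ACCESS:
            exposed = sorted(n for n, lvl in users.items()
                             if p["level"] <= lvl < FULL_ACCESS)
            findings.append({**p, "exposed_users": exposed})
    return findings


def remediation(config):
    """CLI lines that remove each offending assignment (changeto then defaults to 15)."""
    return [f"no {f['line']}" for f in audit_changeto(config)]


if __name__ == "__main__":
    for f in audit_changeto(WEAK_CONFIG):
        print(f"WEAK: {f['line']}  exposes {', '.join(f['exposed_users']) or 'nobody'}")
    for cmd in remediation(WEAK_CONFIG):
        print(f"FIX:  {cmd}")
    print("fixed config findings:", audit_changeto(FIXED_CONFIG))
```

Two caveats. The audit only sees LOCAL command authorization; if a context uses aaa authorization command against a TACACS+ server, the changeto permission lives on that server and must be reviewed there. And the remediation assumes no other privilege line for changeto exists; after applying it, confirm with show running-config privilege all that changeto sits at level 15 in every context.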
