
DIGITAL EDUCATION SERIES

JOB AID

Securing the Default System Maintenance Accounts (Root and Admin)

TABLE OF CONTENTS

Creating a New Local Administrator Account
    Create a New Local Administrator Account from the Configuration Utility
    Create a New Local Administrator Account from TMSH

Designating a New Primary Administrator User
    Designate a New Primary Administrator User from the Configuration Utility
    Designate a New Primary Administrator User from TMSH

Disabling the Root Account
    Disable the Root Account from the Configuration Utility
    Disable the Root Account from TMSH

BIG-IP ADMINISTRATOR TRAINING
BIG-IP FUNDAMENTALS CURRICULUM

SECURING THE DEFAULT SYSTEM MAINTENANCE ACCOUNTS (ROOT AND ADMIN)

Creating a New Local Administrator Account


By default, every BIG-IP system includes two system maintenance or administrator user accounts,
named root and admin, whose passwords are default and admin, respectively. User admin has administrative
access to the Configuration utility, and user root has administrative access to the command line, including the TMOS
shell (or TMSH) and Linux bash. These accounts are provided to help you initially set up a BIG-IP system. However,
since they are present on all BIG-IP systems, they represent a security exposure and are not designed to be used in
the long term. While these accounts cannot be deleted, they can be effectively disabled and replaced by a separate,
local administrator account that conforms to your enterprise's security requirements. The steps below show you how
to create such a new user account from either the Configuration utility or TMSH.

Create a New Local Administrator Account from the Configuration Utility

Requirements: You must be an Administrator to perform these steps.


The example below walks you through creating a new, local administrator account with Advanced shell access from
the Configuration utility. This account will later replace both of the default system maintenance
accounts, root and admin.
1. Currently, the default admin account is the primary administrative user on this BIG-IP system, as shown in the
User Administration section of the System » Platform page.


2. On the BIG-IP system, navigate to System » Users and create a new, local Administrator user account with
access to all partitions and to all command line functions (Advanced shell). In this example, the username is set
to DarthVader66.

3. This BIG-IP system now has two local user accounts. Both are designated Administrators on All Partitions,
but the admin account is still the primary administrative user. Continue on to the section entitled Designate a
New Primary Administrator User from the Configuration Utility for instructions on how to disable the default
admin user and designate an alternate.



Create a New Local Administrator Account from TMSH

Requirements: You must be an Administrator to perform the tmsh create step shown below.
1. List the current default admin user account.

(tmos)# list /auth user admin
auth user admin {
    description "Admin User"
    encrypted-password $6$tXUeHdRT$NR7/rmHdh6Iv4MG/80oong0fnpW0aVQdGl72MyZtCnRkUkOajCLGYJWKs/dx3DpQcCGzn
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell none
}

2. Create a new, local user with access to all partitions in the Administrator role, and with access to Linux bash
and TMSH. List the new user's configuration settings after creation.

(tmos)# create /auth user DarthVader66 partition-access add { all-partitions { role admin } } shell bash prompt-for-password
changing password for DarthVader66
password:
confirm password:
(tmos)# list /auth user DarthVader66
auth user DarthVader66 {
    description DarthVader66
    encrypted-password $6$ZGOIKqxQ$WT0nPP5j5GSrGW92cxnRyk4Oo/zoo/DtJ2MT1veeHypaU/SzUXAfCG0rWPuiTnGNKYF61
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}

3. If you want to keep this modification permanently, remember to save the configuration.

(tmos)# save /sys config


Designating a New Primary Administrator User


By default, the admin account is the primary administrator user on the BIG-IP system. Once you have created a
new local administrator account, you can effectively disable the default admin account by designating this new
account as the primary. You can do this from either the Configuration utility or TMSH, as shown in the examples
below.

Designate a New Primary Administrator User from the Configuration Utility

In the example below, the new local administrator user named DarthVader66 is designated as the primary
administrator user, effectively disabling the default admin user. Any users currently logged into the BIG-IP system
as admin will be immediately disconnected. Any new attempt to log in with the default admin user credentials will fail
unless it is once again designated as the primary administrator user.
Requirements: You must be an Administrator to perform step 1. Also, if you perform step 1 while logged in as
the admin user or as the alternate user you specify in the step, you will be logged out.


1. On the BIG-IP system, navigate to System » Platform and in the User Administration section, check
the Disable default admin, use alternate checkbox, and specify an alternate account to use as the primary
administrator user. You must know the password for the account you specify as the alternate. In this example,
the new local administrator account created above, DarthVader66, is designated as the primary administrator
user.


2. Notice that the default admin user no longer appears in the User List in the Configuration utility. (It does
appear if you list all users from TMSH, as shown further below, but it is disabled for use with the Configuration
utility.)

Designate a New Primary Administrator User from TMSH

Requirements: You must be an Administrator to perform the tmsh modify steps shown below.
1. List the current primary administrator user. This example shows the default configuration which names admin as
the primary administrator user.

(tmos)# list /sys db systemauth.primaryadminuser
sys db systemauth.primaryadminuser {
    value "admin"
}

2. Designate the custom administrator account named DarthVader66 as the primary administrator user and list the
primary administrator user again.

(tmos)# modify /sys db systemauth.primaryadminuser value DarthVader66
(tmos.sys.db)# list /sys db systemauth.primaryadminuser
sys db systemauth.primaryadminuser {
    value "DarthVader66"
}

3. If you want to keep this modification permanently, remember to save the configuration.

(tmos)# save /sys config


Disabling the Root Account


Although the default system maintenance account named root cannot be deleted, it can be disabled. Before
disabling the root account, you should ensure you have at least one other local administrator account with advanced
shell access. Failure to do so may put you in a position where you are unable to administer your BIG-IP system.


Disable the Root Account from the Configuration Utility

1. On the BIG-IP system, navigate to System » Platform and in the User Administration section, check
the Disable login checkbox for the Root Account. Note: The Password and Confirm fields for the Root
Account will disappear.

2. Click the Update button to save your changes.


Disable the Root Account from TMSH

Requirements: You must be an Administrator to perform the tmsh modify steps shown below.
1. List the current value for the BIG-IP DB variable that controls the root system maintenance account. When its
value is false, the root user is enabled and can be used to sign into the BIG-IP system's command line
interface. When true, the root user is disabled, and cannot be used to access the BIG-IP system's command
line interface. (Note: The root user has no access to the Configuration utility.)

(tmos)# list /sys db systemauth.disablerootlogin
sys db systemauth.disablerootlogin {
    value "false"
}

2. Disable the root user account and list the variable's value again. Note: Any users currently signed into the BIG-IP
system as root will remain signed in and able to perform administrative activities until they sign out or their
session terminates.

(tmos)# modify /sys db systemauth.disablerootlogin value true
(tmos)# list /sys db systemauth.disablerootlogin
sys db systemauth.disablerootlogin {
    value "true"
}

3. If you want to keep this modification permanently, remember to save the configuration.

(tmos)# save /sys config
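The bash script below is an added example and is not part of the F5 job aid. It strings together the three TMSH procedures above (create the local administrator, designate it as primary administrator, disable root login, save the configuration) and adds the check that the root-account caveat calls for: it parses the "tmsh list /auth user" listing and refuses to disable root unless a bash-capable all-partition administrator exists. It also provides an audit that reads the two sys db variables back. It assumes it runs in the BIG-IP advanced shell with tmsh on PATH; the function names, the sample listings and the reuse of the DarthVader66 username are constructed for this example, and the parsing functions work offline on pasted tmsh output.

```shell
#!/bin/bash
# Added example, not part of the F5 job aid. Assumes the BIG-IP advanced shell
# (tmsh on PATH); the parsing functions below also work offline on pasted output.

# Print the quoted value of one sys db variable from a "tmsh list /sys db NAME"
# listing on stdin. $1 is the expected variable name; prints nothing on mismatch.
db_value() {
    awk -v name="$1" '
        $1 == "sys" && $2 == "db" && $3 == name { found = 1 }
        found && $1 == "value" { gsub(/"/, "", $2); print $2; exit }'
}

# From a "tmsh list /auth user" listing on stdin, print the names of users that
# hold the admin role on all partitions and have shell bash (root excluded).
bash_admins() {
    awk '
        /^auth user / { name = $3; depth = 0; part = ""; isadmin = 0; hasbash = 0 }
        depth == 2 && $2 == "{" { part = $1 }      # block under partition-access
        part == "all-partitions" && $1 == "role" && $2 == "admin" { isadmin = 1 }
        $1 == "shell" && $2 == "bash" { hasbash = 1 }
        { depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}") }
        name != "" && depth == 0 {
            if (isadmin && hasbash && name != "root") print name
            name = ""
        }'
}

# Exit 0 when the primary administrator is no longer the default "admin" user.
check_primary_admin() {
    v="$(db_value systemauth.primaryadminuser)"
    [ -n "$v" ] || { echo "primaryadminuser: not found in input" >&2; return 2; }
    [ "$v" != "admin" ] || { echo "primaryadminuser is still 'admin'" >&2; return 1; }
    echo "primaryadminuser: $v"
}

# Exit 0 when systemauth.disablerootlogin is "true".
check_root_login() {
    v="$(db_value systemauth.disablerootlogin)"
    [ -n "$v" ] || { echo "disablerootlogin: not found in input" >&2; return 2; }
    [ "$v" = "true" ] || { echo "disablerootlogin is '$v': root login still enabled" >&2; return 1; }
    echo "disablerootlogin: true"
}

# Apply the job aid's TMSH steps for a new administrator named in $1.
harden_default_accounts() {
    new_admin="$1"
    tmsh create /auth user "$new_admin" partition-access add { all-partitions { role admin } } shell bash prompt-for-password
    tmsh modify /sys db systemauth.primaryadminuser value "$new_admin"
    # Guard for the caveat in the job aid: never disable root unless a
    # bash-capable all-partition administrator exists.
    if tmsh list /auth user | bash_admins | grep -qxF "$new_admin"; then
        tmsh modify /sys db systemauth.disablerootlogin value true
    else
        echo "not disabling root: $new_admin lacks the admin role or shell bash" >&2
        return 1
    fi
    tmsh save /sys config
}

# Audit a live system with the two checks above; non-zero if either fails.
audit_default_accounts() {
    rc=0
    tmsh list /sys db systemauth.primaryadminuser | check_primary_admin || rc=1
    tmsh list /sys db systemauth.disablerootlogin | check_root_login || rc=1
    return "$rc"
}

# Constructed sample listings (default, unhardened state) for an offline run.
SAMPLE_USERS='auth user admin {
    description "Admin User"
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell none
}
auth user DarthVader66 {
    description DarthVader66
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}'
SAMPLE_PRIMARY='sys db systemauth.primaryadminuser {
    value "admin"
}'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_USERS" | bash_admins
    printf '%s\n' "$SAMPLE_PRIMARY" | check_primary_admin || echo "audit failed (expected for the defaults)"
fi
```

On a BIG-IP, source the script in bash and run harden_default_accounts with the new username, then audit_default_accounts to confirm both variables; off-box, run it with --demo to exercise the parsers against the constructed listings. The guard deliberately checks the live user listing rather than trusting that the create step succeeded, so a partially applied run never leaves the system with root disabled and no other shell-capable administrator.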
